Analysis
-
max time kernel
138s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2024 22:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4e8eda880e3326dd280f6b50a4a6c10132e6b085fdb0c73f097b6847b766173c.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
4e8eda880e3326dd280f6b50a4a6c10132e6b085fdb0c73f097b6847b766173c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
4e8eda880e3326dd280f6b50a4a6c10132e6b085fdb0c73f097b6847b766173c.exe
-
Size
890KB
-
MD5
cacf193b3b8f2f73b8583aad6d61c601
-
SHA1
6733e73ef1f2579cc7cc9f8c9ed182c8b233c3bf
-
SHA256
4e8eda880e3326dd280f6b50a4a6c10132e6b085fdb0c73f097b6847b766173c
-
SHA512
f08d269974cf20341a2f833b5993fe9d57b8666e4085309099731a56bc2cf3f839fdbd59d19c916993f194265955b89919a21a61365d0e00e376bcffbea8244a
-
SSDEEP
6144:72tP7DNn1GmPQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NR5y:atnNI/Ng1/Nmr/Ng1/Nblt01PBNkEG
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjccdkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefabkej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omfekbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aibibp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhildae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkqoohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdlkdhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aakebqbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbjkngo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfhad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dddllkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahokfag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imnocf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbibfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eicedn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdaociml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbanbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjola32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafppp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaebef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhaggp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhifomdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibegfglj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocjiehd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkmfolf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paihlpfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdjinjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikbocki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjbcakl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdciiec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihibbjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qapnmopa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhoqeibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aagkhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgcihgaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edbiniff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foclgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcpfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahcajk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgonidg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haaaaeim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfmfefni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppqqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fplpll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkalplel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Embddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nghekkmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfagf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhknodl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmdlffhj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1596 Pibdmp32.exe 5056 Peieba32.exe 2140 Pcmeke32.exe 2000 Phincl32.exe 4176 Pabblb32.exe 3856 Qhngolpo.exe 1788 Qaflgago.exe 4864 Acfhad32.exe 4956 Ahcajk32.exe 2672 Akamff32.exe 4192 Aakebqbj.exe 3220 Ahenokjf.exe 1772 Ackbmcjl.exe 1216 Afinioip.exe 4948 Ahgjejhd.exe 1776 Akffafgg.exe 2436 Bhoqeibl.exe 4508 Bkmmaeap.exe 2760 Bbgeno32.exe 4432 Bfgjjm32.exe 876 Bopocbcq.exe 3116 Cfigpm32.exe 1004 Ccmgiaig.exe 1376 Cjjlkk32.exe 4976 Cbeapmll.exe 4944 Ckmehb32.exe 4452 Cmmbbejp.exe 384 Dbjkkl32.exe 1052 Diccgfpd.exe 1424 Dkdliame.exe 1200 Djelgied.exe 4120 Dcnqpo32.exe 860 Dmfeidbe.exe 4884 Dfoiaj32.exe 3376 Dmhand32.exe 3504 Eiobceef.exe 1192 Elnoopdj.exe 4612 Efccmidp.exe 2452 Ecgcfm32.exe 2368 Emphocjj.exe 1904 Efhlhh32.exe 864 Embddb32.exe 2808 Eppqqn32.exe 2840 Eiieicml.exe 4644 Fbajbi32.exe 1808 Fikbocki.exe 3928 Ffobhg32.exe 3040 Fmikeaap.exe 2108 Ffaong32.exe 4264 Fipkjb32.exe 4056 Fdepgkgj.exe 2668 Fibhpbea.exe 3852 Fplpll32.exe 752 Fjadje32.exe 2876 Gpnmbl32.exe 1828 Gigaka32.exe 3004 Glengm32.exe 5052 Giinpa32.exe 4144 Gbabigfj.exe 2308 Gmggfp32.exe 1032 Gdaociml.exe 2572 Gfokoelp.exe 3532 Gmiclo32.exe 4020 Gbfldf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mcgiefen.exe Mqimikfj.exe File created C:\Windows\SysWOW64\Nalhik32.dll Dafppp32.exe File created C:\Windows\SysWOW64\Elnoopdj.exe Eiobceef.exe File created C:\Windows\SysWOW64\Epmmqheb.exe Eicedn32.exe File created C:\Windows\SysWOW64\Fijkdmhn.exe Fflohaij.exe File opened for modification C:\Windows\SysWOW64\Qacameaj.exe Qmgelf32.exe File created C:\Windows\SysWOW64\Hnnljj32.exe Hhdcmp32.exe File created C:\Windows\SysWOW64\Amhmnagf.dll Jpegkj32.exe File created C:\Windows\SysWOW64\Acfhad32.exe Qaflgago.exe File opened for modification C:\Windows\SysWOW64\Ahgjejhd.exe Afinioip.exe File created C:\Windows\SysWOW64\Nhmofj32.exe Nenbjo32.exe File created C:\Windows\SysWOW64\Dkfadkgf.exe Ddligq32.exe File created C:\Windows\SysWOW64\Jepjhg32.exe Jgmjmjnb.exe File created C:\Windows\SysWOW64\Mcbpjg32.exe Mqdcnl32.exe File opened for modification C:\Windows\SysWOW64\Ibcjqgnm.exe Ipdndloi.exe File created C:\Windows\SysWOW64\Qikbaaml.exe Qfmfefni.exe File created C:\Windows\SysWOW64\Aalmimfd.exe Ajaelc32.exe File created C:\Windows\SysWOW64\Aolblopj.exe Ahbjoe32.exe File opened for modification C:\Windows\SysWOW64\Fechomko.exe Fbelcblk.exe File opened for modification C:\Windows\SysWOW64\Mjokgg32.exe Mebcop32.exe File opened for modification C:\Windows\SysWOW64\Odalmibl.exe Oodcdb32.exe File created C:\Windows\SysWOW64\Poigcbng.dll Dfglfdkb.exe File created C:\Windows\SysWOW64\Efeihb32.exe Eokqkh32.exe File created C:\Windows\SysWOW64\Efgemb32.exe Epmmqheb.exe File created C:\Windows\SysWOW64\Ckbemgcp.exe Cdimqm32.exe File created C:\Windows\SysWOW64\Ecipcemb.dll Fgcjfbed.exe File opened for modification C:\Windows\SysWOW64\Mpeiie32.exe Mhoahh32.exe File created C:\Windows\SysWOW64\Monjjgkb.exe Mmpmnl32.exe File created C:\Windows\SysWOW64\Ogacbllg.dll Pahilmoc.exe File opened for modification C:\Windows\SysWOW64\Lpfgmnfp.exe Kngkqbgl.exe File created C:\Windows\SysWOW64\Ojfcdnjc.exe Opqofe32.exe File opened for modification C:\Windows\SysWOW64\Bnoddcef.exe Boldhf32.exe File created C:\Windows\SysWOW64\Khgbqkhj.exe Kamjda32.exe File created C:\Windows\SysWOW64\Giinpa32.exe Glengm32.exe File opened for modification C:\Windows\SysWOW64\Dkfadkgf.exe Ddligq32.exe File created C:\Windows\SysWOW64\Efjbcakl.exe Ekdnei32.exe File created C:\Windows\SysWOW64\Nmipdk32.exe Njjdho32.exe File opened for modification C:\Windows\SysWOW64\Chiblk32.exe Cdmfllhn.exe File created C:\Windows\SysWOW64\Gimngjie.dll Ehbnigjj.exe File created C:\Windows\SysWOW64\Mpiedk32.dll Pjaleemj.exe File opened for modification C:\Windows\SysWOW64\Nmgjia32.exe Njinmf32.exe File opened for modification C:\Windows\SysWOW64\Paelfmaf.exe Olicnfco.exe File opened for modification C:\Windows\SysWOW64\Plmmif32.exe Pahilmoc.exe File created C:\Windows\SysWOW64\Egjgdg32.dll Adkgje32.exe File created C:\Windows\SysWOW64\Hknfelnj.dll Damfao32.exe File created C:\Windows\SysWOW64\Ajihlijd.dll Mglfplgk.exe File opened for modification C:\Windows\SysWOW64\Bgpcliao.exe Bacjdbch.exe File opened for modification C:\Windows\SysWOW64\Aagdnn32.exe Ajmladbl.exe File created C:\Windows\SysWOW64\Nnhmnn32.exe Ngndaccj.exe File opened for modification C:\Windows\SysWOW64\Nciopppp.exe Mhckcgpj.exe File opened for modification C:\Windows\SysWOW64\Apggckbf.exe Aimogakj.exe File created C:\Windows\SysWOW64\Pocpfphe.exe Phigif32.exe File opened for modification C:\Windows\SysWOW64\Cohkokgj.exe Chnbbqpn.exe File created C:\Windows\SysWOW64\Kllfakij.dll Nnojho32.exe File created C:\Windows\SysWOW64\Qmeigg32.exe Qfkqjmdg.exe File opened for modification C:\Windows\SysWOW64\Jlhljhbg.exe Jjjpnlbd.exe File opened for modification C:\Windows\SysWOW64\Jgnqgqan.exe Jdodkebj.exe File created C:\Windows\SysWOW64\Dngjff32.exe Dmennnni.exe File created C:\Windows\SysWOW64\Cocjiehd.exe Chiblk32.exe File opened for modification C:\Windows\SysWOW64\Pjcikejg.exe Pblajhje.exe File created C:\Windows\SysWOW64\Efhlhh32.exe Emphocjj.exe File created C:\Windows\SysWOW64\Fngjep32.dll Mnfnlf32.exe File created C:\Windows\SysWOW64\Pefabkej.exe Pmoiqneg.exe File created C:\Windows\SysWOW64\Qgiiak32.dll Ihbponja.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1500 4768 WerFault.exe 829 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjdmbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkeekk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahbbkaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqllqqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflfac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gppcmeem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnangaoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgccinoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmbanbmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjfodne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkhbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjdho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjidgkog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiigadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chlflabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qacameaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbpaipl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgoek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpeaoih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbeapmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmiclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keimof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfqlfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiieicml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbacd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddhbipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmennnni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiogf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimogakj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmqmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnojho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoddcef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnlodjpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmladm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peieba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibhpbea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokdnjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpeiie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppikbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jphkkpbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihpkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bepmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnkbkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiccje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiobo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmmaeap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kggcnoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inqbclob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jebfng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjillkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekddhcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombcji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaoaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnbcgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijqcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phincl32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eifaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckjejfe.dll" Gkaclqkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecbjkngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chflphjh.dll" Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpceplkl.dll" Haaaaeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjbog32.dll" Jikoopij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknphfld.dll" Bboffejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 4e8eda880e3326dd280f6b50a4a6c10132e6b085fdb0c73f097b6847b766173c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpbba32.dll" Eicedn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edqnimdf.dll" Kflide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll" Mcgiefen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oihmedma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhngolpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofpe32.dll" Npiiffqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obqanjdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omfekbdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qikbaaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll" Bpcgpihi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjjpnlbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mebcop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Malpia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnhenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgmjmjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hginecde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bklfgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmfcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedhfp32.dll" Gicgpelg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gijmad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chlflabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eokqkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibqnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbndlfi.dll" Cfigpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnkpnclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikikigb.dll" Cfpffeaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfiedd32.dll" Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmdohhp.dll" Koajmepf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaeocdd.dll" Ookoaokf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famcfn32.dll" Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilibdmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmeandma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nijqcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgninn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Napjdpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpcam32.dll" Bbgeno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilafiihp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqpamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkldkg32.dll" Nmgjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlolpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbekii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abmjqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Napjdpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oibqpk32.dll" Ndflak32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3212 wrote to memory of 1596 3212 4e8eda880e3326dd280f6b50a4a6c10132e6b085fdb0c73f097b6847b766173c.exe 85 PID 3212 wrote to memory of 1596 3212 4e8eda880e3326dd280f6b50a4a6c10132e6b085fdb0c73f097b6847b766173c.exe 85 PID 3212 wrote to memory of 1596 3212 4e8eda880e3326dd280f6b50a4a6c10132e6b085fdb0c73f097b6847b766173c.exe 85 PID 1596 wrote to memory of 5056 1596 Pibdmp32.exe 86 PID 1596 wrote to memory of 5056 1596 Pibdmp32.exe 86 PID 1596 wrote to memory of 5056 1596 Pibdmp32.exe 86 PID 5056 wrote to memory of 2140 5056 Peieba32.exe 87 PID 5056 wrote to memory of 2140 5056 Peieba32.exe 87 PID 5056 wrote to memory of 2140 5056 Peieba32.exe 87 PID 2140 wrote to memory of 2000 2140 Pcmeke32.exe 88 PID 2140 wrote to memory of 2000 2140 Pcmeke32.exe 88 PID 2140 wrote to memory of 2000 2140 Pcmeke32.exe 88 PID 2000 wrote to memory of 4176 2000 Phincl32.exe 89 PID 2000 wrote to memory of 4176 2000 Phincl32.exe 89 PID 2000 wrote to memory of 4176 2000 Phincl32.exe 89 PID 4176 wrote to memory of 3856 4176 Pabblb32.exe 90 PID 4176 wrote to memory of 3856 4176 Pabblb32.exe 90 PID 4176 wrote to memory of 3856 4176 Pabblb32.exe 90 PID 3856 wrote to memory of 1788 3856 Qhngolpo.exe 91 PID 3856 wrote to memory of 1788 3856 Qhngolpo.exe 91 PID 3856 wrote to memory of 1788 3856 Qhngolpo.exe 91 PID 1788 wrote to memory of 4864 1788 Qaflgago.exe 92 PID 1788 wrote to memory of 4864 1788 Qaflgago.exe 92 PID 1788 wrote to memory of 4864 1788 Qaflgago.exe 92 PID 4864 wrote to memory of 4956 4864 Acfhad32.exe 93 PID 4864 wrote to memory of 4956 4864 Acfhad32.exe 93 PID 4864 wrote to memory of 4956 4864 Acfhad32.exe 93 PID 4956 wrote to memory of 2672 4956 Ahcajk32.exe 94 PID 4956 wrote to memory of 2672 4956 Ahcajk32.exe 94 PID 4956 wrote to memory of 2672 4956 Ahcajk32.exe 94 PID 2672 wrote to memory of 4192 2672 Akamff32.exe 95 PID 2672 wrote to memory of 4192 2672 Akamff32.exe 95 PID 2672 wrote to memory of 4192 2672 Akamff32.exe 95 PID 4192 wrote to memory of 3220 4192 Aakebqbj.exe 96 PID 4192 wrote to memory of 3220 4192 Aakebqbj.exe 96 PID 4192 wrote to memory of 3220 4192 Aakebqbj.exe 96 PID 3220 wrote to memory of 1772 3220 Ahenokjf.exe 97 PID 3220 wrote to memory of 1772 3220 Ahenokjf.exe 97 PID 3220 wrote to memory of 1772 3220 Ahenokjf.exe 97 PID 1772 wrote to memory of 1216 1772 Ackbmcjl.exe 98 PID 1772 wrote to memory of 1216 1772 Ackbmcjl.exe 98 PID 1772 wrote to memory of 1216 1772 Ackbmcjl.exe 98 PID 1216 wrote to memory of 4948 1216 Afinioip.exe 99 PID 1216 wrote to memory of 4948 1216 Afinioip.exe 99 PID 1216 wrote to memory of 4948 1216 Afinioip.exe 99 PID 4948 wrote to memory of 1776 4948 Ahgjejhd.exe 100 PID 4948 wrote to memory of 1776 4948 Ahgjejhd.exe 100 PID 4948 wrote to memory of 1776 4948 Ahgjejhd.exe 100 PID 1776 wrote to memory of 2436 1776 Akffafgg.exe 101 PID 1776 wrote to memory of 2436 1776 Akffafgg.exe 101 PID 1776 wrote to memory of 2436 1776 Akffafgg.exe 101 PID 2436 wrote to memory of 4508 2436 Bhoqeibl.exe 102 PID 2436 wrote to memory of 4508 2436 Bhoqeibl.exe 102 PID 2436 wrote to memory of 4508 2436 Bhoqeibl.exe 102 PID 4508 wrote to memory of 2760 4508 Bkmmaeap.exe 103 PID 4508 wrote to memory of 2760 4508 Bkmmaeap.exe 103 PID 4508 wrote to memory of 2760 4508 Bkmmaeap.exe 103 PID 2760 wrote to memory of 4432 2760 Bbgeno32.exe 104 PID 2760 wrote to memory of 4432 2760 Bbgeno32.exe 104 PID 2760 wrote to memory of 4432 2760 Bbgeno32.exe 104 PID 4432 wrote to memory of 876 4432 Bfgjjm32.exe 105 PID 4432 wrote to memory of 876 4432 Bfgjjm32.exe 105 PID 4432 wrote to memory of 876 4432 Bfgjjm32.exe 105 PID 876 wrote to memory of 3116 876 Bopocbcq.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e8eda880e3326dd280f6b50a4a6c10132e6b085fdb0c73f097b6847b766173c.exe"C:\Users\Admin\AppData\Local\Temp\4e8eda880e3326dd280f6b50a4a6c10132e6b085fdb0c73f097b6847b766173c.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Pcmeke32.exeC:\Windows\system32\Pcmeke32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3116 -
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe24⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe25⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4976 -
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe27⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe28⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe29⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe30⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe31⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe32⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe33⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe34⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe35⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3376 -
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4524 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3504 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe39⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe40⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe41⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe43⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Fbajbi32.exeC:\Windows\system32\Fbajbi32.exe47⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe49⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe50⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe51⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe52⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe53⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Fplpll32.exeC:\Windows\system32\Fplpll32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe56⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe57⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe58⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe60⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe61⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe62⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe64⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3532 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe66⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe67⤵PID:3832
-
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe68⤵PID:756
-
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe69⤵PID:4256
-
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe70⤵PID:872
-
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe71⤵PID:1988
-
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe72⤵PID:1224
-
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe73⤵PID:1420
-
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe74⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe75⤵PID:2984
-
C:\Windows\SysWOW64\Hdmoohbo.exeC:\Windows\system32\Hdmoohbo.exe76⤵PID:3192
-
C:\Windows\SysWOW64\Hkfglb32.exeC:\Windows\system32\Hkfglb32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1136 -
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe78⤵PID:840
-
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe79⤵PID:1676
-
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe80⤵PID:4800
-
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe81⤵PID:528
-
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe82⤵PID:4832
-
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe83⤵PID:3588
-
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe84⤵PID:2604
-
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe85⤵PID:1188
-
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe86⤵PID:3136
-
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe87⤵PID:2612
-
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe88⤵
- Modifies registry class
PID:4808 -
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe89⤵PID:4284
-
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe90⤵
- System Location Discovery: System Language Discovery
PID:4872 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe91⤵PID:3808
-
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe92⤵PID:4040
-
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe93⤵PID:2652
-
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe94⤵PID:1104
-
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe95⤵PID:4620
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Jlhljhbg.exeC:\Windows\system32\Jlhljhbg.exe97⤵PID:4668
-
C:\Windows\SysWOW64\Jdodkebj.exeC:\Windows\system32\Jdodkebj.exe98⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe99⤵PID:2376
-
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe101⤵PID:4984
-
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe102⤵PID:640
-
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe103⤵PID:3152
-
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe104⤵PID:4756
-
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe105⤵PID:4652
-
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe106⤵PID:3144
-
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe107⤵PID:1452
-
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe108⤵PID:2444
-
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe109⤵PID:5168
-
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5212 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe111⤵PID:5256
-
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe112⤵
- System Location Discovery: System Language Discovery
PID:5300 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe113⤵PID:5344
-
C:\Windows\SysWOW64\Kmdlffhj.exeC:\Windows\system32\Kmdlffhj.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5388 -
C:\Windows\SysWOW64\Kcndbp32.exeC:\Windows\system32\Kcndbp32.exe115⤵PID:5436
-
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe116⤵PID:5480
-
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe117⤵PID:5524
-
C:\Windows\SysWOW64\Kdmqmc32.exeC:\Windows\system32\Kdmqmc32.exe118⤵
- System Location Discovery: System Language Discovery
PID:5568 -
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe119⤵PID:5612
-
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe120⤵PID:5652
-
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe121⤵PID:5700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-