Analysis
max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
07-12-2024 20:50
Behavioral task
behavioral1
Sample
e1fa82aa821a0518e335c53c249de34a1bc1d714e19aee25a142ebaf79e5d85aN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e1fa82aa821a0518e335c53c249de34a1bc1d714e19aee25a142ebaf79e5d85aN.exe
Resource
win10v2004-20241007-en
General
Target
e1fa82aa821a0518e335c53c249de34a1bc1d714e19aee25a142ebaf79e5d85aN.exe
Size
377KB
MD5
d56ae216482241441dd29dbb393e6c30
SHA1
8c3d823d996ec9f3816542c2b87459e8617f8c88
SHA256
e1fa82aa821a0518e335c53c249de34a1bc1d714e19aee25a142ebaf79e5d85a
SHA512
8d13a848960323bbe428d8fd3637932418928264d6b0870f35e6d2e637a1caae4e69f260115e6a1115208f3871b9fe3e78665486383dc8e104113adc61452532
SSDEEP
6144:9kyHB7NaGSgnohijgAUv5fKx/SgnohignC5VA:9kyH7dMTv5i1dayVA
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibampd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mefmlh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njfajagl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knlkho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ealagi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpnmeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knalme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mccfgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cegljmid.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdbhnfon.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phkbejko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qmqfiinp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfcell32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahpdggif.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apcefmeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnadadld.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjicgh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgkideqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdlcon32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hibaik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngqong32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Banalobh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djlide32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njfajagl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qffgbhcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bflalped.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hknkce32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phbhfi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbompdaj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddmfohci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gehbmhbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iimjkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jeidkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jiglable.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojmqqj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mepnfone.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Igiecebl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ompmbklb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdkgmqgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eilofj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojbinjbc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdoikk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omnqmlne.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmmefd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmkdfhko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ffnkalab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpimoafp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iiippdhe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aaenepjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eogokokj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iklgdcem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afpkelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afjlqgkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mflgpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdpkigap.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elkbml32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpicjhjk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifejhi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppgejopp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aoplie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Impceced.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcknin32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mccfgi32.exe
Berbew family
Executes dropped EXE 64 IoCs
pid Process
548 | Llpcljnl.exe
4684 | Lbjlid32.exe
1264 | Leihep32.exe
3364 | Lmppfm32.exe
1976 | Lpnlbi32.exe
4100 | Ldjhcgll.exe
892 | Lghdockp.exe
872 | Lifqkn32.exe
3732 | Llemgj32.exe
4716 | Ldlehg32.exe
4444 | Mboeddad.exe
4000 | Memapppg.exe
2552 | Mmdiamqj.exe
4576 | Mpcenhpn.exe
4960 | Mdnang32.exe
4832 | Mgmnjb32.exe
2160 | Mepnfone.exe
180 | Mmgfgl32.exe
1764 | Mljfbiea.exe
4900 | Mdqncffd.exe
1792 | Mccooc32.exe
3864 | Mebkko32.exe
4700 | Minglmdk.exe
4876 | Mllchico.exe
3632 | Mpgoig32.exe
1840 | Mcfkec32.exe
3620 | Mgageace.exe
4736 | Mipcambi.exe
3472 | Mpjlngje.exe
2892 | Mchhjbii.exe
3500 | Mgddka32.exe
5072 | Mibpgm32.exe
2740 | Mlqlch32.exe
1232 | Ndhdde32.exe
1000 | Nckepbgf.exe
1860 | Neialnfj.exe
2528 | Nnpimkfl.exe
2896 | Nlciih32.exe
2824 | Ndjajeni.exe
4992 | Nghmfqmm.exe
3524 | Njgjbllq.exe
4316 | Nnbebk32.exe
3536 | Npabof32.exe
3396 | Ndlnoelf.exe
1484 | Ngkjlpkj.exe
960 | Njifhljn.exe
4364 | Nnebhj32.exe
4808 | Npcodf32.exe
3784 | Ncakqaqo.exe
648 | Nfpgmmpb.exe
4396 | Njlcmk32.exe
3704 | Nljoig32.exe
2744 | Ndagjd32.exe
5104 | Ncdgfaol.exe
4240 | Nfbdblnp.exe
2816 | Nnilcjnb.exe
4320 | Nlllof32.exe
3292 | Odcdpd32.exe
820 | Ogbploeb.exe
4752 | Ofeqhl32.exe
2240 | Onlhii32.exe
4080 | Opjeee32.exe
2908 | Odfqecdl.exe
2108 | Ogdmaocp.exe
Drops file in System32 directory 64 IoCs
description ioc Process
File opened for modification | C:\Windows\SysWOW64\Jcknin32.exe | Jpmbmc32.exe
File created | C:\Windows\SysWOW64\Ifiigp32.dll | Impceced.exe
File created | C:\Windows\SysWOW64\Knpdcoho.exe | Kckqefhi.exe
File created | C:\Windows\SysWOW64\Nnbebk32.exe | Njgjbllq.exe
File created | C:\Windows\SysWOW64\Mjkiiiee.exe | Macdpd32.exe
File created | C:\Windows\SysWOW64\Hpgpkf32.exe | Hmicoj32.exe
File created | C:\Windows\SysWOW64\Ihachhje.dll | Hpgpkf32.exe
File created | C:\Windows\SysWOW64\Lipdiikh.dll | Qffgbhcg.exe
File opened for modification | C:\Windows\SysWOW64\Amhdab32.exe | Qgllil32.exe
File created | C:\Windows\SysWOW64\Obgcldco.exe | Okpkkfbm.exe
File created | C:\Windows\SysWOW64\Gmhcnf32.exe | Ffnkalab.exe
File created | C:\Windows\SysWOW64\Cameeg32.exe | Cfgago32.exe
File opened for modification | C:\Windows\SysWOW64\Mjneoicb.exe | Miliga32.exe
File created | C:\Windows\SysWOW64\Afbhkkjc.exe | Acclopko.exe
File created | C:\Windows\SysWOW64\Jqchnbek.exe | Jjjpah32.exe
File created | C:\Windows\SysWOW64\Nakpllbn.exe | Njahob32.exe
File opened for modification | C:\Windows\SysWOW64\Memapppg.exe | Mboeddad.exe
File created | C:\Windows\SysWOW64\Mcfkec32.exe | Mpgoig32.exe
File created | C:\Windows\SysWOW64\Lcfbok32.dll | Qhjean32.exe
File opened for modification | C:\Windows\SysWOW64\Kgackeeg.exe | Kphknk32.exe
File created | C:\Windows\SysWOW64\Bdmmhjak.exe | Banalobh.exe
File created | C:\Windows\SysWOW64\Glnggjeb.dll | Ejgipdnl.exe
File created | C:\Windows\SysWOW64\Jhlqjb32.dll | Cjddbcgk.exe
File opened for modification | C:\Windows\SysWOW64\Dhqqhpjo.exe | Dafhkf32.exe
File created | C:\Windows\SysWOW64\Abiipl32.exe | Acfhdpil.exe
File created | C:\Windows\SysWOW64\Gajkjd32.dll | Hmpjpihp.exe
File created | C:\Windows\SysWOW64\Gjfmdnbf.dll | Jkpjel32.exe
File created | C:\Windows\SysWOW64\Ekmhhe32.exe | Emjglheo.exe
File opened for modification | C:\Windows\SysWOW64\Jghpefmb.exe | Joahcilp.exe
File created | C:\Windows\SysWOW64\Caemodbo.dll | Nhgfncab.exe
File opened for modification | C:\Windows\SysWOW64\Emglffqk.exe | Ejhpjjah.exe
File opened for modification | C:\Windows\SysWOW64\Lebaed32.exe | Ljmmhk32.exe
File created | C:\Windows\SysWOW64\Dlckfffm.dll | Process not Found
File created | C:\Windows\SysWOW64\Gehcca32.dll | Njlcmk32.exe
File created | C:\Windows\SysWOW64\Bflalped.exe | Bgiapc32.exe
File created | C:\Windows\SysWOW64\Cnlcjaki.dll | Epkghj32.exe
File opened for modification | C:\Windows\SysWOW64\Dpphmk32.exe | Difppail.exe
File created | C:\Windows\SysWOW64\Pjmnek32.dll | Hmhmddkl.exe
File opened for modification | C:\Windows\SysWOW64\Iiippdhe.exe | Ipplgnbe.exe
File opened for modification | C:\Windows\SysWOW64\Igmqihgo.exe | Ilgllogi.exe
File created | C:\Windows\SysWOW64\Kpbnbeon.dll | Llhnikkd.exe
File opened for modification | C:\Windows\SysWOW64\Bnhjbcfl.exe | Bfabaf32.exe
File opened for modification | C:\Windows\SysWOW64\Kigged32.exe | Kbmnhjho.exe
File created | C:\Windows\SysWOW64\Qjcafq32.dll | Nelmbq32.exe
File created | C:\Windows\SysWOW64\Lbindhnb.exe | Ljbfckmp.exe
File created | C:\Windows\SysWOW64\Acclopko.exe | Aklcnbjm.exe
File created | C:\Windows\SysWOW64\Gdbfom32.dll | Fncblj32.exe
File opened for modification | C:\Windows\SysWOW64\Cjhfcm32.exe | Ccnnfb32.exe
File created | C:\Windows\SysWOW64\Lebaed32.exe | Ljmmhk32.exe
File created | C:\Windows\SysWOW64\Fhgmfjcf.dll | Hnmnigdl.exe
File opened for modification | C:\Windows\SysWOW64\Jfihmabf.exe | Jkcdohbq.exe
File created | C:\Windows\SysWOW64\Nghflj32.exe | Nhgfncab.exe
File opened for modification | C:\Windows\SysWOW64\Eihleagi.exe | Dckdmjhb.exe
File opened for modification | C:\Windows\SysWOW64\Plhcaa32.exe | Pacoci32.exe
File created | C:\Windows\SysWOW64\Ofeqhl32.exe | Ogbploeb.exe
File created | C:\Windows\SysWOW64\Pgdfim32.exe | Pqknlbmp.exe
File created | C:\Windows\SysWOW64\Fncblj32.exe | Fgijpp32.exe
File opened for modification | C:\Windows\SysWOW64\Clplol32.exe | Chepomcc.exe
File opened for modification | C:\Windows\SysWOW64\Cgbpddjg.exe | Cnjklo32.exe
File created | C:\Windows\SysWOW64\Ngclcg32.exe | Naicfmeq.exe
File opened for modification | C:\Windows\SysWOW64\Acbmnmdi.exe | Amhdab32.exe
File opened for modification | C:\Windows\SysWOW64\Pimkelqo.exe | Pccbhb32.exe
File created | C:\Windows\SysWOW64\Icalcp32.exe | Ilhcfeke.exe
File created | C:\Windows\SysWOW64\Jjjpah32.exe | Jkgpekgd.exe
Program crash 1 IoCs
pid pid_target Process procid_target
8004 | 8500 | Process not Found | 1122
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbjlid32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aaenepjb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpippeho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdkigjch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Diqojlie.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpkieadm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojomfjke.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfonbdij.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfihmabf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhjpgn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oehlno32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kqohip32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Baadld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bklfjj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pnfibg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpcenhpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdqncffd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndjajeni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idbfbo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnoddpnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nblcqenl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kqhaia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdapabjo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aedfnoii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Diamoh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijjndppm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kgqdjbna.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhhlilld.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gipkmn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pkfjao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aecnfddd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dojggfqb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knpdcoho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omhlkeko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iqdfaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aojeij32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kicddk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mppbnb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Olbkeoki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bflalped.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mccfgi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eelijl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iikmecfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfbdblnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emnbgd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhecjmhf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkdhmf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngclcg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kckqefhi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmjkoj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cabopggg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfoghneo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgdccf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daqblk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbpcknkk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eaddldgb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lepdpd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afpkelle.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmjpcfgl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iddlmh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkbcdk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckqoeidi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogifmn32.exe
Modifies registry class 64 IoCs
description ioc Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndagjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knejbf32.dll" | Hkckhk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Idbfbo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hckebqij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfdng32.dll" | Anhljh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnfhkflg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bacaad32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Njlcmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ilgllogi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoodedo.dll" | Lifjahgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknpna32.dll" | Jgngebpd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pkjnaekb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjpbli32.dll" | Dieiek32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjagmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afafca32.dll" | Pnoneglj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cnffcajl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Olnbjp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcknin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekonjefb.dll" | Jcknin32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Diclpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eooabe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbmja32.dll" | Pgnphnke.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bflalped.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mndhdh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aklcnbjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncfgcbi.dll" | Dohkaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Felbajma.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgackeeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mllchico.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dilmjbaf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gpicjhjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Idjblc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcflbi32.dll" | Idjblc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Efnbjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgoeckg.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eindhlep.dll" | Olknjj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ljmmhk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ohloie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcggopbf.dll" | Aceidl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fhofplpl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Knklgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klplmeeg.dll" | Ngclcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhojac32.dll" | Bnaopf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dnfabc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mflbnogg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qqopml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Keondk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgiee32.dll" | Gagjia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bneaqphl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokjjbno.dll" | Ibampd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Diopji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jqpfmiml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbnkbimo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kjlmfgll.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmjpcfgl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Koodeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnac32.dll" | Bckijehc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dppogb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mmdepo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mkjnif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djcebb32.dll" | Mojhjnog.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkckhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ghabekni.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ghhhfjha.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 416 wrote to memory of 548 416 e1fa82aa821a0518e335c53c249de34a1bc1d714e19aee25a142ebaf79e5d85aN.exe 81 PID 416 wrote to memory of 548 416 e1fa82aa821a0518e335c53c249de34a1bc1d714e19aee25a142ebaf79e5d85aN.exe 81 PID 416 wrote to memory of 548 416 e1fa82aa821a0518e335c53c249de34a1bc1d714e19aee25a142ebaf79e5d85aN.exe 81 PID 548 wrote to memory of 4684 548 Llpcljnl.exe 82 PID 548 wrote to memory of 4684 548 Llpcljnl.exe 82 PID 548 wrote to memory of 4684 548 Llpcljnl.exe 82 PID 4684 wrote to memory of 1264 4684 Lbjlid32.exe 83 PID 4684 wrote to memory of 1264 4684 Lbjlid32.exe 83 PID 4684 wrote to memory of 1264 4684 Lbjlid32.exe 83 PID 1264 wrote to memory of 3364 1264 Leihep32.exe 84 PID 1264 wrote to memory of 3364 1264 Leihep32.exe 84 PID 1264 wrote to memory of 3364 1264 Leihep32.exe 84 PID 3364 wrote to memory of 1976 3364 Lmppfm32.exe 85 PID 3364 wrote to memory of 1976 3364 Lmppfm32.exe 85 PID 3364 wrote to memory of 1976 3364 Lmppfm32.exe 85 PID 1976 wrote to memory of 4100 1976 Lpnlbi32.exe 86 PID 1976 wrote to memory of 4100 1976 Lpnlbi32.exe 86 PID 1976 wrote to memory of 4100 1976 Lpnlbi32.exe 86 PID 4100 wrote to memory of 892 4100 Ldjhcgll.exe 87 PID 4100 wrote to memory of 892 4100 Ldjhcgll.exe 87 PID 4100 wrote to memory of 892 4100 Ldjhcgll.exe 87 PID 892 wrote to memory of 872 892 Lghdockp.exe 88 PID 892 wrote to memory of 872 892 Lghdockp.exe 88 PID 892 wrote to memory of 872 892 Lghdockp.exe 88 PID 872 wrote to memory of 3732 872 Lifqkn32.exe 89 PID 872 wrote to memory of 3732 872 Lifqkn32.exe 89 PID 872 wrote to memory of 3732 872 Lifqkn32.exe 89 PID 3732 wrote to memory of 4716 3732 Llemgj32.exe 90 PID 3732 wrote to memory of 4716 3732 Llemgj32.exe 90 PID 3732 wrote to memory of 4716 3732 Llemgj32.exe 90 PID 4716 wrote to memory of 4444 4716 Ldlehg32.exe 91 PID 4716 wrote to memory of 4444 4716 Ldlehg32.exe 91 PID 4716 wrote to memory of 4444 4716 Ldlehg32.exe 91 PID 4444 wrote to memory of 4000 4444 
Mboeddad.exe 92 PID 4444 wrote to memory of 4000 4444 Mboeddad.exe 92 PID 4444 wrote to memory of 4000 4444 Mboeddad.exe 92 PID 4000 wrote to memory of 2552 4000 Memapppg.exe 93 PID 4000 wrote to memory of 2552 4000 Memapppg.exe 93 PID 4000 wrote to memory of 2552 4000 Memapppg.exe 93 PID 2552 wrote to memory of 4576 2552 Mmdiamqj.exe 94 PID 2552 wrote to memory of 4576 2552 Mmdiamqj.exe 94 PID 2552 wrote to memory of 4576 2552 Mmdiamqj.exe 94 PID 4576 wrote to memory of 4960 4576 Mpcenhpn.exe 95 PID 4576 wrote to memory of 4960 4576 Mpcenhpn.exe 95 PID 4576 wrote to memory of 4960 4576 Mpcenhpn.exe 95 PID 4960 wrote to memory of 4832 4960 Mdnang32.exe 96 PID 4960 wrote to memory of 4832 4960 Mdnang32.exe 96 PID 4960 wrote to memory of 4832 4960 Mdnang32.exe 96 PID 4832 wrote to memory of 2160 4832 Mgmnjb32.exe 97 PID 4832 wrote to memory of 2160 4832 Mgmnjb32.exe 97 PID 4832 wrote to memory of 2160 4832 Mgmnjb32.exe 97 PID 2160 wrote to memory of 180 2160 Mepnfone.exe 98 PID 2160 wrote to memory of 180 2160 Mepnfone.exe 98 PID 2160 wrote to memory of 180 2160 Mepnfone.exe 98 PID 180 wrote to memory of 1764 180 Mmgfgl32.exe 99 PID 180 wrote to memory of 1764 180 Mmgfgl32.exe 99 PID 180 wrote to memory of 1764 180 Mmgfgl32.exe 99 PID 1764 wrote to memory of 4900 1764 Mljfbiea.exe 100 PID 1764 wrote to memory of 4900 1764 Mljfbiea.exe 100 PID 1764 wrote to memory of 4900 1764 Mljfbiea.exe 100 PID 4900 wrote to memory of 1792 4900 Mdqncffd.exe 101 PID 4900 wrote to memory of 1792 4900 Mdqncffd.exe 101 PID 4900 wrote to memory of 1792 4900 Mdqncffd.exe 101 PID 1792 wrote to memory of 3864 1792 Mccooc32.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1fa82aa821a0518e335c53c249de34a1bc1d714e19aee25a142ebaf79e5d85aN.exe"C:\Users\Admin\AppData\Local\Temp\e1fa82aa821a0518e335c53c249de34a1bc1d714e19aee25a142ebaf79e5d85aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SysWOW64\Llpcljnl.exeC:\Windows\system32\Llpcljnl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Lbjlid32.exeC:\Windows\system32\Lbjlid32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Leihep32.exeC:\Windows\system32\Leihep32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Lmppfm32.exeC:\Windows\system32\Lmppfm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Lpnlbi32.exeC:\Windows\system32\Lpnlbi32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Ldjhcgll.exeC:\Windows\system32\Ldjhcgll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Lghdockp.exeC:\Windows\system32\Lghdockp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Lifqkn32.exeC:\Windows\system32\Lifqkn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Llemgj32.exeC:\Windows\system32\Llemgj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Ldlehg32.exeC:\Windows\system32\Ldlehg32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Mboeddad.exeC:\Windows\system32\Mboeddad.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Memapppg.exeC:\Windows\system32\Memapppg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Mmdiamqj.exeC:\Windows\system32\Mmdiamqj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Mpcenhpn.exeC:\Windows\system32\Mpcenhpn.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Mdnang32.exeC:\Windows\system32\Mdnang32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Mgmnjb32.exeC:\Windows\system32\Mgmnjb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Mepnfone.exeC:\Windows\system32\Mepnfone.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Mmgfgl32.exeC:\Windows\system32\Mmgfgl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
C:\Windows\SysWOW64\Mljfbiea.exeC:\Windows\system32\Mljfbiea.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Mdqncffd.exeC:\Windows\system32\Mdqncffd.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Mccooc32.exeC:\Windows\system32\Mccooc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Mebkko32.exeC:\Windows\system32\Mebkko32.exe23⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Minglmdk.exeC:\Windows\system32\Minglmdk.exe24⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Mllchico.exeC:\Windows\system32\Mllchico.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4876 -
C:\Windows\SysWOW64\Mpgoig32.exeC:\Windows\system32\Mpgoig32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3632 -
C:\Windows\SysWOW64\Mcfkec32.exeC:\Windows\system32\Mcfkec32.exe27⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Mgageace.exeC:\Windows\system32\Mgageace.exe28⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Mipcambi.exeC:\Windows\system32\Mipcambi.exe29⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Mpjlngje.exeC:\Windows\system32\Mpjlngje.exe30⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Mchhjbii.exeC:\Windows\system32\Mchhjbii.exe31⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Mgddka32.exeC:\Windows\system32\Mgddka32.exe32⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Mibpgm32.exeC:\Windows\system32\Mibpgm32.exe33⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Mlqlch32.exeC:\Windows\system32\Mlqlch32.exe34⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ndhdde32.exeC:\Windows\system32\Ndhdde32.exe35⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Nckepbgf.exeC:\Windows\system32\Nckepbgf.exe36⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Neialnfj.exeC:\Windows\system32\Neialnfj.exe37⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Nnpimkfl.exeC:\Windows\system32\Nnpimkfl.exe38⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Nlciih32.exeC:\Windows\system32\Nlciih32.exe39⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ndjajeni.exeC:\Windows\system32\Ndjajeni.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Nghmfqmm.exeC:\Windows\system32\Nghmfqmm.exe41⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Njgjbllq.exeC:\Windows\system32\Njgjbllq.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3524 -
C:\Windows\SysWOW64\Nnbebk32.exeC:\Windows\system32\Nnbebk32.exe43⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Npabof32.exeC:\Windows\system32\Npabof32.exe44⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Ndlnoelf.exeC:\Windows\system32\Ndlnoelf.exe45⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Ngkjlpkj.exeC:\Windows\system32\Ngkjlpkj.exe46⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Njifhljn.exeC:\Windows\system32\Njifhljn.exe47⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Nnebhj32.exeC:\Windows\system32\Nnebhj32.exe48⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Npcodf32.exeC:\Windows\system32\Npcodf32.exe49⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Ncakqaqo.exeC:\Windows\system32\Ncakqaqo.exe50⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Nfpgmmpb.exeC:\Windows\system32\Nfpgmmpb.exe51⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Njlcmk32.exeC:\Windows\system32\Njlcmk32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\Nljoig32.exeC:\Windows\system32\Nljoig32.exe53⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Ndagjd32.exeC:\Windows\system32\Ndagjd32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Ncdgfaol.exeC:\Windows\system32\Ncdgfaol.exe55⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Nfbdblnp.exeC:\Windows\system32\Nfbdblnp.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4240 -
C:\Windows\SysWOW64\Nnilcjnb.exeC:\Windows\system32\Nnilcjnb.exe57⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Nlllof32.exeC:\Windows\system32\Nlllof32.exe58⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Odcdpd32.exeC:\Windows\system32\Odcdpd32.exe59⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Ogbploeb.exeC:\Windows\system32\Ogbploeb.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Ofeqhl32.exeC:\Windows\system32\Ofeqhl32.exe61⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Onlhii32.exeC:\Windows\system32\Onlhii32.exe62⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Opjeee32.exeC:\Windows\system32\Opjeee32.exe63⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Odfqecdl.exeC:\Windows\system32\Odfqecdl.exe64⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ogdmaocp.exeC:\Windows\system32\Ogdmaocp.exe65⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Ojbinjbc.exeC:\Windows\system32\Ojbinjbc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4764 -
C:\Windows\SysWOW64\Olaejfag.exeC:\Windows\system32\Olaejfag.exe67⤵PID:4956
-
C:\Windows\SysWOW64\Odhmkcbi.exeC:\Windows\system32\Odhmkcbi.exe68⤵PID:1648
-
C:\Windows\SysWOW64\Ogfjgo32.exeC:\Windows\system32\Ogfjgo32.exe69⤵PID:2972
-
C:\Windows\SysWOW64\Ofijckhg.exeC:\Windows\system32\Ofijckhg.exe70⤵PID:4772
-
C:\Windows\SysWOW64\Onqbdihj.exeC:\Windows\system32\Onqbdihj.exe71⤵PID:1420
-
C:\Windows\SysWOW64\Oqonpdgn.exeC:\Windows\system32\Oqonpdgn.exe72⤵PID:1628
-
C:\Windows\SysWOW64\Ocmjlpfa.exeC:\Windows\system32\Ocmjlpfa.exe73⤵PID:1816
-
C:\Windows\SysWOW64\Ogifmn32.exeC:\Windows\system32\Ogifmn32.exe74⤵
- System Location Discovery: System Language Discovery
PID:3092 -
C:\Windows\SysWOW64\Ojgbij32.exeC:\Windows\system32\Ojgbij32.exe75⤵PID:4564
-
C:\Windows\SysWOW64\Olfoee32.exeC:\Windows\system32\Olfoee32.exe76⤵PID:2724
-
C:\Windows\SysWOW64\Ocpgbodo.exeC:\Windows\system32\Ocpgbodo.exe77⤵PID:5136
-
C:\Windows\SysWOW64\Ofncnkcb.exeC:\Windows\system32\Ofncnkcb.exe78⤵PID:5176
-
C:\Windows\SysWOW64\Onekoh32.exeC:\Windows\system32\Onekoh32.exe79⤵PID:5216
-
C:\Windows\SysWOW64\Omhlkeko.exeC:\Windows\system32\Omhlkeko.exe80⤵
- System Location Discovery: System Language Discovery
PID:5252 -
C:\Windows\SysWOW64\Pdoclbla.exeC:\Windows\system32\Pdoclbla.exe81⤵PID:5292
-
C:\Windows\SysWOW64\Pgnphnke.exeC:\Windows\system32\Pgnphnke.exe82⤵
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Pjlldiji.exeC:\Windows\system32\Pjlldiji.exe83⤵PID:5372
-
C:\Windows\SysWOW64\Pmjhpdil.exeC:\Windows\system32\Pmjhpdil.exe84⤵PID:5416
-
C:\Windows\SysWOW64\Pdapabjo.exeC:\Windows\system32\Pdapabjo.exe85⤵
- System Location Discovery: System Language Discovery
PID:5456 -
C:\Windows\SysWOW64\Pgplnmib.exeC:\Windows\system32\Pgplnmib.exe86⤵PID:5496
-
C:\Windows\SysWOW64\Pjnijihf.exeC:\Windows\system32\Pjnijihf.exe87⤵PID:5536
-
C:\Windows\SysWOW64\Pmmefd32.exeC:\Windows\system32\Pmmefd32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5576 -
C:\Windows\SysWOW64\Pddmga32.exeC:\Windows\system32\Pddmga32.exe89⤵PID:5612
-
C:\Windows\SysWOW64\Pgbicm32.exeC:\Windows\system32\Pgbicm32.exe90⤵PID:5656
-
C:\Windows\SysWOW64\Pnlapgnl.exeC:\Windows\system32\Pnlapgnl.exe91⤵PID:5692
-
C:\Windows\SysWOW64\Pqknlbmp.exeC:\Windows\system32\Pqknlbmp.exe92⤵
- Drops file in System32 directory
PID:5736 -
C:\Windows\SysWOW64\Pgdfim32.exeC:\Windows\system32\Pgdfim32.exe93⤵PID:5772
-
C:\Windows\SysWOW64\Pnoneglj.exeC:\Windows\system32\Pnoneglj.exe94⤵
- Modifies registry class
PID:5816 -
C:\Windows\SysWOW64\Pqmjab32.exeC:\Windows\system32\Pqmjab32.exe95⤵PID:5852
-
C:\Windows\SysWOW64\Pggbnlbj.exeC:\Windows\system32\Pggbnlbj.exe96⤵PID:5896
-
C:\Windows\SysWOW64\Pjeojhbn.exeC:\Windows\system32\Pjeojhbn.exe97⤵PID:5936
-
C:\Windows\SysWOW64\Qqoggb32.exeC:\Windows\system32\Qqoggb32.exe98⤵PID:5972
-
C:\Windows\SysWOW64\Qcnccm32.exeC:\Windows\system32\Qcnccm32.exe99⤵PID:6012
-
C:\Windows\SysWOW64\Qjhlpgpk.exeC:\Windows\system32\Qjhlpgpk.exe100⤵PID:6052
-
C:\Windows\SysWOW64\Qqadmagh.exeC:\Windows\system32\Qqadmagh.exe101⤵PID:6092
-
C:\Windows\SysWOW64\Qgllil32.exeC:\Windows\system32\Qgllil32.exe102⤵
- Drops file in System32 directory
PID:6132 -
C:\Windows\SysWOW64\Amhdab32.exeC:\Windows\system32\Amhdab32.exe103⤵
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Acbmnmdi.exeC:\Windows\system32\Acbmnmdi.exe104⤵PID:4944
-
C:\Windows\SysWOW64\Ajlekg32.exeC:\Windows\system32\Ajlekg32.exe105⤵PID:4200
-
C:\Windows\SysWOW64\Amkagb32.exeC:\Windows\system32\Amkagb32.exe106⤵PID:3392
-
C:\Windows\SysWOW64\Aceidl32.exeC:\Windows\system32\Aceidl32.exe107⤵
- Modifies registry class
PID:3504 -
C:\Windows\SysWOW64\Ajoaqfjc.exeC:\Windows\system32\Ajoaqfjc.exe108⤵PID:4408
-
C:\Windows\SysWOW64\Ammnmbig.exeC:\Windows\system32\Ammnmbig.exe109⤵PID:2800
-
C:\Windows\SysWOW64\Aedfnoii.exeC:\Windows\system32\Aedfnoii.exe110⤵
- System Location Discovery: System Language Discovery
PID:712 -
C:\Windows\SysWOW64\Afebeg32.exeC:\Windows\system32\Afebeg32.exe111⤵PID:2140
-
C:\Windows\SysWOW64\Ampkbagd.exeC:\Windows\system32\Ampkbagd.exe112⤵PID:5124
-
C:\Windows\SysWOW64\Aefbcogf.exeC:\Windows\system32\Aefbcogf.exe113⤵PID:5200
-
C:\Windows\SysWOW64\Ageopj32.exeC:\Windows\system32\Ageopj32.exe114⤵PID:2648
-
C:\Windows\SysWOW64\Ajcklf32.exeC:\Windows\system32\Ajcklf32.exe115⤵PID:4020
-
C:\Windows\SysWOW64\Aamchpmk.exeC:\Windows\system32\Aamchpmk.exe116⤵PID:5380
-
C:\Windows\SysWOW64\Aclpdklo.exeC:\Windows\system32\Aclpdklo.exe117⤵PID:2504
-
C:\Windows\SysWOW64\Afjlqgkb.exeC:\Windows\system32\Afjlqgkb.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5516 -
C:\Windows\SysWOW64\Bnadadld.exeC:\Windows\system32\Bnadadld.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Bappnpkh.exeC:\Windows\system32\Bappnpkh.exe120⤵PID:5636
-
C:\Windows\SysWOW64\Bgjhkjbe.exeC:\Windows\system32\Bgjhkjbe.exe121⤵PID:5684
-
C:\Windows\SysWOW64\Bjhdgeai.exeC:\Windows\system32\Bjhdgeai.exe122⤵PID:2636
-