Analysis
-
max time kernel
95s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 00:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8d63078e8171dc5844707c066c3a0bd28af11b2e6603274443c9699af9ec0e99.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
8d63078e8171dc5844707c066c3a0bd28af11b2e6603274443c9699af9ec0e99.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
8d63078e8171dc5844707c066c3a0bd28af11b2e6603274443c9699af9ec0e99.exe
-
Size
439KB
-
MD5
b72045970ee85f2d822dbd076b3e95d1
-
SHA1
c629e28e5064fbbe1ecdd49edec1c498b3721c61
-
SHA256
8d63078e8171dc5844707c066c3a0bd28af11b2e6603274443c9699af9ec0e99
-
SHA512
4e024b1ff72ff1e74be487801d9c315aa8f205cd04838570557ddb0b2890653f2a7336b4beecc5c8fb4f9bad6943ef37bba0ae5245653f8ff299ba8c49a628bb
-
SSDEEP
12288:nSwJPeKm2OPeKm22Vtp90NtmVtp90NtXONtE:nSupEkpEYE
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoabad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebjcajjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knalji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmqlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johnamkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogbfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpkflfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkkmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domdjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kegpifod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hloqml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chglab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Holfoqcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mogcihaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkimho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coegoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jklphekp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kecabifp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feoodn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ickglm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegpifod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbkbpoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnmjjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckeimm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifomll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opclldhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfiplog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajagj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqdlnde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbofcghl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgpod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedccfqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgcihgaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopocbcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhnikc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejeiocj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgibpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kelkaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kageaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plejdkmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkjnfkma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jngbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cponen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knkekn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlpokp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Micoed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmmaeap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plndcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kodnmkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lflbkcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmpolgoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adhdjpjf.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4648 Ihbdplfi.exe 5080 Idieem32.exe 4484 Iggaah32.exe 3460 Idkbkl32.exe 2524 Igjngh32.exe 4796 Ijhjcchb.exe 2884 Indfca32.exe 4740 Ibobdqid.exe 1584 Jdnoplhh.exe 4808 Jhijqj32.exe 1048 Jglklggl.exe 4692 Jjjghcfp.exe 3608 Jnfcia32.exe 1040 Jbaojpgb.exe 4564 Jqdoem32.exe 1032 Jdpkflfe.exe 1912 Jhlgfj32.exe 2148 Jkjcbe32.exe 4296 Jjmcnbdm.exe 3084 Jnhpoamf.exe 2940 Jbdlop32.exe 4620 Jqglkmlj.exe 1424 Jdbhkk32.exe 2308 Jhndljll.exe 1660 Jgadgf32.exe 756 Jklphekp.exe 244 Jjopcb32.exe 4040 Jbfheo32.exe 876 Jqiipljg.exe 892 Jdedak32.exe 4536 Jhpqaiji.exe 5020 Jgcamf32.exe 4912 Jkomneim.exe 3708 Jjamia32.exe 1820 Jbiejoaj.exe 836 Jqlefl32.exe 704 Jdgafjpn.exe 5108 Jgenbfoa.exe 3164 Jkaicd32.exe 4556 Jnpfop32.exe 2236 Jbkbpoog.exe 4988 Kqnbkl32.exe 1084 Kiejmi32.exe 2392 Kghjhemo.exe 2776 Kjffdalb.exe 2652 Kbmoen32.exe 808 Kqpoakco.exe 5040 Kelkaj32.exe 4548 Kiggbhda.exe 4820 Kkfcndce.exe 828 Kjhcjq32.exe 1456 Kndojobi.exe 2216 Kqbkfkal.exe 2380 Kenggi32.exe 1436 Kijchhbo.exe 2312 Kkhpdcab.exe 412 Kjkpoq32.exe 4724 Knflpoqf.exe 4320 Kaehljpj.exe 440 Keqdmihc.exe 1112 Kilpmh32.exe 1556 Kkjlic32.exe 1816 Kjmmepfj.exe 2512 Kniieo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Djhimica.exe Dcnqpo32.exe File created C:\Windows\SysWOW64\Elpkep32.exe Emmkiclm.exe File opened for modification C:\Windows\SysWOW64\Pejkmk32.exe Pmcclm32.exe File created C:\Windows\SysWOW64\Ineedcfb.dll Ckeimm32.exe File created C:\Windows\SysWOW64\Lbkkgl32.exe Ljdceo32.exe File created C:\Windows\SysWOW64\Apddkmko.dll Lejgch32.exe File opened for modification C:\Windows\SysWOW64\Lcnmin32.exe Lnadagbm.exe File created C:\Windows\SysWOW64\Fcokoohi.dll Npbceggm.exe File created C:\Windows\SysWOW64\Lhmmjbkf.exe Lijlof32.exe File created C:\Windows\SysWOW64\Pejkmk32.exe Pmcclm32.exe File created C:\Windows\SysWOW64\Hkdoio32.dll Ilqoobdd.exe File created C:\Windows\SysWOW64\Dddjmo32.dll Pmblagmf.exe File opened for modification C:\Windows\SysWOW64\Nknobkje.exe Nlkngo32.exe File created C:\Windows\SysWOW64\Cmflbf32.exe Cbphdn32.exe File created C:\Windows\SysWOW64\Kqphfe32.exe Knalji32.exe File opened for modification C:\Windows\SysWOW64\Blielbfi.exe Bhnikc32.exe File opened for modification C:\Windows\SysWOW64\Qhngolpo.exe Qepkbpak.exe File opened for modification C:\Windows\SysWOW64\Gigaka32.exe Gdjibj32.exe File created C:\Windows\SysWOW64\Eghghj32.dll Kdbjhbbd.exe File opened for modification C:\Windows\SysWOW64\Afbgkl32.exe Ahofoogd.exe File created C:\Windows\SysWOW64\Jmheim32.dll Ffmfchle.exe File created C:\Windows\SysWOW64\Pmaffnce.exe Phdnngdn.exe File created C:\Windows\SysWOW64\Mgnlkfal.exe Mogcihaj.exe File created C:\Windows\SysWOW64\Kkfcndce.exe Kiggbhda.exe File created C:\Windows\SysWOW64\Gikgni32.dll Boenhgdd.exe File created C:\Windows\SysWOW64\Gbhhlfgd.dll Bahdob32.exe File created C:\Windows\SysWOW64\Aafkfgeh.dll Jgkmgk32.exe File created C:\Windows\SysWOW64\Lfdqcn32.dll Pjmjdm32.exe File created C:\Windows\SysWOW64\Plkpcfal.exe Peahgl32.exe File created C:\Windows\SysWOW64\Aafemk32.exe Qklmpalf.exe File opened for modification C:\Windows\SysWOW64\Bhnikc32.exe Bnhenj32.exe File created C:\Windows\SysWOW64\Mnjqmpgg.exe Mfchlbfd.exe File opened for modification C:\Windows\SysWOW64\Nceefd32.exe Nmkmjjaa.exe File created C:\Windows\SysWOW64\Opeiadfg.exe Ojhpimhp.exe File created C:\Windows\SysWOW64\Hkfoel32.dll Ojhpimhp.exe File created C:\Windows\SysWOW64\Jjmcnbdm.exe Jkjcbe32.exe File created C:\Windows\SysWOW64\Kkhpdcab.exe Kijchhbo.exe File opened for modification C:\Windows\SysWOW64\Ljdceo32.exe Lkabjbih.exe File created C:\Windows\SysWOW64\Faikapbo.dll Akcjkfij.exe File opened for modification C:\Windows\SysWOW64\Gidnkkpc.exe Fnnjmbpm.exe File created C:\Windows\SysWOW64\Amjmfo32.dll Kjhcjq32.exe File created C:\Windows\SysWOW64\Gifkpknp.exe Gpnfge32.exe File created C:\Windows\SysWOW64\Jklaah32.dll 8d63078e8171dc5844707c066c3a0bd28af11b2e6603274443c9699af9ec0e99.exe File created C:\Windows\SysWOW64\Kelkaj32.exe Kqpoakco.exe File opened for modification C:\Windows\SysWOW64\Malgcg32.exe Mbighjdd.exe File opened for modification C:\Windows\SysWOW64\Nenbjo32.exe Ngjbaj32.exe File created C:\Windows\SysWOW64\Ckeimm32.exe Chglab32.exe File opened for modification C:\Windows\SysWOW64\Lcnfohmi.exe Lmdnbn32.exe File created C:\Windows\SysWOW64\Indfca32.exe Ijhjcchb.exe File created C:\Windows\SysWOW64\Kjmmepfj.exe Kkjlic32.exe File created C:\Windows\SysWOW64\Mbgjbkfg.exe Mhafeb32.exe File created C:\Windows\SysWOW64\Fkemhahj.dll Nlhkgi32.exe File opened for modification C:\Windows\SysWOW64\Phdnngdn.exe Pmoiqneg.exe File created C:\Windows\SysWOW64\Gipdap32.exe Gdcliikj.exe File created C:\Windows\SysWOW64\Jdmgfedl.exe Ikdcmpnl.exe File created C:\Windows\SysWOW64\Aolblopj.exe Aknifq32.exe File opened for modification C:\Windows\SysWOW64\Flmqlg32.exe Fpgpgfmh.exe File opened for modification C:\Windows\SysWOW64\Mjaabq32.exe Mokmdh32.exe File opened for modification C:\Windows\SysWOW64\Nimbkc32.exe Neafjdkn.exe File created C:\Windows\SysWOW64\Pbjnik32.dll Flinkojm.exe File created C:\Windows\SysWOW64\Illddp32.dll Ldipha32.exe File opened for modification C:\Windows\SysWOW64\Coohhlpe.exe Blqllqqa.exe File created C:\Windows\SysWOW64\Jedccfqg.exe Jphkkpbp.exe File created C:\Windows\SysWOW64\Dgegjnih.dll Onocomdo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14168 14044 WerFault.exe 714 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baegibae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbolp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcinna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hildmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqmkae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokmdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjdmbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonhghjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nimbkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklmpalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhclmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdcag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknlbhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glcaambb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfipef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgipd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobhkjdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnqpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplobcpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckebcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjffdalb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmoen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neccpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhldpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmfchle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmhmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnkbkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgcihgaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflhoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllokajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnlmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlpokp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcggio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejkmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chglab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbkbpoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicedn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeeobbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahenokjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldipha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coohhlpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmadco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgeedch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbloglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnfohmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djqblj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikdcmpnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feoodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpqldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijchhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flinkojm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmbmkpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnadagbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfaajnfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkomneim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifona32.dll" Pcobaedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkjmfeo.dll" Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbcohkd.dll" Elbhjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jngbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qklmpalf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgnbdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmdnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingcceof.dll" Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgenbfoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kniieo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbphdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neqhhf32.dll" Dpdaepai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddjmo32.dll" Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadpldgf.dll" Kinmcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieneofbo.dll" Cobkhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hglppijc.dll" Ihbdplfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neoogc32.dll" Igjngh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdgafjpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojigdcll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doepmnag.dll" Jllokajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmemlfol.dll" Hpabni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gflhoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hplicjok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minqeaad.dll" Lokdnjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnafno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmifh32.dll" Eiloco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckebcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnggge32.dll" Lbinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhepbll.dll" Dkbocbog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghghj32.dll" Kdbjhbbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chnbbqpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdcmh32.dll" Glcaambb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lncjlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfmcjlk.dll" Pfoann32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efeihb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Legjmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neccpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjmfjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afnqfkij.dll" Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjonng32.dll" Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mokmdh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4080 wrote to memory of 4648 4080 8d63078e8171dc5844707c066c3a0bd28af11b2e6603274443c9699af9ec0e99.exe 83 PID 4080 wrote to memory of 4648 4080 8d63078e8171dc5844707c066c3a0bd28af11b2e6603274443c9699af9ec0e99.exe 83 PID 4080 wrote to memory of 4648 4080 8d63078e8171dc5844707c066c3a0bd28af11b2e6603274443c9699af9ec0e99.exe 83 PID 4648 wrote to memory of 5080 4648 Ihbdplfi.exe 84 PID 4648 wrote to memory of 5080 4648 Ihbdplfi.exe 84 PID 4648 wrote to memory of 5080 4648 Ihbdplfi.exe 84 PID 5080 wrote to memory of 4484 5080 Idieem32.exe 85 PID 5080 wrote to memory of 4484 5080 Idieem32.exe 85 PID 5080 wrote to memory of 4484 5080 Idieem32.exe 85 PID 4484 wrote to memory of 3460 4484 Iggaah32.exe 86 PID 4484 wrote to memory of 3460 4484 Iggaah32.exe 86 PID 4484 wrote to memory of 3460 4484 Iggaah32.exe 86 PID 3460 wrote to memory of 2524 3460 Idkbkl32.exe 87 PID 3460 wrote to memory of 2524 3460 Idkbkl32.exe 87 PID 3460 wrote to memory of 2524 3460 Idkbkl32.exe 87 PID 2524 wrote to memory of 4796 2524 Igjngh32.exe 88 PID 2524 wrote to memory of 4796 2524 Igjngh32.exe 88 PID 2524 wrote to memory of 4796 2524 Igjngh32.exe 88 PID 4796 wrote to memory of 2884 4796 Ijhjcchb.exe 89 PID 4796 wrote to memory of 2884 4796 Ijhjcchb.exe 89 PID 4796 wrote to memory of 2884 4796 Ijhjcchb.exe 89 PID 2884 wrote to memory of 4740 2884 Indfca32.exe 90 PID 2884 wrote to memory of 4740 2884 Indfca32.exe 90 PID 2884 wrote to memory of 4740 2884 Indfca32.exe 90 PID 4740 wrote to memory of 1584 4740 Ibobdqid.exe 91 PID 4740 wrote to memory of 1584 4740 Ibobdqid.exe 91 PID 4740 wrote to memory of 1584 4740 Ibobdqid.exe 91 PID 1584 wrote to memory of 4808 1584 Jdnoplhh.exe 92 PID 1584 wrote to memory of 4808 1584 Jdnoplhh.exe 92 PID 1584 wrote to memory of 4808 1584 Jdnoplhh.exe 92 PID 4808 wrote to memory of 1048 4808 Jhijqj32.exe 93 PID 4808 wrote to memory of 1048 4808 Jhijqj32.exe 93 PID 4808 wrote to memory of 1048 4808 Jhijqj32.exe 93 PID 1048 wrote to memory of 4692 1048 Jglklggl.exe 94 PID 1048 wrote to memory of 4692 1048 Jglklggl.exe 94 PID 1048 wrote to memory of 4692 1048 Jglklggl.exe 94 PID 4692 wrote to memory of 3608 4692 Jjjghcfp.exe 95 PID 4692 wrote to memory of 3608 4692 Jjjghcfp.exe 95 PID 4692 wrote to memory of 3608 4692 Jjjghcfp.exe 95 PID 3608 wrote to memory of 1040 3608 Jnfcia32.exe 96 PID 3608 wrote to memory of 1040 3608 Jnfcia32.exe 96 PID 3608 wrote to memory of 1040 3608 Jnfcia32.exe 96 PID 1040 wrote to memory of 4564 1040 Jbaojpgb.exe 97 PID 1040 wrote to memory of 4564 1040 Jbaojpgb.exe 97 PID 1040 wrote to memory of 4564 1040 Jbaojpgb.exe 97 PID 4564 wrote to memory of 1032 4564 Jqdoem32.exe 98 PID 4564 wrote to memory of 1032 4564 Jqdoem32.exe 98 PID 4564 wrote to memory of 1032 4564 Jqdoem32.exe 98 PID 1032 wrote to memory of 1912 1032 Jdpkflfe.exe 99 PID 1032 wrote to memory of 1912 1032 Jdpkflfe.exe 99 PID 1032 wrote to memory of 1912 1032 Jdpkflfe.exe 99 PID 1912 wrote to memory of 2148 1912 Jhlgfj32.exe 100 PID 1912 wrote to memory of 2148 1912 Jhlgfj32.exe 100 PID 1912 wrote to memory of 2148 1912 Jhlgfj32.exe 100 PID 2148 wrote to memory of 4296 2148 Jkjcbe32.exe 101 PID 2148 wrote to memory of 4296 2148 Jkjcbe32.exe 101 PID 2148 wrote to memory of 4296 2148 Jkjcbe32.exe 101 PID 4296 wrote to memory of 3084 4296 Jjmcnbdm.exe 102 PID 4296 wrote to memory of 3084 4296 Jjmcnbdm.exe 102 PID 4296 wrote to memory of 3084 4296 Jjmcnbdm.exe 102 PID 3084 wrote to memory of 2940 3084 Jnhpoamf.exe 103 PID 3084 wrote to memory of 2940 3084 Jnhpoamf.exe 103 PID 3084 wrote to memory of 2940 3084 Jnhpoamf.exe 103 PID 2940 wrote to memory of 4620 2940 Jbdlop32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d63078e8171dc5844707c066c3a0bd28af11b2e6603274443c9699af9ec0e99.exe"C:\Users\Admin\AppData\Local\Temp\8d63078e8171dc5844707c066c3a0bd28af11b2e6603274443c9699af9ec0e99.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe23⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe24⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe25⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe26⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe28⤵
- Executes dropped EXE
PID:244 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe29⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe30⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe31⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe32⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe33⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe35⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe36⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe37⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe40⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe41⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe43⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe44⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe45⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4548 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe51⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe53⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe54⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe55⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe57⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe58⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe59⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe60⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe61⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe62⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:740 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:768 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe68⤵
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe69⤵PID:4968
-
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe70⤵PID:2564
-
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5000 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe73⤵PID:1372
-
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe74⤵PID:1404
-
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe75⤵PID:4140
-
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe76⤵PID:4984
-
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe77⤵
- Modifies registry class
PID:60 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe78⤵PID:4612
-
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe79⤵
- Modifies registry class
PID:4544 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe80⤵PID:700
-
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe81⤵
- Drops file in System32 directory
PID:1236 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe82⤵
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe83⤵PID:4056
-
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe84⤵PID:4684
-
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe85⤵
- Drops file in System32 directory
PID:3396 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe86⤵PID:3452
-
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe87⤵PID:3360
-
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe88⤵PID:4308
-
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe89⤵PID:3520
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe90⤵PID:1164
-
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe91⤵PID:3112
-
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe92⤵PID:3056
-
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe93⤵PID:3172
-
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe94⤵PID:3752
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe95⤵
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe96⤵PID:4228
-
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe97⤵
- Drops file in System32 directory
PID:4100 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe98⤵PID:4312
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe100⤵PID:3680
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe101⤵
- Drops file in System32 directory
PID:3904 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe102⤵PID:2228
-
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3748 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe104⤵PID:4356
-
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe105⤵PID:3388
-
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe106⤵PID:2244
-
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe107⤵PID:4020
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe108⤵PID:2292
-
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe109⤵PID:3184
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe110⤵PID:5060
-
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe111⤵PID:2168
-
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe112⤵PID:4360
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe113⤵PID:4832
-
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe114⤵PID:5148
-
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe115⤵PID:5188
-
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe116⤵PID:5228
-
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe117⤵PID:5284
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe118⤵PID:5332
-
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe119⤵PID:5368
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe120⤵
- Drops file in System32 directory
PID:5400 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5444
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-