Analysis
-
max time kernel
145s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 03:35
Behavioral task
behavioral1
Sample
d812fc05ff7a8c7d151673c4fbb5c51e74f7fa5b0c01de782b40399cd1a0c370.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
d812fc05ff7a8c7d151673c4fbb5c51e74f7fa5b0c01de782b40399cd1a0c370.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
d812fc05ff7a8c7d151673c4fbb5c51e74f7fa5b0c01de782b40399cd1a0c370.exe
-
Size
482KB
-
MD5
c1abfff68d9a91c3636e7dbac847c3a8
-
SHA1
f06e5523a7a7c019bc1782c08f9f450114350ed6
-
SHA256
d812fc05ff7a8c7d151673c4fbb5c51e74f7fa5b0c01de782b40399cd1a0c370
-
SHA512
06dd1dafbbe04b1af3e7f89fcd09a872a8dff6d78597a5e8e204f3de3eb7404edcfde123c6d21f3d2a2b64c0022cede3a77d16bffc8a4f1844cbe05f38320f7b
-
SSDEEP
12288:pUWGyKLMwGXAF5KLVGFB24lwR45FB24l:pcyKLZkO5KLVuPLP
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmimcbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehebbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmfalg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncipjieo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnbpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbghhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kaholp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nobndj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkjkflb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdkhjgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmmdin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchhqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefhlcdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lilomj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difqji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anbmbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apkbnibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qanolm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbgjgomc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpopddd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjhki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifolhann.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdldeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnahilc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogdaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clciod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbbomjnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Endklmlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nknkeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkdpnil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkaane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckhpejbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpiaipmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdppm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Modlbmmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kenhopmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aipgifcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eacghhkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpgloog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onamle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgfjggll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deondj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkgfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbigmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meljbqna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiilge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmkne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aognbnkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjlpmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nckmpicl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adaiee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkjpggkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgqion32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjmlhbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajamfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aifjgdkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kenhopmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fogdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpfbegei.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2880 Kbbobkol.exe 2848 Kokmmkcm.exe 2612 Lgingm32.exe 2584 Ldokfakl.exe 2640 Lkicbk32.exe 2940 Mhfjjdjf.exe 616 Mcknhm32.exe 1908 Modlbmmn.exe 1208 Njpihk32.exe 2844 Nqjaeeog.exe 568 Nfgjml32.exe 2220 Nqmnjd32.exe 2180 Njeccjcd.exe 1752 Npbklabl.exe 652 Njgpij32.exe 636 Ncpdbohb.exe 1504 Omhhke32.exe 1964 Obeacl32.exe 644 Ohbikbkb.exe 2368 Oajndh32.exe 3020 Olpbaa32.exe 1252 Objjnkie.exe 1016 Odkgec32.exe 896 Onqkclni.exe 2448 Ohipla32.exe 2904 Paaddgkj.exe 2720 Pfnmmn32.exe 2780 Pdbmfb32.exe 2608 Pioeoi32.exe 3056 Pbgjgomc.exe 1120 Plpopddd.exe 2240 Pbigmn32.exe 2140 Plbkfdba.exe 1720 Paocnkph.exe 1412 Qkghgpfi.exe 916 Qemldifo.exe 1724 Qoeamo32.exe 2464 Adaiee32.exe 1300 Aognbnkm.exe 2984 Ahpbkd32.exe 1884 Anljck32.exe 1012 Ageompfe.exe 2512 Alageg32.exe 3012 Aejlnmkm.exe 888 Apppkekc.exe 1520 Ajhddk32.exe 580 Boemlbpk.exe 1876 Bhmaeg32.exe 600 Baefnmml.exe 1744 Blkjkflb.exe 748 Bnlgbnbp.exe 624 Bfcodkcb.exe 2116 Bgdkkc32.exe 2976 Bnochnpm.exe 1804 Bkbdabog.exe 1900 Bdkhjgeh.exe 2364 Cjhabndo.exe 1556 Cglalbbi.exe 2708 Cqdfehii.exe 2592 Cfanmogq.exe 1212 Cceogcfj.exe 2128 Cjogcm32.exe 596 Ccgklc32.exe 1416 Cmppehkh.exe -
Loads dropped DLL 64 IoCs
pid Process 2316 d812fc05ff7a8c7d151673c4fbb5c51e74f7fa5b0c01de782b40399cd1a0c370.exe 2316 d812fc05ff7a8c7d151673c4fbb5c51e74f7fa5b0c01de782b40399cd1a0c370.exe 2880 Kbbobkol.exe 2880 Kbbobkol.exe 2848 Kokmmkcm.exe 2848 Kokmmkcm.exe 2612 Lgingm32.exe 2612 Lgingm32.exe 2584 Ldokfakl.exe 2584 Ldokfakl.exe 2640 Lkicbk32.exe 2640 Lkicbk32.exe 2940 Mhfjjdjf.exe 2940 Mhfjjdjf.exe 616 Mcknhm32.exe 616 Mcknhm32.exe 1908 Modlbmmn.exe 1908 Modlbmmn.exe 1208 Njpihk32.exe 1208 Njpihk32.exe 2844 Nqjaeeog.exe 2844 Nqjaeeog.exe 568 Nfgjml32.exe 568 Nfgjml32.exe 2220 Nqmnjd32.exe 2220 Nqmnjd32.exe 2180 Njeccjcd.exe 2180 Njeccjcd.exe 1752 Npbklabl.exe 1752 Npbklabl.exe 652 Njgpij32.exe 652 Njgpij32.exe 636 Ncpdbohb.exe 636 Ncpdbohb.exe 1504 Omhhke32.exe 1504 Omhhke32.exe 1964 Obeacl32.exe 1964 Obeacl32.exe 644 Ohbikbkb.exe 644 Ohbikbkb.exe 2368 Oajndh32.exe 2368 Oajndh32.exe 3020 Olpbaa32.exe 3020 Olpbaa32.exe 1252 Objjnkie.exe 1252 Objjnkie.exe 1016 Odkgec32.exe 1016 Odkgec32.exe 896 Onqkclni.exe 896 Onqkclni.exe 2448 Ohipla32.exe 2448 Ohipla32.exe 2904 Paaddgkj.exe 2904 Paaddgkj.exe 2720 Pfnmmn32.exe 2720 Pfnmmn32.exe 2780 Pdbmfb32.exe 2780 Pdbmfb32.exe 2608 Pioeoi32.exe 2608 Pioeoi32.exe 3056 Pbgjgomc.exe 3056 Pbgjgomc.exe 1120 Plpopddd.exe 1120 Plpopddd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Biqfpb32.exe Bfbjdf32.exe File created C:\Windows\SysWOW64\Ilalae32.dll Ehpcehcj.exe File opened for modification C:\Windows\SysWOW64\Cdnncfoe.exe Clciod32.exe File created C:\Windows\SysWOW64\Mpmpji32.dll Fogdap32.exe File created C:\Windows\SysWOW64\Lbgkfbbj.exe Kaholp32.exe File created C:\Windows\SysWOW64\Aeokba32.exe Ajjgei32.exe File opened for modification C:\Windows\SysWOW64\Glpgibbn.exe Golgon32.exe File created C:\Windows\SysWOW64\Meemgk32.exe Mdepmh32.exe File opened for modification C:\Windows\SysWOW64\Ckiiiine.exe Clfhml32.exe File opened for modification C:\Windows\SysWOW64\Anljck32.exe Ahpbkd32.exe File created C:\Windows\SysWOW64\Pcieol32.dll Cjppfl32.exe File created C:\Windows\SysWOW64\Noingpnc.dll Dphhka32.exe File opened for modification C:\Windows\SysWOW64\Fdfmpc32.exe Fmlecinf.exe File opened for modification C:\Windows\SysWOW64\Eqkjmcmq.exe Ecgjdong.exe File created C:\Windows\SysWOW64\Oggpcipi.dll Ijdppm32.exe File created C:\Windows\SysWOW64\Pbgjgomc.exe Pioeoi32.exe File created C:\Windows\SysWOW64\Jaoobkci.dll Ahpbkd32.exe File created C:\Windows\SysWOW64\Nidjhoea.dll Fefqdl32.exe File opened for modification C:\Windows\SysWOW64\Gkgoff32.exe Gdnfjl32.exe File created C:\Windows\SysWOW64\Oighcd32.exe Olchjp32.exe File created C:\Windows\SysWOW64\Kglfcd32.exe Kabngjla.exe File opened for modification C:\Windows\SysWOW64\Bodhjdcc.exe Beldao32.exe File created C:\Windows\SysWOW64\Hakhbifq.dll Chmibmlo.exe File created C:\Windows\SysWOW64\Bnochnpm.exe Bgdkkc32.exe File opened for modification C:\Windows\SysWOW64\Emoldlmc.exe Dcghkf32.exe File created C:\Windows\SysWOW64\Faphfl32.dll Iipejmko.exe File opened for modification C:\Windows\SysWOW64\Jedehaea.exe Jllqplnp.exe File opened for modification C:\Windows\SysWOW64\Ggbieb32.exe Fogdap32.exe File opened for modification C:\Windows\SysWOW64\Gkpakq32.exe Gpjmnh32.exe File opened for modification C:\Windows\SysWOW64\Negeln32.exe Nkaane32.exe File created C:\Windows\SysWOW64\Ilemce32.exe Hekefkig.exe File opened for modification C:\Windows\SysWOW64\Cmppehkh.exe Ccgklc32.exe File created C:\Windows\SysWOW64\Alhpic32.dll Kmimcbja.exe File created C:\Windows\SysWOW64\Alcfgo32.dll Lohelidp.exe File created C:\Windows\SysWOW64\Kiecgo32.exe Kgdgpfnf.exe File opened for modification C:\Windows\SysWOW64\Lpdankjg.exe Lglmefcg.exe File opened for modification C:\Windows\SysWOW64\Mokkegmm.exe Mecglbfl.exe File created C:\Windows\SysWOW64\Dkjhjm32.exe Dhklna32.exe File created C:\Windows\SysWOW64\Dcming32.dll Pbgefa32.exe File created C:\Windows\SysWOW64\Kacclb32.dll Beggec32.exe File created C:\Windows\SysWOW64\Doijgpba.dll Pnimpcke.exe File created C:\Windows\SysWOW64\Mmjgpkif.dll Cglalbbi.exe File created C:\Windows\SysWOW64\Lkhkagoh.dll Cceogcfj.exe File created C:\Windows\SysWOW64\Fefqdl32.exe Fkqlgc32.exe File created C:\Windows\SysWOW64\Ffbpca32.dll Hiioin32.exe File opened for modification C:\Windows\SysWOW64\Lplbjm32.exe Lmmfnb32.exe File created C:\Windows\SysWOW64\Ohopde32.dll Nkclkl32.exe File opened for modification C:\Windows\SysWOW64\Pcpbik32.exe Pjhnqfla.exe File created C:\Windows\SysWOW64\Lnoipg32.dll Qanolm32.exe File opened for modification C:\Windows\SysWOW64\Aalofa32.exe Apkbnibq.exe File created C:\Windows\SysWOW64\Hjpqkajf.dll Difqji32.exe File opened for modification C:\Windows\SysWOW64\Dnefhpma.exe Daaenlng.exe File created C:\Windows\SysWOW64\Phcgcahd.dll Nhbciaki.exe File created C:\Windows\SysWOW64\Bgmnpn32.exe Bapfhg32.exe File opened for modification C:\Windows\SysWOW64\Clciod32.exe Booiep32.exe File opened for modification C:\Windows\SysWOW64\Jcdadhjb.exe Jeaahk32.exe File opened for modification C:\Windows\SysWOW64\Einebddd.exe Ebcmfj32.exe File opened for modification C:\Windows\SysWOW64\Daaenlng.exe Difqji32.exe File created C:\Windows\SysWOW64\Piaoqi32.dll Gpggei32.exe File opened for modification C:\Windows\SysWOW64\Jfohgepi.exe Jabponba.exe File created C:\Windows\SysWOW64\Nihkmh32.dll Allgoa32.exe File opened for modification C:\Windows\SysWOW64\Laodmoep.exe Lhfpdi32.exe File created C:\Windows\SysWOW64\Dnjoco32.exe Deakjjbk.exe File created C:\Windows\SysWOW64\Nhldnm32.dll Abdbflnf.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imhqbkbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckhdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlifadkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapfhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdgecna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgingm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqmmbqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elieipej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebcmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allgoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaagcpdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmmbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpobefe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phobjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcppkbia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncolfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoalia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfcodkcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hekefkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllqplnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pijgbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjqcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhkopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnpgloog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdlpnamm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbklabl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqpdcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkpakq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joblkegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigibh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnahgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgciff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqjaeeog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgjpaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggjjlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daaenlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpefc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdpohodn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnmialh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omiand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbpqmfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifobe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpgce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibkhak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifbdnbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfjhbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebpakbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdjihgef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apfici32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqeapo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehebbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkcilc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbconkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacefpbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhhke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfmkbebl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phaoppja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjppfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfpdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqllghon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoldlmc.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eacghhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nckmpicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iqllghon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjijkmbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kigibh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Plpopddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nqpdcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npechhgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Beldao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkclkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelpjgll.dll" Bapfhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmgaio32.dll" Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcieol32.dll" Cjppfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llpoohik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Piohgbng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nfgjml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjofl32.dll" Odkgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clfhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqplf32.dll" Dhklna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnedp32.dll" Eifobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glnkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnnmeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhkopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llbconkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll" Llepen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll" Ifolhann.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dinpnged.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjkbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Malmllfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jalnli32.dll" Ahcjmkbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbigmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phoogg32.dll" Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll" Ikjhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgope32.dll" Hdgkicek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjfmem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Caenkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omgfflgg.dll" Ldokfakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aeiecfga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jecnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnghhmn.dll" Kmfpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldjmidcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djicmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjnpn32.dll" Kokmmkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibacbcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olchjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpiaipmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kglfcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nepokogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfikokgf.dll" Andjgidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkkgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Padccpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Miclhpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjqnpjb.dll" Ooofcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckiiiine.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oqkpmaif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfaqfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gllnnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Negeln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdekc32.dll" Paocnkph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lofifi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2880 2316 d812fc05ff7a8c7d151673c4fbb5c51e74f7fa5b0c01de782b40399cd1a0c370.exe 30 PID 2316 wrote to memory of 2880 2316 d812fc05ff7a8c7d151673c4fbb5c51e74f7fa5b0c01de782b40399cd1a0c370.exe 30 PID 2316 wrote to memory of 2880 2316 d812fc05ff7a8c7d151673c4fbb5c51e74f7fa5b0c01de782b40399cd1a0c370.exe 30 PID 2316 wrote to memory of 2880 2316 d812fc05ff7a8c7d151673c4fbb5c51e74f7fa5b0c01de782b40399cd1a0c370.exe 30 PID 2880 wrote to memory of 2848 2880 Kbbobkol.exe 31 PID 2880 wrote to memory of 2848 2880 Kbbobkol.exe 31 PID 2880 wrote to memory of 2848 2880 Kbbobkol.exe 31 PID 2880 wrote to memory of 2848 2880 Kbbobkol.exe 31 PID 2848 wrote to memory of 2612 2848 Kokmmkcm.exe 32 PID 2848 wrote to memory of 2612 2848 Kokmmkcm.exe 32 PID 2848 wrote to memory of 2612 2848 Kokmmkcm.exe 32 PID 2848 wrote to memory of 2612 2848 Kokmmkcm.exe 32 PID 2612 wrote to memory of 2584 2612 Lgingm32.exe 33 PID 2612 wrote to memory of 2584 2612 Lgingm32.exe 33 PID 2612 wrote to memory of 2584 2612 Lgingm32.exe 33 PID 2612 wrote to memory of 2584 2612 Lgingm32.exe 33 PID 2584 wrote to memory of 2640 2584 Ldokfakl.exe 34 PID 2584 wrote to memory of 2640 2584 Ldokfakl.exe 34 PID 2584 wrote to memory of 2640 2584 Ldokfakl.exe 34 PID 2584 wrote to memory of 2640 2584 Ldokfakl.exe 34 PID 2640 wrote to memory of 2940 2640 Lkicbk32.exe 35 PID 2640 wrote to memory of 2940 2640 Lkicbk32.exe 35 PID 2640 wrote to memory of 2940 2640 Lkicbk32.exe 35 PID 2640 wrote to memory of 2940 2640 Lkicbk32.exe 35 PID 2940 wrote to memory of 616 2940 Mhfjjdjf.exe 36 PID 2940 wrote to memory of 616 2940 Mhfjjdjf.exe 36 PID 2940 wrote to memory of 616 2940 Mhfjjdjf.exe 36 PID 2940 wrote to memory of 616 2940 Mhfjjdjf.exe 36 PID 616 wrote to memory of 1908 616 Mcknhm32.exe 37 PID 616 wrote to memory of 1908 616 Mcknhm32.exe 37 PID 616 wrote to memory of 1908 616 Mcknhm32.exe 37 PID 616 wrote to memory of 1908 616 Mcknhm32.exe 37 PID 1908 wrote to memory of 1208 1908 Modlbmmn.exe 38 PID 1908 wrote to memory of 1208 1908 Modlbmmn.exe 38 PID 1908 wrote to memory of 1208 1908 Modlbmmn.exe 38 PID 1908 wrote to memory of 1208 1908 Modlbmmn.exe 38 PID 1208 wrote to memory of 2844 1208 Njpihk32.exe 39 PID 1208 wrote to memory of 2844 1208 Njpihk32.exe 39 PID 1208 wrote to memory of 2844 1208 Njpihk32.exe 39 PID 1208 wrote to memory of 2844 1208 Njpihk32.exe 39 PID 2844 wrote to memory of 568 2844 Nqjaeeog.exe 40 PID 2844 wrote to memory of 568 2844 Nqjaeeog.exe 40 PID 2844 wrote to memory of 568 2844 Nqjaeeog.exe 40 PID 2844 wrote to memory of 568 2844 Nqjaeeog.exe 40 PID 568 wrote to memory of 2220 568 Nfgjml32.exe 41 PID 568 wrote to memory of 2220 568 Nfgjml32.exe 41 PID 568 wrote to memory of 2220 568 Nfgjml32.exe 41 PID 568 wrote to memory of 2220 568 Nfgjml32.exe 41 PID 2220 wrote to memory of 2180 2220 Nqmnjd32.exe 42 PID 2220 wrote to memory of 2180 2220 Nqmnjd32.exe 42 PID 2220 wrote to memory of 2180 2220 Nqmnjd32.exe 42 PID 2220 wrote to memory of 2180 2220 Nqmnjd32.exe 42 PID 2180 wrote to memory of 1752 2180 Njeccjcd.exe 43 PID 2180 wrote to memory of 1752 2180 Njeccjcd.exe 43 PID 2180 wrote to memory of 1752 2180 Njeccjcd.exe 43 PID 2180 wrote to memory of 1752 2180 Njeccjcd.exe 43 PID 1752 wrote to memory of 652 1752 Npbklabl.exe 44 PID 1752 wrote to memory of 652 1752 Npbklabl.exe 44 PID 1752 wrote to memory of 652 1752 Npbklabl.exe 44 PID 1752 wrote to memory of 652 1752 Npbklabl.exe 44 PID 652 wrote to memory of 636 652 Njgpij32.exe 45 PID 652 wrote to memory of 636 652 Njgpij32.exe 45 PID 652 wrote to memory of 636 652 Njgpij32.exe 45 PID 652 wrote to memory of 636 652 Njgpij32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d812fc05ff7a8c7d151673c4fbb5c51e74f7fa5b0c01de782b40399cd1a0c370.exe"C:\Users\Admin\AppData\Local\Temp\d812fc05ff7a8c7d151673c4fbb5c51e74f7fa5b0c01de782b40399cd1a0c370.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ldokfakl.exeC:\Windows\system32\Ldokfakl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Lkicbk32.exeC:\Windows\system32\Lkicbk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Mcknhm32.exeC:\Windows\system32\Mcknhm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Nqjaeeog.exeC:\Windows\system32\Nqjaeeog.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Nqmnjd32.exeC:\Windows\system32\Nqmnjd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Npbklabl.exeC:\Windows\system32\Npbklabl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Njgpij32.exeC:\Windows\system32\Njgpij32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\Ncpdbohb.exeC:\Windows\system32\Ncpdbohb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:636 -
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Obeacl32.exeC:\Windows\system32\Obeacl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Ohbikbkb.exeC:\Windows\system32\Ohbikbkb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:644 -
C:\Windows\SysWOW64\Oajndh32.exeC:\Windows\system32\Oajndh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Olpbaa32.exeC:\Windows\system32\Olpbaa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252 -
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Paaddgkj.exeC:\Windows\system32\Paaddgkj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Pfnmmn32.exeC:\Windows\system32\Pfnmmn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Pioeoi32.exeC:\Windows\system32\Pioeoi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Plpopddd.exeC:\Windows\system32\Plpopddd.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Pbigmn32.exeC:\Windows\system32\Pbigmn32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe34⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Qkghgpfi.exeC:\Windows\system32\Qkghgpfi.exe36⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Qemldifo.exeC:\Windows\system32\Qemldifo.exe37⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe38⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Adaiee32.exeC:\Windows\system32\Adaiee32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Aognbnkm.exeC:\Windows\system32\Aognbnkm.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Ahpbkd32.exeC:\Windows\system32\Ahpbkd32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Anljck32.exeC:\Windows\system32\Anljck32.exe42⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ageompfe.exeC:\Windows\system32\Ageompfe.exe43⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Alageg32.exeC:\Windows\system32\Alageg32.exe44⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Aejlnmkm.exeC:\Windows\system32\Aejlnmkm.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe46⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Ajhddk32.exeC:\Windows\system32\Ajhddk32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Boemlbpk.exeC:\Windows\system32\Boemlbpk.exe48⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Bhmaeg32.exeC:\Windows\system32\Bhmaeg32.exe49⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Baefnmml.exeC:\Windows\system32\Baefnmml.exe50⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Blkjkflb.exeC:\Windows\system32\Blkjkflb.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Bnlgbnbp.exeC:\Windows\system32\Bnlgbnbp.exe52⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:624 -
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Bnochnpm.exeC:\Windows\system32\Bnochnpm.exe55⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Bkbdabog.exeC:\Windows\system32\Bkbdabog.exe56⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Bdkhjgeh.exeC:\Windows\system32\Bdkhjgeh.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Cjhabndo.exeC:\Windows\system32\Cjhabndo.exe58⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Cglalbbi.exeC:\Windows\system32\Cglalbbi.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Cqdfehii.exeC:\Windows\system32\Cqdfehii.exe60⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Cfanmogq.exeC:\Windows\system32\Cfanmogq.exe61⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Cceogcfj.exeC:\Windows\system32\Cceogcfj.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1212 -
C:\Windows\SysWOW64\Cjogcm32.exeC:\Windows\system32\Cjogcm32.exe63⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Ccgklc32.exeC:\Windows\system32\Ccgklc32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Cmppehkh.exeC:\Windows\system32\Cmppehkh.exe65⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Dblhmoio.exeC:\Windows\system32\Dblhmoio.exe66⤵PID:2168
-
C:\Windows\SysWOW64\Difqji32.exeC:\Windows\system32\Difqji32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Daaenlng.exeC:\Windows\system32\Daaenlng.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Dnefhpma.exeC:\Windows\system32\Dnefhpma.exe69⤵PID:2488
-
C:\Windows\SysWOW64\Deondj32.exeC:\Windows\system32\Deondj32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Dlifadkk.exeC:\Windows\system32\Dlifadkk.exe71⤵
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Deakjjbk.exeC:\Windows\system32\Deakjjbk.exe72⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe73⤵PID:2604
-
C:\Windows\SysWOW64\Dcghkf32.exeC:\Windows\system32\Dcghkf32.exe74⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Emoldlmc.exeC:\Windows\system32\Emoldlmc.exe75⤵
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Eblelb32.exeC:\Windows\system32\Eblelb32.exe76⤵PID:2284
-
C:\Windows\SysWOW64\Eppefg32.exeC:\Windows\system32\Eppefg32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1664 -
C:\Windows\SysWOW64\Eihjolae.exeC:\Windows\system32\Eihjolae.exe78⤵PID:876
-
C:\Windows\SysWOW64\Ehpcehcj.exeC:\Windows\system32\Ehpcehcj.exe79⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Feddombd.exeC:\Windows\system32\Feddombd.exe80⤵PID:2760
-
C:\Windows\SysWOW64\Fkqlgc32.exeC:\Windows\system32\Fkqlgc32.exe81⤵
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Fefqdl32.exeC:\Windows\system32\Fefqdl32.exe82⤵
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Fkcilc32.exeC:\Windows\system32\Fkcilc32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Fppaej32.exeC:\Windows\system32\Fppaej32.exe84⤵PID:1648
-
C:\Windows\SysWOW64\Fihfnp32.exeC:\Windows\system32\Fihfnp32.exe85⤵PID:2420
-
C:\Windows\SysWOW64\Fcqjfeja.exeC:\Windows\system32\Fcqjfeja.exe86⤵PID:2412
-
C:\Windows\SysWOW64\Fliook32.exeC:\Windows\system32\Fliook32.exe87⤵PID:1588
-
C:\Windows\SysWOW64\Fdpgph32.exeC:\Windows\system32\Fdpgph32.exe88⤵PID:2856
-
C:\Windows\SysWOW64\Feachqgb.exeC:\Windows\system32\Feachqgb.exe89⤵PID:2544
-
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe90⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Gpggei32.exeC:\Windows\system32\Gpggei32.exe91⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe92⤵PID:988
-
C:\Windows\SysWOW64\Glnhjjml.exeC:\Windows\system32\Glnhjjml.exe93⤵PID:912
-
C:\Windows\SysWOW64\Gefmcp32.exeC:\Windows\system32\Gefmcp32.exe94⤵PID:2460
-
C:\Windows\SysWOW64\Ghdiokbq.exeC:\Windows\system32\Ghdiokbq.exe95⤵PID:1008
-
C:\Windows\SysWOW64\Gonale32.exeC:\Windows\system32\Gonale32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2040 -
C:\Windows\SysWOW64\Gdkjdl32.exeC:\Windows\system32\Gdkjdl32.exe97⤵PID:2864
-
C:\Windows\SysWOW64\Glbaei32.exeC:\Windows\system32\Glbaei32.exe98⤵PID:1228
-
C:\Windows\SysWOW64\Gncnmane.exeC:\Windows\system32\Gncnmane.exe99⤵
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Gdnfjl32.exeC:\Windows\system32\Gdnfjl32.exe100⤵
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Gkgoff32.exeC:\Windows\system32\Gkgoff32.exe101⤵PID:2020
-
C:\Windows\SysWOW64\Gaagcpdl.exeC:\Windows\system32\Gaagcpdl.exe102⤵
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Hhkopj32.exeC:\Windows\system32\Hhkopj32.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Hjmlhbbg.exeC:\Windows\system32\Hjmlhbbg.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Hqgddm32.exeC:\Windows\system32\Hqgddm32.exe105⤵PID:3032
-
C:\Windows\SysWOW64\Hcepqh32.exeC:\Windows\system32\Hcepqh32.exe106⤵PID:2428
-
C:\Windows\SysWOW64\Hjohmbpd.exeC:\Windows\system32\Hjohmbpd.exe107⤵PID:1272
-
C:\Windows\SysWOW64\Hmmdin32.exeC:\Windows\system32\Hmmdin32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Hddmjk32.exeC:\Windows\system32\Hddmjk32.exe109⤵PID:2292
-
C:\Windows\SysWOW64\Hgciff32.exeC:\Windows\system32\Hgciff32.exe110⤵
- System Location Discovery: System Language Discovery
PID:1052 -
C:\Windows\SysWOW64\Hjaeba32.exeC:\Windows\system32\Hjaeba32.exe111⤵PID:2176
-
C:\Windows\SysWOW64\Hcjilgdb.exeC:\Windows\system32\Hcjilgdb.exe112⤵PID:1552
-
C:\Windows\SysWOW64\Hifbdnbi.exeC:\Windows\system32\Hifbdnbi.exe113⤵
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Hclfag32.exeC:\Windows\system32\Hclfag32.exe114⤵PID:2664
-
C:\Windows\SysWOW64\Hiioin32.exeC:\Windows\system32\Hiioin32.exe115⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Ibacbcgg.exeC:\Windows\system32\Ibacbcgg.exe116⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ikjhki32.exeC:\Windows\system32\Ikjhki32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Ifolhann.exeC:\Windows\system32\Ifolhann.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:996 -
C:\Windows\SysWOW64\Iogpag32.exeC:\Windows\system32\Iogpag32.exe119⤵PID:2828
-
C:\Windows\SysWOW64\Iipejmko.exeC:\Windows\system32\Iipejmko.exe120⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Inmmbc32.exeC:\Windows\system32\Inmmbc32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-