Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/12/2024, 02:17
Behavioral task
behavioral1
Sample
b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c.exe
-
Size
128KB
-
MD5
884e3a40d5d7f84aa8383868e5f2e15a
-
SHA1
9b03d4fade4d912b1cb323ef5f357f4ef705c801
-
SHA256
b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c
-
SHA512
e80dbc7692d67acc946300f3c81282f947277d9d925e3bcd185d7f72f3ed8e6f3ffc7d035e83809a092b6578a55eabe34dffb35c28e5d1084e11c08d6e437524
-
SSDEEP
3072:bI3D3GCfainaQwYehOvbdjKy0Dd1AZoUBW3FJeRuaWNXmgu+tB:s3jUtBYehOvbdjFGdWZHEFJ7aWN1B
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciifbchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lngnfnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdabino.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfemlpdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahogc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jodhdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfqmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biolanld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmpnhdfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjbafi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Annbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnmpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamgmofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olpgconp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqlicclo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdpkbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgffhkoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kobkpdfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkmhnjlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkbkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbjpblip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hppfog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmgclfk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pngphgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjbbpmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhhgcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnkpobc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpjjeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pomfkndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogiaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pilfpqaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdmnam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odeiibdq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfeppop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjbcfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndnlnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagnlkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neqnqofm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2292 Jmbiipml.exe 3040 Jcmafj32.exe 2712 Jcmafj32.exe 2892 Jghmfhmb.exe 2764 Kmefooki.exe 1340 Kqqboncb.exe 2576 Kjifhc32.exe 1680 Kilfcpqm.exe 584 Kmgbdo32.exe 2488 Kkjcplpa.exe 2688 Kincipnk.exe 2400 Kohkfj32.exe 1752 Kbfhbeek.exe 796 Keednado.exe 1540 Kpjhkjde.exe 2596 Knmhgf32.exe 2908 Kaldcb32.exe 1244 Kegqdqbl.exe 1640 Kgemplap.exe 2188 Kjdilgpc.exe 2376 Kbkameaf.exe 1368 Llcefjgf.exe 1832 Ljffag32.exe 1784 Lnbbbffj.exe 2580 Lmebnb32.exe 2604 Lcojjmea.exe 2332 Lndohedg.exe 2636 Lpekon32.exe 2644 Lpekon32.exe 2788 Lfpclh32.exe 2840 Ljkomfjl.exe 2512 Lmikibio.exe 1156 Laegiq32.exe 332 Liplnc32.exe 2824 Lpjdjmfp.exe 2852 Lcfqkl32.exe 1812 Lfdmggnm.exe 1128 Mmneda32.exe 2020 Mlaeonld.exe 2100 Mpmapm32.exe 1208 Mbkmlh32.exe 1708 Meijhc32.exe 408 Mieeibkn.exe 2024 Mhhfdo32.exe 2088 Mlcbenjb.exe 1564 Mponel32.exe 3048 Mbmjah32.exe 316 Melfncqb.exe 1940 Migbnb32.exe 1792 Mlfojn32.exe 2280 Mkhofjoj.exe 2668 Modkfi32.exe 2648 Mencccop.exe 588 Mmihhelk.exe 2028 Mholen32.exe 2532 Mmldme32.exe 2832 Ndemjoae.exe 1484 Ngdifkpi.exe 1400 Nmnace32.exe 2336 Naimccpo.exe 1800 Ngfflj32.exe 2912 Nmpnhdfc.exe 1948 Npojdpef.exe 600 Ndjfeo32.exe -
Loads dropped DLL 64 IoCs
pid Process 1044 b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c.exe 1044 b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c.exe 2292 Jmbiipml.exe 2292 Jmbiipml.exe 3040 Jcmafj32.exe 3040 Jcmafj32.exe 2712 Jcmafj32.exe 2712 Jcmafj32.exe 2892 Jghmfhmb.exe 2892 Jghmfhmb.exe 2764 Kmefooki.exe 2764 Kmefooki.exe 1340 Kqqboncb.exe 1340 Kqqboncb.exe 2576 Kjifhc32.exe 2576 Kjifhc32.exe 1680 Kilfcpqm.exe 1680 Kilfcpqm.exe 584 Kmgbdo32.exe 584 Kmgbdo32.exe 2488 Kkjcplpa.exe 2488 Kkjcplpa.exe 2688 Kincipnk.exe 2688 Kincipnk.exe 2400 Kohkfj32.exe 2400 Kohkfj32.exe 1752 Kbfhbeek.exe 1752 Kbfhbeek.exe 796 Keednado.exe 796 Keednado.exe 1540 Kpjhkjde.exe 1540 Kpjhkjde.exe 2596 Knmhgf32.exe 2596 Knmhgf32.exe 2908 Kaldcb32.exe 2908 Kaldcb32.exe 1244 Kegqdqbl.exe 1244 Kegqdqbl.exe 1640 Kgemplap.exe 1640 Kgemplap.exe 2188 Kjdilgpc.exe 2188 Kjdilgpc.exe 2376 Kbkameaf.exe 2376 Kbkameaf.exe 1368 Llcefjgf.exe 1368 Llcefjgf.exe 1832 Ljffag32.exe 1832 Ljffag32.exe 1784 Lnbbbffj.exe 1784 Lnbbbffj.exe 2580 Lmebnb32.exe 2580 Lmebnb32.exe 2604 Lcojjmea.exe 2604 Lcojjmea.exe 2332 Lndohedg.exe 2332 Lndohedg.exe 2636 Lpekon32.exe 2636 Lpekon32.exe 2644 Lpekon32.exe 2644 Lpekon32.exe 2788 Lfpclh32.exe 2788 Lfpclh32.exe 2840 Ljkomfjl.exe 2840 Ljkomfjl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bcgdom32.exe Bplhnoej.exe File created C:\Windows\SysWOW64\Ffdgjmdh.dll Ifampo32.exe File created C:\Windows\SysWOW64\Qjeeidhg.dll Process not Found File created C:\Windows\SysWOW64\Ekdnehnn.dll Biojif32.exe File created C:\Windows\SysWOW64\Egiiapci.exe Eobapbbg.exe File created C:\Windows\SysWOW64\Ngdjmc32.dll Process not Found File created C:\Windows\SysWOW64\Flacnl32.dll Qqbecp32.exe File created C:\Windows\SysWOW64\Bplhnoej.exe Bmnlbcfg.exe File created C:\Windows\SysWOW64\Hphidanj.exe Hllmcc32.exe File opened for modification C:\Windows\SysWOW64\Bfagpiam.exe Bccjdnbi.exe File created C:\Windows\SysWOW64\Jaknfc32.dll Ohagbj32.exe File opened for modification C:\Windows\SysWOW64\Boljgg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cepipm32.exe Process not Found File created C:\Windows\SysWOW64\Icmqhn32.dll Qjnmlk32.exe File created C:\Windows\SysWOW64\Gnnphemi.dll Lqmjnk32.exe File created C:\Windows\SysWOW64\Nahlmpdg.dll Lmdkcl32.exe File opened for modification C:\Windows\SysWOW64\Jbcjnnpl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mklcadfn.exe Process not Found File created C:\Windows\SysWOW64\Fbmfkkbm.exe Fqlicclo.exe File created C:\Windows\SysWOW64\Nhmglf32.dll Mpamde32.exe File created C:\Windows\SysWOW64\Bchqdi32.dll Bnldjekl.exe File created C:\Windows\SysWOW64\Jdhfppnm.dll Process not Found File created C:\Windows\SysWOW64\Picion32.dll Process not Found File created C:\Windows\SysWOW64\Mgkjgicl.dll Hbqoqbho.exe File opened for modification C:\Windows\SysWOW64\Plijimee.exe Phnnho32.exe File created C:\Windows\SysWOW64\Peedka32.exe Pcghof32.exe File opened for modification C:\Windows\SysWOW64\Balkchpi.exe Bbikgk32.exe File created C:\Windows\SysWOW64\Dnfddh32.dll Enlglnci.exe File created C:\Windows\SysWOW64\Bljbql32.dll Plaimk32.exe File created C:\Windows\SysWOW64\Iliebpfc.exe Process not Found File created C:\Windows\SysWOW64\Cgdcgm32.exe Conkepdq.exe File created C:\Windows\SysWOW64\Abmdafpp.exe Aoohekal.exe File created C:\Windows\SysWOW64\Accpqnab.dll Ncfoch32.exe File created C:\Windows\SysWOW64\Pondgbkk.dll Bbjmpcab.exe File created C:\Windows\SysWOW64\Ippdgc32.exe Process not Found File created C:\Windows\SysWOW64\Pmmgmc32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cebeem32.exe Process not Found File created C:\Windows\SysWOW64\Kmcipd32.dll Kjifhc32.exe File created C:\Windows\SysWOW64\Lcnaga32.dll Okoafmkm.exe File created C:\Windows\SysWOW64\Aqhhanig.exe Anjlebjc.exe File created C:\Windows\SysWOW64\Mjcoqdoc.exe Mlpneh32.exe File created C:\Windows\SysWOW64\Lohccp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Danmmd32.exe Cmbalfem.exe File opened for modification C:\Windows\SysWOW64\Ndkhngdd.exe Npolmh32.exe File opened for modification C:\Windows\SysWOW64\Qiioon32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kilfcpqm.exe Kjifhc32.exe File created C:\Windows\SysWOW64\Lnbqqhdp.dll Jcjnfdbp.exe File created C:\Windows\SysWOW64\Dhmhhmlm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nkhdkgnj.exe Nledoj32.exe File created C:\Windows\SysWOW64\Elnqmd32.exe Enkpahon.exe File created C:\Windows\SysWOW64\Epbpbnan.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lkgkoiqc.exe Lmdkcl32.exe File opened for modification C:\Windows\SysWOW64\Bgffhkoj.exe Bckjhl32.exe File opened for modification C:\Windows\SysWOW64\Dgbeiiqe.exe Process not Found File created C:\Windows\SysWOW64\Kblikadd.dll Process not Found File created C:\Windows\SysWOW64\Onpjghhn.exe Olonpp32.exe File created C:\Windows\SysWOW64\Eobapbbg.exe Epoqde32.exe File opened for modification C:\Windows\SysWOW64\Fcbbjcif.exe Fqcfnhjb.exe File created C:\Windows\SysWOW64\Blobjaba.exe Biafnecn.exe File created C:\Windows\SysWOW64\Jmefhb32.dll Knnkpobc.exe File created C:\Windows\SysWOW64\Hahjegok.dll Llnaoh32.exe File created C:\Windows\SysWOW64\Diibag32.exe Dgjfek32.exe File created C:\Windows\SysWOW64\Fqahnjpk.dll Jhlmmfef.exe File opened for modification C:\Windows\SysWOW64\Pojecajj.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 2752 1980 Process not Found 1471 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hppfog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbemfbdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imiigiab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbdko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmdafpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdjccf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmhnjlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dedlag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maefamlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdfhhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghmfhmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmgelil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcahoqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpgdhpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljffag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcpkpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebdfind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookpodkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocalkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmdjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inafbooe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khabghdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfebambf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgfoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpamde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnmjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnlnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghhfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aennba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mencccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknpkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pggdejno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejfao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilhhdga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cophko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcaiiejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbkameaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knjegqif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkail32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhjphfgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbdea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopahjll.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chhldeho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqomci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioliqbjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iajemnia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlmicj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Poeipifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdnpmb32.dll" Ijmipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djniek32.dll" Cophko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaqnkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmibgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohniib32.dll" Odjdmjgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhflfhh.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imglhaji.dll" Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hihjhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qqbecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qflhbhgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qgoapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cielhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pegqpacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqonbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agdjkogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjgop32.dll" Liminmmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofjqboi.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmmphlpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfedqagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgbdoe32.dll" Fjdnlhco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckemgnc.dll" Jodhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hckmla32.dll" Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicapn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpbcokk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmneda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jglgpdcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfbaql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aajbne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejkkfjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knjmll32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deojci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liqoflfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opfbngfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcjenki.dll" Ioooiack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhobddbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpmdofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfagpiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iennnogo.dll" Pegqpacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjaickl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkidlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndemjoae.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1044 wrote to memory of 2292 1044 b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c.exe 28 PID 1044 wrote to memory of 2292 1044 b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c.exe 28 PID 1044 wrote to memory of 2292 1044 b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c.exe 28 PID 1044 wrote to memory of 2292 1044 b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c.exe 28 PID 2292 wrote to memory of 3040 2292 Jmbiipml.exe 29 PID 2292 wrote to memory of 3040 2292 Jmbiipml.exe 29 PID 2292 wrote to memory of 3040 2292 Jmbiipml.exe 29 PID 2292 wrote to memory of 3040 2292 Jmbiipml.exe 29 PID 3040 wrote to memory of 2712 3040 Jcmafj32.exe 30 PID 3040 wrote to memory of 2712 3040 Jcmafj32.exe 30 PID 3040 wrote to memory of 2712 3040 Jcmafj32.exe 30 PID 3040 wrote to memory of 2712 3040 Jcmafj32.exe 30 PID 2712 wrote to memory of 2892 2712 Jcmafj32.exe 31 PID 2712 wrote to memory of 2892 2712 Jcmafj32.exe 31 PID 2712 wrote to memory of 2892 2712 Jcmafj32.exe 31 PID 2712 wrote to memory of 2892 2712 Jcmafj32.exe 31 PID 2892 wrote to memory of 2764 2892 Jghmfhmb.exe 32 PID 2892 wrote to memory of 2764 2892 Jghmfhmb.exe 32 PID 2892 wrote to memory of 2764 2892 Jghmfhmb.exe 32 PID 2892 wrote to memory of 2764 2892 Jghmfhmb.exe 32 PID 2764 wrote to memory of 1340 2764 Kmefooki.exe 33 PID 2764 wrote to memory of 1340 2764 Kmefooki.exe 33 PID 2764 wrote to memory of 1340 2764 Kmefooki.exe 33 PID 2764 wrote to memory of 1340 2764 Kmefooki.exe 33 PID 1340 wrote to memory of 2576 1340 Kqqboncb.exe 34 PID 1340 wrote to memory of 2576 1340 Kqqboncb.exe 34 PID 1340 wrote to memory of 2576 1340 Kqqboncb.exe 34 PID 1340 wrote to memory of 2576 1340 Kqqboncb.exe 34 PID 2576 wrote to memory of 1680 2576 Kjifhc32.exe 35 PID 2576 wrote to memory of 1680 2576 Kjifhc32.exe 35 PID 2576 wrote to memory of 1680 2576 Kjifhc32.exe 35 PID 2576 wrote to memory of 1680 2576 Kjifhc32.exe 35 PID 1680 wrote to memory of 584 1680 Kilfcpqm.exe 36 PID 1680 wrote to memory of 584 1680 Kilfcpqm.exe 36 PID 1680 wrote to memory of 584 1680 Kilfcpqm.exe 36 PID 1680 wrote to memory of 584 1680 Kilfcpqm.exe 36 PID 584 wrote to memory of 2488 584 Kmgbdo32.exe 37 PID 584 wrote to memory of 2488 584 Kmgbdo32.exe 37 PID 584 wrote to memory of 2488 584 Kmgbdo32.exe 37 PID 584 wrote to memory of 2488 584 Kmgbdo32.exe 37 PID 2488 wrote to memory of 2688 2488 Kkjcplpa.exe 38 PID 2488 wrote to memory of 2688 2488 Kkjcplpa.exe 38 PID 2488 wrote to memory of 2688 2488 Kkjcplpa.exe 38 PID 2488 wrote to memory of 2688 2488 Kkjcplpa.exe 38 PID 2688 wrote to memory of 2400 2688 Kincipnk.exe 39 PID 2688 wrote to memory of 2400 2688 Kincipnk.exe 39 PID 2688 wrote to memory of 2400 2688 Kincipnk.exe 39 PID 2688 wrote to memory of 2400 2688 Kincipnk.exe 39 PID 2400 wrote to memory of 1752 2400 Kohkfj32.exe 40 PID 2400 wrote to memory of 1752 2400 Kohkfj32.exe 40 PID 2400 wrote to memory of 1752 2400 Kohkfj32.exe 40 PID 2400 wrote to memory of 1752 2400 Kohkfj32.exe 40 PID 1752 wrote to memory of 796 1752 Kbfhbeek.exe 41 PID 1752 wrote to memory of 796 1752 Kbfhbeek.exe 41 PID 1752 wrote to memory of 796 1752 Kbfhbeek.exe 41 PID 1752 wrote to memory of 796 1752 Kbfhbeek.exe 41 PID 796 wrote to memory of 1540 796 Keednado.exe 42 PID 796 wrote to memory of 1540 796 Keednado.exe 42 PID 796 wrote to memory of 1540 796 Keednado.exe 42 PID 796 wrote to memory of 1540 796 Keednado.exe 42 PID 1540 wrote to memory of 2596 1540 Kpjhkjde.exe 43 PID 1540 wrote to memory of 2596 1540 Kpjhkjde.exe 43 PID 1540 wrote to memory of 2596 1540 Kpjhkjde.exe 43 PID 1540 wrote to memory of 2596 1540 Kpjhkjde.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c.exe"C:\Users\Admin\AppData\Local\Temp\b360ef36fe9ef5b8c5af03d7b811926d864cbc3883967c776e42d00fc0b8536c.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Kmefooki.exeC:\Windows\system32\Kmefooki.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Kjifhc32.exeC:\Windows\system32\Kjifhc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Kmgbdo32.exeC:\Windows\system32\Kmgbdo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Kkjcplpa.exeC:\Windows\system32\Kkjcplpa.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Kohkfj32.exeC:\Windows\system32\Kohkfj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Keednado.exeC:\Windows\system32\Keednado.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1244 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Llcefjgf.exeC:\Windows\system32\Llcefjgf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1832 -
C:\Windows\SysWOW64\Lnbbbffj.exeC:\Windows\system32\Lnbbbffj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Lndohedg.exeC:\Windows\system32\Lndohedg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Ljkomfjl.exeC:\Windows\system32\Ljkomfjl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe33⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe34⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe35⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe36⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe37⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe38⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe40⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Mpmapm32.exeC:\Windows\system32\Mpmapm32.exe41⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe42⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Meijhc32.exeC:\Windows\system32\Meijhc32.exe43⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe44⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe45⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe46⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe47⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe48⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe49⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Migbnb32.exeC:\Windows\system32\Migbnb32.exe50⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Mlfojn32.exeC:\Windows\system32\Mlfojn32.exe51⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Mkhofjoj.exeC:\Windows\system32\Mkhofjoj.exe52⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe53⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe55⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Mholen32.exeC:\Windows\system32\Mholen32.exe56⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Mmldme32.exeC:\Windows\system32\Mmldme32.exe57⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Ndemjoae.exeC:\Windows\system32\Ndemjoae.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Ngdifkpi.exeC:\Windows\system32\Ngdifkpi.exe59⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Nmnace32.exeC:\Windows\system32\Nmnace32.exe60⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe61⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe62⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe64⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe65⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe66⤵PID:2160
-
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe67⤵PID:1992
-
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe68⤵PID:1296
-
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe69⤵PID:860
-
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe70⤵
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe71⤵PID:1880
-
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe72⤵PID:1632
-
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Okoafmkm.exeC:\Windows\system32\Okoafmkm.exe74⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Ocfigjlp.exeC:\Windows\system32\Ocfigjlp.exe75⤵PID:1604
-
C:\Windows\SysWOW64\Odhfob32.exeC:\Windows\system32\Odhfob32.exe76⤵PID:1112
-
C:\Windows\SysWOW64\Olonpp32.exeC:\Windows\system32\Olonpp32.exe77⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Onpjghhn.exeC:\Windows\system32\Onpjghhn.exe78⤵PID:2828
-
C:\Windows\SysWOW64\Oegbheiq.exeC:\Windows\system32\Oegbheiq.exe79⤵PID:292
-
C:\Windows\SysWOW64\Oghopm32.exeC:\Windows\system32\Oghopm32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe81⤵PID:1756
-
C:\Windows\SysWOW64\Oqacic32.exeC:\Windows\system32\Oqacic32.exe82⤵PID:556
-
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe83⤵PID:2812
-
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe84⤵PID:1440
-
C:\Windows\SysWOW64\Onecbg32.exeC:\Windows\system32\Onecbg32.exe85⤵PID:2992
-
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe86⤵PID:2428
-
C:\Windows\SysWOW64\Odoloalf.exeC:\Windows\system32\Odoloalf.exe87⤵PID:2680
-
C:\Windows\SysWOW64\Ocalkn32.exeC:\Windows\system32\Ocalkn32.exe88⤵
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\Pkidlk32.exeC:\Windows\system32\Pkidlk32.exe89⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Pngphgbf.exeC:\Windows\system32\Pngphgbf.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Pqemdbaj.exeC:\Windows\system32\Pqemdbaj.exe91⤵PID:2700
-
C:\Windows\SysWOW64\Pgpeal32.exeC:\Windows\system32\Pgpeal32.exe92⤵PID:2960
-
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe93⤵PID:1500
-
C:\Windows\SysWOW64\Pnimnfpc.exeC:\Windows\system32\Pnimnfpc.exe94⤵PID:2196
-
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe95⤵PID:1092
-
C:\Windows\SysWOW64\Pokieo32.exeC:\Windows\system32\Pokieo32.exe96⤵PID:2804
-
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe97⤵PID:2808
-
C:\Windows\SysWOW64\Pfdabino.exeC:\Windows\system32\Pfdabino.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1804 -
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe99⤵PID:2916
-
C:\Windows\SysWOW64\Pqjfoa32.exeC:\Windows\system32\Pqjfoa32.exe100⤵PID:1192
-
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:772 -
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe102⤵PID:2340
-
C:\Windows\SysWOW64\Pfgngh32.exeC:\Windows\system32\Pfgngh32.exe103⤵PID:1228
-
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe104⤵PID:2164
-
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe105⤵PID:2256
-
C:\Windows\SysWOW64\Pckoam32.exeC:\Windows\system32\Pckoam32.exe106⤵PID:2112
-
C:\Windows\SysWOW64\Pdlkiepd.exeC:\Windows\system32\Pdlkiepd.exe107⤵PID:2096
-
C:\Windows\SysWOW64\Pmccjbaf.exeC:\Windows\system32\Pmccjbaf.exe108⤵PID:3004
-
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe109⤵PID:1488
-
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe110⤵PID:1664
-
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe111⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe112⤵PID:2868
-
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe113⤵
- System Location Discovery: System Language Discovery
PID:444 -
C:\Windows\SysWOW64\Qodlkm32.exeC:\Windows\system32\Qodlkm32.exe114⤵PID:2872
-
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe115⤵PID:2068
-
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe116⤵PID:2132
-
C:\Windows\SysWOW64\Qeaedd32.exeC:\Windows\system32\Qeaedd32.exe117⤵PID:964
-
C:\Windows\SysWOW64\Qgoapp32.exeC:\Windows\system32\Qgoapp32.exe118⤵
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe119⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Abeemhkh.exeC:\Windows\system32\Abeemhkh.exe120⤵PID:2748
-
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe121⤵PID:532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-