Analysis
max time kernel: 123s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 23:30
Static task: static1
Behavioral task: behavioral1
Sample: 6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe
Resource: win10v2004-20241007-en
General
Target: 6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe
Size: 96KB
MD5: 5898197ec67476f9d4228c66009fc385
SHA1: 3119d911d5f2cb8bfef2c850940b741ebe14851a
SHA256: 6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82
SHA512: 3fdd0e6ac13b6eddc8ffc224c230b05869f273b4667ad469d46c0c7a9dc50acb17a8e35c53f510814d11ac98dfa2e58efc57c60c2719838bd201210bffcea86e
SSDEEP: 1536:1S9eVGepiDH0qW8DYdLSW/duD7rQgYHFSA9D2nfC8VXOsOn/BOmXCMy0QiLiizH9:o9Vep4H0CUdLSWVuD7rDYlSAF2nf3cse
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olehbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lihifhoq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpplfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpcngnob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbkkbpjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Donijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emilqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afojgiei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haldgbkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hamlmmej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caligc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glkinb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbffga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dphmiokb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doflofbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiphpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fljhojnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gakjcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Figoefkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdfejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmdehgcf.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anjjjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcnmne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmijn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnocgnoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncdciq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjdonndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FAA099-1BAE-816E-D711-115290CEE717}" Heoadcmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noalfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihhlbegd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oijbkpqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdafkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olchgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gemham32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpgkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnmoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehmamnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaiglnih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihifhoq.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peooek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkhkbmco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piaiko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fieiephm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggdmkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgfbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifmbilhq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbbfj32.exe -
Berbew family
Executes dropped EXE 64 IoCs
pid Process
1516 Kpblne32.exe
2860 Keodflee.exe
2836 Lgejidgn.exe
2148 Lkccob32.exe
2880 Lkepdbkb.exe
2772 Mglpjc32.exe
2472 Mgomoboc.exe
1916 Mojaceln.exe
3048 Mfhcknpf.exe
1532 Nmkbfmpf.exe
2540 Nfcfob32.exe
1616 Olehbh32.exe
1524 Oenmkngi.exe
1652 Oaiglnih.exe
2168 Pfjiod32.exe
972 Pfaopc32.exe
1056 Qomcdf32.exe
1668 Aoamoefh.exe
1736 Aabfqp32.exe
2460 Aniffaim.exe
556 Ajpgkb32.exe
2268 Bhgaan32.exe
2792 Bcmeogam.exe
2856 Bkjfhile.exe
1604 Bbdoec32.exe
2988 Cjfjjd32.exe
2748 Cfmjoe32.exe
2848 Dmllgo32.exe
2812 Dbidof32.exe
2660 Dgemgm32.exe
1660 Danaqbgp.exe
2784 Dbmnjenb.exe
2224 Dlfbck32.exe
3052 Denglpkc.exe
2024 Emilqb32.exe
1296 Ejmljg32.exe
1704 Ebhani32.exe
2452 Emnelbdi.exe
2096 Ebkndibq.exe
368 Elcbmn32.exe
1220 Eelfedpa.exe
2516 Eleobngo.exe
1832 Fijolbfh.exe
112 Fbbcdh32.exe
2688 Fljhmmci.exe
1756 Fokaoh32.exe
2060 Fmpnpe32.exe
2256 Figoefkf.exe
1752 Gcocnk32.exe
2840 Ggmldj32.exe
2912 Gljdlq32.exe
2312 Gaiijgbi.exe
2736 Glongpao.exe
2588 Gdjblboj.exe
2416 Hkfgnldd.exe
2196 Hhjhgpcn.exe
2352 Hngppgae.exe
580 Hkkaik32.exe
540 Hdcebagp.exe
1984 Hjpnjheg.exe
2348 Igdndl32.exe
1744 Ioochn32.exe
2672 Ijegeg32.exe
848 Icmlnmgb.exe
Loads dropped DLL 64 IoCs
pid Process 840 6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe 840 6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe 1516 Kpblne32.exe 1516 Kpblne32.exe 2860 Keodflee.exe 2860 Keodflee.exe 2836 Lgejidgn.exe 2836 Lgejidgn.exe 2148 Lkccob32.exe 2148 Lkccob32.exe 2880 Lkepdbkb.exe 2880 Lkepdbkb.exe 2772 Mglpjc32.exe 2772 Mglpjc32.exe 2472 Mgomoboc.exe 2472 Mgomoboc.exe 1916 Mojaceln.exe 1916 Mojaceln.exe 3048 Mfhcknpf.exe 3048 Mfhcknpf.exe 1532 Nmkbfmpf.exe 1532 Nmkbfmpf.exe 2540 Nfcfob32.exe 2540 Nfcfob32.exe 1616 Olehbh32.exe 1616 Olehbh32.exe 1524 Oenmkngi.exe 1524 Oenmkngi.exe 1652 Oaiglnih.exe 1652 Oaiglnih.exe 2168 Pfjiod32.exe 2168 Pfjiod32.exe 972 Pfaopc32.exe 972 Pfaopc32.exe 1056 Qomcdf32.exe 1056 Qomcdf32.exe 1668 Aoamoefh.exe 1668 Aoamoefh.exe 1736 Aabfqp32.exe 1736 Aabfqp32.exe 2460 Aniffaim.exe 2460 Aniffaim.exe 556 Ajpgkb32.exe 556 Ajpgkb32.exe 2268 Bhgaan32.exe 2268 Bhgaan32.exe 2792 Bcmeogam.exe 2792 Bcmeogam.exe 2856 Bkjfhile.exe 2856 Bkjfhile.exe 1604 Bbdoec32.exe 1604 Bbdoec32.exe 2988 Cjfjjd32.exe 2988 Cjfjjd32.exe 2748 Cfmjoe32.exe 2748 Cfmjoe32.exe 2848 Dmllgo32.exe 2848 Dmllgo32.exe 2812 Dbidof32.exe 2812 Dbidof32.exe 2660 Dgemgm32.exe 2660 Dgemgm32.exe 1660 Danaqbgp.exe 1660 Danaqbgp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gljdlq32.exe Ggmldj32.exe File created C:\Windows\SysWOW64\Njnion32.exe Nhombc32.exe File created C:\Windows\SysWOW64\Cmclem32.exe Cgfdmf32.exe File created C:\Windows\SysWOW64\Oldeje32.dll Process not Found File created C:\Windows\SysWOW64\Cclkcdpl.exe Clbbfj32.exe File created C:\Windows\SysWOW64\Gqomqm32.exe Gjeedcjh.exe File created C:\Windows\SysWOW64\Iekbob32.exe Iehejc32.exe File created C:\Windows\SysWOW64\Fqookn32.exe Process not Found File created C:\Windows\SysWOW64\Ncmbldke.dll Keodflee.exe File opened for modification C:\Windows\SysWOW64\Cldolj32.exe Cclkcdpl.exe File created C:\Windows\SysWOW64\Qcgmnh32.exe Qgqlig32.exe File created C:\Windows\SysWOW64\Gnahoh32.exe Fdicfbpl.exe File created C:\Windows\SysWOW64\Mlccmcna.exe Process not Found File created C:\Windows\SysWOW64\Alhnag32.exe Process not Found File created C:\Windows\SysWOW64\Qmomelml.exe Qhbdmeoe.exe File opened for modification C:\Windows\SysWOW64\Aedghf32.exe Afojgiei.exe File opened for modification C:\Windows\SysWOW64\Gfnpek32.exe Gijplg32.exe File created C:\Windows\SysWOW64\Ppoijq32.exe Phdden32.exe File opened for modification C:\Windows\SysWOW64\Nkbdbbop.exe Nbjpjm32.exe File created C:\Windows\SysWOW64\Coejfn32.exe Ckgapo32.exe File created C:\Windows\SysWOW64\Fdmpmneg.dll Kboill32.exe File opened for modification C:\Windows\SysWOW64\Fkphcg32.exe Fqkdenfj.exe File opened for modification C:\Windows\SysWOW64\Pohngd32.exe Process not Found File created C:\Windows\SysWOW64\Ejkampao.exe Ddoiei32.exe File created C:\Windows\SysWOW64\Jfhbbjbk.dll Fflehp32.exe File created C:\Windows\SysWOW64\Llmipdhh.dll Nannejni.exe File opened for modification C:\Windows\SysWOW64\Dfclpcik.exe Process not Found File created C:\Windows\SysWOW64\Dglbjgff.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dhknigfq.exe Docjpa32.exe File created C:\Windows\SysWOW64\Nffjpb32.dll Ggfgoo32.exe File created 
C:\Windows\SysWOW64\Cceenilo.exe Cmkmao32.exe File created C:\Windows\SysWOW64\Bpjjgpdc.dll Knlpphnd.exe File created C:\Windows\SysWOW64\Hmnoih32.dll Nacgpi32.exe File opened for modification C:\Windows\SysWOW64\Aobblkkk.exe Admnob32.exe File created C:\Windows\SysWOW64\Fcnmploa.dll Jidppaio.exe File created C:\Windows\SysWOW64\Hcbogk32.exe Hmhgjahb.exe File opened for modification C:\Windows\SysWOW64\Niangl32.exe Process not Found File created C:\Windows\SysWOW64\Hlqolb32.dll Process not Found File created C:\Windows\SysWOW64\Qjnaimap.dll Fdhlphff.exe File opened for modification C:\Windows\SysWOW64\Fkkmoo32.exe Fhjcmcep.exe File opened for modification C:\Windows\SysWOW64\Flgdod32.exe Fbnpfnfa.exe File opened for modification C:\Windows\SysWOW64\Fafimjhf.exe Fklaqp32.exe File opened for modification C:\Windows\SysWOW64\Bdjgnp32.exe Process not Found File created C:\Windows\SysWOW64\Oofeeflg.dll Elcbmn32.exe File created C:\Windows\SysWOW64\Aohgoa32.dll Phghedga.exe File created C:\Windows\SysWOW64\Ohfflgdl.dll Ppoijq32.exe File created C:\Windows\SysWOW64\Cbmehn32.dll Fbqllnco.exe File created C:\Windows\SysWOW64\Pbdkoe32.dll Gkcgaoka.exe File created C:\Windows\SysWOW64\Gfdialbn.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mnqdpj32.exe Mdhpgeeg.exe File created C:\Windows\SysWOW64\Qbggqfca.exe Pmjohoej.exe File opened for modification C:\Windows\SysWOW64\Jpjpmqjl.exe Jiphpf32.exe File created C:\Windows\SysWOW64\Hhdgdg32.exe Hnocgnoc.exe File opened for modification C:\Windows\SysWOW64\Lfibeoog.exe Process not Found File created C:\Windows\SysWOW64\Fabppo32.exe Ecnpgj32.exe File created C:\Windows\SysWOW64\Fcjenkhm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Olmilk32.exe Process not Found File created C:\Windows\SysWOW64\Pjeghe32.dll Process not Found File created C:\Windows\SysWOW64\Ikfffh32.exe Iejnna32.exe File created C:\Windows\SysWOW64\Mibgho32.exe Mpjboi32.exe File created 
C:\Windows\SysWOW64\Fccncknc.exe Fdnabo32.exe File created C:\Windows\SysWOW64\Mpflmbnc.exe Milcphgf.exe File created C:\Windows\SysWOW64\Jhakfh32.dll Qeakmg32.exe File opened for modification C:\Windows\SysWOW64\Bkabejfg.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target
4388 1964 Process not Found 1457
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeakmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegjnkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbkbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhkbmco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbijgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onhihepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmeemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khdhmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekaegbnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eleobngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckklfoah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olchgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jckiolgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkpjkni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjeedcjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgado32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbfpafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfifg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaaajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egnjbfqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnlpmiog.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdjmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pppihdha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkahbkgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbmnjenb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Makmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgkjji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdddpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppbfmdfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icqagkqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hphljkfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piaiko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobblkkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkcgaoka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ommdqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidppaio.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oggkklnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fklohgie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdkbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbknb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhfpmee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbqllnco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjjmgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lneghd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lebemmbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinolcbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlackjgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ioochn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndqokc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcgmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamfd32.dll" Ciggap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eibbqmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkomjmah.dll" Kobhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjamd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maaaim32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdcebagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpplfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okomappb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Afpefd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgbbmdea.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlnjfoml.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kahedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajldmna.dll" Lofafhck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnofgcif.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npqbka32.dll" Jnppei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckanhf32.dll" Cjiiim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbpbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Donijk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nihjfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgeahmik.dll" Ggmldj32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibehna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kphmmi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjoeqmhb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Keekeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhjpekkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbldch.dll" Cdadie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fokaef32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofififf.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnmfmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = 
"Apartment" Bcklmdqn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbefbn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pefoci32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdnp32.dll" Gfaodclg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anbmoi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefhcm32.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oenppk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiaikl32.dll" Lpodmb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pphilb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejbhno32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epmdljal.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonmki32.dll" Ldhcjn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mojaceln.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aniffaim.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpblne32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjamhe32.dll" Cjdonndl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkccob32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amclfgik.dll" Njpdiifd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkiikm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffjpb32.dll" Ggfgoo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdekjg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emilqb32.exe
-
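The InProcServer32 writes above are the other half of the "Adds autorun key to be loaded by Explorer.exe on startup" signature: the ShellServiceObjectDelayLoad (SSODL) value names a CLSID, and Explorer loads whatever DLL that CLSID's InProcServer32 default points to, here a rotating set of random eight-letter names under SysWow64. The following Python is an added example, not part of the sandbox report or of Triage: it extracts the CLSID-to-DLL mapping from events in the report's "description ioc Process" format and, on a Windows host, walks the live SSODL list in both registry views and resolves each entry the same way. Function names are my own, and SAMPLE_EVENTS is a constructed excerpt of the events above.

```python
# Added example (not from the sandbox report or from Triage): extract the COM
# side of the SSODL autorun, CLSID -> InProcServer32 DLL, from events in the
# report's "description ioc Process" format, and on a Windows host walk the
# live ShellServiceObjectDelayLoad list the same way. Function names are mine;
# SAMPLE_EVENTS is a constructed excerpt of the events above.
import re
import sys
from collections import defaultdict

SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbefbn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdnp32.dll" Gfaodclg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiaikl32.dll" Lpodmb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonmki32.dll" Ldhcjn32.exe
'''

# Only the InProcServer32 *default* value names the DLL; ThreadingModel and
# "Key created" lines are deliberately not matched.
INPROC_RE = re.compile(
    r'CLSID\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
    r'\\InProcServer32\\ = "([^"]*)" (.*)$',
    re.MULTILINE,
)


def inproc_servers(text):
    """Map CLSID -> [(dll_path, writing_process), ...] in the order the events appear."""
    out = defaultdict(list)
    for m in INPROC_RE.finditer(text):
        clsid, raw_path, proc = m.groups()
        # The report escapes backslashes inside the quoted value; undo that.
        out[clsid.upper()].append((raw_path.replace("\\\\", "\\"), proc.strip()))
    return dict(out)


def dll_names(servers):
    """Set of DLL file names registered across all CLSIDs (what to hunt for on disk)."""
    return {path.rsplit("\\", 1)[-1] for entries in servers.values() for path, _ in entries}


SSODL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"


def audit_ssodl():
    """On Windows, list (value name, CLSID, InProcServer32 DLL) for every SSODL
    entry in both the 64-bit and the Wow6432Node views. Returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # stdlib, Windows only

    found = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            ssodl = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SSODL_KEY, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with ssodl:
            index = 0
            while True:
                try:
                    name, clsid, _ = winreg.EnumValue(ssodl, index)
                except OSError:
                    break  # no more values in this view
                index += 1
                dll = "<no InProcServer32>"
                subkey = "SOFTWARE\\Classes\\CLSID\\" + str(clsid) + "\\InProcServer32"
                try:
                    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_READ | view) as inproc:
                        dll = winreg.QueryValueEx(inproc, "")[0]  # "" = the default value
                except OSError:
                    pass
                found.append((name, str(clsid), dll))
    return found


if __name__ == "__main__":
    for clsid, entries in inproc_servers(SAMPLE_EVENTS).items():
        for path, proc in entries:
            print(f"{clsid} -> {path}  (set by {proc})")
    for name, clsid, dll in audit_ssodl():
        print(f"SSODL {name!r} = {clsid} -> {dll}")
```

Run on the events above the parser yields one CLSID with several DLL paths, because each stage of the chain re-points the same CLSID at its own freshly dropped DLL; on a live host the audit lists every SSODL entry together with the DLL it resolves to, and an entry whose DLL sits in SysWow64 under a name that is not a known Windows component is the thing to pull for analysis.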
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 840 wrote to memory of 1516 | 840 | 6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe | 29
PID 840 wrote to memory of 1516 | 840 | 6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe | 29
PID 840 wrote to memory of 1516 | 840 | 6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe | 29
PID 840 wrote to memory of 1516 | 840 | 6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe | 29
PID 1516 wrote to memory of 2860 | 1516 | Kpblne32.exe | 30
PID 1516 wrote to memory of 2860 | 1516 | Kpblne32.exe | 30
PID 1516 wrote to memory of 2860 | 1516 | Kpblne32.exe | 30
PID 1516 wrote to memory of 2860 | 1516 | Kpblne32.exe | 30
PID 2860 wrote to memory of 2836 | 2860 | Keodflee.exe | 31
PID 2860 wrote to memory of 2836 | 2860 | Keodflee.exe | 31
PID 2860 wrote to memory of 2836 | 2860 | Keodflee.exe | 31
PID 2860 wrote to memory of 2836 | 2860 | Keodflee.exe | 31
PID 2836 wrote to memory of 2148 | 2836 | Lgejidgn.exe | 32
PID 2836 wrote to memory of 2148 | 2836 | Lgejidgn.exe | 32
PID 2836 wrote to memory of 2148 | 2836 | Lgejidgn.exe | 32
PID 2836 wrote to memory of 2148 | 2836 | Lgejidgn.exe | 32
PID 2148 wrote to memory of 2880 | 2148 | Lkccob32.exe | 33
PID 2148 wrote to memory of 2880 | 2148 | Lkccob32.exe | 33
PID 2148 wrote to memory of 2880 | 2148 | Lkccob32.exe | 33
PID 2148 wrote to memory of 2880 | 2148 | Lkccob32.exe | 33
PID 2880 wrote to memory of 2772 | 2880 | Lkepdbkb.exe | 34
PID 2880 wrote to memory of 2772 | 2880 | Lkepdbkb.exe | 34
PID 2880 wrote to memory of 2772 | 2880 | Lkepdbkb.exe | 34
PID 2880 wrote to memory of 2772 | 2880 | Lkepdbkb.exe | 34
PID 2772 wrote to memory of 2472 | 2772 | Mglpjc32.exe | 35
PID 2772 wrote to memory of 2472 | 2772 | Mglpjc32.exe | 35
PID 2772 wrote to memory of 2472 | 2772 | Mglpjc32.exe | 35
PID 2772 wrote to memory of 2472 | 2772 | Mglpjc32.exe | 35
PID 2472 wrote to memory of 1916 | 2472 | Mgomoboc.exe | 36
PID 2472 wrote to memory of 1916 | 2472 | Mgomoboc.exe | 36
PID 2472 wrote to memory of 1916 | 2472 | Mgomoboc.exe | 36
PID 2472 wrote to memory of 1916 | 2472 | Mgomoboc.exe | 36
PID 1916 wrote to memory of 3048 | 1916 | Mojaceln.exe | 37
PID 1916 wrote to memory of 3048 | 1916 | Mojaceln.exe | 37
PID 1916 wrote to memory of 3048 | 1916 | Mojaceln.exe | 37
PID 1916 wrote to memory of 3048 | 1916 | Mojaceln.exe | 37
PID 3048 wrote to memory of 1532 | 3048 | Mfhcknpf.exe | 38
PID 3048 wrote to memory of 1532 | 3048 | Mfhcknpf.exe | 38
PID 3048 wrote to memory of 1532 | 3048 | Mfhcknpf.exe | 38
PID 3048 wrote to memory of 1532 | 3048 | Mfhcknpf.exe | 38
PID 1532 wrote to memory of 2540 | 1532 | Nmkbfmpf.exe | 39
PID 1532 wrote to memory of 2540 | 1532 | Nmkbfmpf.exe | 39
PID 1532 wrote to memory of 2540 | 1532 | Nmkbfmpf.exe | 39
PID 1532 wrote to memory of 2540 | 1532 | Nmkbfmpf.exe | 39
PID 2540 wrote to memory of 1616 | 2540 | Nfcfob32.exe | 40
PID 2540 wrote to memory of 1616 | 2540 | Nfcfob32.exe | 40
PID 2540 wrote to memory of 1616 | 2540 | Nfcfob32.exe | 40
PID 2540 wrote to memory of 1616 | 2540 | Nfcfob32.exe | 40
PID 1616 wrote to memory of 1524 | 1616 | Olehbh32.exe | 41
PID 1616 wrote to memory of 1524 | 1616 | Olehbh32.exe | 41
PID 1616 wrote to memory of 1524 | 1616 | Olehbh32.exe | 41
PID 1616 wrote to memory of 1524 | 1616 | Olehbh32.exe | 41
PID 1524 wrote to memory of 1652 | 1524 | Oenmkngi.exe | 42
PID 1524 wrote to memory of 1652 | 1524 | Oenmkngi.exe | 42
PID 1524 wrote to memory of 1652 | 1524 | Oenmkngi.exe | 42
PID 1524 wrote to memory of 1652 | 1524 | Oenmkngi.exe | 42
PID 1652 wrote to memory of 2168 | 1652 | Oaiglnih.exe | 43
PID 1652 wrote to memory of 2168 | 1652 | Oaiglnih.exe | 43
PID 1652 wrote to memory of 2168 | 1652 | Oaiglnih.exe | 43
PID 1652 wrote to memory of 2168 | 1652 | Oaiglnih.exe | 43
PID 2168 wrote to memory of 972 | 2168 | Pfjiod32.exe | 44
PID 2168 wrote to memory of 972 | 2168 | Pfjiod32.exe | 44
PID 2168 wrote to memory of 972 | 2168 | Pfjiod32.exe | 44
PID 2168 wrote to memory of 972 | 2168 | Pfjiod32.exe | 44
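The 64 entries are 16 distinct writer/target pairs, each logged four times, and they line up one-to-one with the first seventeen processes of the tree below: every stage writes into the child it just spawned and then that child does the same. The Python below is an added example, not part of the report or of Triage: it parses events in this format, collapses the repeated calls per pair, follows writer to target from the root, and reports whether the result is a single straight chain, which is the shape to alert on rather than any one process name. Function names are my own, and SAMPLE is a constructed excerpt in which only the first two pairs keep all four repeated calls.

```python
# Added example (not from the sandbox report or from Triage): parse
# "wrote to memory of" events in the report's format, collapse the repeated
# calls per writer/target pair, and follow writer -> target from the root to
# see whether the result is one straight chain. Names are mine; SAMPLE is a
# constructed excerpt (only the first two pairs keep all four repeats).
import re
from collections import Counter, namedtuple

ROOT = "6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe"
SAMPLE = " ".join(
    [f"PID 840 wrote to memory of 1516 840 {ROOT} 29"] * 4
    + ["PID 1516 wrote to memory of 2860 1516 Kpblne32.exe 30"] * 4
    + [
        "PID 2860 wrote to memory of 2836 2860 Keodflee.exe 31",
        "PID 2836 wrote to memory of 2148 2836 Lgejidgn.exe 32",
    ]
)

Event = namedtuple("Event", "pid target_pid process target_procid")
# columns: description ("PID a wrote to memory of b"), pid, Process, procid_target
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_events(text):
    """All events in the text, whether one per line or run together on one line."""
    events = []
    for m in EVENT_RE.finditer(text):
        pid, target, pid_col, process, procid = m.groups()
        if pid != pid_col:  # the pid column must repeat the writer; skip torn rows
            continue
        events.append(Event(int(pid), int(target), process, int(procid)))
    return events


def call_counts(events):
    """How many WriteProcessMemory calls each writer made into each target."""
    return Counter((e.pid, e.target_pid) for e in events)


def edges(events):
    """Distinct (writer, target) pairs in first-seen order -> writer image name."""
    seen = {}
    for e in events:
        seen.setdefault((e.pid, e.target_pid), e.process)
    return seen


def pid_chain(events):
    """Follow writer -> target from the single root (a writer nobody wrote into).
    Stops at a fan-out or a loop; returns [] if there is not exactly one root."""
    links = {}
    for writer, target in edges(events):
        links.setdefault(writer, []).append(target)
    targets = {t for ts in links.values() for t in ts}
    roots = [w for w in links if w not in targets]
    if len(roots) != 1:
        return []
    chain, seen = [roots[0]], {roots[0]}
    while chain[-1] in links:
        nxt = links[chain[-1]]
        if len(nxt) != 1 or nxt[0] in seen:
            break
        chain.append(nxt[0])
        seen.add(nxt[0])
    return chain


def chain_names(events):
    """Image names along the chain (the last target never writes, so it has none)."""
    names, chain = edges(events), pid_chain(events)
    return [names[(a, b)] for a, b in zip(chain, chain[1:])]


def is_linear_chain(events, min_depth=3):
    """True when every pair lies on one root-to-leaf line at least min_depth deep."""
    chain = pid_chain(events)
    return len(chain) - 1 >= min_depth and len(edges(events)) == len(chain) - 1


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(" -> ".join(f"{name}({pid})" for pid, name in zip(pid_chain(evs), chain_names(evs))))
    for (writer, target), n in call_counts(evs).items():
        print(f"{writer} wrote into {target} {n} time(s)")
    print("single chain:", is_linear_chain(evs))
```

Feeding the full 64-entry list in gives a 17-PID chain with exactly four writes per link; the report does not say what those writes contain, so the detection keys on the shape (a freshly created child written into by its parent, repeated down a long line) rather than on the call count.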
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe", PID 840)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kpblne32.exe (command line: C:\Windows\system32\Kpblne32.exe, PID 1516)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Keodflee.exe (command line: C:\Windows\system32\Keodflee.exe, PID 2860)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lgejidgn.exe (command line: C:\Windows\system32\Lgejidgn.exe, PID 2836)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Lkccob32.exe (command line: C:\Windows\system32\Lkccob32.exe, PID 2148)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Lkepdbkb.exe (command line: C:\Windows\system32\Lkepdbkb.exe, PID 2880)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Mglpjc32.exe (command line: C:\Windows\system32\Mglpjc32.exe, PID 2772)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Mgomoboc.exe (command line: C:\Windows\system32\Mgomoboc.exe, PID 2472)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Mojaceln.exe (command line: C:\Windows\system32\Mojaceln.exe, PID 1916)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Mfhcknpf.exe (command line: C:\Windows\system32\Mfhcknpf.exe, PID 3048)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Nmkbfmpf.exe (command line: C:\Windows\system32\Nmkbfmpf.exe, PID 1532)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Nfcfob32.exe (command line: C:\Windows\system32\Nfcfob32.exe, PID 2540)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Olehbh32.exe (command line: C:\Windows\system32\Olehbh32.exe, PID 1616)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Oenmkngi.exe (command line: C:\Windows\system32\Oenmkngi.exe, PID 1524)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Oaiglnih.exe (command line: C:\Windows\system32\Oaiglnih.exe, PID 1652)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Pfjiod32.exe (command line: C:\Windows\system32\Pfjiod32.exe, PID 2168)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Pfaopc32.exe (command line: C:\Windows\system32\Pfaopc32.exe, PID 972)
  - Executes dropped EXE
  - Loads dropped DLL
18. C:\Windows\SysWOW64\Qomcdf32.exe (command line: C:\Windows\system32\Qomcdf32.exe, PID 1056)
  - Executes dropped EXE
  - Loads dropped DLL
19. C:\Windows\SysWOW64\Aoamoefh.exe (command line: C:\Windows\system32\Aoamoefh.exe, PID 1668)
  - Executes dropped EXE
  - Loads dropped DLL
20. C:\Windows\SysWOW64\Aabfqp32.exe (command line: C:\Windows\system32\Aabfqp32.exe, PID 1736)
  - Executes dropped EXE
  - Loads dropped DLL
21. C:\Windows\SysWOW64\Aniffaim.exe (command line: C:\Windows\system32\Aniffaim.exe, PID 2460)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
22. C:\Windows\SysWOW64\Ajpgkb32.exe (command line: C:\Windows\system32\Ajpgkb32.exe, PID 556)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
23. C:\Windows\SysWOW64\Bhgaan32.exe (command line: C:\Windows\system32\Bhgaan32.exe, PID 2268)
  - Executes dropped EXE
  - Loads dropped DLL
24. C:\Windows\SysWOW64\Bcmeogam.exe (command line: C:\Windows\system32\Bcmeogam.exe, PID 2792)
  - Executes dropped EXE
  - Loads dropped DLL
25. C:\Windows\SysWOW64\Bkjfhile.exe (command line: C:\Windows\system32\Bkjfhile.exe, PID 2856)
  - Executes dropped EXE
  - Loads dropped DLL
26. C:\Windows\SysWOW64\Bbdoec32.exe (command line: C:\Windows\system32\Bbdoec32.exe, PID 1604)
  - Executes dropped EXE
  - Loads dropped DLL
27. C:\Windows\SysWOW64\Cjfjjd32.exe (command line: C:\Windows\system32\Cjfjjd32.exe, PID 2988)
  - Executes dropped EXE
  - Loads dropped DLL
28. C:\Windows\SysWOW64\Cfmjoe32.exe (command line: C:\Windows\system32\Cfmjoe32.exe, PID 2748)
  - Executes dropped EXE
  - Loads dropped DLL
29. C:\Windows\SysWOW64\Dmllgo32.exe (command line: C:\Windows\system32\Dmllgo32.exe, PID 2848)
  - Executes dropped EXE
  - Loads dropped DLL
30. C:\Windows\SysWOW64\Dbidof32.exe (command line: C:\Windows\system32\Dbidof32.exe, PID 2812)
  - Executes dropped EXE
  - Loads dropped DLL
31. C:\Windows\SysWOW64\Dgemgm32.exe (command line: C:\Windows\system32\Dgemgm32.exe, PID 2660)
  - Executes dropped EXE
  - Loads dropped DLL
32. C:\Windows\SysWOW64\Danaqbgp.exe (command line: C:\Windows\system32\Danaqbgp.exe, PID 1660)
  - Executes dropped EXE
  - Loads dropped DLL
33. C:\Windows\SysWOW64\Dbmnjenb.exe (command line: C:\Windows\system32\Dbmnjenb.exe, PID 2784)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
34. C:\Windows\SysWOW64\Dlfbck32.exe (command line: C:\Windows\system32\Dlfbck32.exe, PID 2224)
  - Executes dropped EXE
35. C:\Windows\SysWOW64\Denglpkc.exe (command line: C:\Windows\system32\Denglpkc.exe, PID 3052)
  - Executes dropped EXE
36. C:\Windows\SysWOW64\Emilqb32.exe (command line: C:\Windows\system32\Emilqb32.exe, PID 2024)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
37. C:\Windows\SysWOW64\Ejmljg32.exe (command line: C:\Windows\system32\Ejmljg32.exe, PID 1296)
  - Executes dropped EXE
38. C:\Windows\SysWOW64\Ebhani32.exe (command line: C:\Windows\system32\Ebhani32.exe, PID 1704)
  - Executes dropped EXE
39. C:\Windows\SysWOW64\Emnelbdi.exe (command line: C:\Windows\system32\Emnelbdi.exe, PID 2452)
  - Executes dropped EXE
40. C:\Windows\SysWOW64\Ebkndibq.exe (command line: C:\Windows\system32\Ebkndibq.exe, PID 2096)
  - Executes dropped EXE
41. C:\Windows\SysWOW64\Elcbmn32.exe (command line: C:\Windows\system32\Elcbmn32.exe, PID 368)
  - Executes dropped EXE
  - Drops file in System32 directory
42. C:\Windows\SysWOW64\Eelfedpa.exe (command line: C:\Windows\system32\Eelfedpa.exe, PID 1220)
  - Executes dropped EXE
43. C:\Windows\SysWOW64\Eleobngo.exe (command line: C:\Windows\system32\Eleobngo.exe, PID 2516)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
44. C:\Windows\SysWOW64\Fijolbfh.exe (command line: C:\Windows\system32\Fijolbfh.exe, PID 1832)
  - Executes dropped EXE
45. C:\Windows\SysWOW64\Fbbcdh32.exe (command line: C:\Windows\system32\Fbbcdh32.exe, PID 112)
  - Executes dropped EXE
46. C:\Windows\SysWOW64\Fljhmmci.exe (command line: C:\Windows\system32\Fljhmmci.exe, PID 2688)
  - Executes dropped EXE
47. C:\Windows\SysWOW64\Fokaoh32.exe (command line: C:\Windows\system32\Fokaoh32.exe, PID 1756)
  - Executes dropped EXE
48. C:\Windows\SysWOW64\Fmpnpe32.exe (command line: C:\Windows\system32\Fmpnpe32.exe, PID 2060)
  - Executes dropped EXE
49. C:\Windows\SysWOW64\Figoefkf.exe (command line: C:\Windows\system32\Figoefkf.exe, PID 2256)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
50. C:\Windows\SysWOW64\Gcocnk32.exe (command line: C:\Windows\system32\Gcocnk32.exe, PID 1752)
  - Executes dropped EXE
51. C:\Windows\SysWOW64\Gmegkd32.exe (command line: C:\Windows\system32\Gmegkd32.exe, PID 2804)
52. C:\Windows\SysWOW64\Ggmldj32.exe (command line: C:\Windows\system32\Ggmldj32.exe, PID 2840)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
53. C:\Windows\SysWOW64\Gljdlq32.exe (command line: C:\Windows\system32\Gljdlq32.exe, PID 2912)
  - Executes dropped EXE
54. C:\Windows\SysWOW64\Gaiijgbi.exe (command line: C:\Windows\system32\Gaiijgbi.exe, PID 2312)
  - Executes dropped EXE
55. C:\Windows\SysWOW64\Glongpao.exe (command line: C:\Windows\system32\Glongpao.exe, PID 2736)
  - Executes dropped EXE
56. C:\Windows\SysWOW64\Gdjblboj.exe (command line: C:\Windows\system32\Gdjblboj.exe, PID 2588)
  - Executes dropped EXE
57. C:\Windows\SysWOW64\Hkfgnldd.exe (command line: C:\Windows\system32\Hkfgnldd.exe, PID 2416)
  - Executes dropped EXE
58. C:\Windows\SysWOW64\Hhjhgpcn.exe (command line: C:\Windows\system32\Hhjhgpcn.exe, PID 2196)
  - Executes dropped EXE
59. C:\Windows\SysWOW64\Hngppgae.exe (command line: C:\Windows\system32\Hngppgae.exe, PID 2352)
  - Executes dropped EXE
60. C:\Windows\SysWOW64\Hkkaik32.exe (command line: C:\Windows\system32\Hkkaik32.exe, PID 580)
  - Executes dropped EXE
61. C:\Windows\SysWOW64\Hdcebagp.exe (command line: C:\Windows\system32\Hdcebagp.exe, PID 540)
  - Executes dropped EXE
  - Modifies registry class
62. C:\Windows\SysWOW64\Hjpnjheg.exe (command line: C:\Windows\system32\Hjpnjheg.exe, PID 1984)
  - Executes dropped EXE
63. C:\Windows\SysWOW64\Igdndl32.exe (command line: C:\Windows\system32\Igdndl32.exe, PID 2348)
  - Executes dropped EXE
64. C:\Windows\SysWOW64\Ioochn32.exe (command line: C:\Windows\system32\Ioochn32.exe, PID 1744)
  - Executes dropped EXE
  - Modifies registry class
65. C:\Windows\SysWOW64\Ijegeg32.exe (command line: C:\Windows\system32\Ijegeg32.exe, PID 2672)
  - Executes dropped EXE
66. C:\Windows\SysWOW64\Icmlnmgb.exe (command line: C:\Windows\system32\Icmlnmgb.exe, PID 848)
  - Executes dropped EXE
67. C:\Windows\SysWOW64\Ikhqbo32.exe (command line: C:\Windows\system32\Ikhqbo32.exe, PID 660)
68. C:\Windows\SysWOW64\Igoagpja.exe (command line: C:\Windows\system32\Igoagpja.exe, PID 680)
69. C:\Windows\SysWOW64\Iecaad32.exe (command line: C:\Windows\system32\Iecaad32.exe, PID 2032)
70. C:\Windows\SysWOW64\Ijpjik32.exe (command line: C:\Windows\system32\Ijpjik32.exe, PID 1724)
71. C:\Windows\SysWOW64\Jgdkbo32.exe (command line: C:\Windows\system32\Jgdkbo32.exe, PID 920)
  - System Location Discovery: System Language Discovery
72. C:\Windows\SysWOW64\Jehklc32.exe (command line: C:\Windows\system32\Jehklc32.exe, PID 2372)
73. C:\Windows\SysWOW64\Jnppei32.exe (command line: C:\Windows\system32\Jnppei32.exe, PID 1740)
  - Modifies registry class
74. C:\Windows\SysWOW64\Jfkdik32.exe (command line: C:\Windows\system32\Jfkdik32.exe, PID 1596)
75. C:\Windows\SysWOW64\Kiojqfdp.exe (command line: C:\Windows\system32\Kiojqfdp.exe, PID 2868)
76. C:\Windows\SysWOW64\Keekeg32.exe (command line: C:\Windows\system32\Keekeg32.exe, PID 2408)
  - Modifies registry class
77. C:\Windows\SysWOW64\Kbikokin.exe (command line: C:\Windows\system32\Kbikokin.exe, PID 2716)
78. C:\Windows\SysWOW64\Khfcgbge.exe (command line: C:\Windows\system32\Khfcgbge.exe, PID 2612)
79. C:\Windows\SysWOW64\Kanhph32.exe (command line: C:\Windows\system32\Kanhph32.exe, PID 1292)
80. C:\Windows\SysWOW64\Kldlmqml.exe (command line: C:\Windows\system32\Kldlmqml.exe, PID 2960)
81. C:\Windows\SysWOW64\Lkkfdmpq.exe (command line: C:\Windows\system32\Lkkfdmpq.exe, PID 3040)
82. C:\Windows\SysWOW64\Lgbfin32.exe (command line: C:\Windows\system32\Lgbfin32.exe, PID 2896)
83. C:\Windows\SysWOW64\Licpki32.exe (command line: C:\Windows\system32\Licpki32.exe, PID 2504)
84. C:\Windows\SysWOW64\Lophcpam.exe (command line: C:\Windows\system32\Lophcpam.exe, PID 1160)
85. C:\Windows\SysWOW64\Lpodmb32.exe (command line: C:\Windows\system32\Lpodmb32.exe, PID 2080)
  - Modifies registry class
86. C:\Windows\SysWOW64\Lihifhoq.exe (command line: C:\Windows\system32\Lihifhoq.exe, PID 2412)
  - Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Mkiemqdo.exe (command line: C:\Windows\system32\Mkiemqdo.exe, PID 1944)
88. C:\Windows\SysWOW64\Meojkide.exe (command line: C:\Windows\system32\Meojkide.exe, PID 1640)
89. C:\Windows\SysWOW64\Mkkbcpbl.exe (command line: C:\Windows\system32\Mkkbcpbl.exe, PID 2000)
90. C:\Windows\SysWOW64\Meafpibb.exe (command line: C:\Windows\system32\Meafpibb.exe, PID 572)
91. C:\Windows\SysWOW64\Mgbcha32.exe (command line: C:\Windows\system32\Mgbcha32.exe, PID 1132)
92. C:\Windows\SysWOW64\Mahgejhf.exe (command line: C:\Windows\system32\Mahgejhf.exe, PID 1600)
93. C:\Windows\SysWOW64\Mgdpnqfn.exe (command line: C:\Windows\system32\Mgdpnqfn.exe, PID 2916)
94. C:\Windows\SysWOW64\Mdhpgeeg.exe (command line: C:\Windows\system32\Mdhpgeeg.exe, PID 2884)
  - Drops file in System32 directory
95. C:\Windows\SysWOW64\Mnqdpj32.exe (command line: C:\Windows\system32\Mnqdpj32.exe, PID 1676)
96. C:\Windows\SysWOW64\Mdkmld32.exe (command line: C:\Windows\system32\Mdkmld32.exe, PID 2092)
97. C:\Windows\SysWOW64\Nlfaag32.exe (command line: C:\Windows\system32\Nlfaag32.exe, PID 3036)
98. C:\Windows\SysWOW64\Ngkfnp32.exe (command line: C:\Windows\system32\Ngkfnp32.exe, PID 2064)
99. C:\Windows\SysWOW64\Nqdjge32.exe (command line: C:\Windows\system32\Nqdjge32.exe, PID 1812)
100. C:\Windows\SysWOW64\Njlopkmg.exe (command line: C:\Windows\system32\Njlopkmg.exe, PID 2240)
101. C:\Windows\SysWOW64\Ncdciq32.exe (command line: C:\Windows\system32\Ncdciq32.exe, PID 2432)
  - Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Nmmgafjh.exe (command line: C:\Windows\system32\Nmmgafjh.exe, PID 2604)
103. C:\Windows\SysWOW64\Nbjpjm32.exe (command line: C:\Windows\system32\Nbjpjm32.exe, PID 388)
  - Drops file in System32 directory
104. C:\Windows\SysWOW64\Nkbdbbop.exe (command line: C:\Windows\system32\Nkbdbbop.exe, PID 1816)
105. C:\Windows\SysWOW64\Odjikh32.exe (command line: C:\Windows\system32\Odjikh32.exe, PID 1472)
106. C:\Windows\SysWOW64\Ojgado32.exe (command line: C:\Windows\system32\Ojgado32.exe, PID 2384)
  - System Location Discovery: System Language Discovery
107. C:\Windows\SysWOW64\Oemfahcn.exe (command line: C:\Windows\system32\Oemfahcn.exe, PID 1388)
108. C:\Windows\SysWOW64\Onejjm32.exe (command line: C:\Windows\system32\Onejjm32.exe, PID 2456)
109. C:\Windows\SysWOW64\Onggom32.exe (command line: C:\Windows\system32\Onggom32.exe, PID 2608)
110. C:\Windows\SysWOW64\Ocdohdfc.exe (command line: C:\Windows\system32\Ocdohdfc.exe, PID 2768)
111. C:\Windows\SysWOW64\Ommdqi32.exe (command line: C:\Windows\system32\Ommdqi32.exe, PID 1020)
  - System Location Discovery: System Language Discovery
112. C:\Windows\SysWOW64\Pjqdjn32.exe (command line: C:\Windows\system32\Pjqdjn32.exe, PID 2764)
113. C:\Windows\SysWOW64\Plbaafak.exe (command line: C:\Windows\system32\Plbaafak.exe, PID 584)
114. C:\Windows\SysWOW64\Pfgeoo32.exe (command line: C:\Windows\system32\Pfgeoo32.exe, PID 1768)
115. C:\Windows\SysWOW64\Pppihdha.exe (command line: C:\Windows\system32\Pppihdha.exe, PID 976)
  - System Location Discovery: System Language Discovery
116. C:\Windows\SysWOW64\Pembpkfi.exe (command line: C:\Windows\system32\Pembpkfi.exe, PID 2548)
117. C:\Windows\SysWOW64\Ppbfmdfo.exe (command line: C:\Windows\system32\Ppbfmdfo.exe, PID 696)
  - System Location Discovery: System Language Discovery
118. C:\Windows\SysWOW64\Peooek32.exe (command line: C:\Windows\system32\Peooek32.exe, PID 1396)
  - Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Pbcooo32.exe (command line: C:\Windows\system32\Pbcooo32.exe, PID 1072)
120. C:\Windows\SysWOW64\Phphgf32.exe (command line: C:\Windows\system32\Phphgf32.exe, PID 2296)
121. C:\Windows\SysWOW64\Qhbdmeoe.exe (command line: C:\Windows\system32\Qhbdmeoe.exe, PID 2948)
  - Drops file in System32 directory
122. C:\Windows\SysWOW64\Qmomelml.exe (command line: C:\Windows\system32\Qmomelml.exe, PID 2832)