Analysis
-
max time kernel
92s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 09:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
30dd4d6b951c6ce9b717eb054b0921b207c1d6de188b11e005baea346c4df992.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
120 seconds
Behavioral task
behavioral2
Sample
30dd4d6b951c6ce9b717eb054b0921b207c1d6de188b11e005baea346c4df992.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
30dd4d6b951c6ce9b717eb054b0921b207c1d6de188b11e005baea346c4df992.exe
-
Size
335KB
-
MD5
783ce8dfb190afecd9ecd7b60e2e554e
-
SHA1
59b793fbaf3ce1f08cef13526ac0cdd4cfccd634
-
SHA256
30dd4d6b951c6ce9b717eb054b0921b207c1d6de188b11e005baea346c4df992
-
SHA512
b194db782550c75cc942b853546035cdf4d7d6963f3cd45a5b48891fe92fd4953c3a08816189962ed62f40e548f8236a7649381887e43980503adb6589f4536a
-
SSDEEP
6144:WnSU3IIXvLvwU/4qwvwU/4qvvwevwU/4q+vwk/4qh:zU
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpdfnolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblpgjha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poimpapp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdnbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohlqcagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmioc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndflak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcfggkac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdbhkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpcoefj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdjoane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpabni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaohcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljilqnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohpkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcgnbaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emmdom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhphmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 30dd4d6b951c6ce9b717eb054b0921b207c1d6de188b11e005baea346c4df992.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icdheded.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akkffkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmadco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdoacabq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgqlcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmlneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lekmnajj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oloahhki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oplfkeob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcjmel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onkidm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmihij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhpbfpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pemomqcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhgkmpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbpgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhilfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdickcpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injmcmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ennqfenp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnfjbdmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmiclo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkmdecbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnojho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefhlaie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Conanfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmjkic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdciiec.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2200 Acilajpk.exe 1680 Ahfdjanb.exe 5084 Aggegh32.exe 3348 Aihaoqlp.exe 2788 Aflaie32.exe 4376 Amfjeobf.exe 368 Aglnbhal.exe 3424 Bqdblmhl.exe 2864 Boipmj32.exe 2912 Biadeoce.exe 4356 Boklbi32.exe 1300 Bidqko32.exe 304 Bciehh32.exe 2604 Bmbiamhi.exe 908 Bggnof32.exe 1184 Cmdfgm32.exe 2404 Cflkpblf.exe 620 Ccqkigkp.exe 4000 Cimcan32.exe 1980 Ccchof32.exe 1192 Cippgm32.exe 3108 Cceddf32.exe 2900 Cibmlmeb.exe 3668 Cmniml32.exe 1172 Cffmfadl.exe 2748 Cjaifp32.exe 3320 Dmpfbk32.exe 2136 Dakacjdb.exe 2676 Dannij32.exe 4144 Dclkee32.exe 4720 Dcogje32.exe 428 Dfmcfp32.exe 3152 Djhpgofm.exe 3632 Dmglcj32.exe 4984 Dpehof32.exe 2292 Dinmhkke.exe 2256 Dmihij32.exe 3748 Ddcqedkk.exe 4284 Dfamapjo.exe 4844 Djmibn32.exe 3752 Eagaoh32.exe 4176 Epjajeqo.exe 4192 Ejpfhnpe.exe 2816 Emnbdioi.exe 1928 Edhjqc32.exe 4312 Ehcfaboo.exe 932 Eidbij32.exe 2752 Ealkjh32.exe 1916 Efhcbodf.exe 4112 Eigonjcj.exe 4848 Eangpgcl.exe 2728 Edmclccp.exe 1524 Efkphnbd.exe 4412 Eiildjag.exe 4264 Eaqdegaj.exe 3944 Edopabqn.exe 3628 Ehjlaaig.exe 960 Fmgejhgn.exe 3860 Fpeafcfa.exe 5060 Fhmigagd.exe 1224 Fkkeclfh.exe 528 Fmjaphek.exe 1716 Fphnlcdo.exe 2408 Fhofmq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nhhlki32.dll Qdoacabq.exe File created C:\Windows\SysWOW64\Dkndie32.exe Dgcihgaj.exe File created C:\Windows\SysWOW64\Cffpglpg.dll Lnpofnhk.exe File created C:\Windows\SysWOW64\Dqklch32.dll Pekbga32.exe File created C:\Windows\SysWOW64\Iljpij32.exe Ingpmmgm.exe File created C:\Windows\SysWOW64\Cdbcfp32.dll Jgbjbp32.exe File created C:\Windows\SysWOW64\Onnmdcjm.exe Ojbacd32.exe File created C:\Windows\SysWOW64\Dmkalh32.dll Fijkdmhn.exe File opened for modification C:\Windows\SysWOW64\Fnnjmbpm.exe Flpmagqi.exe File created C:\Windows\SysWOW64\Fdahdiml.dll Igajal32.exe File created C:\Windows\SysWOW64\Ccqkigkp.exe Cflkpblf.exe File opened for modification C:\Windows\SysWOW64\Lajagj32.exe Knkekn32.exe File created C:\Windows\SysWOW64\Ddhnoefl.dll Ohpkmn32.exe File created C:\Windows\SysWOW64\Bomkcm32.exe Bkaobnio.exe File created C:\Windows\SysWOW64\Fpbflg32.exe Fmcjpl32.exe File created C:\Windows\SysWOW64\Ahofoogd.exe Aphnnafb.exe File created C:\Windows\SysWOW64\Qaalblgi.exe Pocpfphe.exe File created C:\Windows\SysWOW64\Obgbikfp.dll Bahkih32.exe File created C:\Windows\SysWOW64\Bkaobnio.exe Bhbcfbjk.exe File opened for modification C:\Windows\SysWOW64\Kjffdalb.exe Kkcfid32.exe File opened for modification C:\Windows\SysWOW64\Kkhpdcab.exe Kenggi32.exe File created C:\Windows\SysWOW64\Pjglocmi.dll Lijlof32.exe File opened for modification C:\Windows\SysWOW64\Maodigil.exe Mnphmkji.exe File created C:\Windows\SysWOW64\Ddalgo32.dll Phaahggp.exe File created C:\Windows\SysWOW64\Jfegnkqm.dll Dfdpad32.exe File opened for modification C:\Windows\SysWOW64\Caageq32.exe Cnfkdb32.exe File created C:\Windows\SysWOW64\Ddgibkpc.exe Dahmfpap.exe File opened for modification C:\Windows\SysWOW64\Fmqgpgoc.exe Fkbkdkpp.exe File created C:\Windows\SysWOW64\Ingpmmgm.exe Hildmn32.exe File created C:\Windows\SysWOW64\Adkgje32.exe Aamknj32.exe File created C:\Windows\SysWOW64\Fmcjpl32.exe Felbnn32.exe File opened for modification C:\Windows\SysWOW64\Igajal32.exe Iojbpo32.exe File opened for modification C:\Windows\SysWOW64\Pmlfqh32.exe Pfandnla.exe File created C:\Windows\SysWOW64\Pcmdgodo.dll Cgnomg32.exe File created C:\Windows\SysWOW64\Bmofagfp.exe Bhcjqinf.exe File opened for modification C:\Windows\SysWOW64\Glengm32.exe Gjdaodja.exe File opened for modification C:\Windows\SysWOW64\Adfnofpd.exe Aednci32.exe File created C:\Windows\SysWOW64\Ifaciolc.dll Ebdcld32.exe File opened for modification C:\Windows\SysWOW64\Iepaaico.exe Ibaeen32.exe File created C:\Windows\SysWOW64\Eidbij32.exe Ehcfaboo.exe File opened for modification C:\Windows\SysWOW64\Fkkeclfh.exe Fhmigagd.exe File created C:\Windows\SysWOW64\Hijjli32.dll Kecabifp.exe File created C:\Windows\SysWOW64\Kljibbol.dll Bmofagfp.exe File opened for modification C:\Windows\SysWOW64\Ldipha32.exe Lmbhgd32.exe File created C:\Windows\SysWOW64\Ebggoi32.dll Bogkmgba.exe File opened for modification C:\Windows\SysWOW64\Cpbjkn32.exe Caojpaij.exe File created C:\Windows\SysWOW64\Fphnlcdo.exe Fmjaphek.exe File opened for modification C:\Windows\SysWOW64\Bfbaonae.exe Bcddcbab.exe File created C:\Windows\SysWOW64\Bgnagk32.dll Kqfngd32.exe File created C:\Windows\SysWOW64\Pfnmog32.dll Gifkpknp.exe File created C:\Windows\SysWOW64\Lbpflbpa.dll Ojajin32.exe File opened for modification C:\Windows\SysWOW64\Hdmoohbo.exe Hpabni32.exe File created C:\Windows\SysWOW64\Ekhobd32.dll Aoalgn32.exe File created C:\Windows\SysWOW64\Jeeobqbq.dll Dmcain32.exe File opened for modification C:\Windows\SysWOW64\Eigonjcj.exe Efhcbodf.exe File created C:\Windows\SysWOW64\Capqggce.dll Bljlfh32.exe File created C:\Windows\SysWOW64\Qdbpmock.dll Cbeapmll.exe File opened for modification C:\Windows\SysWOW64\Fdqfll32.exe Fpejlmcf.exe File created C:\Windows\SysWOW64\Bpcelk32.dll Gbdoof32.exe File created C:\Windows\SysWOW64\Jinboekc.exe Jcdjbk32.exe File created C:\Windows\SysWOW64\Palklf32.exe Pmpolgoi.exe File opened for modification C:\Windows\SysWOW64\Aednci32.exe Anmfbl32.exe File created C:\Windows\SysWOW64\Lhffmd32.dll Njkkbehl.exe File opened for modification C:\Windows\SysWOW64\Aoalgn32.exe Ahgcjddh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 18624 18520 WerFault.exe 1033 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmdme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmoijje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phonha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nimbkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciafbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmfjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njkkbehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdnei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bidqko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eangpgcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkhpdcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglbhhga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoiqneg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedlgbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmmni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igajal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahaceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnfjbdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcniglmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfeaopqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekodjiol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdlmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cponen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnhjcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajhndkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdecgbfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofalmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maeachag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqmkae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgdejd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oloahhki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejopl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coegoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cioilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblpgjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhkgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcbodf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlegnjbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmfplibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfgkffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffqhcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfaajnfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgjejhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdhiojo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmbhgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjokgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbicpfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiahnnph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lncjlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpomcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchlpfjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhkjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompfej32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbbdk32.dll" Hpabni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emhkdmlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkonq32.dll" Fmlneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meefofek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nognnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edopabqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfkkmmp.dll" Fibojhim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keimof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifhdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkdjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Illfdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coqncejg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqlefl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lajagj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nefped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll" Coqncejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jipegn32.dll" Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmifiap.dll" Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcpchlo.dll" Ieidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll" Jekqmhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbngpi32.dll" Cceddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lekmnajj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodolnaf.dll" Feoodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmjaphek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghdfilo.dll" Ecbjkngo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjdjoane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnmjjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckajh32.dll" Mmhgmmbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igpoaebh.dll" Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgcme32.dll" Bnhenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll" Aajhndkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdimqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacjadad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlnkmnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnlhc32.dll" Giinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpmfmao.dll" Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odnknc32.dll" Cmniml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkogiikb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cioilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodcb32.dll" Mnhdgpii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nocedmfn.dll" Lajagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnipccc.dll" Gkhkjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcpcdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omdppiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll" Qjfmkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkaicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npkjmfie.dll" Pcobaedj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdqegoi.dll" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboeai32.dll" Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfdlg32.dll" Aggegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgkpagl.dll" Kqbdldnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmpkadnm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3928 wrote to memory of 2200 3928 30dd4d6b951c6ce9b717eb054b0921b207c1d6de188b11e005baea346c4df992.exe 82 PID 3928 wrote to memory of 2200 3928 30dd4d6b951c6ce9b717eb054b0921b207c1d6de188b11e005baea346c4df992.exe 82 PID 3928 wrote to memory of 2200 3928 30dd4d6b951c6ce9b717eb054b0921b207c1d6de188b11e005baea346c4df992.exe 82 PID 2200 wrote to memory of 1680 2200 Acilajpk.exe 83 PID 2200 wrote to memory of 1680 2200 Acilajpk.exe 83 PID 2200 wrote to memory of 1680 2200 Acilajpk.exe 83 PID 1680 wrote to memory of 5084 1680 Ahfdjanb.exe 84 PID 1680 wrote to memory of 5084 1680 Ahfdjanb.exe 84 PID 1680 wrote to memory of 5084 1680 Ahfdjanb.exe 84 PID 5084 wrote to memory of 3348 5084 Aggegh32.exe 85 PID 5084 wrote to memory of 3348 5084 Aggegh32.exe 85 PID 5084 wrote to memory of 3348 5084 Aggegh32.exe 85 PID 3348 wrote to memory of 2788 3348 Aihaoqlp.exe 86 PID 3348 wrote to memory of 2788 3348 Aihaoqlp.exe 86 PID 3348 wrote to memory of 2788 3348 Aihaoqlp.exe 86 PID 2788 wrote to memory of 4376 2788 Aflaie32.exe 87 PID 2788 wrote to memory of 4376 2788 Aflaie32.exe 87 PID 2788 wrote to memory of 4376 2788 Aflaie32.exe 87 PID 4376 wrote to memory of 368 4376 Amfjeobf.exe 88 PID 4376 wrote to memory of 368 4376 Amfjeobf.exe 88 PID 4376 wrote to memory of 368 4376 Amfjeobf.exe 88 PID 368 wrote to memory of 3424 368 Aglnbhal.exe 89 PID 368 wrote to memory of 3424 368 Aglnbhal.exe 89 PID 368 wrote to memory of 3424 368 Aglnbhal.exe 89 PID 3424 wrote to memory of 2864 3424 Bqdblmhl.exe 90 PID 3424 wrote to memory of 2864 3424 Bqdblmhl.exe 90 PID 3424 wrote to memory of 2864 3424 Bqdblmhl.exe 90 PID 2864 wrote to memory of 2912 2864 Boipmj32.exe 91 PID 2864 wrote to memory of 2912 2864 Boipmj32.exe 91 PID 2864 wrote to memory of 2912 2864 Boipmj32.exe 91 PID 2912 wrote to memory of 4356 2912 Biadeoce.exe 92 PID 2912 wrote to memory of 4356 2912 Biadeoce.exe 92 PID 2912 wrote to memory of 4356 2912 Biadeoce.exe 92 PID 4356 wrote to memory of 1300 4356 Boklbi32.exe 93 PID 4356 wrote to memory of 1300 4356 Boklbi32.exe 93 PID 4356 wrote to memory of 1300 4356 Boklbi32.exe 93 PID 1300 wrote to memory of 304 1300 Bidqko32.exe 94 PID 1300 wrote to memory of 304 1300 Bidqko32.exe 94 PID 1300 wrote to memory of 304 1300 Bidqko32.exe 94 PID 304 wrote to memory of 2604 304 Bciehh32.exe 95 PID 304 wrote to memory of 2604 304 Bciehh32.exe 95 PID 304 wrote to memory of 2604 304 Bciehh32.exe 95 PID 2604 wrote to memory of 908 2604 Bmbiamhi.exe 96 PID 2604 wrote to memory of 908 2604 Bmbiamhi.exe 96 PID 2604 wrote to memory of 908 2604 Bmbiamhi.exe 96 PID 908 wrote to memory of 1184 908 Bggnof32.exe 97 PID 908 wrote to memory of 1184 908 Bggnof32.exe 97 PID 908 wrote to memory of 1184 908 Bggnof32.exe 97 PID 1184 wrote to memory of 2404 1184 Cmdfgm32.exe 98 PID 1184 wrote to memory of 2404 1184 Cmdfgm32.exe 98 PID 1184 wrote to memory of 2404 1184 Cmdfgm32.exe 98 PID 2404 wrote to memory of 620 2404 Cflkpblf.exe 99 PID 2404 wrote to memory of 620 2404 Cflkpblf.exe 99 PID 2404 wrote to memory of 620 2404 Cflkpblf.exe 99 PID 620 wrote to memory of 4000 620 Ccqkigkp.exe 100 PID 620 wrote to memory of 4000 620 Ccqkigkp.exe 100 PID 620 wrote to memory of 4000 620 Ccqkigkp.exe 100 PID 4000 wrote to memory of 1980 4000 Cimcan32.exe 101 PID 4000 wrote to memory of 1980 4000 Cimcan32.exe 101 PID 4000 wrote to memory of 1980 4000 Cimcan32.exe 101 PID 1980 wrote to memory of 1192 1980 Ccchof32.exe 102 PID 1980 wrote to memory of 1192 1980 Ccchof32.exe 102 PID 1980 wrote to memory of 1192 1980 Ccchof32.exe 102 PID 1192 wrote to memory of 3108 1192 Cippgm32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\30dd4d6b951c6ce9b717eb054b0921b207c1d6de188b11e005baea346c4df992.exe"C:\Users\Admin\AppData\Local\Temp\30dd4d6b951c6ce9b717eb054b0921b207c1d6de188b11e005baea346c4df992.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe24⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3668 -
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe26⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe27⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe28⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe29⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe30⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe31⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe32⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe33⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe34⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe35⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe36⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe37⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe39⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe40⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe41⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe42⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe43⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe44⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe45⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe46⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4312 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe48⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe49⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe51⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4848 -
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe53⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe54⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe55⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe56⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3944 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe58⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe59⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe60⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5060 -
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe62⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:528 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe64⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe65⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe66⤵PID:912
-
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4504 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe68⤵PID:3472
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe69⤵PID:420
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe70⤵
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe71⤵PID:4368
-
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe72⤵PID:2172
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe73⤵
- Drops file in System32 directory
PID:4272 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe74⤵PID:2332
-
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe75⤵PID:920
-
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe76⤵PID:3284
-
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe77⤵PID:4972
-
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe78⤵PID:2056
-
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe79⤵PID:2140
-
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe80⤵PID:628
-
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe81⤵
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe82⤵PID:2440
-
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe83⤵PID:2080
-
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe84⤵PID:1456
-
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe85⤵PID:4964
-
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe86⤵PID:2240
-
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe87⤵
- System Location Discovery: System Language Discovery
PID:4488 -
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe88⤵PID:3364
-
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe89⤵PID:1976
-
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1276 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe92⤵PID:376
-
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe93⤵PID:4588
-
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe94⤵PID:988
-
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe95⤵PID:2488
-
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe96⤵PID:1988
-
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe97⤵PID:1324
-
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe98⤵PID:3368
-
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe99⤵PID:4332
-
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe100⤵PID:4184
-
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe101⤵PID:1964
-
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe102⤵PID:2456
-
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe103⤵PID:3448
-
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3208 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe105⤵PID:5076
-
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe106⤵PID:1560
-
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe107⤵PID:616
-
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe108⤵PID:4056
-
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe109⤵PID:4820
-
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe110⤵PID:3288
-
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe111⤵PID:2084
-
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe112⤵PID:2632
-
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe113⤵
- Modifies registry class
PID:440 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe114⤵
- Modifies registry class
PID:3344 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3412 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe116⤵PID:5132
-
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe117⤵PID:5172
-
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe118⤵
- Drops file in System32 directory
PID:5216 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe119⤵PID:5252
-
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe120⤵PID:5300
-
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe121⤵PID:5340
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-