Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 20:16

Static task: static1
Behavioral task: behavioral1
Sample: 1be5b7526e6c4bce79bc3fb2bed777ddbed2dfb6c9ecab94e82c5e5979a5505d.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 1be5b7526e6c4bce79bc3fb2bed777ddbed2dfb6c9ecab94e82c5e5979a5505d.exe
Resource: win10v2004-20241007-en

General
Target: 1be5b7526e6c4bce79bc3fb2bed777ddbed2dfb6c9ecab94e82c5e5979a5505d.exe
Size: 90KB
MD5: 93f79d6ab91ee6e8e8fcf264c11e3524
SHA1: f8b76d2ca184237e11626117b65c016c2e4cb740
SHA256: 1be5b7526e6c4bce79bc3fb2bed777ddbed2dfb6c9ecab94e82c5e5979a5505d
SHA512: d3c6cc5648a9dde11c1f34b67ce1587026221022a3ff462c55c33621e43c45cfc512c2edacb7081d509d7baca479df9184a5319e7ff7272f31951bd185beb105
SSDEEP: 1536:RGUl7AtclMz1LR66hYVk3xd0tBfgXMFChDUPhWF9e79qJiifEG3u/Ub0VkVNp:J7UDBL2K3XMFCChWF9C9AMG3u/Ub0+Np

Malware Config
Extracted
Family: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by: 1be5b7526e6c4bce79bc3fb2bed777ddbed2dfb6c9ecab94e82c5e5979a5505d.exe, Ccmgiaig.exe, Igdnabjh.exe, Emoadlfo.exe, Fpjcgm32.exe, Pefabkej.exe, Fihnomjp.exe, Oklkdi32.exe,
      Bcddcbab.exe, Lndagg32.exe, Nfohgqlg.exe, Neoieenp.exe, Ckclhn32.exe, Knooej32.exe, Gojiiafp.exe, Cbgnemjj.exe, Bnlhncgi.exe, Qfkqjmdg.exe, Qaqegecm.exe,
      Bpkdjofm.exe, Chkobkod.exe, Eiaoid32.exe, Idfaefkd.exe, Eokqkh32.exe, Emanjldl.exe, Dngjff32.exe, Lnldla32.exe, Hplbickp.exe, Pakllc32.exe, Bfbaonae.exe,
      Fbcfhibj.exe, Lcdciiec.exe, Ahmjjoig.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
  by: Mepfiq32.exe, Qjiipk32.exe, Bomkcm32.exe, Flfkkhid.exe, Fligqhga.exe, Pjpfjl32.exe, Llmhaold.exe, Gjfnedho.exe, Maiccajf.exe, Mnegbp32.exe, Aagkhd32.exe,
      Ikkpgafg.exe, Nccokk32.exe, Cndeii32.exe, Oemefcap.exe, Chiigadc.exe, Pcepkfld.exe, Bbiado32.exe, Fpbmfn32.exe, Njpdnedf.exe, Iedjmioj.exe, Ebdcld32.exe,
      Jcdjbk32.exe, Ibfnqmpf.exe, Ioolkncg.exe, Ebhglj32.exe, Hlcjhkdp.exe, Adfnofpd.exe, Cnfaohbj.exe, Nnhmnn32.exe, Omdppiif.exe
Berbew family

Executes dropped EXE (64 IoCs)
pid | Process
4504 | Iqpfjnba.exe
2616 | Ihgnkkbd.exe
4868 | Indfca32.exe
4720 | Jdnoplhh.exe
2068 | Jglklggl.exe
3984 | Jnfcia32.exe
1484 | Jdpkflfe.exe
1676 | Jjmcnbdm.exe
4256 | Jqglkmlj.exe
5088 | Jgadgf32.exe
3108 | Jnkldqkc.exe
2436 | Jbfheo32.exe
968 | Jgcamf32.exe
3380 | Jkomneim.exe
4688 | Jnmijq32.exe
1280 | Jqlefl32.exe
220 | Jgenbfoa.exe
1800 | Kqnbkl32.exe
2736 | Kiejmi32.exe
3912 | Kjffdalb.exe
4920 | Kqpoakco.exe
4440 | Kgjgne32.exe
688 | Kjhcjq32.exe
4604 | Kndojobi.exe
1480 | Kqbkfkal.exe
3788 | Kenggi32.exe
3720 | Kgmcce32.exe
4424 | Kjkpoq32.exe
3260 | Knflpoqf.exe
1212 | Kgopidgf.exe
3476 | Kjmmepfj.exe
184 | Kniieo32.exe
2904 | Kgamnded.exe
4716 | Kjpijpdg.exe
2504 | Lajagj32.exe
3004 | Lkofdbkj.exe
2396 | Lalnmiia.exe
548 | Lkabjbih.exe
3216 | Lejgch32.exe
3148 | Ljgpkonp.exe
4828 | Laqhhi32.exe
5020 | Lgkpdcmi.exe
2544 | Lbpdblmo.exe
2992 | Llhikacp.exe
2892 | Maeachag.exe
3684 | Mlkepaam.exe
3688 | Mecjif32.exe
5076 | Majjng32.exe
1148 | Mhdckaeo.exe
1376 | Mbighjdd.exe
4956 | Mhfppabl.exe
2020 | Mnphmkji.exe
3704 | Mldhfpib.exe
2524 | Nbnpcj32.exe
4296 | Nemmoe32.exe
4900 | Nhkikq32.exe
396 | Neoieenp.exe
1032 | Nafjjf32.exe
4896 | Nlkngo32.exe
3740 | Nbefdijg.exe
1272 | Nhbolp32.exe
4616 | Nbgcih32.exe
5048 | Niakfbpa.exe
1596 | Objpoh32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Eiaoid32.exe | Efccmidp.exe
File created | C:\Windows\SysWOW64\Jjlmclqa.exe | Jcbdgb32.exe
File opened for modification | C:\Windows\SysWOW64\Nagpeo32.exe | Nmlddqem.exe
File created | C:\Windows\SysWOW64\Bojomm32.exe | Bllbaa32.exe
File created | C:\Windows\SysWOW64\Jdokpl32.dll | Mnphmkji.exe
File created | C:\Windows\SysWOW64\Oampjeml.exe | Objpoh32.exe
File created | C:\Windows\SysWOW64\Cjliajmo.exe | Cfqmpl32.exe
File created | C:\Windows\SysWOW64\Ljfhqh32.exe | Lggldm32.exe
File created | C:\Windows\SysWOW64\Ibkgme32.dll | Omgcpokp.exe
File opened for modification | C:\Windows\SysWOW64\Ilnbicff.exe | Iedjmioj.exe
File created | C:\Windows\SysWOW64\Ljnlecmp.exe | Lcdciiec.exe
File opened for modification | C:\Windows\SysWOW64\Kndojobi.exe | Kjhcjq32.exe
File opened for modification | C:\Windows\SysWOW64\Maeachag.exe | Llhikacp.exe
File created | C:\Windows\SysWOW64\Aajhndkb.exe | Akpoaj32.exe
File opened for modification | C:\Windows\SysWOW64\Ckjknfnh.exe | Chkobkod.exe
File opened for modification | C:\Windows\SysWOW64\Ccmgiaig.exe | Cmcolgbj.exe
File created | C:\Windows\SysWOW64\Ckclhn32.exe | Bdickcpo.exe
File created | C:\Windows\SysWOW64\Ikjllm32.dll | Onmfimga.exe
File opened for modification | C:\Windows\SysWOW64\Agimkk32.exe | Adkqoohc.exe
File opened for modification | C:\Windows\SysWOW64\Qkjgegae.exe | Pemomqcn.exe
File opened for modification | C:\Windows\SysWOW64\Lmdnbn32.exe | Lfjfecno.exe
File created | C:\Windows\SysWOW64\Nagpeo32.exe | Nmlddqem.exe
File opened for modification | C:\Windows\SysWOW64\Eokqkh32.exe | Eiahnnph.exe
File opened for modification | C:\Windows\SysWOW64\Hiipmhmk.exe | Hfjdqmng.exe
File opened for modification | C:\Windows\SysWOW64\Qmgelf32.exe | Qjiipk32.exe
File created | C:\Windows\SysWOW64\Bpfkpp32.exe | Boenhgdd.exe
File created | C:\Windows\SysWOW64\Fbajbi32.exe | Fpbmfn32.exe
File created | C:\Windows\SysWOW64\Ooaafghm.dll | Hpcodihc.exe
File created | C:\Windows\SysWOW64\Effkpc32.dll | Cfkmkf32.exe
File opened for modification | C:\Windows\SysWOW64\Hfjdqmng.exe | Hoclopne.exe
File created | C:\Windows\SysWOW64\Kniieo32.exe | Kjmmepfj.exe
File created | C:\Windows\SysWOW64\Gkbndlfi.dll | Cmcolgbj.exe
File created | C:\Windows\SysWOW64\Dafipibl.dll | Jcdala32.exe
File created | C:\Windows\SysWOW64\Ngndaccj.exe | Npgmpf32.exe
File created | C:\Windows\SysWOW64\Fdflahpe.dll | Bokehc32.exe
File created | C:\Windows\SysWOW64\Fhgebmil.dll | Ccmgiaig.exe
File opened for modification | C:\Windows\SysWOW64\Flkdfh32.exe | Fealin32.exe
File created | C:\Windows\SysWOW64\Ignlbcmf.dll | Jcfggkac.exe
File opened for modification | C:\Windows\SysWOW64\Oelolmnd.exe | Oobfob32.exe
File created | C:\Windows\SysWOW64\Emjgim32.exe | Ebdcld32.exe
File created | C:\Windows\SysWOW64\Manmoq32.exe | Mjdebfnd.exe
File opened for modification | C:\Windows\SysWOW64\Mogcihaj.exe | Mnegbp32.exe
File opened for modification | C:\Windows\SysWOW64\Mcgiefen.exe | Mqimikfj.exe
File created | C:\Windows\SysWOW64\Ljeffhcd.dll | Hmechmip.exe
File created | C:\Windows\SysWOW64\Kbgbpn32.dll | Mgaokl32.exe
File created | C:\Windows\SysWOW64\Jfhepbll.dll | Dpnkdq32.exe
File created | C:\Windows\SysWOW64\Mkjnfkma.exe | Mepfiq32.exe
File created | C:\Windows\SysWOW64\Cjgjmg32.dll | Hmmfmhll.exe
File created | C:\Windows\SysWOW64\Eehmok32.dll | Qaqegecm.exe
File created | C:\Windows\SysWOW64\Feaabknn.dll | Poomegpf.exe
File opened for modification | C:\Windows\SysWOW64\Bhoqeibl.exe | Bfpdin32.exe
File opened for modification | C:\Windows\SysWOW64\Ncofplba.exe | Nmenca32.exe
File opened for modification | C:\Windows\SysWOW64\Qdbdcg32.exe | Qachgk32.exe
File created | C:\Windows\SysWOW64\Ckjinf32.dll | Gppcmeem.exe
File created | C:\Windows\SysWOW64\Fclbolkk.dll | Jdpkflfe.exe
File opened for modification | C:\Windows\SysWOW64\Oekiqccc.exe | Okedcjcm.exe
File opened for modification | C:\Windows\SysWOW64\Njfkmphe.exe | Nggnadib.exe
File created | C:\Windows\SysWOW64\Kgamnded.exe | Kniieo32.exe
File created | C:\Windows\SysWOW64\Dikihe32.exe | Dbqqkkbo.exe
File created | C:\Windows\SysWOW64\Mmddqemj.dll | Ojigdcll.exe
File created | C:\Windows\SysWOW64\Khliclno.dll | Plbfdekd.exe
File created | C:\Windows\SysWOW64\Almoijfo.dll | Knenkbio.exe
File created | C:\Windows\SysWOW64\Chiblk32.exe | Cpbjkn32.exe
File created | C:\Windows\SysWOW64\Djaiilmd.dll | Lalnmiia.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
14400 | 13872 | WerFault.exe | 753
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by: Qdbdcg32.exe, Lmaamn32.exe, Cfcjfk32.exe, Bhoqeibl.exe, Dbndfl32.exe, Pdfehh32.exe, Dngjff32.exe, Fechomko.exe, Lcnfohmi.exe, Qobhkjdi.exe, Pkhjph32.exe,
      Pkadoiip.exe, Qljcoj32.exe, Gbfldf32.exe, Hkbmqb32.exe, Ljfhqh32.exe, Pecellgl.exe, Gnepna32.exe, Mhdckaeo.exe, Mfnoqc32.exe, Mjkblhfo.exe, Flpmagqi.exe,
      Lalnmiia.exe, Cbgnemjj.exe, Dbpjaeoc.exe, Iefgbh32.exe, Kniieo32.exe, Fpjcgm32.exe, Aamknj32.exe, Cdlqqcnl.exe, Fbbpmb32.exe, Kodnmkap.exe, Boenhgdd.exe,
      Oampjeml.exe, Knooej32.exe, Kgkfnh32.exe, Lgkpdcmi.exe, Popbpqjh.exe, Emoadlfo.exe, Jcdjbk32.exe, Npiiffqe.exe, Oabhfg32.exe, Qohpkf32.exe, Mmnhcb32.exe,
      Ahpmjejp.exe, Eiahnnph.exe, Flqdlnde.exe, Bpkdjofm.exe, Jcdala32.exe, Lmgabcge.exe, Aggpfkjj.exe, Ahjgjj32.exe, Cohkokgj.exe, Hbjoeojc.exe, Ibfnqmpf.exe,
      Komhll32.exe, Phonha32.exe, Pldcjeia.exe, Enkdaepb.exe, Kpcjgnhb.exe, Lpfgmnfp.exe, Ddgplado.exe, Qklmpalf.exe, Bomkcm32.exe
Modifies registry class (64 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
  by: Kiejmi32.exe, Kmfhkf32.exe, Dkokcl32.exe, Jdpkflfe.exe, Kjmmepfj.exe, Lmdnbn32.exe, Kclgmq32.exe, Oemefcap.exe, Ljceqb32.exe, Qobhkjdi.exe, Pkadoiip.exe,
      Kdpmbc32.exe, Plpjoe32.exe, Iedjmioj.exe, Kgnbdh32.exe, Lajagj32.exe, Bmabggdm.exe, Eokqkh32.exe, Kjhcjq32.exe, Oklkdi32.exe, Nmenca32.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
  by: Kjpijpdg.exe, Mnmdme32.exe, Kndojobi.exe, Hibafp32.exe, Ipflihfq.exe, Pmpolgoi.exe, Aafemk32.exe, Llmhaold.exe, Naecop32.exe, Lkofdbkj.exe, Jenmcggo.exe,
      Indfca32.exe, Oekiqccc.exe, Jnlbojee.exe, Odmbaj32.exe, Mglfplgk.exe, Cdlqqcnl.exe, Ahmjjoig.exe, Lgepom32.exe, Nmnqjp32.exe, Bddjpd32.exe, Camddhoi.exe,
      Lnohlgep.exe, Oelolmnd.exe, Eiloco32.exe, Adfnofpd.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (default) = DLL path
  value | Process
  "C:\\Windows\\SysWow64\\Kghfphob.dll" | Ipoheakj.exe
  "C:\\Windows\\SysWow64\\Hfombjbg.dll" | Kjpijpdg.exe
  "C:\\Windows\\SysWow64\\Gcgplk32.dll" | Adfgdpmi.exe
  "C:\\Windows\\SysWow64\\Pghien32.dll" | Chiblk32.exe
  "C:\\Windows\\SysWow64\\Dcdcmh32.dll" | Fmpqfq32.exe
  "C:\\Windows\\SysWow64\\Effkpc32.dll" | Cfkmkf32.exe
  "C:\\Windows\\SysWow64\\Fphppfgi.dll" | Kndojobi.exe
  "C:\\Windows\\SysWow64\\Pdbeojmh.dll" | Mnjqmpgg.exe
  "C:\\Windows\\SysWow64\\Ioqgiibk.dll" | Hcblpdgg.exe
  "C:\\Windows\\SysWow64\\Hiebgmkm.dll" | Qjiipk32.exe
  "C:\\Windows\\SysWow64\\Dbkjdh32.dll" | Ajndioga.exe
  "C:\\Windows\\SysWow64\\Bfkegm32.dll" | Mjahlgpf.exe
  "C:\\Windows\\SysWow64\\Hffpdd32.dll" | Popbpqjh.exe
  "C:\\Windows\\SysWow64\\Aoqqpnlk.dll" | Chiigadc.exe
  "C:\\Windows\\SysWow64\\Apoigbgj.dll" | Iphioh32.exe
  "C:\\Windows\\SysWow64\\Bpcelk32.dll" | Gljgbllj.exe
  "C:\\Windows\\SysWow64\\Lebcnn32.dll" | Oelolmnd.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2500 wrote to memory of 4504 | 2500 | 1be5b7526e6c4bce79bc3fb2bed777ddbed2dfb6c9ecab94e82c5e5979a5505d.exe | 83
PID 2500 wrote to memory of 4504 | 2500 | 1be5b7526e6c4bce79bc3fb2bed777ddbed2dfb6c9ecab94e82c5e5979a5505d.exe | 83
PID 2500 wrote to memory of 4504 | 2500 | 1be5b7526e6c4bce79bc3fb2bed777ddbed2dfb6c9ecab94e82c5e5979a5505d.exe | 83
PID 4504 wrote to memory of 2616 | 4504 | Iqpfjnba.exe | 84
PID 4504 wrote to memory of 2616 | 4504 | Iqpfjnba.exe | 84
PID 4504 wrote to memory of 2616 | 4504 | Iqpfjnba.exe | 84
PID 2616 wrote to memory of 4868 | 2616 | Ihgnkkbd.exe | 85
PID 2616 wrote to memory of 4868 | 2616 | Ihgnkkbd.exe | 85
PID 2616 wrote to memory of 4868 | 2616 | Ihgnkkbd.exe | 85
PID 4868 wrote to memory of 4720 | 4868 | Indfca32.exe | 86
PID 4868 wrote to memory of 4720 | 4868 | Indfca32.exe | 86
PID 4868 wrote to memory of 4720 | 4868 | Indfca32.exe | 86
PID 4720 wrote to memory of 2068 | 4720 | Jdnoplhh.exe | 87
PID 4720 wrote to memory of 2068 | 4720 | Jdnoplhh.exe | 87
PID 4720 wrote to memory of 2068 | 4720 | Jdnoplhh.exe | 87
PID 2068 wrote to memory of 3984 | 2068 | Jglklggl.exe | 88
PID 2068 wrote to memory of 3984 | 2068 | Jglklggl.exe | 88
PID 2068 wrote to memory of 3984 | 2068 | Jglklggl.exe | 88
PID 3984 wrote to memory of 1484 | 3984 | Jnfcia32.exe | 89
PID 3984 wrote to memory of 1484 | 3984 | Jnfcia32.exe | 89
PID 3984 wrote to memory of 1484 | 3984 | Jnfcia32.exe | 89
PID 1484 wrote to memory of 1676 | 1484 | Jdpkflfe.exe | 90
PID 1484 wrote to memory of 1676 | 1484 | Jdpkflfe.exe | 90
PID 1484 wrote to memory of 1676 | 1484 | Jdpkflfe.exe | 90
PID 1676 wrote to memory of 4256 | 1676 | Jjmcnbdm.exe | 91
PID 1676 wrote to memory of 4256 | 1676 | Jjmcnbdm.exe | 91
PID 1676 wrote to memory of 4256 | 1676 | Jjmcnbdm.exe | 91
PID 4256 wrote to memory of 5088 | 4256 | Jqglkmlj.exe | 92
PID 4256 wrote to memory of 5088 | 4256 | Jqglkmlj.exe | 92
PID 4256 wrote to memory of 5088 | 4256 | Jqglkmlj.exe | 92
PID 5088 wrote to memory of 3108 | 5088 | Jgadgf32.exe | 93
PID 5088 wrote to memory of 3108 | 5088 | Jgadgf32.exe | 93
PID 5088 wrote to memory of 3108 | 5088 | Jgadgf32.exe | 93
PID 3108 wrote to memory of 2436 | 3108 | Jnkldqkc.exe | 94
PID 3108 wrote to memory of 2436 | 3108 | Jnkldqkc.exe | 94
PID 3108 wrote to memory of 2436 | 3108 | Jnkldqkc.exe | 94
PID 2436 wrote to memory of 968 | 2436 | Jbfheo32.exe | 95
PID 2436 wrote to memory of 968 | 2436 | Jbfheo32.exe | 95
PID 2436 wrote to memory of 968 | 2436 | Jbfheo32.exe | 95
PID 968 wrote to memory of 3380 | 968 | Jgcamf32.exe | 96
PID 968 wrote to memory of 3380 | 968 | Jgcamf32.exe | 96
PID 968 wrote to memory of 3380 | 968 | Jgcamf32.exe | 96
PID 3380 wrote to memory of 4688 | 3380 | Jkomneim.exe | 97
PID 3380 wrote to memory of 4688 | 3380 | Jkomneim.exe | 97
PID 3380 wrote to memory of 4688 | 3380 | Jkomneim.exe | 97
PID 4688 wrote to memory of 1280 | 4688 | Jnmijq32.exe | 98
PID 4688 wrote to memory of 1280 | 4688 | Jnmijq32.exe | 98
PID 4688 wrote to memory of 1280 | 4688 | Jnmijq32.exe | 98
PID 1280 wrote to memory of 220 | 1280 | Jqlefl32.exe | 99
PID 1280 wrote to memory of 220 | 1280 | Jqlefl32.exe | 99
PID 1280 wrote to memory of 220 | 1280 | Jqlefl32.exe | 99
PID 220 wrote to memory of 1800 | 220 | Jgenbfoa.exe | 100
PID 220 wrote to memory of 1800 | 220 | Jgenbfoa.exe | 100
PID 220 wrote to memory of 1800 | 220 | Jgenbfoa.exe | 100
PID 1800 wrote to memory of 2736 | 1800 | Kqnbkl32.exe | 101
PID 1800 wrote to memory of 2736 | 1800 | Kqnbkl32.exe | 101
PID 1800 wrote to memory of 2736 | 1800 | Kqnbkl32.exe | 101
PID 2736 wrote to memory of 3912 | 2736 | Kiejmi32.exe | 102
PID 2736 wrote to memory of 3912 | 2736 | Kiejmi32.exe | 102
PID 2736 wrote to memory of 3912 | 2736 | Kiejmi32.exe | 102
PID 3912 wrote to memory of 4920 | 3912 | Kjffdalb.exe | 103
PID 3912 wrote to memory of 4920 | 3912 | Kjffdalb.exe | 103
PID 3912 wrote to memory of 4920 | 3912 | Kjffdalb.exe | 103
PID 4920 wrote to memory of 4440 | 4920 | Kqpoakco.exe | 104
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\1be5b7526e6c4bce79bc3fb2bed777ddbed2dfb6c9ecab94e82c5e5979a5505d.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1be5b7526e6c4bce79bc3fb2bed777ddbed2dfb6c9ecab94e82c5e5979a5505d.exe") PID:2500
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\SysWOW64\Iqpfjnba.exe (command line: C:\Windows\system32\Iqpfjnba.exe) PID:4504
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\Ihgnkkbd.exe (command line: C:\Windows\system32\Ihgnkkbd.exe) PID:2616
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\SysWOW64\Indfca32.exe (command line: C:\Windows\system32\Indfca32.exe) PID:4868
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\SysWOW64\Jdnoplhh.exe (command line: C:\Windows\system32\Jdnoplhh.exe) PID:4720
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\SysWOW64\Jglklggl.exe (command line: C:\Windows\system32\Jglklggl.exe) PID:2068
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\SysWOW64\Jnfcia32.exe (command line: C:\Windows\system32\Jnfcia32.exe) PID:3984
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\SysWOW64\Jdpkflfe.exe (command line: C:\Windows\system32\Jdpkflfe.exe) PID:1484
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\SysWOW64\Jjmcnbdm.exe (command line: C:\Windows\system32\Jjmcnbdm.exe) PID:1676
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\SysWOW64\Jqglkmlj.exe (command line: C:\Windows\system32\Jqglkmlj.exe) PID:4256
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 11] C:\Windows\SysWOW64\Jgadgf32.exe (command line: C:\Windows\system32\Jgadgf32.exe) PID:5088
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 12] C:\Windows\SysWOW64\Jnkldqkc.exe (command line: C:\Windows\system32\Jnkldqkc.exe) PID:3108
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 13] C:\Windows\SysWOW64\Jbfheo32.exe (command line: C:\Windows\system32\Jbfheo32.exe) PID:2436
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 14] C:\Windows\SysWOW64\Jgcamf32.exe (command line: C:\Windows\system32\Jgcamf32.exe) PID:968
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 15] C:\Windows\SysWOW64\Jkomneim.exe (command line: C:\Windows\system32\Jkomneim.exe) PID:3380
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 16] C:\Windows\SysWOW64\Jnmijq32.exe (command line: C:\Windows\system32\Jnmijq32.exe) PID:4688
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 17] C:\Windows\SysWOW64\Jqlefl32.exe (command line: C:\Windows\system32\Jqlefl32.exe) PID:1280
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 18] C:\Windows\SysWOW64\Jgenbfoa.exe (command line: C:\Windows\system32\Jgenbfoa.exe) PID:220
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 19] C:\Windows\SysWOW64\Kqnbkl32.exe (command line: C:\Windows\system32\Kqnbkl32.exe) PID:1800
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 20] C:\Windows\SysWOW64\Kiejmi32.exe (command line: C:\Windows\system32\Kiejmi32.exe) PID:2736
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 21] C:\Windows\SysWOW64\Kjffdalb.exe (command line: C:\Windows\system32\Kjffdalb.exe) PID:3912
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 22] C:\Windows\SysWOW64\Kqpoakco.exe (command line: C:\Windows\system32\Kqpoakco.exe) PID:4920
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[depth 23] C:\Windows\SysWOW64\Kgjgne32.exe (command line: C:\Windows\system32\Kgjgne32.exe) PID:4440
- Executes dropped EXE
[depth 24] C:\Windows\SysWOW64\Kjhcjq32.exe (command line: C:\Windows\system32\Kjhcjq32.exe) PID:688
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 25] C:\Windows\SysWOW64\Kndojobi.exe (command line: C:\Windows\system32\Kndojobi.exe) PID:4604
- Executes dropped EXE
- Modifies registry class
[depth 26] C:\Windows\SysWOW64\Kqbkfkal.exe (command line: C:\Windows\system32\Kqbkfkal.exe) PID:1480
- Executes dropped EXE
[depth 27] C:\Windows\SysWOW64\Kenggi32.exe (command line: C:\Windows\system32\Kenggi32.exe) PID:3788
- Executes dropped EXE
[depth 28] C:\Windows\SysWOW64\Kgmcce32.exe (command line: C:\Windows\system32\Kgmcce32.exe) PID:3720
- Executes dropped EXE
[depth 29] C:\Windows\SysWOW64\Kjkpoq32.exe (command line: C:\Windows\system32\Kjkpoq32.exe) PID:4424
- Executes dropped EXE
[depth 30] C:\Windows\SysWOW64\Knflpoqf.exe (command line: C:\Windows\system32\Knflpoqf.exe) PID:3260
- Executes dropped EXE
[depth 31] C:\Windows\SysWOW64\Kgopidgf.exe (command line: C:\Windows\system32\Kgopidgf.exe) PID:1212
- Executes dropped EXE
[depth 32] C:\Windows\SysWOW64\Kjmmepfj.exe (command line: C:\Windows\system32\Kjmmepfj.exe) PID:3476
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[depth 33] C:\Windows\SysWOW64\Kniieo32.exe (command line: C:\Windows\system32\Kniieo32.exe) PID:184
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
[depth 34] C:\Windows\SysWOW64\Kgamnded.exe (command line: C:\Windows\system32\Kgamnded.exe) PID:2904
- Executes dropped EXE
[depth 35] C:\Windows\SysWOW64\Kjpijpdg.exe (command line: C:\Windows\system32\Kjpijpdg.exe) PID:4716
- Executes dropped EXE
- Modifies registry class
[depth 36] C:\Windows\SysWOW64\Lajagj32.exe (command line: C:\Windows\system32\Lajagj32.exe) PID:2504
- Executes dropped EXE
- Modifies registry class
[depth 37] C:\Windows\SysWOW64\Lkofdbkj.exe (command line: C:\Windows\system32\Lkofdbkj.exe) PID:3004
- Executes dropped EXE
- Modifies registry class
[depth 38] C:\Windows\SysWOW64\Lalnmiia.exe (command line: C:\Windows\system32\Lalnmiia.exe) PID:2396
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
[depth 39] C:\Windows\SysWOW64\Lkabjbih.exe (command line: C:\Windows\system32\Lkabjbih.exe) PID:548
- Executes dropped EXE
[depth 40] C:\Windows\SysWOW64\Lejgch32.exe (command line: C:\Windows\system32\Lejgch32.exe) PID:3216
- Executes dropped EXE
[depth 41] C:\Windows\SysWOW64\Ljgpkonp.exe (command line: C:\Windows\system32\Ljgpkonp.exe) PID:3148
- Executes dropped EXE
[depth 42] C:\Windows\SysWOW64\Laqhhi32.exe (command line: C:\Windows\system32\Laqhhi32.exe) PID:4828
- Executes dropped EXE
[depth 43] C:\Windows\SysWOW64\Lgkpdcmi.exe (command line: C:\Windows\system32\Lgkpdcmi.exe) PID:5020
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[depth 44] C:\Windows\SysWOW64\Lbpdblmo.exe (command line: C:\Windows\system32\Lbpdblmo.exe) PID:2544
- Executes dropped EXE
[depth 45] C:\Windows\SysWOW64\Llhikacp.exe (command line: C:\Windows\system32\Llhikacp.exe) PID:2992
- Executes dropped EXE
- Drops file in System32 directory
[depth 46] C:\Windows\SysWOW64\Maeachag.exe (command line: C:\Windows\system32\Maeachag.exe) PID:2892
- Executes dropped EXE
[depth 47] C:\Windows\SysWOW64\Mlkepaam.exe (command line: C:\Windows\system32\Mlkepaam.exe) PID:3684
- Executes dropped EXE
[depth 48] C:\Windows\SysWOW64\Mecjif32.exe (command line: C:\Windows\system32\Mecjif32.exe) PID:3688
- Executes dropped EXE
[depth 49] C:\Windows\SysWOW64\Majjng32.exe (command line: C:\Windows\system32\Majjng32.exe) PID:5076
- Executes dropped EXE
[depth 50] C:\Windows\SysWOW64\Mhdckaeo.exe (command line: C:\Windows\system32\Mhdckaeo.exe) PID:1148
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[depth 51] C:\Windows\SysWOW64\Mbighjdd.exe (command line: C:\Windows\system32\Mbighjdd.exe) PID:1376
- Executes dropped EXE
[depth 52] C:\Windows\SysWOW64\Mhfppabl.exe (command line: C:\Windows\system32\Mhfppabl.exe) PID:4956
- Executes dropped EXE
[depth 53] C:\Windows\SysWOW64\Mnphmkji.exe (command line: C:\Windows\system32\Mnphmkji.exe) PID:2020
- Executes dropped EXE
- Drops file in System32 directory
[depth 54] C:\Windows\SysWOW64\Mldhfpib.exe (command line: C:\Windows\system32\Mldhfpib.exe) PID:3704
- Executes dropped EXE
[depth 55] C:\Windows\SysWOW64\Nbnpcj32.exe (command line: C:\Windows\system32\Nbnpcj32.exe) PID:2524
- Executes dropped EXE
[depth 56] C:\Windows\SysWOW64\Nemmoe32.exe (command line: C:\Windows\system32\Nemmoe32.exe) PID:4296
- Executes dropped EXE
[depth 57] C:\Windows\SysWOW64\Nhkikq32.exe (command line: C:\Windows\system32\Nhkikq32.exe) PID:4900
- Executes dropped EXE
[depth 58] C:\Windows\SysWOW64\Neoieenp.exe (command line: C:\Windows\system32\Neoieenp.exe) PID:396
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[depth 59] C:\Windows\SysWOW64\Nafjjf32.exe (command line: C:\Windows\system32\Nafjjf32.exe) PID:1032
- Executes dropped EXE
[depth 60] C:\Windows\SysWOW64\Nlkngo32.exe (command line: C:\Windows\system32\Nlkngo32.exe) PID:4896
- Executes dropped EXE
[depth 61] C:\Windows\SysWOW64\Nbefdijg.exe (command line: C:\Windows\system32\Nbefdijg.exe) PID:3740
- Executes dropped EXE
[depth 62] C:\Windows\SysWOW64\Nhbolp32.exe (command line: C:\Windows\system32\Nhbolp32.exe) PID:1272
- Executes dropped EXE
[depth 63] C:\Windows\SysWOW64\Nbgcih32.exe (command line: C:\Windows\system32\Nbgcih32.exe) PID:4616
- Executes dropped EXE
[depth 64] C:\Windows\SysWOW64\Niakfbpa.exe (command line: C:\Windows\system32\Niakfbpa.exe) PID:5048
- Executes dropped EXE
[depth 65] C:\Windows\SysWOW64\Objpoh32.exe (command line: C:\Windows\system32\Objpoh32.exe) PID:1596
- Executes dropped EXE
- Drops file in System32 directory
[depth 66] C:\Windows\SysWOW64\Oampjeml.exe (command line: C:\Windows\system32\Oampjeml.exe) PID:4312
- System Location Discovery: System Language Discovery
[depth 67] C:\Windows\SysWOW64\Okedcjcm.exe (command line: C:\Windows\system32\Okedcjcm.exe) PID:1236
- Drops file in System32 directory
[depth 68] C:\Windows\SysWOW64\Oekiqccc.exe (command line: C:\Windows\system32\Oekiqccc.exe) PID:4336
- Modifies registry class
[depth 69] C:\Windows\SysWOW64\Ohiemobf.exe (command line: C:\Windows\system32\Ohiemobf.exe) PID:2576
[depth 70] C:\Windows\SysWOW64\Oboijgbl.exe (command line: C:\Windows\system32\Oboijgbl.exe) PID:1768
[depth 71] C:\Windows\SysWOW64\Oemefcap.exe (command line: C:\Windows\system32\Oemefcap.exe) PID:4292
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
[depth 72] C:\Windows\SysWOW64\Okjnnj32.exe (command line: C:\Windows\system32\Okjnnj32.exe) PID:4104
[depth 73] C:\Windows\SysWOW64\Obafpg32.exe (command line: C:\Windows\system32\Obafpg32.exe) PID:2376
[depth 74] C:\Windows\SysWOW64\Ohnohn32.exe (command line: C:\Windows\system32\Ohnohn32.exe) PID:3200
[depth 75] C:\Windows\SysWOW64\Oklkdi32.exe (command line: C:\Windows\system32\Oklkdi32.exe) PID:3508
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
[depth 76] C:\Windows\SysWOW64\Oeaoab32.exe (command line: C:\Windows\system32\Oeaoab32.exe) PID:1968
[depth 77] C:\Windows\SysWOW64\Oimkbaed.exe (command line: C:\Windows\system32\Oimkbaed.exe) PID:1588
[depth 78] C:\Windows\SysWOW64\Pcepkfld.exe (command line: C:\Windows\system32\Pcepkfld.exe) PID:432
- Adds autorun key to be loaded by Explorer.exe on startup
[depth 79] C:\Windows\SysWOW64\Pedlgbkh.exe (command line: C:\Windows\system32\Pedlgbkh.exe) PID:3248
[depth 80] C:\Windows\SysWOW64\Pkadoiip.exe (command line: C:\Windows\system32\Pkadoiip.exe) PID:4416
- System Location Discovery: System Language Discovery
- Modifies registry class
[depth 81] C:\Windows\SysWOW64\Pakllc32.exe (command line: C:\Windows\system32\Pakllc32.exe) PID:4356
- Adds autorun key to be loaded by Explorer.exe on startup
[depth 82] C:\Windows\SysWOW64\Phedhmhi.exe (command line: C:\Windows\system32\Phedhmhi.exe) PID:348
[depth 83] C:\Windows\SysWOW64\Poomegpf.exe (command line: C:\Windows\system32\Poomegpf.exe) PID:2044
- Drops file in System32 directory
[depth 84] C:\Windows\SysWOW64\Pidabppl.exe (command line: C:\Windows\system32\Pidabppl.exe) PID:4208
[depth 85] C:\Windows\SysWOW64\Poajkgnc.exe (command line: C:\Windows\system32\Poajkgnc.exe) PID:2620
[depth 86] C:\Windows\SysWOW64\Papfgbmg.exe (command line: C:\Windows\system32\Papfgbmg.exe) PID:244
[depth 87] C:\Windows\SysWOW64\Pkhjph32.exe (command line: C:\Windows\system32\Pkhjph32.exe) PID:2232
- System Location Discovery: System Language Discovery
[depth 88] C:\Windows\SysWOW64\Pemomqcn.exe (command line: C:\Windows\system32\Pemomqcn.exe) PID:2276
- Drops file in System32 directory
[depth 89] C:\Windows\SysWOW64\Qkjgegae.exe (command line: C:\Windows\system32\Qkjgegae.exe) PID:5068
[depth 90] C:\Windows\SysWOW64\Qcaofebg.exe (command line: C:\Windows\system32\Qcaofebg.exe) PID:1792
[depth 91] C:\Windows\SysWOW64\Qikgco32.exe (command line: C:\Windows\system32\Qikgco32.exe) PID:2308
[depth 92] C:\Windows\SysWOW64\Qljcoj32.exe (command line: C:\Windows\system32\Qljcoj32.exe) PID:4812
- System Location Discovery: System Language Discovery
[depth 93] C:\Windows\SysWOW64\Qohpkf32.exe (command line: C:\Windows\system32\Qohpkf32.exe) PID:212
- System Location Discovery: System Language Discovery
[depth 94] C:\Windows\SysWOW64\Ajndioga.exe (command line: C:\Windows\system32\Ajndioga.exe) PID:3384
- Modifies registry class
[depth 95] C:\Windows\SysWOW64\Akoqpg32.exe (command line: C:\Windows\system32\Akoqpg32.exe) PID:3116
[depth 96] C:\Windows\SysWOW64\Aojlaeei.exe (command line: C:\Windows\system32\Aojlaeei.exe) PID:1648
[depth 97] C:\Windows\SysWOW64\Ajpqnneo.exe (command line: C:\Windows\system32\Ajpqnneo.exe) PID:4384
[depth 98] C:\Windows\SysWOW64\Achegd32.exe (command line: C:\Windows\system32\Achegd32.exe) PID:3860
[depth 99] C:\Windows\SysWOW64\Afgacokc.exe (command line: C:\Windows\system32\Afgacokc.exe) PID:4992
[depth 100] C:\Windows\SysWOW64\Alqjpi32.exe (command line: C:\Windows\system32\Alqjpi32.exe) PID:4804
[depth 101] C:\Windows\SysWOW64\Aoofle32.exe (command line: C:\Windows\system32\Aoofle32.exe) PID:4696
[depth 102] C:\Windows\SysWOW64\Afinioip.exe (command line: C:\Windows\system32\Afinioip.exe) PID:4760
[depth 103] C:\Windows\SysWOW64\Ahgjejhd.exe (command line: C:\Windows\system32\Ahgjejhd.exe) PID:3820
[depth 104] C:\Windows\SysWOW64\Aoabad32.exe (command line: C:\Windows\system32\Aoabad32.exe) PID:4588
[depth 105] C:\Windows\SysWOW64\Afkknogn.exe (command line: C:\Windows\system32\Afkknogn.exe) PID:2520
[depth 106] C:\Windows\SysWOW64\Ahjgjj32.exe (command line: C:\Windows\system32\Ahjgjj32.exe) PID:3468
- System Location Discovery: System Language Discovery
[depth 107] C:\Windows\SysWOW64\Akhcfe32.exe (command line: C:\Windows\system32\Akhcfe32.exe) PID:4532
[depth 108] C:\Windows\SysWOW64\Abbkcpma.exe (command line: C:\Windows\system32\Abbkcpma.exe) PID:2100
[depth 109] C:\Windows\SysWOW64\Bjicdmmd.exe (command line: C:\Windows\system32\Bjicdmmd.exe) PID:4376
[depth 110] C:\Windows\SysWOW64\Bhldpj32.exe (command line: C:\Windows\system32\Bhldpj32.exe) PID:2460
[depth 111] C:\Windows\SysWOW64\Boflmdkk.exe (command line: C:\Windows\system32\Boflmdkk.exe) PID:1388
[depth 112] C:\Windows\SysWOW64\Bfpdin32.exe (command line: C:\Windows\system32\Bfpdin32.exe) PID:4348
- Drops file in System32 directory
[depth 113] C:\Windows\SysWOW64\Bhoqeibl.exe (command line: C:\Windows\system32\Bhoqeibl.exe) PID:924
- System Location Discovery: System Language Discovery
[depth 114] C:\Windows\SysWOW64\Bkmmaeap.exe (command line: C:\Windows\system32\Bkmmaeap.exe) PID:1248
[depth 115] C:\Windows\SysWOW64\Bcddcbab.exe (command line: C:\Windows\system32\Bcddcbab.exe) PID:3744
- Adds autorun key to be loaded by Explorer.exe on startup
[depth 116] C:\Windows\SysWOW64\Bfbaonae.exe (command line: C:\Windows\system32\Bfbaonae.exe) PID:5136
- Adds autorun key to be loaded by Explorer.exe on startup
[depth 117] C:\Windows\SysWOW64\Bhamkipi.exe (command line: C:\Windows\system32\Bhamkipi.exe) PID:5188
[depth 118] C:\Windows\SysWOW64\Bokehc32.exe (command line: C:\Windows\system32\Bokehc32.exe) PID:5232
- Drops file in System32 directory
[depth 119] C:\Windows\SysWOW64\Bbiado32.exe (command line: C:\Windows\system32\Bbiado32.exe) PID:5296
- Adds autorun key to be loaded by Explorer.exe on startup
[depth 120] C:\Windows\SysWOW64\Bfendmoc.exe (command line: C:\Windows\system32\Bfendmoc.exe) PID:5340
[depth 121] C:\Windows\SysWOW64\Bmofagfp.exe (command line: C:\Windows\system32\Bmofagfp.exe) PID:5408
[depth 122] C:\Windows\SysWOW64\Bmabggdm.exe (command line: C:\Windows\system32\Bmabggdm.exe) PID:5456
- Modifies registry class