Analysis
-
max time kernel
91s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2024 00:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
97cbbc3d45de096c6a7b9398a07071ac890ec47a7d0abd4d8ca14f66ab0b79bc.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
97cbbc3d45de096c6a7b9398a07071ac890ec47a7d0abd4d8ca14f66ab0b79bc.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
97cbbc3d45de096c6a7b9398a07071ac890ec47a7d0abd4d8ca14f66ab0b79bc.exe
-
Size
88KB
-
MD5
470b482d86ff94fe7c2997e33a4f5813
-
SHA1
38a404b56737dae83fd38c9fa73fe828f9518dde
-
SHA256
97cbbc3d45de096c6a7b9398a07071ac890ec47a7d0abd4d8ca14f66ab0b79bc
-
SHA512
992d30ac41c569a47e9797b55142bd5aa09e9de558e84c84d137ba8d7430e3d58886d01cdf1dc4f6712eccb1b9a0175f543fe8e27e29824822359f5972ec15b6
-
SSDEEP
1536:rmjI+6y1sRappkEGbQWE+m1PW6JiDvub5bSZnXftdnouy8h:rmUM1lppkKWCPW6JUv9Ptlouth
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmgelf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feqeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opnbae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgmmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmndpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcblpdgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bllbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Johnamkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nimmifgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aonoao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglbhhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpepbgbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfiokmkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igdnabjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phaahggp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opclldhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfoann32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdennml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jiglnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhenai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmhijd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjmfjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfcipoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoadlfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eomffaag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihmfco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfenglqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcmbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkbjjbda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnoaaaad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opeiadfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkmdecbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgabcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnelok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qklmpalf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgcjfbed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iafkld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obqanjdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aednci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbicpfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmmolepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Loacdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbjddh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Holfoqcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpchib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loacdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fffhifdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnjojpo.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4396 Fjohde32.exe 3976 Fmndpq32.exe 952 Fffhifdk.exe 2528 Gpnmbl32.exe 2204 Gfheof32.exe 2400 Gmbmkpie.exe 5028 Gdlfhj32.exe 640 Gfkbde32.exe 4060 Gphphj32.exe 3732 Gkmdecbg.exe 3968 Hloqml32.exe 4968 Hbhijepa.exe 4076 Hkpqkcpd.exe 2676 Hplicjok.exe 4064 Hgfapd32.exe 3708 Hienlpel.exe 740 Hcmbee32.exe 3552 Hkdjfb32.exe 1268 Hmbfbn32.exe 4948 Hdmoohbo.exe 4648 Hkfglb32.exe 916 Hlhccj32.exe 2368 Hcblpdgg.exe 4496 Hildmn32.exe 4016 Ingpmmgm.exe 2196 Idahjg32.exe 2244 Iinqbn32.exe 2652 Injmcmej.exe 2900 Idcepgmg.exe 1192 Iknmla32.exe 3468 Ipjedh32.exe 4768 Idfaefkd.exe 4920 Igdnabjh.exe 2432 Ijcjmmil.exe 4904 Ilafiihp.exe 4420 Icknfcol.exe 3340 Ijegcm32.exe 4880 Ipoopgnf.exe 4068 Ikdcmpnl.exe 2416 Jlfpdh32.exe 3280 Jcphab32.exe 4012 Jnelok32.exe 2700 Jdodkebj.exe 4864 Jjlmclqa.exe 4560 Jcdala32.exe 2892 Jgpmmp32.exe 4416 Jqhafffk.exe 3192 Jgbjbp32.exe 2640 Jnlbojee.exe 3952 Jqknkedi.exe 4128 Kjccdkki.exe 1852 Kclgmq32.exe 4960 Kdkdgchl.exe 2480 Kjhloj32.exe 1444 Kmfhkf32.exe 1848 Kqbdldnq.exe 2548 Knfeeimj.exe 720 Kmieae32.exe 4040 Kgninn32.exe 1308 Kjmfjj32.exe 3580 Kqfngd32.exe 2496 Lklbdm32.exe 4408 Lmmolepp.exe 1752 Ldgccb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ipjoja32.exe Imkbnf32.exe File created C:\Windows\SysWOW64\Mqkiok32.exe Mfeeabda.exe File created C:\Windows\SysWOW64\Gpdennml.exe Ggmmlamj.exe File created C:\Windows\SysWOW64\Kofljo32.dll Nbnlaldg.exe File created C:\Windows\SysWOW64\Pfccogfc.exe Pjlcjf32.exe File created C:\Windows\SysWOW64\Gacepg32.exe Gpaihooo.exe File created C:\Windows\SysWOW64\Fkaokcqj.dll Mcoljagj.exe File created C:\Windows\SysWOW64\Mohjdmko.dll Madjhb32.exe File opened for modification C:\Windows\SysWOW64\Chqogq32.exe Cbfgkffn.exe File created C:\Windows\SysWOW64\Jiejjepo.dll Hoaojp32.exe File created C:\Windows\SysWOW64\Nnfpinmi.exe Nglhld32.exe File created C:\Windows\SysWOW64\Biafno32.dll Cacckp32.exe File opened for modification C:\Windows\SysWOW64\Ebkbbmqj.exe Eomffaag.exe File created C:\Windows\SysWOW64\Pqolaipg.dll Ooibkpmi.exe File opened for modification C:\Windows\SysWOW64\Hcblpdgg.exe Hlhccj32.exe File created C:\Windows\SysWOW64\Fnadil32.dll Efblbbqd.exe File created C:\Windows\SysWOW64\Lpmkebjc.dll Aopemh32.exe File created C:\Windows\SysWOW64\Ngbjmd32.dll Pmlmkn32.exe File created C:\Windows\SysWOW64\Fealin32.exe Fngcmcfe.exe File opened for modification C:\Windows\SysWOW64\Hgfapd32.exe Hplicjok.exe File created C:\Windows\SysWOW64\Ajfmkfhq.dll Jgbjbp32.exe File created C:\Windows\SysWOW64\Kjhloj32.exe Kdkdgchl.exe File created C:\Windows\SysWOW64\Mgclpkac.exe Maiccajf.exe File created C:\Windows\SysWOW64\Mmpdhboj.exe Mgclpkac.exe File opened for modification C:\Windows\SysWOW64\Phaahggp.exe Pmlmkn32.exe File created C:\Windows\SysWOW64\Npepkf32.exe Nncccnol.exe File opened for modification C:\Windows\SysWOW64\Cdimqm32.exe Bahdob32.exe File opened for modification C:\Windows\SysWOW64\Iajdgcab.exe Ipihpkkd.exe File opened for modification C:\Windows\SysWOW64\Ojnfihmo.exe Obgohklm.exe File created C:\Windows\SysWOW64\Ganldgib.exe Gkaclqkk.exe File created C:\Windows\SysWOW64\Nohffe32.dll Dkokcl32.exe File created C:\Windows\SysWOW64\Ffqhcq32.exe Fpgpgfmh.exe File created C:\Windows\SysWOW64\Ifenan32.dll Jedccfqg.exe File created C:\Windows\SysWOW64\Mnegbp32.exe Mfnoqc32.exe File opened for modification C:\Windows\SysWOW64\Pagbaglh.exe Pnifekmd.exe File opened for modification C:\Windows\SysWOW64\Ehbnigjj.exe Enmjlojd.exe File created C:\Windows\SysWOW64\Hmbfbn32.exe Hkdjfb32.exe File created C:\Windows\SysWOW64\Kghfphob.dll Ieidhh32.exe File created C:\Windows\SysWOW64\Bghgmioe.dll Cklhcfle.exe File opened for modification C:\Windows\SysWOW64\Ddgibkpc.exe Dnmaea32.exe File created C:\Windows\SysWOW64\Dnajppda.exe Dggbcf32.exe File created C:\Windows\SysWOW64\Cpdfhgmd.dll Mmpdhboj.exe File opened for modification C:\Windows\SysWOW64\Qdbdcg32.exe Qmhlgmmm.exe File opened for modification C:\Windows\SysWOW64\Hpqldc32.exe Hlepcdoa.exe File opened for modification C:\Windows\SysWOW64\Mcpcdg32.exe Ljhnlb32.exe File opened for modification C:\Windows\SysWOW64\Nagiji32.exe Njmqnobn.exe File created C:\Windows\SysWOW64\Flbfjl32.dll Opnbae32.exe File opened for modification C:\Windows\SysWOW64\Jadgnb32.exe Jpbjfjci.exe File opened for modification C:\Windows\SysWOW64\Alpbecod.exe Aefjii32.exe File opened for modification C:\Windows\SysWOW64\Iohejo32.exe Iliinc32.exe File created C:\Windows\SysWOW64\Dhhmleng.dll Ojhpimhp.exe File created C:\Windows\SysWOW64\Mjlalkmd.exe Mfpell32.exe File created C:\Windows\SysWOW64\Mgccelpk.dll Mhanngbl.exe File opened for modification C:\Windows\SysWOW64\Gfheof32.exe Gpnmbl32.exe File created C:\Windows\SysWOW64\Ogeacidl.dll Fofilp32.exe File opened for modification C:\Windows\SysWOW64\Kiikpnmj.exe Kapfiqoj.exe File opened for modification C:\Windows\SysWOW64\Loofnccf.exe Lhenai32.exe File opened for modification C:\Windows\SysWOW64\Mcoljagj.exe Mledmg32.exe File created C:\Windows\SysWOW64\Qacameaj.exe Qmgelf32.exe File opened for modification C:\Windows\SysWOW64\Jiglnf32.exe Jcmdaljn.exe File created C:\Windows\SysWOW64\Mjodla32.exe Mgphpe32.exe File created C:\Windows\SysWOW64\Nmpgal32.dll Hplicjok.exe File opened for modification C:\Windows\SysWOW64\Jgpmmp32.exe Jcdala32.exe File created C:\Windows\SysWOW64\Jfniqp32.dll Oodcdb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13188 13072 WerFault.exe 643 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmdio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfmde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nimmifgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeheqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkmec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iibccgep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncccnol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclgmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bochmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagiji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchfib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhijepa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjodla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaohcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkpcfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpgfmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jleijb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogcnmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manmoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkndie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opeiadfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqbdldnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnindhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emhkdmlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffqhcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moipoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfiplog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phaahggp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljqhkckn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdgnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjmdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijfhbhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbiello.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhoahh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbafoge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnfpcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkgje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmnbfhal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmmlamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nofefp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbjddh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhokljge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonoao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfmmplad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbdcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpffeaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfgkffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflhoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnohlgep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojiiafp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfgek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olanmgig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbffdlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjohde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnegbp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cagdge32.dll" Ehbnigjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jifecp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kolabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacodldj.dll" Loofnccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjdebfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbjebjh.dll" Paoollik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppjbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqobhgmh.dll" Mqjbddpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddkbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dndgfpbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfnamjhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgnid32.dll" Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Koodbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klcekpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqhfoebo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojnfihmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbqjjf.dll" Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmafajfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbnoiqdq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfeeabda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmnbfhal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmkigh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlbcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmplqd32.dll" Ljqhkckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll" Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgckb32.dll" Iafkld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfenglqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmcnn32.dll" Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpkjpdi.dll" Ldgccb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oejbfmpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjgeedch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll" Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igdnabjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oacoqnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbegml32.dll" Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglbla32.dll" Onmfimga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhimhobl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kapfiqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpeiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofpnmakg.dll" Epmmqheb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll" Paeelgnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iafkld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mokfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baiinofi.dll" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opnbae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfgbfdm.dll" Figgdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhblk32.dll" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odjjif32.dll" Bllbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladfllde.dll" Hloqml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnnlj32.dll" Cnindhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imkbnf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2440 wrote to memory of 4396 2440 97cbbc3d45de096c6a7b9398a07071ac890ec47a7d0abd4d8ca14f66ab0b79bc.exe 85 PID 2440 wrote to memory of 4396 2440 97cbbc3d45de096c6a7b9398a07071ac890ec47a7d0abd4d8ca14f66ab0b79bc.exe 85 PID 2440 wrote to memory of 4396 2440 97cbbc3d45de096c6a7b9398a07071ac890ec47a7d0abd4d8ca14f66ab0b79bc.exe 85 PID 4396 wrote to memory of 3976 4396 Fjohde32.exe 86 PID 4396 wrote to memory of 3976 4396 Fjohde32.exe 86 PID 4396 wrote to memory of 3976 4396 Fjohde32.exe 86 PID 3976 wrote to memory of 952 3976 Fmndpq32.exe 87 PID 3976 wrote to memory of 952 3976 Fmndpq32.exe 87 PID 3976 wrote to memory of 952 3976 Fmndpq32.exe 87 PID 952 wrote to memory of 2528 952 Fffhifdk.exe 88 PID 952 wrote to memory of 2528 952 Fffhifdk.exe 88 PID 952 wrote to memory of 2528 952 Fffhifdk.exe 88 PID 2528 wrote to memory of 2204 2528 Gpnmbl32.exe 89 PID 2528 wrote to memory of 2204 2528 Gpnmbl32.exe 89 PID 2528 wrote to memory of 2204 2528 Gpnmbl32.exe 89 PID 2204 wrote to memory of 2400 2204 Gfheof32.exe 90 PID 2204 wrote to memory of 2400 2204 Gfheof32.exe 90 PID 2204 wrote to memory of 2400 2204 Gfheof32.exe 90 PID 2400 wrote to memory of 5028 2400 Gmbmkpie.exe 91 PID 2400 wrote to memory of 5028 2400 Gmbmkpie.exe 91 PID 2400 wrote to memory of 5028 2400 Gmbmkpie.exe 91 PID 5028 wrote to memory of 640 5028 Gdlfhj32.exe 92 PID 5028 wrote to memory of 640 5028 Gdlfhj32.exe 92 PID 5028 wrote to memory of 640 5028 Gdlfhj32.exe 92 PID 640 wrote to memory of 4060 640 Gfkbde32.exe 93 PID 640 wrote to memory of 4060 640 Gfkbde32.exe 93 PID 640 wrote to memory of 4060 640 Gfkbde32.exe 93 PID 4060 wrote to memory of 3732 4060 Gphphj32.exe 94 PID 4060 wrote to memory of 3732 4060 Gphphj32.exe 94 PID 4060 wrote to memory of 3732 4060 Gphphj32.exe 94 PID 3732 wrote to memory of 3968 3732 Gkmdecbg.exe 95 PID 3732 wrote to memory of 3968 3732 Gkmdecbg.exe 95 PID 3732 wrote to memory of 3968 3732 Gkmdecbg.exe 95 PID 3968 wrote to memory of 4968 3968 Hloqml32.exe 96 PID 3968 wrote to memory of 4968 3968 Hloqml32.exe 96 PID 3968 wrote to memory of 4968 3968 Hloqml32.exe 96 PID 4968 wrote to memory of 4076 4968 Hbhijepa.exe 97 PID 4968 wrote to memory of 4076 4968 Hbhijepa.exe 97 PID 4968 wrote to memory of 4076 4968 Hbhijepa.exe 97 PID 4076 wrote to memory of 2676 4076 Hkpqkcpd.exe 98 PID 4076 wrote to memory of 2676 4076 Hkpqkcpd.exe 98 PID 4076 wrote to memory of 2676 4076 Hkpqkcpd.exe 98 PID 2676 wrote to memory of 4064 2676 Hplicjok.exe 99 PID 2676 wrote to memory of 4064 2676 Hplicjok.exe 99 PID 2676 wrote to memory of 4064 2676 Hplicjok.exe 99 PID 4064 wrote to memory of 3708 4064 Hgfapd32.exe 100 PID 4064 wrote to memory of 3708 4064 Hgfapd32.exe 100 PID 4064 wrote to memory of 3708 4064 Hgfapd32.exe 100 PID 3708 wrote to memory of 740 3708 Hienlpel.exe 101 PID 3708 wrote to memory of 740 3708 Hienlpel.exe 101 PID 3708 wrote to memory of 740 3708 Hienlpel.exe 101 PID 740 wrote to memory of 3552 740 Hcmbee32.exe 102 PID 740 wrote to memory of 3552 740 Hcmbee32.exe 102 PID 740 wrote to memory of 3552 740 Hcmbee32.exe 102 PID 3552 wrote to memory of 1268 3552 Hkdjfb32.exe 103 PID 3552 wrote to memory of 1268 3552 Hkdjfb32.exe 103 PID 3552 wrote to memory of 1268 3552 Hkdjfb32.exe 103 PID 1268 wrote to memory of 4948 1268 Hmbfbn32.exe 104 PID 1268 wrote to memory of 4948 1268 Hmbfbn32.exe 104 PID 1268 wrote to memory of 4948 1268 Hmbfbn32.exe 104 PID 4948 wrote to memory of 4648 4948 Hdmoohbo.exe 105 PID 4948 wrote to memory of 4648 4948 Hdmoohbo.exe 105 PID 4948 wrote to memory of 4648 4948 Hdmoohbo.exe 105 PID 4648 wrote to memory of 916 4648 Hkfglb32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\97cbbc3d45de096c6a7b9398a07071ac890ec47a7d0abd4d8ca14f66ab0b79bc.exe"C:\Users\Admin\AppData\Local\Temp\97cbbc3d45de096c6a7b9398a07071ac890ec47a7d0abd4d8ca14f66ab0b79bc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\Fmndpq32.exeC:\Windows\system32\Fmndpq32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Gdlfhj32.exeC:\Windows\system32\Gdlfhj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Hdmoohbo.exeC:\Windows\system32\Hdmoohbo.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Hkfglb32.exeC:\Windows\system32\Hkfglb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Hlhccj32.exeC:\Windows\system32\Hlhccj32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe25⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe26⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe27⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe28⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe29⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe30⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe31⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:3468 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe33⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Igdnabjh.exeC:\Windows\system32\Igdnabjh.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4920 -
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe35⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe36⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Icknfcol.exeC:\Windows\system32\Icknfcol.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4420 -
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe38⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe40⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe41⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe42⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Jdodkebj.exeC:\Windows\system32\Jdodkebj.exe44⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Jjlmclqa.exeC:\Windows\system32\Jjlmclqa.exe45⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4560 -
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe47⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe48⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3192 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe50⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe51⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe52⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Kclgmq32.exeC:\Windows\system32\Kclgmq32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\Kdkdgchl.exeC:\Windows\system32\Kdkdgchl.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4960 -
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe55⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe56⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Kqbdldnq.exeC:\Windows\system32\Kqbdldnq.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe58⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Kmieae32.exeC:\Windows\system32\Kmieae32.exe59⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Kgninn32.exeC:\Windows\system32\Kgninn32.exe60⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Kqfngd32.exeC:\Windows\system32\Kqfngd32.exe62⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Lklbdm32.exeC:\Windows\system32\Lklbdm32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Lmmolepp.exeC:\Windows\system32\Lmmolepp.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Ldgccb32.exeC:\Windows\system32\Ldgccb32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe66⤵
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Windows\SysWOW64\Lnadagbm.exeC:\Windows\system32\Lnadagbm.exe67⤵PID:716
-
C:\Windows\SysWOW64\Lkeekk32.exeC:\Windows\system32\Lkeekk32.exe68⤵PID:400
-
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4436 -
C:\Windows\SysWOW64\Mglfplgk.exeC:\Windows\system32\Mglfplgk.exe70⤵PID:3764
-
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe71⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Maggnali.exeC:\Windows\system32\Maggnali.exe72⤵PID:2704
-
C:\Windows\SysWOW64\Maiccajf.exeC:\Windows\system32\Maiccajf.exe73⤵
- Drops file in System32 directory
PID:944 -
C:\Windows\SysWOW64\Mgclpkac.exeC:\Windows\system32\Mgclpkac.exe74⤵
- Drops file in System32 directory
PID:3360 -
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe75⤵
- Drops file in System32 directory
PID:4048 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe76⤵
- Modifies registry class
PID:4736 -
C:\Windows\SysWOW64\Manmoq32.exeC:\Windows\system32\Manmoq32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe78⤵PID:220
-
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe79⤵PID:840
-
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe80⤵PID:3176
-
C:\Windows\SysWOW64\Nhokljge.exeC:\Windows\system32\Nhokljge.exe81⤵
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\SysWOW64\Nnicid32.exeC:\Windows\system32\Nnicid32.exe82⤵PID:1056
-
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe83⤵PID:4392
-
C:\Windows\SysWOW64\Ohcegi32.exeC:\Windows\system32\Ohcegi32.exe84⤵
- System Location Discovery: System Language Discovery
PID:1148 -
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe85⤵
- System Location Discovery: System Language Discovery
PID:4520 -
C:\Windows\SysWOW64\Olanmgig.exeC:\Windows\system32\Olanmgig.exe86⤵
- System Location Discovery: System Language Discovery
PID:3872 -
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe87⤵
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\Odmbaj32.exeC:\Windows\system32\Odmbaj32.exe88⤵PID:700
-
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe89⤵PID:2584
-
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe90⤵PID:2212
-
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe91⤵
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe92⤵
- Modifies registry class
PID:5104 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe93⤵PID:2392
-
C:\Windows\SysWOW64\Oogpjbbb.exeC:\Windows\system32\Oogpjbbb.exe94⤵PID:412
-
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe95⤵PID:4136
-
C:\Windows\SysWOW64\Plkpcfal.exeC:\Windows\system32\Plkpcfal.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Pmlmkn32.exeC:\Windows\system32\Pmlmkn32.exe97⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:428 -
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe99⤵PID:2840
-
C:\Windows\SysWOW64\Pmoiqneg.exeC:\Windows\system32\Pmoiqneg.exe100⤵PID:456
-
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3688 -
C:\Windows\SysWOW64\Palbgl32.exeC:\Windows\system32\Palbgl32.exe102⤵PID:1220
-
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe103⤵PID:3620
-
C:\Windows\SysWOW64\Popbpqjh.exeC:\Windows\system32\Popbpqjh.exe104⤵
- Modifies registry class
PID:5076 -
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe105⤵
- Modifies registry class
PID:4388 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe106⤵PID:4208
-
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe107⤵PID:2308
-
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe108⤵PID:5156
-
C:\Windows\SysWOW64\Qlgpod32.exeC:\Windows\system32\Qlgpod32.exe109⤵PID:5196
-
C:\Windows\SysWOW64\Qmhlgmmm.exeC:\Windows\system32\Qmhlgmmm.exe110⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Qdbdcg32.exeC:\Windows\system32\Qdbdcg32.exe111⤵
- System Location Discovery: System Language Discovery
PID:5276 -
C:\Windows\SysWOW64\Qklmpalf.exeC:\Windows\system32\Qklmpalf.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5320 -
C:\Windows\SysWOW64\Aeaanjkl.exeC:\Windows\system32\Aeaanjkl.exe113⤵PID:5380
-
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe114⤵PID:5424
-
C:\Windows\SysWOW64\Aojefobm.exeC:\Windows\system32\Aojefobm.exe115⤵PID:5468
-
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5512 -
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe117⤵
- System Location Discovery: System Language Discovery
PID:5556 -
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe118⤵PID:5600
-
C:\Windows\SysWOW64\Aefjii32.exeC:\Windows\system32\Aefjii32.exe119⤵
- Drops file in System32 directory
PID:5644 -
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe120⤵PID:5688
-
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5732
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-