Analysis
-
max time kernel
120s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2025, 20:43
Behavioral task
behavioral1
Sample
11008fc3aca9051661e4c9ae4498cc922f8891342851a391eadd6777ef3aa3b1.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
11008fc3aca9051661e4c9ae4498cc922f8891342851a391eadd6777ef3aa3b1.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
11008fc3aca9051661e4c9ae4498cc922f8891342851a391eadd6777ef3aa3b1.exe
-
Size
448KB
-
MD5
b53eea24bccf7e408165ffb1ce818fff
-
SHA1
140bbcf0c6b5dc600b7305bbbfd52e34d97814d2
-
SHA256
11008fc3aca9051661e4c9ae4498cc922f8891342851a391eadd6777ef3aa3b1
-
SHA512
921ee4b97a4ec14b7ae0eb440581fcaa34a82858069019c2a0edae9c39543e809e64da138d6a87106f03450d749849781aba272373de8607df9ca2b63fddfc10
-
SSDEEP
12288:2XrCjGyXu1jGG1ws5iETdqvZNemWrsiLk6mqgd:SUGyXsGG1ws5ipd
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljceqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgphpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiogf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcapicdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekonpckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilkoim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhanngbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhegig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jogqlpde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lojfin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdlfjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjaphgpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohlqcagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdgdeppb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npbceggm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcoccc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhanngbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpmcmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkcndeen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebaplnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcnjijoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbpaipl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnhoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpeahb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kplmliko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfenglqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemhei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnifekmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnifekmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnkbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnfkdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdennml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbiockdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbcncibp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfmgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adgmoigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hldiinke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbebbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhdjpjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbenoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iojkeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpapnfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npepkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dolmodpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdolgfbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgpeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnnnfalp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbiockdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipdndloi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfbkpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfeeabda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocgbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adcjop32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3144 Ljnlecmp.exe 2204 Lqhdbm32.exe 4992 Lqkqhm32.exe 3348 Lcimdh32.exe 3468 Lfgipd32.exe 3172 Ljceqb32.exe 3892 Lmaamn32.exe 4136 Lopmii32.exe 1208 Lckiihok.exe 1480 Lfjfecno.exe 344 Ljeafb32.exe 2652 Lmdnbn32.exe 3388 Lqojclne.exe 1112 Lcnfohmi.exe 996 Lgibpf32.exe 2972 Ljhnlb32.exe 1728 Lncjlq32.exe 2168 Mmfkhmdi.exe 3912 Modgdicm.exe 1156 Mcpcdg32.exe 2512 Mgloefco.exe 1488 Mjjkaabc.exe 1676 Mmhgmmbf.exe 1796 Mqdcnl32.exe 1600 Mcbpjg32.exe 4900 Mfqlfb32.exe 4140 Mjlhgaqp.exe 4380 Mmkdcm32.exe 3268 Mgphpe32.exe 2792 Mfchlbfd.exe 3208 Mnjqmpgg.exe 1648 Mmmqhl32.exe 1928 Mokmdh32.exe 4044 Mcgiefen.exe 1632 Mfeeabda.exe 4952 Mjaabq32.exe 2308 Mmpmnl32.exe 1140 Monjjgkb.exe 3704 Mcifkf32.exe 3640 Mfhbga32.exe 1588 Nnojho32.exe 4192 Nqmfdj32.exe 760 Nclbpf32.exe 2260 Nfjola32.exe 4084 Nnafno32.exe 660 Nmdgikhi.exe 5128 Npbceggm.exe 5168 Ngjkfd32.exe 5208 Njhgbp32.exe 5256 Nncccnol.exe 5288 Npepkf32.exe 5328 Nglhld32.exe 5368 Nfohgqlg.exe 5408 Nnfpinmi.exe 5448 Nadleilm.exe 5488 Ncchae32.exe 5532 Nfaemp32.exe 5568 Nnhmnn32.exe 5608 Nmkmjjaa.exe 5652 Nceefd32.exe 5688 Ngqagcag.exe 5728 Ojomcopk.exe 5768 Omnjojpo.exe 5808 Oaifpi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Klbjgbff.dll Pnifekmd.exe File created C:\Windows\SysWOW64\Dpifjj32.dll Mjlalkmd.exe File created C:\Windows\SysWOW64\Pjkakfla.dll 11008fc3aca9051661e4c9ae4498cc922f8891342851a391eadd6777ef3aa3b1.exe File opened for modification C:\Windows\SysWOW64\Mnjqmpgg.exe Mfchlbfd.exe File opened for modification C:\Windows\SysWOW64\Mjaabq32.exe Mfeeabda.exe File created C:\Windows\SysWOW64\Kajimagp.dll Aajhndkb.exe File opened for modification C:\Windows\SysWOW64\Boldhf32.exe Bgelgi32.exe File opened for modification C:\Windows\SysWOW64\Dndgfpbo.exe Doagjc32.exe File created C:\Windows\SysWOW64\Anjkcakk.dll Kdhbpf32.exe File opened for modification C:\Windows\SysWOW64\Mcgiefen.exe Mokmdh32.exe File created C:\Windows\SysWOW64\Hjdedepg.exe Hkaeih32.exe File opened for modification C:\Windows\SysWOW64\Kbjbnnfg.exe Kkbkmqed.exe File created C:\Windows\SysWOW64\Gfkcaoef.dll Nmdgikhi.exe File created C:\Windows\SysWOW64\Oppceehj.dll Nfohgqlg.exe File opened for modification C:\Windows\SysWOW64\Jhgiim32.exe Jidinqpb.exe File created C:\Windows\SysWOW64\Kcapicdj.exe Klggli32.exe File created C:\Windows\SysWOW64\Fkgillpj.exe Fboecfii.exe File created C:\Windows\SysWOW64\Okehmlqi.dll Mmpmnl32.exe File opened for modification C:\Windows\SysWOW64\Mfhbga32.exe Mcifkf32.exe File created C:\Windows\SysWOW64\Enfqikef.dll Pmblagmf.exe File opened for modification C:\Windows\SysWOW64\Pbcncibp.exe Oflmnh32.exe File created C:\Windows\SysWOW64\Kehojiej.exe Kalcik32.exe File created C:\Windows\SysWOW64\Kemhei32.exe Kbnlim32.exe File opened for modification C:\Windows\SysWOW64\Adkqoohc.exe Aaldccip.exe File created C:\Windows\SysWOW64\Noppeaed.exe Nhegig32.exe File created C:\Windows\SysWOW64\Bfmpaf32.dll Oqmhqapg.exe File opened for modification C:\Windows\SysWOW64\Dcphdqmj.exe Dckoia32.exe File opened for modification C:\Windows\SysWOW64\Hchqbkkm.exe Heepfn32.exe File created C:\Windows\SysWOW64\Dddjmo32.dll Ppahmb32.exe File opened for modification C:\Windows\SysWOW64\Fohfbpgi.exe Finnef32.exe File created C:\Windows\SysWOW64\Bmgjnl32.dll Oflmnh32.exe File created C:\Windows\SysWOW64\Jlkafdco.exe Jhoeef32.exe File created C:\Windows\SysWOW64\Lgibpf32.exe Lcnfohmi.exe File created C:\Windows\SysWOW64\Mpkcqhdh.dll Doccpcja.exe File opened for modification C:\Windows\SysWOW64\Jldbpl32.exe Jifecp32.exe File opened for modification C:\Windows\SysWOW64\Mlofcf32.exe Mfenglqf.exe File opened for modification C:\Windows\SysWOW64\Ppgegd32.exe Pmiikh32.exe File created C:\Windows\SysWOW64\Caojpaij.exe Ckebcg32.exe File created C:\Windows\SysWOW64\Ekajec32.exe Ehbnigjj.exe File opened for modification C:\Windows\SysWOW64\Jifecp32.exe Jaonbc32.exe File created C:\Windows\SysWOW64\Hcoejf32.dll Mlhqcgnk.exe File opened for modification C:\Windows\SysWOW64\Klmnkdal.exe Keceoj32.exe File opened for modification C:\Windows\SysWOW64\Khfkfedn.exe Kehojiej.exe File created C:\Windows\SysWOW64\Ljeafb32.exe Lfjfecno.exe File created C:\Windows\SysWOW64\Aaenbd32.exe Aogbfi32.exe File created C:\Windows\SysWOW64\Jldbpl32.exe Jifecp32.exe File created C:\Windows\SysWOW64\Heepfn32.exe Hjolie32.exe File created C:\Windows\SysWOW64\Kkbkmqed.exe Kdhbpf32.exe File created C:\Windows\SysWOW64\Mobpnd32.dll Kehojiej.exe File created C:\Windows\SysWOW64\Dhfhohgp.dll Khfkfedn.exe File created C:\Windows\SysWOW64\Fnihkq32.dll Mfeeabda.exe File created C:\Windows\SysWOW64\Mlbmonhi.dll Fkhpfbce.exe File created C:\Windows\SysWOW64\Ljbnfleo.exe Lakfeodm.exe File created C:\Windows\SysWOW64\Jopaaj32.dll Ibnjkbog.exe File created C:\Windows\SysWOW64\Gcgplk32.dll Ahaceo32.exe File created C:\Windows\SysWOW64\Fgijpe32.dll Adkqoohc.exe File created C:\Windows\SysWOW64\Olaafabl.dll Cnaaib32.exe File created C:\Windows\SysWOW64\Jidinqpb.exe Iondqhpl.exe File created C:\Windows\SysWOW64\Laiipofp.exe Lojmcdgl.exe File created C:\Windows\SysWOW64\Jeaiij32.exe Jbbmmo32.exe File opened for modification C:\Windows\SysWOW64\Opqofe32.exe Ombcji32.exe File created C:\Windows\SysWOW64\Dgfpihkg.dll Opclldhj.exe File opened for modification C:\Windows\SysWOW64\Pmblagmf.exe Pjdpelnc.exe File opened for modification C:\Windows\SysWOW64\Qmeigg32.exe Qjfmkk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11928 11576 WerFault.exe 581 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodeajbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmapodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkofga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jppnpjel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmjqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eomffaag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbenoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidinqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhgiim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckboblp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbnigjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piocecgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hccggl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boldhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfegk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddllkbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojmcdgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lplfcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpeiie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkkik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpcpfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kalcik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmhgmmbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hecjke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpcinld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kifojnol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqmhqapg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjokd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckiihok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppolhcnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joekag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nceefd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjmdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgelgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lafmjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjfodne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieojgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgpeha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjfecno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnobj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geldkfpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbekii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modgdicm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajhndkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmodajm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhegig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkhbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koimbpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdhbpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahaceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgoek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhpimhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpkknmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbhgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkobkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpolbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjolie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbnpnme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipdndloi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lebijnak.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjkmomfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekajec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbojlfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foniaq32.dll" Kadpdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apnndj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmolo32.dll" Lqojclne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdmfllhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalceb32.dll" Bbaclegm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aknbkjfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dafppp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hiacacpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhdcmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifffn32.dll" Hejqldci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jikoopij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgfga32.dll" Keifdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Noppeaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll" Oghghb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ondljl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddjmo32.dll" Ppahmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbocfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll" Pbekii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dckoia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebaplnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbjnhape.dll" Hhimhobl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jppnpjel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kplmliko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inkaqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkcaoef.dll" Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iondqhpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kibeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcgahca.dll" Ccdihbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgelgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfgipd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocgbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmeigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnjdpaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhdcmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kamjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll" Cdmoafdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll" Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fboqkn32.dll" Lgibpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkofn32.dll" Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojidbohn.dll" Ekonpckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll" Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlofcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll" Cpacqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaoca32.dll" Hegmlnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jehfcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll" Jeaiij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkqgno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempqa32.dll" Nceefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafkmp32.dll" Jemfhacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankhggi.dll" Mfkkqmiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhanngbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkqol32.dll" Jjnaaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Koimbpbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdhbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpicj32.dll" Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljceqb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2588 wrote to memory of 3144 2588 11008fc3aca9051661e4c9ae4498cc922f8891342851a391eadd6777ef3aa3b1.exe 88 PID 2588 wrote to memory of 3144 2588 11008fc3aca9051661e4c9ae4498cc922f8891342851a391eadd6777ef3aa3b1.exe 88 PID 2588 wrote to memory of 3144 2588 11008fc3aca9051661e4c9ae4498cc922f8891342851a391eadd6777ef3aa3b1.exe 88 PID 3144 wrote to memory of 2204 3144 Ljnlecmp.exe 89 PID 3144 wrote to memory of 2204 3144 Ljnlecmp.exe 89 PID 3144 wrote to memory of 2204 3144 Ljnlecmp.exe 89 PID 2204 wrote to memory of 4992 2204 Lqhdbm32.exe 90 PID 2204 wrote to memory of 4992 2204 Lqhdbm32.exe 90 PID 2204 wrote to memory of 4992 2204 Lqhdbm32.exe 90 PID 4992 wrote to memory of 3348 4992 Lqkqhm32.exe 91 PID 4992 wrote to memory of 3348 4992 Lqkqhm32.exe 91 PID 4992 wrote to memory of 3348 4992 Lqkqhm32.exe 91 PID 3348 wrote to memory of 3468 3348 Lcimdh32.exe 92 PID 3348 wrote to memory of 3468 3348 Lcimdh32.exe 92 PID 3348 wrote to memory of 3468 3348 Lcimdh32.exe 92 PID 3468 wrote to memory of 3172 3468 Lfgipd32.exe 93 PID 3468 wrote to memory of 3172 3468 Lfgipd32.exe 93 PID 3468 wrote to memory of 3172 3468 Lfgipd32.exe 93 PID 3172 wrote to memory of 3892 3172 Ljceqb32.exe 94 PID 3172 wrote to memory of 3892 3172 Ljceqb32.exe 94 PID 3172 wrote to memory of 3892 3172 Ljceqb32.exe 94 PID 3892 wrote to memory of 4136 3892 Lmaamn32.exe 95 PID 3892 wrote to memory of 4136 3892 Lmaamn32.exe 95 PID 3892 wrote to memory of 4136 3892 Lmaamn32.exe 95 PID 4136 wrote to memory of 1208 4136 Lopmii32.exe 96 PID 4136 wrote to memory of 1208 4136 Lopmii32.exe 96 PID 4136 wrote to memory of 1208 4136 Lopmii32.exe 96 PID 1208 wrote to memory of 1480 1208 Lckiihok.exe 97 PID 1208 wrote to memory of 1480 1208 Lckiihok.exe 97 PID 1208 wrote to memory of 1480 1208 Lckiihok.exe 97 PID 1480 wrote to memory of 344 1480 Lfjfecno.exe 98 PID 1480 wrote to memory of 344 1480 Lfjfecno.exe 98 PID 1480 wrote to memory of 344 1480 Lfjfecno.exe 98 PID 344 wrote to memory of 2652 344 Ljeafb32.exe 99 PID 344 wrote to memory of 2652 344 Ljeafb32.exe 99 PID 344 wrote to memory of 2652 344 Ljeafb32.exe 99 PID 2652 wrote to memory of 3388 2652 Lmdnbn32.exe 100 PID 2652 wrote to memory of 3388 2652 Lmdnbn32.exe 100 PID 2652 wrote to memory of 3388 2652 Lmdnbn32.exe 100 PID 3388 wrote to memory of 1112 3388 Lqojclne.exe 101 PID 3388 wrote to memory of 1112 3388 Lqojclne.exe 101 PID 3388 wrote to memory of 1112 3388 Lqojclne.exe 101 PID 1112 wrote to memory of 996 1112 Lcnfohmi.exe 102 PID 1112 wrote to memory of 996 1112 Lcnfohmi.exe 102 PID 1112 wrote to memory of 996 1112 Lcnfohmi.exe 102 PID 996 wrote to memory of 2972 996 Lgibpf32.exe 103 PID 996 wrote to memory of 2972 996 Lgibpf32.exe 103 PID 996 wrote to memory of 2972 996 Lgibpf32.exe 103 PID 2972 wrote to memory of 1728 2972 Ljhnlb32.exe 104 PID 2972 wrote to memory of 1728 2972 Ljhnlb32.exe 104 PID 2972 wrote to memory of 1728 2972 Ljhnlb32.exe 104 PID 1728 wrote to memory of 2168 1728 Lncjlq32.exe 105 PID 1728 wrote to memory of 2168 1728 Lncjlq32.exe 105 PID 1728 wrote to memory of 2168 1728 Lncjlq32.exe 105 PID 2168 wrote to memory of 3912 2168 Mmfkhmdi.exe 106 PID 2168 wrote to memory of 3912 2168 Mmfkhmdi.exe 106 PID 2168 wrote to memory of 3912 2168 Mmfkhmdi.exe 106 PID 3912 wrote to memory of 1156 3912 Modgdicm.exe 107 PID 3912 wrote to memory of 1156 3912 Modgdicm.exe 107 PID 3912 wrote to memory of 1156 3912 Modgdicm.exe 107 PID 1156 wrote to memory of 2512 1156 Mcpcdg32.exe 108 PID 1156 wrote to memory of 2512 1156 Mcpcdg32.exe 108 PID 1156 wrote to memory of 2512 1156 Mcpcdg32.exe 108 PID 2512 wrote to memory of 1488 2512 Mgloefco.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\11008fc3aca9051661e4c9ae4498cc922f8891342851a391eadd6777ef3aa3b1.exe"C:\Users\Admin\AppData\Local\Temp\11008fc3aca9051661e4c9ae4498cc922f8891342851a391eadd6777ef3aa3b1.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Ljnlecmp.exeC:\Windows\system32\Ljnlecmp.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Lqhdbm32.exeC:\Windows\system32\Lqhdbm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Lqkqhm32.exeC:\Windows\system32\Lqkqhm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Lcimdh32.exeC:\Windows\system32\Lcimdh32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Lfgipd32.exeC:\Windows\system32\Lfgipd32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Ljceqb32.exeC:\Windows\system32\Ljceqb32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Lmaamn32.exeC:\Windows\system32\Lmaamn32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\SysWOW64\Lopmii32.exeC:\Windows\system32\Lopmii32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Lckiihok.exeC:\Windows\system32\Lckiihok.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Lfjfecno.exeC:\Windows\system32\Lfjfecno.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Ljeafb32.exeC:\Windows\system32\Ljeafb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Lmdnbn32.exeC:\Windows\system32\Lmdnbn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Lqojclne.exeC:\Windows\system32\Lqojclne.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Lgibpf32.exeC:\Windows\system32\Lgibpf32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Ljhnlb32.exeC:\Windows\system32\Ljhnlb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Lncjlq32.exeC:\Windows\system32\Lncjlq32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Mmfkhmdi.exeC:\Windows\system32\Mmfkhmdi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Modgdicm.exeC:\Windows\system32\Modgdicm.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\Mcpcdg32.exeC:\Windows\system32\Mcpcdg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Mgloefco.exeC:\Windows\system32\Mgloefco.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Mjjkaabc.exeC:\Windows\system32\Mjjkaabc.exe23⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Mmhgmmbf.exeC:\Windows\system32\Mmhgmmbf.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Mqdcnl32.exeC:\Windows\system32\Mqdcnl32.exe25⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Mcbpjg32.exeC:\Windows\system32\Mcbpjg32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Mfqlfb32.exeC:\Windows\system32\Mfqlfb32.exe27⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Mjlhgaqp.exeC:\Windows\system32\Mjlhgaqp.exe28⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Mmkdcm32.exeC:\Windows\system32\Mmkdcm32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Mgphpe32.exeC:\Windows\system32\Mgphpe32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Mfchlbfd.exeC:\Windows\system32\Mfchlbfd.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Mnjqmpgg.exeC:\Windows\system32\Mnjqmpgg.exe32⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Mmmqhl32.exeC:\Windows\system32\Mmmqhl32.exe33⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Mokmdh32.exeC:\Windows\system32\Mokmdh32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Mcgiefen.exeC:\Windows\system32\Mcgiefen.exe35⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Mfeeabda.exeC:\Windows\system32\Mfeeabda.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Mjaabq32.exeC:\Windows\system32\Mjaabq32.exe37⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Mmpmnl32.exeC:\Windows\system32\Mmpmnl32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Monjjgkb.exeC:\Windows\system32\Monjjgkb.exe39⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Mcifkf32.exeC:\Windows\system32\Mcifkf32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3704 -
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe41⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Nnojho32.exeC:\Windows\system32\Nnojho32.exe42⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe43⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Nclbpf32.exeC:\Windows\system32\Nclbpf32.exe44⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Nfjola32.exeC:\Windows\system32\Nfjola32.exe45⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Nnafno32.exeC:\Windows\system32\Nnafno32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Nmdgikhi.exeC:\Windows\system32\Nmdgikhi.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5128 -
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe49⤵
- Executes dropped EXE
PID:5168 -
C:\Windows\SysWOW64\Njhgbp32.exeC:\Windows\system32\Njhgbp32.exe50⤵
- Executes dropped EXE
PID:5208 -
C:\Windows\SysWOW64\Nncccnol.exeC:\Windows\system32\Nncccnol.exe51⤵
- Executes dropped EXE
PID:5256 -
C:\Windows\SysWOW64\Npepkf32.exeC:\Windows\system32\Npepkf32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5288 -
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe53⤵
- Executes dropped EXE
PID:5328 -
C:\Windows\SysWOW64\Nfohgqlg.exeC:\Windows\system32\Nfohgqlg.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5368 -
C:\Windows\SysWOW64\Nnfpinmi.exeC:\Windows\system32\Nnfpinmi.exe55⤵
- Executes dropped EXE
PID:5408 -
C:\Windows\SysWOW64\Nadleilm.exeC:\Windows\system32\Nadleilm.exe56⤵
- Executes dropped EXE
PID:5448 -
C:\Windows\SysWOW64\Ncchae32.exeC:\Windows\system32\Ncchae32.exe57⤵
- Executes dropped EXE
PID:5488 -
C:\Windows\SysWOW64\Nfaemp32.exeC:\Windows\system32\Nfaemp32.exe58⤵
- Executes dropped EXE
PID:5532 -
C:\Windows\SysWOW64\Nnhmnn32.exeC:\Windows\system32\Nnhmnn32.exe59⤵
- Executes dropped EXE
PID:5568 -
C:\Windows\SysWOW64\Nmkmjjaa.exeC:\Windows\system32\Nmkmjjaa.exe60⤵
- Executes dropped EXE
PID:5608 -
C:\Windows\SysWOW64\Nceefd32.exeC:\Windows\system32\Nceefd32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5652 -
C:\Windows\SysWOW64\Ngqagcag.exeC:\Windows\system32\Ngqagcag.exe62⤵
- Executes dropped EXE
PID:5688 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:5728 -
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe64⤵
- Executes dropped EXE
PID:5768 -
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe65⤵
- Executes dropped EXE
PID:5808 -
C:\Windows\SysWOW64\Ocgbld32.exeC:\Windows\system32\Ocgbld32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Offnhpfo.exeC:\Windows\system32\Offnhpfo.exe67⤵
- Modifies registry class
PID:5892 -
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe68⤵PID:5928
-
C:\Windows\SysWOW64\Ompfej32.exeC:\Windows\system32\Ompfej32.exe69⤵PID:5968
-
C:\Windows\SysWOW64\Opnbae32.exeC:\Windows\system32\Opnbae32.exe70⤵PID:6012
-
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe71⤵PID:6052
-
C:\Windows\SysWOW64\Ojdgnn32.exeC:\Windows\system32\Ojdgnn32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6092 -
C:\Windows\SysWOW64\Ombcji32.exeC:\Windows\system32\Ombcji32.exe73⤵
- Drops file in System32 directory
PID:6132 -
C:\Windows\SysWOW64\Opqofe32.exeC:\Windows\system32\Opqofe32.exe74⤵PID:1656
-
C:\Windows\SysWOW64\Oghghb32.exeC:\Windows\system32\Oghghb32.exe75⤵
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Ojfcdnjc.exeC:\Windows\system32\Ojfcdnjc.exe76⤵PID:796
-
C:\Windows\SysWOW64\Omdppiif.exeC:\Windows\system32\Omdppiif.exe77⤵PID:1960
-
C:\Windows\SysWOW64\Opclldhj.exeC:\Windows\system32\Opclldhj.exe78⤵
- Drops file in System32 directory
PID:4836 -
C:\Windows\SysWOW64\Ogjdmbil.exeC:\Windows\system32\Ogjdmbil.exe79⤵PID:5088
-
C:\Windows\SysWOW64\Ojhpimhp.exeC:\Windows\system32\Ojhpimhp.exe80⤵
- System Location Discovery: System Language Discovery
PID:736 -
C:\Windows\SysWOW64\Ondljl32.exeC:\Windows\system32\Ondljl32.exe81⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Oabhfg32.exeC:\Windows\system32\Oabhfg32.exe82⤵PID:5240
-
C:\Windows\SysWOW64\Ocaebc32.exeC:\Windows\system32\Ocaebc32.exe83⤵PID:5312
-
C:\Windows\SysWOW64\Ohlqcagj.exeC:\Windows\system32\Ohlqcagj.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5364 -
C:\Windows\SysWOW64\Pjkmomfn.exeC:\Windows\system32\Pjkmomfn.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Pmiikh32.exeC:\Windows\system32\Pmiikh32.exe86⤵
- Drops file in System32 directory
PID:5552 -
C:\Windows\SysWOW64\Ppgegd32.exeC:\Windows\system32\Ppgegd32.exe87⤵PID:5624
-
C:\Windows\SysWOW64\Phonha32.exeC:\Windows\system32\Phonha32.exe88⤵PID:5712
-
C:\Windows\SysWOW64\Pjmjdm32.exeC:\Windows\system32\Pjmjdm32.exe89⤵PID:5784
-
C:\Windows\SysWOW64\Pnifekmd.exeC:\Windows\system32\Pnifekmd.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5840 -
C:\Windows\SysWOW64\Pagbaglh.exeC:\Windows\system32\Pagbaglh.exe91⤵PID:5884
-
C:\Windows\SysWOW64\Pdenmbkk.exeC:\Windows\system32\Pdenmbkk.exe92⤵PID:5956
-
C:\Windows\SysWOW64\Pfdjinjo.exeC:\Windows\system32\Pfdjinjo.exe93⤵PID:6024
-
C:\Windows\SysWOW64\Pnkbkk32.exeC:\Windows\system32\Pnkbkk32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6088 -
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Pdhkcb32.exeC:\Windows\system32\Pdhkcb32.exe96⤵PID:2116
-
C:\Windows\SysWOW64\Pffgom32.exeC:\Windows\system32\Pffgom32.exe97⤵PID:4244
-
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe98⤵PID:2468
-
C:\Windows\SysWOW64\Pmpolgoi.exeC:\Windows\system32\Pmpolgoi.exe99⤵PID:3828
-
C:\Windows\SysWOW64\Ppolhcnm.exeC:\Windows\system32\Ppolhcnm.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Phfcipoo.exeC:\Windows\system32\Phfcipoo.exe101⤵PID:616
-
C:\Windows\SysWOW64\Pjdpelnc.exeC:\Windows\system32\Pjdpelnc.exe102⤵
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Pmblagmf.exeC:\Windows\system32\Pmblagmf.exe103⤵
- Drops file in System32 directory
PID:6148 -
C:\Windows\SysWOW64\Ppahmb32.exeC:\Windows\system32\Ppahmb32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:6188 -
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe105⤵PID:6228
-
C:\Windows\SysWOW64\Qfkqjmdg.exeC:\Windows\system32\Qfkqjmdg.exe106⤵PID:6268
-
C:\Windows\SysWOW64\Qjfmkk32.exeC:\Windows\system32\Qjfmkk32.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:6308 -
C:\Windows\SysWOW64\Qmeigg32.exeC:\Windows\system32\Qmeigg32.exe108⤵
- Modifies registry class
PID:6348 -
C:\Windows\SysWOW64\Qpcecb32.exeC:\Windows\system32\Qpcecb32.exe109⤵PID:6388
-
C:\Windows\SysWOW64\Qhjmdp32.exeC:\Windows\system32\Qhjmdp32.exe110⤵
- System Location Discovery: System Language Discovery
PID:6428 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe111⤵PID:6468
-
C:\Windows\SysWOW64\Qodeajbg.exeC:\Windows\system32\Qodeajbg.exe112⤵
- System Location Discovery: System Language Discovery
PID:6508 -
C:\Windows\SysWOW64\Qacameaj.exeC:\Windows\system32\Qacameaj.exe113⤵PID:6548
-
C:\Windows\SysWOW64\Qpeahb32.exeC:\Windows\system32\Qpeahb32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6588 -
C:\Windows\SysWOW64\Ahmjjoig.exeC:\Windows\system32\Ahmjjoig.exe115⤵PID:6628
-
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe116⤵PID:6676
-
C:\Windows\SysWOW64\Aogbfi32.exeC:\Windows\system32\Aogbfi32.exe117⤵
- Drops file in System32 directory
PID:6708 -
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe118⤵PID:6748
-
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6788 -
C:\Windows\SysWOW64\Ahofoogd.exeC:\Windows\system32\Ahofoogd.exe120⤵PID:6828
-
C:\Windows\SysWOW64\Aknbkjfh.exeC:\Windows\system32\Aknbkjfh.exe121⤵
- Modifies registry class
PID:6872
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-