Analysis
max time kernel: 110s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2024, 17:47
Behavioral task: behavioral1
Sample: cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Resource: win7-20240903-en
General
Target: cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Size: 337KB
MD5: f66386730c3497ca644c7e77d5d793b0
SHA1: 5da659a3e0af11bc6202517eacca18f4014b705d
SHA256: cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948
SHA512: 0317f66c97bd23f87b547663cab8cbc1a9bfa6cf620ee8f05380600109ce6f319229c6950776edb3d2f705c672407c8480e44da08455f1f11e01e943ac672cac
SSDEEP: 3072:um2uO9O6VLTav239gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:tMae391+fIyG5jZkCwi8r
Malware Config
Extracted: berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehkpcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jldjjpdc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qnhgei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhjpbi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibhijf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Beghnf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chdalplm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djhlnd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgompjbg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dejnkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Elpfclfc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gliapi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pgkbcoko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekbodc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gaommjaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikadnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlbmdpff.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojiehm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hefhjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aelibh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehicnmje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lihcjaek.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hncjcijn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aelibh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eonboheg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eoehpgpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klnmpnli.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doiajb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekfhobem.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efipidog.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgbbpbgl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nllbhjbf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odccqedf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghiejd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndadonhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Leodob32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmdhbnoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehcchg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igeabm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnmfqe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgpgdl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Feambq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fggljb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndhjombo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbdbglnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mifplp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nchgkdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bedenqhq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpklpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nllbhjbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djkicdpk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hilbah32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjldkhjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcehdn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Foahleeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Meigea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eefnfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efipidog.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoodmc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ickidp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnlgik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdhlld32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbehgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Koooph32.exe
Executes dropped EXE (64 IoCs)
pid | Process
4076 | Kmgjdi32.exe
2228 | Kpefpd32.exe
5172 | Kmifjh32.exe
5504 | Kpgcfd32.exe
4988 | Kipgoiqa.exe
2484 | Kbhlgoga.exe
5300 | Kibddi32.exe
4572 | Kpllacfk.exe
5680 | Lidqji32.exe
2192 | Ldjegala.exe
2024 | Lmbipg32.exe
4316 | Ldlamajo.exe
4888 | Lgknimib.exe
2632 | Ldonbq32.exe
2964 | Lkifokpi.exe
5924 | Lpeoganq.exe
5980 | Lgpgdl32.exe
5888 | Laelad32.exe
5828 | Ldchmpdg.exe
5500 | Maghgdcq.exe
3240 | Mibmkfql.exe
456 | Mgfmdk32.exe
3600 | Miejqf32.exe
4496 | Mcmnilei.exe
1904 | Manngc32.exe
1216 | Mkgcpi32.exe
4004 | Ngncejim.exe
3116 | Ndadonhg.exe
3672 | Npheconk.exe
5676 | Ndfnjm32.exe
5304 | Ndhjombo.exe
656 | Nalkiaah.exe
4016 | Oncknb32.exe
2380 | Ocpdfied.exe
5424 | Obaddq32.exe
5752 | Ocbqkica.exe
3224 | Ojlihc32.exe
3292 | Oqfaem32.exe
4388 | Oklebf32.exe
4636 | Oqinjm32.exe
4480 | Oknbhe32.exe
4980 | Onmnda32.exe
5088 | Pciglhmi.exe
5384 | Pnokiqlo.exe
884 | Pdicfk32.exe
4336 | Pkckceki.exe
5236 | Pbmcpo32.exe
4768 | Pdkplj32.exe
4176 | Pkehhd32.exe
4252 | Pbopeoqc.exe
2452 | Pdnmajpg.exe
2940 | Pkgend32.exe
3668 | Pbamknoq.exe
3088 | Pepigjnd.exe
3960 | Pnhnpode.exe
5484 | Qqgjlkch.exe
8 | Qklniccn.exe
768 | Qjoodp32.exe
4772 | Qedbbi32.exe
4376 | Qjakjphf.exe
5772 | Aakcgj32.exe
5764 | Aegogihl.exe
5176 | Akahdc32.exe
5508 | Anodpn32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Pkehhd32.exe | Pdkplj32.exe
File created | C:\Windows\SysWOW64\Leodob32.exe | Ldnghjeq.exe
File created | C:\Windows\SysWOW64\Mpnkcjbj.exe | Meigea32.exe
File created | C:\Windows\SysWOW64\Dmoegi32.dll | Jegnmpkn.exe
File created | C:\Windows\SysWOW64\Mkafqmop.dll | Pnokiqlo.exe
File created | C:\Windows\SysWOW64\Coipmkho.exe | Clkcaoil.exe
File created | C:\Windows\SysWOW64\Dkichj32.exe | Dhkglo32.exe
File created | C:\Windows\SysWOW64\Dmcihglg.dll | Iejifhki.exe
File created | C:\Windows\SysWOW64\Lihcjaek.exe | Lbokng32.exe
File created | C:\Windows\SysWOW64\Pinhap32.dll | Kipgoiqa.exe
File created | C:\Windows\SysWOW64\Abmmfm32.exe | Aghhidem.exe
File opened for modification | C:\Windows\SysWOW64\Bgpdelig.exe | Bcehdn32.exe
File created | C:\Windows\SysWOW64\Dapheokm.exe | Dmdldp32.exe
File created | C:\Windows\SysWOW64\Fkpkeqmb.exe | Fdfcig32.exe
File created | C:\Windows\SysWOW64\Nhholdkb.dll | Bgpdelig.exe
File created | C:\Windows\SysWOW64\Pdicfk32.exe | Pnokiqlo.exe
File created | C:\Windows\SysWOW64\Dihceh32.dll | Pbopeoqc.exe
File opened for modification | C:\Windows\SysWOW64\Kecdcd32.exe | Kbehgi32.exe
File created | C:\Windows\SysWOW64\Cckmcj32.dll | Leodob32.exe
File opened for modification | C:\Windows\SysWOW64\Nmiamm32.exe | Ngoipcco.exe
File created | C:\Windows\SysWOW64\Qgnohoil.exe | Pdoblcjh.exe
File created | C:\Windows\SysWOW64\Eqidgolb.dll | Ajjgfh32.exe
File created | C:\Windows\SysWOW64\Ehcchg32.exe | Emnoko32.exe
File created | C:\Windows\SysWOW64\Neicejic.dll | Laelad32.exe
File opened for modification | C:\Windows\SysWOW64\Andmknjg.exe | Ajhako32.exe
File created | C:\Windows\SysWOW64\Banicgon.exe | Beghnf32.exe
File created | C:\Windows\SysWOW64\Bceiigfg.dll | Hohgcb32.exe
File created | C:\Windows\SysWOW64\Dchgij32.dll | Kmhpob32.exe
File created | C:\Windows\SysWOW64\Cbcdfd32.dll | Mpnkcjbj.exe
File created | C:\Windows\SysWOW64\Ipedqm32.dll | Ibmbeffg.exe
File created | C:\Windows\SysWOW64\Mmanfl32.dll | Lfbjcahc.exe
File created | C:\Windows\SysWOW64\Pciglhmi.exe | Onmnda32.exe
File created | C:\Windows\SysWOW64\Accbid32.exe | Aepbngpa.exe
File created | C:\Windows\SysWOW64\Lcaloamp.dll | Hhelpiae.exe
File created | C:\Windows\SysWOW64\Fhgmqh32.dll | Qddlgc32.exe
File created | C:\Windows\SysWOW64\Eonkeabl.exe | Ekbodc32.exe
File opened for modification | C:\Windows\SysWOW64\Holpmmgi.exe | Hgehlpgg.exe
File created | C:\Windows\SysWOW64\Gnbnnc32.dll | Kmifjh32.exe
File created | C:\Windows\SysWOW64\Iflbfkpi.exe | Icmejoaf.exe
File created | C:\Windows\SysWOW64\Engdcfhb.dll | Mfcjdenl.exe
File created | C:\Windows\SysWOW64\Cnhicddc.exe | Cjmmbf32.exe
File created | C:\Windows\SysWOW64\Hbdoogob.exe | Hoecclon.exe
File created | C:\Windows\SysWOW64\Bbdbglnk.exe | Accbid32.exe
File created | C:\Windows\SysWOW64\Jjjpocip.dll | Dklpnjcf.exe
File created | C:\Windows\SysWOW64\Fnbhhq32.dll | Aqabmceo.exe
File created | C:\Windows\SysWOW64\Eeodgiee.dll | Eejpgkgf.exe
File created | C:\Windows\SysWOW64\Gkgafp32.exe | Ghiejd32.exe
File opened for modification | C:\Windows\SysWOW64\Jkjpikib.exe | Jdphmq32.exe
File created | C:\Windows\SysWOW64\Bccaclhi.dll | Pkehhd32.exe
File created | C:\Windows\SysWOW64\Efipidog.exe | Empkpn32.exe
File created | C:\Windows\SysWOW64\Hhdefb32.exe | Hefhjg32.exe
File created | C:\Windows\SysWOW64\Kendnoef.exe | Kbphbcfb.exe
File created | C:\Windows\SysWOW64\Hcaoiqob.dll | Meajjleq.exe
File created | C:\Windows\SysWOW64\Qjakjphf.exe | Qedbbi32.exe
File created | C:\Windows\SysWOW64\Calede32.exe | Ckbmhkka.exe
File created | C:\Windows\SysWOW64\Ngfpabng.exe | Nplgdhfj.exe
File created | C:\Windows\SysWOW64\Mgkhej32.dll | Cengdopf.exe
File opened for modification | C:\Windows\SysWOW64\Iggnhmfa.exe | Iffaqe32.exe
File opened for modification | C:\Windows\SysWOW64\Ibmbeffg.exe | Ioofijgc.exe
File opened for modification | C:\Windows\SysWOW64\Mninca32.exe | Mlkbgf32.exe
File created | C:\Windows\SysWOW64\Blehee32.dll | Ldjegala.exe
File opened for modification | C:\Windows\SysWOW64\Bbnemjfq.exe | Blcmqp32.exe
File opened for modification | C:\Windows\SysWOW64\Dhkglo32.exe | Dbnodh32.exe
File created | C:\Windows\SysWOW64\Lchpcobb.dll | Flbkpjfn.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
11404 | 12272 | WerFault.exe | 601
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kemncekd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Leodob32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mempqqoo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onbdcl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndfnjm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgjped32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gnenbk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkcabnmm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pkckceki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfpkaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pqajfe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbdlni32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klkpkonl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmflqpka.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgfhhp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbdoogob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpllacfk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Alhnebia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aqdobbcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbphbcfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mifplp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqflhb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gemfchgq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdoblcjh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bedenqhq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oknbhe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fcjggd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmhghdfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Keahnd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nllbhjbf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgdlbpag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbndca32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pepigjnd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elbbil32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpnkcjbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nedfaphg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkgafp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdphmq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbopeoqc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddddgp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eehjlbmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ickidp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmhjkfif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Liafolgg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flbkpjfn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldnghjeq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgbbpbgl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aakcgj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nibogn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qjngjj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbhlgoga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbnemjfq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccnkjl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnfgii32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgfmdk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dopfnjag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfpicoii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdkekc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfokpf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbamknoq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdpmil32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gliapi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Leaqebil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Accbid32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlimimnj.dll" | Ghpkkc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Knieldjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qedbbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bbfomklh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiidmae.dll" | Ncfjedic.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fkpkeqmb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hfmojf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kflkmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbhdlccc.dll" | Lbokng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngoipcco.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ggpoqq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qqfcad32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hfokpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afbgkqef.dll" | Indcjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejibkgdj.dll" | Lhhpfhjl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ldonbq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pciglhmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Banicgon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnokbbf.dll" | Gohnldoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bgngom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobfdqef.dll" | Dapheokm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jinqco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kkhlki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ehicnmje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gojjbdmg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ifdlelfa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jfnoljng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehnbaepk.dll" | Lbndca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qcdompoq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bmmmmcgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cageopcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaojo32.dll" | Kphbfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pkckceki.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gkjeffic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nedfaphg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pjbhnlqk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnknbmii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmocn32.dll" | Liafolgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lhhpfhjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blehee32.dll" | Ldjegala.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epffbngm.dll" | Aeilmhei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmeaqjl.dll" | Hffpdnba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkjpdgjm.dll" | Nepmfp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgophbc.dll" | Ldqdmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinloq32.dll" | Ofbbbnlg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfigmbqn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkijlhhp.dll" | Oknbhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdnhf32.dll" | Ngfpabng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipena32.dll" | Pqajfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hfokpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabbmdgh.dll" | Onbdcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cnhicddc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kejphh32.dll" | Deigpneh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ekieebck.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnphgc32.dll" | Qjoodp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkleiaff.dll" | Flkeok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcaloamp.dll" | Hhelpiae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nplgdhfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcecmk32.dll" | Idkoaaek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfnqha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfpmnajf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Facnalkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lhkmlh32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe (command line: "C:\Users\Admin\AppData\Local\Temp\cd85834b1ec88b2b4e065cb59cdbfbc4b77b10600fbfdc8501ec7fd1c0fbe948.exe")
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1172

Level 2: C:\Windows\SysWOW64\Kmgjdi32.exe (command line: C:\Windows\system32\Kmgjdi32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4076

Level 3: C:\Windows\SysWOW64\Kpefpd32.exe (command line: C:\Windows\system32\Kpefpd32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2228

Level 4: C:\Windows\SysWOW64\Kmifjh32.exe (command line: C:\Windows\system32\Kmifjh32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 5172

Level 5: C:\Windows\SysWOW64\Kpgcfd32.exe (command line: C:\Windows\system32\Kpgcfd32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5504

Level 6: C:\Windows\SysWOW64\Kipgoiqa.exe (command line: C:\Windows\system32\Kipgoiqa.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 4988

Level 7: C:\Windows\SysWOW64\Kbhlgoga.exe (command line: C:\Windows\system32\Kbhlgoga.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2484

Level 8: C:\Windows\SysWOW64\Kibddi32.exe (command line: C:\Windows\system32\Kibddi32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5300

Level 9: C:\Windows\SysWOW64\Kpllacfk.exe (command line: C:\Windows\system32\Kpllacfk.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4572

Level 10: C:\Windows\SysWOW64\Lidqji32.exe (command line: C:\Windows\system32\Lidqji32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5680

Level 11: C:\Windows\SysWOW64\Ldjegala.exe (command line: C:\Windows\system32\Ldjegala.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2192

Level 12: C:\Windows\SysWOW64\Lmbipg32.exe (command line: C:\Windows\system32\Lmbipg32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2024

Level 13: C:\Windows\SysWOW64\Ldlamajo.exe (command line: C:\Windows\system32\Ldlamajo.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4316

Level 14: C:\Windows\SysWOW64\Lgknimib.exe (command line: C:\Windows\system32\Lgknimib.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4888

Level 15: C:\Windows\SysWOW64\Ldonbq32.exe (command line: C:\Windows\system32\Ldonbq32.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2632

Level 16: C:\Windows\SysWOW64\Lkifokpi.exe (command line: C:\Windows\system32\Lkifokpi.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2964

Level 17: C:\Windows\SysWOW64\Lpeoganq.exe (command line: C:\Windows\system32\Lpeoganq.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5924

Level 18: C:\Windows\SysWOW64\Lgpgdl32.exe (command line: C:\Windows\system32\Lgpgdl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5980

Level 19: C:\Windows\SysWOW64\Laelad32.exe (command line: C:\Windows\system32\Laelad32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 5888

Level 20: C:\Windows\SysWOW64\Ldchmpdg.exe (command line: C:\Windows\system32\Ldchmpdg.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5828

Level 21: C:\Windows\SysWOW64\Maghgdcq.exe (command line: C:\Windows\system32\Maghgdcq.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5500

Level 22: C:\Windows\SysWOW64\Mibmkfql.exe (command line: C:\Windows\system32\Mibmkfql.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3240

Level 23: C:\Windows\SysWOW64\Mgfmdk32.exe (command line: C:\Windows\system32\Mgfmdk32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 456

Level 24: C:\Windows\SysWOW64\Miejqf32.exe (command line: C:\Windows\system32\Miejqf32.exe)
- Executes dropped EXE
PID: 3600

Level 25: C:\Windows\SysWOW64\Mcmnilei.exe (command line: C:\Windows\system32\Mcmnilei.exe)
- Executes dropped EXE
PID: 4496

Level 26: C:\Windows\SysWOW64\Manngc32.exe (command line: C:\Windows\system32\Manngc32.exe)
- Executes dropped EXE
PID: 1904

Level 27: C:\Windows\SysWOW64\Mkgcpi32.exe (command line: C:\Windows\system32\Mkgcpi32.exe)
- Executes dropped EXE
PID: 1216

Level 28: C:\Windows\SysWOW64\Ngncejim.exe (command line: C:\Windows\system32\Ngncejim.exe)
- Executes dropped EXE
PID: 4004

Level 29: C:\Windows\SysWOW64\Ndadonhg.exe (command line: C:\Windows\system32\Ndadonhg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 3116

Level 30: C:\Windows\SysWOW64\Npheconk.exe (command line: C:\Windows\system32\Npheconk.exe)
- Executes dropped EXE
PID: 3672

Level 31: C:\Windows\SysWOW64\Ndfnjm32.exe (command line: C:\Windows\system32\Ndfnjm32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 5676

Level 32: C:\Windows\SysWOW64\Ndhjombo.exe (command line: C:\Windows\system32\Ndhjombo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 5304

Level 33: C:\Windows\SysWOW64\Nalkiaah.exe (command line: C:\Windows\system32\Nalkiaah.exe)
- Executes dropped EXE
PID: 656

Level 34: C:\Windows\SysWOW64\Oncknb32.exe (command line: C:\Windows\system32\Oncknb32.exe)
- Executes dropped EXE
PID: 4016

Level 35: C:\Windows\SysWOW64\Ocpdfied.exe (command line: C:\Windows\system32\Ocpdfied.exe)
- Executes dropped EXE
PID: 2380

Level 36: C:\Windows\SysWOW64\Obaddq32.exe (command line: C:\Windows\system32\Obaddq32.exe)
- Executes dropped EXE
PID: 5424

Level 37: C:\Windows\SysWOW64\Ocbqkica.exe (command line: C:\Windows\system32\Ocbqkica.exe)
- Executes dropped EXE
PID: 5752

Level 38: C:\Windows\SysWOW64\Ojlihc32.exe (command line: C:\Windows\system32\Ojlihc32.exe)
- Executes dropped EXE
PID: 3224

Level 39: C:\Windows\SysWOW64\Oqfaem32.exe (command line: C:\Windows\system32\Oqfaem32.exe)
- Executes dropped EXE
PID: 3292

Level 40: C:\Windows\SysWOW64\Oklebf32.exe (command line: C:\Windows\system32\Oklebf32.exe)
- Executes dropped EXE
PID: 4388

Level 41: C:\Windows\SysWOW64\Oqinjm32.exe (command line: C:\Windows\system32\Oqinjm32.exe)
- Executes dropped EXE
PID: 4636

Level 42: C:\Windows\SysWOW64\Oknbhe32.exe (command line: C:\Windows\system32\Oknbhe32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4480

Level 43: C:\Windows\SysWOW64\Onmnda32.exe (command line: C:\Windows\system32\Onmnda32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 4980

Level 44: C:\Windows\SysWOW64\Pciglhmi.exe (command line: C:\Windows\system32\Pciglhmi.exe)
- Executes dropped EXE
- Modifies registry class
PID: 5088

Level 45: C:\Windows\SysWOW64\Pnokiqlo.exe (command line: C:\Windows\system32\Pnokiqlo.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 5384

Level 46: C:\Windows\SysWOW64\Pdicfk32.exe (command line: C:\Windows\system32\Pdicfk32.exe)
- Executes dropped EXE
PID: 884

Level 47: C:\Windows\SysWOW64\Pkckceki.exe (command line: C:\Windows\system32\Pkckceki.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4336

Level 48: C:\Windows\SysWOW64\Pbmcpo32.exe (command line: C:\Windows\system32\Pbmcpo32.exe)
- Executes dropped EXE
PID: 5236

Level 49: C:\Windows\SysWOW64\Pdkplj32.exe (command line: C:\Windows\system32\Pdkplj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 4768

Level 50: C:\Windows\SysWOW64\Pkehhd32.exe (command line: C:\Windows\system32\Pkehhd32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 4176

Level 51: C:\Windows\SysWOW64\Pbopeoqc.exe (command line: C:\Windows\system32\Pbopeoqc.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 4252

Level 52: C:\Windows\SysWOW64\Pdnmajpg.exe (command line: C:\Windows\system32\Pdnmajpg.exe)
- Executes dropped EXE
PID: 2452

Level 53: C:\Windows\SysWOW64\Pkgend32.exe (command line: C:\Windows\system32\Pkgend32.exe)
- Executes dropped EXE
PID: 2940

Level 54: C:\Windows\SysWOW64\Pbamknoq.exe (command line: C:\Windows\system32\Pbamknoq.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3668

Level 55: C:\Windows\SysWOW64\Pepigjnd.exe (command line: C:\Windows\system32\Pepigjnd.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3088

Level 56: C:\Windows\SysWOW64\Pnhnpode.exe (command line: C:\Windows\system32\Pnhnpode.exe)
- Executes dropped EXE
PID: 3960

Level 57: C:\Windows\SysWOW64\Qqgjlkch.exe (command line: C:\Windows\system32\Qqgjlkch.exe)
- Executes dropped EXE
PID: 5484

Level 58: C:\Windows\SysWOW64\Qklniccn.exe (command line: C:\Windows\system32\Qklniccn.exe)
- Executes dropped EXE
PID: 8

Level 59: C:\Windows\SysWOW64\Qjoodp32.exe (command line: C:\Windows\system32\Qjoodp32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 768

Level 60: C:\Windows\SysWOW64\Qedbbi32.exe (command line: C:\Windows\system32\Qedbbi32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 4772

Level 61: C:\Windows\SysWOW64\Qjakjphf.exe (command line: C:\Windows\system32\Qjakjphf.exe)
- Executes dropped EXE
PID: 4376

Level 62: C:\Windows\SysWOW64\Aakcgj32.exe (command line: C:\Windows\system32\Aakcgj32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 5772

Level 63: C:\Windows\SysWOW64\Aegogihl.exe (command line: C:\Windows\system32\Aegogihl.exe)
- Executes dropped EXE
PID: 5764

Level 64: C:\Windows\SysWOW64\Akahdc32.exe (command line: C:\Windows\system32\Akahdc32.exe)
- Executes dropped EXE
PID: 5176

Level 65: C:\Windows\SysWOW64\Anodpn32.exe (command line: C:\Windows\system32\Anodpn32.exe)
- Executes dropped EXE
PID: 5508

Level 66: C:\Windows\SysWOW64\Aeilmhei.exe (command line: C:\Windows\system32\Aeilmhei.exe)
- Modifies registry class
PID: 1428

Level 67: C:\Windows\SysWOW64\Aghhidem.exe (command line: C:\Windows\system32\Aghhidem.exe)
- Drops file in System32 directory
PID: 5404

Level 68: C:\Windows\SysWOW64\Abmmfm32.exe (command line: C:\Windows\system32\Abmmfm32.exe)
PID: 812

Level 69: C:\Windows\SysWOW64\Aelibh32.exe (command line: C:\Windows\system32\Aelibh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3028

Level 70: C:\Windows\SysWOW64\Ajhako32.exe (command line: C:\Windows\system32\Ajhako32.exe)
- Drops file in System32 directory
PID: 6024

Level 71: C:\Windows\SysWOW64\Andmknjg.exe (command line: C:\Windows\system32\Andmknjg.exe)
PID: 5952

Level 72: C:\Windows\SysWOW64\Aenehh32.exe (command line: C:\Windows\system32\Aenehh32.exe)
PID: 5960

Level 73: C:\Windows\SysWOW64\Acafcdho.exe (command line: C:\Windows\system32\Acafcdho.exe)
PID: 5148

Level 74: C:\Windows\SysWOW64\Alhnebia.exe (command line: C:\Windows\system32\Alhnebia.exe)
- System Location Discovery: System Language Discovery
PID: 5928

Level 75: C:\Windows\SysWOW64\Anfjamhe.exe (command line: C:\Windows\system32\Anfjamhe.exe)
PID: 4540

Level 76: C:\Windows\SysWOW64\Aepbngpa.exe (command line: C:\Windows\system32\Aepbngpa.exe)
- Drops file in System32 directory
PID: 3888

Level 77: C:\Windows\SysWOW64\Accbid32.exe (command line: C:\Windows\system32\Accbid32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 3648

Level 78: C:\Windows\SysWOW64\Bbdbglnk.exe (command line: C:\Windows\system32\Bbdbglnk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2988

Level 79: C:\Windows\SysWOW64\Bbfomklh.exe (command line: C:\Windows\system32\Bbfomklh.exe)
- Modifies registry class
PID: 1220

Level 80: C:\Windows\SysWOW64\Beelig32.exe (command line: C:\Windows\system32\Beelig32.exe)
PID: 2392

Level 81: C:\Windows\SysWOW64\Bnmpalbm.exe (command line: C:\Windows\system32\Bnmpalbm.exe)
PID: 5232

Level 82: C:\Windows\SysWOW64\Beghnf32.exe (command line: C:\Windows\system32\Beghnf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 5104

Level 83: C:\Windows\SysWOW64\Banicgon.exe (command line: C:\Windows\system32\Banicgon.exe)
- Modifies registry class
PID: 5372

Level 84: C:\Windows\SysWOW64\Blcmqp32.exe (command line: C:\Windows\system32\Blcmqp32.exe)
- Drops file in System32 directory
PID: 5708

Level 85: C:\Windows\SysWOW64\Bbnemjfq.exe (command line: C:\Windows\system32\Bbnemjfq.exe)
- System Location Discovery: System Language Discovery
PID: 5004

Level 86: C:\Windows\SysWOW64\Bdobeb32.exe (command line: C:\Windows\system32\Bdobeb32.exe)
PID: 2512

Level 87: C:\Windows\SysWOW64\Cjijamcl.exe (command line: C:\Windows\system32\Cjijamcl.exe)
PID: 2532

Level 88: C:\Windows\SysWOW64\Cacbng32.exe (command line: C:\Windows\system32\Cacbng32.exe)
PID: 836

Level 89: C:\Windows\SysWOW64\Chmkka32.exe (command line: C:\Windows\system32\Chmkka32.exe)
PID: 1900

Level 90: C:\Windows\SysWOW64\Cogchkjb.exe (command line: C:\Windows\system32\Cogchkjb.exe)
PID: 1048

Level 91: C:\Windows\SysWOW64\Caeodfif.exe (command line: C:\Windows\system32\Caeodfif.exe)
PID: 5392

Level 92: C:\Windows\SysWOW64\Clkcaoil.exe (command line: C:\Windows\system32\Clkcaoil.exe)
- Drops file in System32 directory
PID: 1876

Level 93: C:\Windows\SysWOW64\Coipmkho.exe (command line: C:\Windows\system32\Coipmkho.exe)
PID: 1544

Level 94: C:\Windows\SysWOW64\Cbdlni32.exe (command line: C:\Windows\system32\Cbdlni32.exe)
- System Location Discovery: System Language Discovery
PID: 1376

Level 95: C:\Windows\SysWOW64\Cdfheafg.exe (command line: C:\Windows\system32\Cdfheafg.exe)
PID: 2460

Level 96: C:\Windows\SysWOW64\Chadfp32.exe (command line: C:\Windows\system32\Chadfp32.exe)
PID: 5476

Level 97: C:\Windows\SysWOW64\Coklcj32.exe (command line: C:\Windows\system32\Coklcj32.exe)
PID: 3856

Level 98: C:\Windows\SysWOW64\Cajiof32.exe (command line: C:\Windows\system32\Cajiof32.exe)
PID: 5580

Level 99: C:\Windows\SysWOW64\Chdalplm.exe (command line: C:\Windows\system32\Chdalplm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 628

Level 100: C:\Windows\SysWOW64\Ckbmhkka.exe (command line: C:\Windows\system32\Ckbmhkka.exe)
- Drops file in System32 directory
PID: 3696

Level 101: C:\Windows\SysWOW64\Calede32.exe (command line: C:\Windows\system32\Calede32.exe)
PID: 3984

Level 102: C:\Windows\SysWOW64\Dhfnapjk.exe (command line: C:\Windows\system32\Dhfnapjk.exe)
PID: 5556

Level 103: C:\Windows\SysWOW64\Dopfnjag.exe (command line: C:\Windows\system32\Dopfnjag.exe)
- System Location Discovery: System Language Discovery
PID: 4380

Level 104: C:\Windows\SysWOW64\Dblboh32.exe (command line: C:\Windows\system32\Dblboh32.exe)
PID: 4684

Level 105: C:\Windows\SysWOW64\Dejnkd32.exe (command line: C:\Windows\system32\Dejnkd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1648

Level 106: C:\Windows\SysWOW64\Dobbcipe.exe (command line: C:\Windows\system32\Dobbcipe.exe)
PID: 5860

Level 107: C:\Windows\SysWOW64\Dbnodh32.exe (command line: C:\Windows\system32\Dbnodh32.exe)
- Drops file in System32 directory
PID: 5868

Level 108: C:\Windows\SysWOW64\Dhkglo32.exe (command line: C:\Windows\system32\Dhkglo32.exe)
- Drops file in System32 directory
PID: 1652

Level 109: C:\Windows\SysWOW64\Dkichj32.exe (command line: C:\Windows\system32\Dkichj32.exe)
PID: 3060

Level 110: C:\Windows\SysWOW64\Dacked32.exe (command line: C:\Windows\system32\Dacked32.exe)
PID: 3008

Level 111: C:\Windows\SysWOW64\Dklpnjcf.exe (command line: C:\Windows\system32\Dklpnjcf.exe)
- Drops file in System32 directory
PID: 3484

Level 112: C:\Windows\SysWOW64\Dogloi32.exe (command line: C:\Windows\system32\Dogloi32.exe)
PID: 5360

Level 113: C:\Windows\SysWOW64\Ddddgp32.exe (command line: C:\Windows\system32\Ddddgp32.exe)
- System Location Discovery: System Language Discovery
PID: 4816

Level 114: C:\Windows\SysWOW64\Dknmcjac.exe (command line: C:\Windows\system32\Dknmcjac.exe)
PID: 4232

Level 115: C:\Windows\SysWOW64\Dbedeg32.exe (command line: C:\Windows\system32\Dbedeg32.exe)
PID: 316

Level 116: C:\Windows\SysWOW64\Decaab32.exe (command line: C:\Windows\system32\Decaab32.exe)
PID: 5468

Level 117: C:\Windows\SysWOW64\Elminmhf.exe (command line: C:\Windows\system32\Elminmhf.exe)
PID: 908

Level 118: C:\Windows\SysWOW64\Eolejhgj.exe (command line: C:\Windows\system32\Eolejhgj.exe)
PID: 2652

Level 119: C:\Windows\SysWOW64\Eefnfb32.exe (command line: C:\Windows\system32\Eefnfb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 756

Level 120: C:\Windows\SysWOW64\Elpfclfc.exe (command line: C:\Windows\system32\Elpfclfc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3216

Level 121: C:\Windows\SysWOW64\Eonboheg.exe (command line: C:\Windows\system32\Eonboheg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3580

Level 122: C:\Windows\SysWOW64\Eehjlbmd.exe (command line: C:\Windows\system32\Eehjlbmd.exe)
- System Location Discovery: System Language Discovery
PID: 4952