Analysis
-
max time kernel
95s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27-09-2024 06:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1ebfd4bebd09e6787a47e38e5855746915e091a5bfa845514a7384f5a5484d2dN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
1ebfd4bebd09e6787a47e38e5855746915e091a5bfa845514a7384f5a5484d2dN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
1ebfd4bebd09e6787a47e38e5855746915e091a5bfa845514a7384f5a5484d2dN.exe
-
Size
73KB
-
MD5
43e4b2787b376aab62be0a532a036cc0
-
SHA1
0b97452719d872bcf8b1069a7d5774f1295d3751
-
SHA256
1ebfd4bebd09e6787a47e38e5855746915e091a5bfa845514a7384f5a5484d2d
-
SHA512
f4e684faf5623229b4b8b4e2c0fc8f1606088193b04293cb222e6736aac0e39c588c5adea78f00710a43429863dca65fcf5919d712366f9edea56fa9562c6fa7
-
SSDEEP
1536:tZABEREQ5Ko4RbxzqjtyqNTlNTBqXtZ2LgJWdryyA:tzRECszgtfNTlNT48gE5C
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boeebnhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nipekiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokmdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oljaccjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcicklnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epokedmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmoiqneg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefjii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjlnnemp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgepanl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knenkbio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aimkjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqdcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmcolgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkmdecbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fligqhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbpdblmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfendmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogcnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgcjdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccbadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dikihe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiodpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igbalblk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oloahhki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nflkbanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caghhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbgcih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpnoncim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoelkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ginnfgop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakebqbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkoigdom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfnpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbedga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilnbicff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbchdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgclpkac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbedga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjlaaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocacl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddcqedkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knchpiom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppmcdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqdoem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjellmbp.exe -
Executes dropped EXE 64 IoCs
pid Process 2632 Mlklkgei.exe 4440 Mbedga32.exe 4524 Medqcmki.exe 4844 Mlnipg32.exe 4460 Mbhamajc.exe 2316 Mibijk32.exe 3716 Mlpeff32.exe 1664 Mbjnbqhp.exe 1416 Mehjol32.exe 2092 Mlbbkfoq.exe 4408 Mblkhq32.exe 2072 Mleoafmn.exe 4556 Mfjcnold.exe 388 Nlglfe32.exe 4028 Noehba32.exe 1040 Neppokal.exe 3532 Npedmdab.exe 3280 Ngomin32.exe 2656 Niniei32.exe 3908 Npgabc32.exe 4948 Ngaionfl.exe 2460 Nipekiep.exe 3500 Nlnbgddc.exe 5000 Nchjdo32.exe 4060 Nibbqicm.exe 2228 Nlqomd32.exe 4588 Nookip32.exe 4232 Ohgoaehe.exe 1424 Opogbbig.exe 4756 Ocmconhk.exe 3188 Oekpkigo.exe 2900 Olehhc32.exe 4772 Oocddono.exe 1328 Oenlqi32.exe 1348 Oofaiokl.exe 2000 Ogmijllo.exe 4836 Oileggkb.exe 1880 Oljaccjf.exe 4304 Ocdjpmac.exe 1212 Ojnblg32.exe 2052 Ohqbhdpj.exe 3844 Ookjdn32.exe 2776 Pgbbek32.exe 3576 Phcomcng.exe 4000 Ppjgoaoj.exe 5116 Pcicklnn.exe 2980 Pfgogh32.exe 2180 Phelcc32.exe 2364 Ppmcdq32.exe 4504 Pgflqkdd.exe 3460 Pfillg32.exe 432 Phhhhc32.exe 4700 Poaqemao.exe 5068 Qjlnnemp.exe 2320 Qhonib32.exe 4868 Qljjjqlc.exe 3632 Qfbobf32.exe 2284 Qhakoa32.exe 3028 Qlmgopjq.exe 1796 Acgolj32.exe 3164 Ajqgidij.exe 2040 Ahchda32.exe 4528 Aompak32.exe 1900 Agdhbi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dcigeooj.exe Dkbocbog.exe File created C:\Windows\SysWOW64\Fajbad32.dll Higjaoci.exe File created C:\Windows\SysWOW64\Oidalg32.dll Dkfadkgf.exe File created C:\Windows\SysWOW64\Pmpockdl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Oekpkigo.exe Ocmconhk.exe File created C:\Windows\SysWOW64\Gbmingjo.exe Gpnmbl32.exe File created C:\Windows\SysWOW64\Ahgcjddh.exe Aehgnied.exe File opened for modification C:\Windows\SysWOW64\Phcomcng.exe Pgbbek32.exe File opened for modification C:\Windows\SysWOW64\Gdoihpbk.exe Gpcmga32.exe File created C:\Windows\SysWOW64\Fihgkk32.dll Lnangaoa.exe File opened for modification C:\Windows\SysWOW64\Kncaec32.exe Kjgeedch.exe File created C:\Windows\SysWOW64\Nipekiep.exe Ngaionfl.exe File created C:\Windows\SysWOW64\Egjogddi.dll Phbhcmjl.exe File created C:\Windows\SysWOW64\Bbaffgag.dll Hkicaahi.exe File opened for modification C:\Windows\SysWOW64\Maggnali.exe Mnhkbfme.exe File created C:\Windows\SysWOW64\Mbedga32.exe Mlklkgei.exe File created C:\Windows\SysWOW64\Ppjgoaoj.exe Phcomcng.exe File created C:\Windows\SysWOW64\Mehcdfch.exe Mnnkgl32.exe File opened for modification C:\Windows\SysWOW64\Ekaapi32.exe Eehicoel.exe File opened for modification C:\Windows\SysWOW64\Dbnmke32.exe Dkceokii.exe File created C:\Windows\SysWOW64\Npefkf32.dll Cnahdi32.exe File created C:\Windows\SysWOW64\Hglppijc.dll Iakiia32.exe File created C:\Windows\SysWOW64\Oonnoglh.dll Llodgnja.exe File created C:\Windows\SysWOW64\Aggpfkjj.exe Process not Found File created C:\Windows\SysWOW64\Dannij32.exe Diffglam.exe File created C:\Windows\SysWOW64\Hgnilk32.dll Cippgm32.exe File opened for modification C:\Windows\SysWOW64\Baegibae.exe Process not Found File created C:\Windows\SysWOW64\Dbnmke32.exe Dkceokii.exe File created C:\Windows\SysWOW64\Pqfkck32.dll Falcae32.exe File created C:\Windows\SysWOW64\Pojcjh32.exe Pllgnl32.exe File created C:\Windows\SysWOW64\Ecgflaec.dll Gigaka32.exe File opened for modification C:\Windows\SysWOW64\Lmbhgd32.exe Ljclki32.exe File opened for modification C:\Windows\SysWOW64\Kjblje32.exe Kegpifod.exe File opened for modification C:\Windows\SysWOW64\Cpeohh32.exe Cmfclm32.exe File created C:\Windows\SysWOW64\Kdinljnk.exe Jbkbpoog.exe File created C:\Windows\SysWOW64\Mlihmi32.dll Mmnhcb32.exe File created C:\Windows\SysWOW64\Ckgofgjn.dll Ahdged32.exe File opened for modification C:\Windows\SysWOW64\Bidqko32.exe Bgbdcgld.exe File created C:\Windows\SysWOW64\Llodgnja.exe Ljqhkckn.exe File opened for modification C:\Windows\SysWOW64\Dbndfl32.exe Dpphjp32.exe File created C:\Windows\SysWOW64\Hdhedh32.exe Hlambk32.exe File created C:\Windows\SysWOW64\Ijcjmmil.exe Ikpjbq32.exe File created C:\Windows\SysWOW64\Bcflijmh.dll Lmbhgd32.exe File opened for modification C:\Windows\SysWOW64\Omjpeo32.exe Olicnfco.exe File created C:\Windows\SysWOW64\Idhnkf32.exe Ilafiihp.exe File opened for modification C:\Windows\SysWOW64\Mmpmnl32.exe Mjaabq32.exe File created C:\Windows\SysWOW64\Fligqhga.exe Fijkdmhn.exe File created C:\Windows\SysWOW64\Niniei32.exe Ngomin32.exe File opened for modification C:\Windows\SysWOW64\Qofcff32.exe Qlggjk32.exe File created C:\Windows\SysWOW64\Dnpdegjp.exe Dkahilkl.exe File opened for modification C:\Windows\SysWOW64\Meamcg32.exe Mngegmbc.exe File created C:\Windows\SysWOW64\Jdmgfedl.exe Jncoikmp.exe File opened for modification C:\Windows\SysWOW64\Lndagg32.exe Lkeekk32.exe File created C:\Windows\SysWOW64\Dfjehbcf.dll Iepaaico.exe File created C:\Windows\SysWOW64\Ohqbhdpj.exe Ojnblg32.exe File created C:\Windows\SysWOW64\Mnhkbfme.exe Mkjnfkma.exe File created C:\Windows\SysWOW64\Hhbdbmfg.dll Pehngkcg.exe File created C:\Windows\SysWOW64\Odjjif32.dll Bllbaa32.exe File opened for modification C:\Windows\SysWOW64\Miofjepg.exe Mahnhhod.exe File created C:\Windows\SysWOW64\Pamiaboj.exe Poomegpf.exe File opened for modification C:\Windows\SysWOW64\Fmnkkg32.exe Fgdbnmji.exe File created C:\Windows\SysWOW64\Oocmii32.exe Oldamm32.exe File created C:\Windows\SysWOW64\Dikihe32.exe Dflmlj32.exe File created C:\Windows\SysWOW64\Anoabcka.dll Mlpeff32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 19792 2068 Process not Found 1207 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggegh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehjol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdkdgchl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmcjpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bppfmigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgeedch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcomcng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lankbigo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojcjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahjgjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjecpkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheplb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldamm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmggfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Innfnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knenkbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlmgopjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkgkapm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinqbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onocomdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebjcajjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijegcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakbehfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjmhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehngkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohbhmfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplbickp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpeohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcogje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecefqnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knchpiom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddhbipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklbmllg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phbhcmjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnbnhedj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Digehphc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poomegpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcgnbaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpqjglii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nacmdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbohpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fknbil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpmpnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmnhcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngkqbgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npedmdab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dclkee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljilqnlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenicahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmmpfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkekn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjhdagb.dll" Hblkjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddcqedkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdflmg32.dll" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Comjoclk.dll" Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekkfckg.dll" Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galdglpd.dll" Glgcbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpomcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baadiiif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiaoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjpnpd32.dll" Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oldjcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgeaifia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdbdcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckeimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohofdmkm.dll" Efjbcakl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llmhaold.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklcfhik.dll" Kghjhemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mblkhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjjcfabm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll" Bakgoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laniklje.dll" Dpehof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdplc32.dll" Ljaoeini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpnoncim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nagpeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mleoafmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edemkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edmclccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhonib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjjfgb32.dll" Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmcolgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfpcoefj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lalnmiia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljdceo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjnffjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kggcnoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpidef32.dll" Ohgoaehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlggjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohqbhdpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abbkcpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kncaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccnncgmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diffglam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhmmjbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najceeoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmmqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmmic32.dll" Oenlqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegiklal.dll" Mgaokl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebimgcfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmpcbhji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Falcae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acfhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll" Impliekg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2736 wrote to memory of 2632 2736 1ebfd4bebd09e6787a47e38e5855746915e091a5bfa845514a7384f5a5484d2dN.exe 82 PID 2736 wrote to memory of 2632 2736 1ebfd4bebd09e6787a47e38e5855746915e091a5bfa845514a7384f5a5484d2dN.exe 82 PID 2736 wrote to memory of 2632 2736 1ebfd4bebd09e6787a47e38e5855746915e091a5bfa845514a7384f5a5484d2dN.exe 82 PID 2632 wrote to memory of 4440 2632 Mlklkgei.exe 83 PID 2632 wrote to memory of 4440 2632 Mlklkgei.exe 83 PID 2632 wrote to memory of 4440 2632 Mlklkgei.exe 83 PID 4440 wrote to memory of 4524 4440 Mbedga32.exe 84 PID 4440 wrote to memory of 4524 4440 Mbedga32.exe 84 PID 4440 wrote to memory of 4524 4440 Mbedga32.exe 84 PID 4524 wrote to memory of 4844 4524 Medqcmki.exe 85 PID 4524 wrote to memory of 4844 4524 Medqcmki.exe 85 PID 4524 wrote to memory of 4844 4524 Medqcmki.exe 85 PID 4844 wrote to memory of 4460 4844 Mlnipg32.exe 86 PID 4844 wrote to memory of 4460 4844 Mlnipg32.exe 86 PID 4844 wrote to memory of 4460 4844 Mlnipg32.exe 86 PID 4460 wrote to memory of 2316 4460 Mbhamajc.exe 87 PID 4460 wrote to memory of 2316 4460 Mbhamajc.exe 87 PID 4460 wrote to memory of 2316 4460 Mbhamajc.exe 87 PID 2316 wrote to memory of 3716 2316 Mibijk32.exe 88 PID 2316 wrote to memory of 3716 2316 Mibijk32.exe 88 PID 2316 wrote to memory of 3716 2316 Mibijk32.exe 88 PID 3716 wrote to memory of 1664 3716 Mlpeff32.exe 89 PID 3716 wrote to memory of 1664 3716 Mlpeff32.exe 89 PID 3716 wrote to memory of 1664 3716 Mlpeff32.exe 89 PID 1664 wrote to memory of 1416 1664 Mbjnbqhp.exe 90 PID 1664 wrote to memory of 1416 1664 Mbjnbqhp.exe 90 PID 1664 wrote to memory of 1416 1664 Mbjnbqhp.exe 90 PID 1416 wrote to memory of 2092 1416 Mehjol32.exe 91 PID 1416 wrote to memory of 2092 1416 Mehjol32.exe 91 PID 1416 wrote to memory of 2092 1416 Mehjol32.exe 91 PID 2092 wrote to memory of 4408 2092 Mlbbkfoq.exe 92 PID 2092 wrote to memory of 4408 2092 Mlbbkfoq.exe 92 PID 2092 wrote to memory of 4408 2092 Mlbbkfoq.exe 92 PID 4408 wrote to memory of 2072 4408 Mblkhq32.exe 93 PID 4408 wrote to memory of 2072 4408 Mblkhq32.exe 93 PID 4408 wrote to memory of 2072 4408 Mblkhq32.exe 93 PID 2072 wrote to memory of 4556 2072 Mleoafmn.exe 94 PID 2072 wrote to memory of 4556 2072 Mleoafmn.exe 94 PID 2072 wrote to memory of 4556 2072 Mleoafmn.exe 94 PID 4556 wrote to memory of 388 4556 Mfjcnold.exe 95 PID 4556 wrote to memory of 388 4556 Mfjcnold.exe 95 PID 4556 wrote to memory of 388 4556 Mfjcnold.exe 95 PID 388 wrote to memory of 4028 388 Nlglfe32.exe 96 PID 388 wrote to memory of 4028 388 Nlglfe32.exe 96 PID 388 wrote to memory of 4028 388 Nlglfe32.exe 96 PID 4028 wrote to memory of 1040 4028 Noehba32.exe 97 PID 4028 wrote to memory of 1040 4028 Noehba32.exe 97 PID 4028 wrote to memory of 1040 4028 Noehba32.exe 97 PID 1040 wrote to memory of 3532 1040 Neppokal.exe 98 PID 1040 wrote to memory of 3532 1040 Neppokal.exe 98 PID 1040 wrote to memory of 3532 1040 Neppokal.exe 98 PID 3532 wrote to memory of 3280 3532 Npedmdab.exe 99 PID 3532 wrote to memory of 3280 3532 Npedmdab.exe 99 PID 3532 wrote to memory of 3280 3532 Npedmdab.exe 99 PID 3280 wrote to memory of 2656 3280 Ngomin32.exe 100 PID 3280 wrote to memory of 2656 3280 Ngomin32.exe 100 PID 3280 wrote to memory of 2656 3280 Ngomin32.exe 100 PID 2656 wrote to memory of 3908 2656 Niniei32.exe 101 PID 2656 wrote to memory of 3908 2656 Niniei32.exe 101 PID 2656 wrote to memory of 3908 2656 Niniei32.exe 101 PID 3908 wrote to memory of 4948 3908 Npgabc32.exe 102 PID 3908 wrote to memory of 4948 3908 Npgabc32.exe 102 PID 3908 wrote to memory of 4948 3908 Npgabc32.exe 102 PID 4948 wrote to memory of 2460 4948 Ngaionfl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ebfd4bebd09e6787a47e38e5855746915e091a5bfa845514a7384f5a5484d2dN.exe"C:\Users\Admin\AppData\Local\Temp\1ebfd4bebd09e6787a47e38e5855746915e091a5bfa845514a7384f5a5484d2dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe24⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe25⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe26⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe27⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe28⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe30⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4756 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe32⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe33⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe34⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe36⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe37⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe38⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe40⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1212 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe43⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3576 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe46⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe48⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe49⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe51⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe52⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe53⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe54⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe57⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe58⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe59⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe61⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe62⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe63⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe64⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe65⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe66⤵PID:1084
-
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe67⤵PID:4376
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe68⤵PID:2060
-
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe69⤵
- System Location Discovery: System Language Discovery
PID:4280 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe70⤵PID:2296
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe71⤵PID:2756
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe72⤵PID:220
-
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe73⤵PID:3076
-
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe74⤵PID:1112
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe75⤵PID:1068
-
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe76⤵PID:2552
-
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1032 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe78⤵PID:1172
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe79⤵PID:1952
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe80⤵PID:3964
-
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe81⤵PID:2972
-
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe82⤵PID:4760
-
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe83⤵PID:2872
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe84⤵
- System Location Discovery: System Language Discovery
PID:4044 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe85⤵
- Drops file in System32 directory
PID:3960 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe86⤵PID:1336
-
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe87⤵PID:5084
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe88⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe89⤵PID:2304
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe90⤵PID:1324
-
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe91⤵
- System Location Discovery: System Language Discovery
PID:3880 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe92⤵PID:4268
-
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe93⤵PID:2884
-
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe94⤵PID:3740
-
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe95⤵PID:5072
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe96⤵
- Modifies registry class
PID:5076 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe97⤵PID:4428
-
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe98⤵PID:3536
-
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe99⤵
- Drops file in System32 directory
PID:5032 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe100⤵
- System Location Discovery: System Language Discovery
PID:4288 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe101⤵PID:2056
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe102⤵
- Modifies registry class
PID:4564 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe104⤵PID:2016
-
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe105⤵PID:1004
-
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe106⤵PID:2280
-
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe107⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4712 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe109⤵PID:1968
-
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe110⤵PID:4684
-
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe111⤵PID:5108
-
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe112⤵PID:3604
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe113⤵PID:3376
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe114⤵PID:4888
-
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe115⤵PID:4596
-
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe116⤵PID:4780
-
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe117⤵PID:5148
-
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe118⤵PID:5192
-
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe119⤵PID:5236
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe121⤵PID:5324
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-