Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28/09/2024, 08:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
-
Size
76KB
-
MD5
ca7c7866bd83455a038b4bca9e85d750
-
SHA1
ca5d85c30fb053863245abaf4b1456e20308f99f
-
SHA256
7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432d
-
SHA512
693772a8ffe30f292fb4faa8d6c891963bf466a19cd5b129279820d877d76a3e3ba24839011020b8f776aa7166af16d095f33083086486c95f355ab9ceb55b89
-
SSDEEP
1536:LRS6S3YQfZQ9gOSW6BLzBD739sQHioQV+/eCeyvCQ:y3G9gO+zp7NsQHrk+
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhogamih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abdfkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehbihj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnoiqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgehml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnnnfalp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khdoqefq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehafq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnoefagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qghlmbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alpnde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpgnjebd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfeagefd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdaqhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqghcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnoefagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homcbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgekjgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfodmdni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhgcbfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkghqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcfmneaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcbgfhii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpbkicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeeomegd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miipencp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghqeihbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegchl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlfhke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Janpnfee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdqbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pklamb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efampahd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knifging.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hodqlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcipcnac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omgabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkinmlnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bijncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehienn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjbhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfjjbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkiaece.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bomppneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfjnhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhnjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdjlap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbkfjko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ienlbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmpgghoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpklql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkjpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoladdeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihceigec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblpcndd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ollljmhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcbeqaia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgkegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdihfq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljncnhhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkiephp.exe -
Executes dropped EXE 64 IoCs
pid Process 4276 Iaedanal.exe 4708 Ijmhkchl.exe 1116 Ibdplaho.exe 5004 Ihaidhgf.exe 3344 Inkaqb32.exe 916 Ihceigec.exe 4496 Jnnnfalp.exe 3032 Jehfcl32.exe 1140 Jlanpfkj.exe 1856 Jblflp32.exe 2228 Jhhodg32.exe 1164 Jnbgaa32.exe 1316 Jlfhke32.exe 4144 Jnedgq32.exe 3524 Jlidpe32.exe 4428 Jeaiij32.exe 3720 Kbeibo32.exe 208 Klmnkdal.exe 2448 Kefbdjgm.exe 2256 Khdoqefq.exe 3520 Kdkoef32.exe 4724 Kblpcndd.exe 3956 Kejloi32.exe 4808 Khihld32.exe 5108 Loemnnhe.exe 1584 Lbcedmnl.exe 3372 Lknjhokg.exe 2220 Ldfoad32.exe 3448 Lefkkg32.exe 3288 Loopdmpk.exe 2296 Moalil32.exe 4764 Mhiabbdi.exe 1736 Mcoepkdo.exe 2548 Moefdljc.exe 1344 Mhnjna32.exe 3972 Mafofggd.exe 1836 Mahklf32.exe 3284 Nheqnpjk.exe 1132 Nfiagd32.exe 3612 Nlcidopb.exe 3104 Ndnnianm.exe 2356 Nbbnbemf.exe 1708 Nofoki32.exe 4360 Okmpqjad.exe 5048 Odedipge.exe 3488 Ollljmhg.exe 4292 Ohcmpn32.exe 32 Obkahddl.exe 2400 Omaeem32.exe 4584 Obnnnc32.exe 1060 Omcbkl32.exe 2124 Pdngpo32.exe 3120 Pcpgmf32.exe 2216 Pdqcenmg.exe 5020 Pkklbh32.exe 1088 Pcbdcf32.exe 3776 Piolkm32.exe 4364 Pkmhgh32.exe 4572 Pcdqhecd.exe 2884 Piaiqlak.exe 4696 Pokanf32.exe 1644 Pcfmneaa.exe 4940 Piceflpi.exe 2100 Pomncfge.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lhmjlm32.exe Ldanloba.exe File created C:\Windows\SysWOW64\Oahnhncc.exe Okneldkf.exe File opened for modification C:\Windows\SysWOW64\Iobmmoed.exe Icklhnop.exe File created C:\Windows\SysWOW64\Nfmdccgi.dll Djbbhafj.exe File opened for modification C:\Windows\SysWOW64\Alkeifga.exe Aealll32.exe File opened for modification C:\Windows\SysWOW64\Jmopmalc.exe Jfehpg32.exe File opened for modification C:\Windows\SysWOW64\Cqghcn32.exe Bjmpfdhb.exe File created C:\Windows\SysWOW64\Eheani32.dll Dmplkd32.exe File created C:\Windows\SysWOW64\Kgaljo32.dll Hdppaidl.exe File created C:\Windows\SysWOW64\Pelkha32.dll Kanidd32.exe File created C:\Windows\SysWOW64\Pfbfjk32.exe Pbfjjlgc.exe File opened for modification C:\Windows\SysWOW64\Dnkbcp32.exe Dlmegd32.exe File opened for modification C:\Windows\SysWOW64\Hmpnqj32.exe Hfefdpfe.exe File created C:\Windows\SysWOW64\Dbcbnlcl.exe Ddqbbo32.exe File created C:\Windows\SysWOW64\Pohqjpee.dll Ifjoop32.exe File created C:\Windows\SysWOW64\Bkcjjhgp.exe Bdiamnpc.exe File created C:\Windows\SysWOW64\Piaiqlak.exe Pcdqhecd.exe File created C:\Windows\SysWOW64\Oqlbphhk.dll Mhiabbdi.exe File created C:\Windows\SysWOW64\Kkpdnm32.dll Piaiqlak.exe File opened for modification C:\Windows\SysWOW64\Fcaqka32.exe Fpcdof32.exe File created C:\Windows\SysWOW64\Pknghk32.exe Phpklp32.exe File created C:\Windows\SysWOW64\Dndlba32.exe Ckfofe32.exe File opened for modification C:\Windows\SysWOW64\Jnnnfalp.exe Ihceigec.exe File created C:\Windows\SysWOW64\Mkofokch.dll Kfkamk32.exe File created C:\Windows\SysWOW64\Jikjmbmb.exe Jflnafno.exe File opened for modification C:\Windows\SysWOW64\Bcbeqaia.exe Bimach32.exe File created C:\Windows\SysWOW64\Nejgbn32.exe Noqofdlj.exe File created C:\Windows\SysWOW64\Cnaoemei.dll Kfjjbd32.exe File opened for modification C:\Windows\SysWOW64\Cmgjee32.exe Cepadh32.exe File created C:\Windows\SysWOW64\Nmpkakak.exe Nkboeobh.exe File created C:\Windows\SysWOW64\Cjaiac32.exe Ckoifgmb.exe File created C:\Windows\SysWOW64\Pdpmkhjl.exe Pnfdnnbo.exe File created C:\Windows\SysWOW64\Dipgpf32.exe Dedkogqm.exe File created C:\Windows\SysWOW64\Hmmakk32.exe Hjoeoo32.exe File created C:\Windows\SysWOW64\Eoconenj.exe Ehifak32.exe File created C:\Windows\SysWOW64\Ggociklh.dll Amfhgj32.exe File opened for modification C:\Windows\SysWOW64\Nheqnpjk.exe Mahklf32.exe File created C:\Windows\SysWOW64\Hkmphoim.dll Ijfkpnji.exe File opened for modification C:\Windows\SysWOW64\Kfkamk32.exe Khhaanop.exe File opened for modification C:\Windows\SysWOW64\Ldfoad32.exe Lknjhokg.exe File created C:\Windows\SysWOW64\Idkpmgjo.exe Ijfkpnji.exe File opened for modification C:\Windows\SysWOW64\Namnmp32.exe Najagp32.exe File created C:\Windows\SysWOW64\Hmkeekag.exe Hjlhipbc.exe File opened for modification C:\Windows\SysWOW64\Mfkcibdl.exe Mdlgmgdh.exe File created C:\Windows\SysWOW64\Onhhmpoo.exe Naaghoik.exe File opened for modification C:\Windows\SysWOW64\Aokcjngj.exe Aeeomegd.exe File opened for modification C:\Windows\SysWOW64\Cfjnhe32.exe Cnbfgh32.exe File created C:\Windows\SysWOW64\Icklhnop.exe Hjbhph32.exe File opened for modification C:\Windows\SysWOW64\Jflnafno.exe Jobfdl32.exe File created C:\Windows\SysWOW64\Kialcj32.dll Pcfmneaa.exe File created C:\Windows\SysWOW64\Djkjkdck.dll Jjemle32.exe File opened for modification C:\Windows\SysWOW64\Mdjjgggk.exe Mmpbkm32.exe File opened for modification C:\Windows\SysWOW64\Opjgidfa.exe Omlkmign.exe File opened for modification C:\Windows\SysWOW64\Bppcpc32.exe Bmagch32.exe File created C:\Windows\SysWOW64\Hodcma32.dll Dinjjf32.exe File created C:\Windows\SysWOW64\Leahbp32.dll Ogjpld32.exe File created C:\Windows\SysWOW64\Dhogee32.dll Pfkpiled.exe File opened for modification C:\Windows\SysWOW64\Kfhnme32.exe Kakednfj.exe File opened for modification C:\Windows\SysWOW64\Qnopjfgi.exe Qgehml32.exe File created C:\Windows\SysWOW64\Fqkiecpd.dll Amkabind.exe File created C:\Windows\SysWOW64\Oookgbpj.exe Oggbfdog.exe File opened for modification C:\Windows\SysWOW64\Gebimmco.exe Ggoiap32.exe File opened for modification C:\Windows\SysWOW64\Pklkbl32.exe Ppffec32.exe File created C:\Windows\SysWOW64\Gdfmkjlg.exe Gnlenp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13176 12732 WerFault.exe 662 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foakpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paaidf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejobk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqmggi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ailabddb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diopep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqbbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piceflpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfkhfmdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobbdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmhofbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnbdjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpnqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggilgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhopgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbaehl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dekapfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmpgghoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlbfmjqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggafgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjbhph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bglgdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhfcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehafq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfdcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcdaehf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbbqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjpeelk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pomncfge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obnnnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dllffa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeffnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmifkgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbihj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemeoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkeekag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpfko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhndgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhmqlmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmbmdeoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkinmlnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbeibo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcmpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfehpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladhkmno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgihanii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkilbni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgejkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihaidhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdgal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmfodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnnlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcidopb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oookgbpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankgpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfaenfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdfoala.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnaffdfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bliajd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnilfnl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaofbqgi.dll" Onhhmpoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odhppclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndjcne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbeibo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnanioad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmbkfjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqbmqdi.dll" Pbfjjlgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epehoppk.dll" Bbpeghpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijmhkchl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfjeckpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggoiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdihfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjaiac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojahakp.dll" Bliajd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kagbdenk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggoiap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kblpcndd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcblbn32.dll" Iaifbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmpgghoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jobfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ginenk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nandhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahinbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moalil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miiepfpf.dll" Obnnnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnkilbni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgfhaab.dll" Jnbgaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpklcffg.dll" Knifging.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgokhco.dll" Oddmoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeeomegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bndjfjhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gflcnanp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgbfhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaefne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhogamih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkfmjnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mahklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqfaoo32.dll" Cidgdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eimlgnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdclbd32.dll" Ahinbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphmhm32.dll" Gnlenp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnoefagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqmicpbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omlkmign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlbphhk.dll" Mhiabbdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aehbmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odhppclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gohapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoclajjj.dll" Aehbmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpfholhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmbopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdlgmgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhiddl32.dll" Mabdlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmiealgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amoknh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcaeea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcfcmnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgihanii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemqkk32.dll" Ailabddb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdjjgggk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmgjm32.dll" Bqkigp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dekapfke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcgekjgp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4112 wrote to memory of 4276 4112 7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe 89 PID 4112 wrote to memory of 4276 4112 7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe 89 PID 4112 wrote to memory of 4276 4112 7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe 89 PID 4276 wrote to memory of 4708 4276 Iaedanal.exe 90 PID 4276 wrote to memory of 4708 4276 Iaedanal.exe 90 PID 4276 wrote to memory of 4708 4276 Iaedanal.exe 90 PID 4708 wrote to memory of 1116 4708 Ijmhkchl.exe 91 PID 4708 wrote to memory of 1116 4708 Ijmhkchl.exe 91 PID 4708 wrote to memory of 1116 4708 Ijmhkchl.exe 91 PID 1116 wrote to memory of 5004 1116 Ibdplaho.exe 92 PID 1116 wrote to memory of 5004 1116 Ibdplaho.exe 92 PID 1116 wrote to memory of 5004 1116 Ibdplaho.exe 92 PID 5004 wrote to memory of 3344 5004 Ihaidhgf.exe 93 PID 5004 wrote to memory of 3344 5004 Ihaidhgf.exe 93 PID 5004 wrote to memory of 3344 5004 Ihaidhgf.exe 93 PID 3344 wrote to memory of 916 3344 Inkaqb32.exe 94 PID 3344 wrote to memory of 916 3344 Inkaqb32.exe 94 PID 3344 wrote to memory of 916 3344 Inkaqb32.exe 94 PID 916 wrote to memory of 4496 916 Ihceigec.exe 95 PID 916 wrote to memory of 4496 916 Ihceigec.exe 95 PID 916 wrote to memory of 4496 916 Ihceigec.exe 95 PID 4496 wrote to memory of 3032 4496 Jnnnfalp.exe 96 PID 4496 wrote to memory of 3032 4496 Jnnnfalp.exe 96 PID 4496 wrote to memory of 3032 4496 Jnnnfalp.exe 96 PID 3032 wrote to memory of 1140 3032 Jehfcl32.exe 97 PID 3032 wrote to memory of 1140 3032 Jehfcl32.exe 97 PID 3032 wrote to memory of 1140 3032 Jehfcl32.exe 97 PID 1140 wrote to memory of 1856 1140 Jlanpfkj.exe 98 PID 1140 wrote to memory of 1856 1140 Jlanpfkj.exe 98 PID 1140 wrote to memory of 1856 1140 Jlanpfkj.exe 98 PID 1856 wrote to memory of 2228 1856 Jblflp32.exe 99 PID 1856 wrote to memory of 2228 1856 Jblflp32.exe 99 PID 1856 wrote to memory of 2228 1856 Jblflp32.exe 99 PID 2228 wrote to memory of 1164 2228 Jhhodg32.exe 100 PID 2228 wrote to memory of 1164 2228 Jhhodg32.exe 100 PID 2228 wrote to memory of 1164 2228 Jhhodg32.exe 100 PID 1164 wrote to memory of 1316 1164 Jnbgaa32.exe 101 PID 1164 wrote to memory of 1316 1164 Jnbgaa32.exe 101 PID 1164 wrote to memory of 1316 1164 Jnbgaa32.exe 101 PID 1316 wrote to memory of 4144 1316 Jlfhke32.exe 102 PID 1316 wrote to memory of 4144 1316 Jlfhke32.exe 102 PID 1316 wrote to memory of 4144 1316 Jlfhke32.exe 102 PID 4144 wrote to memory of 3524 4144 Jnedgq32.exe 103 PID 4144 wrote to memory of 3524 4144 Jnedgq32.exe 103 PID 4144 wrote to memory of 3524 4144 Jnedgq32.exe 103 PID 3524 wrote to memory of 4428 3524 Jlidpe32.exe 104 PID 3524 wrote to memory of 4428 3524 Jlidpe32.exe 104 PID 3524 wrote to memory of 4428 3524 Jlidpe32.exe 104 PID 4428 wrote to memory of 3720 4428 Jeaiij32.exe 105 PID 4428 wrote to memory of 3720 4428 Jeaiij32.exe 105 PID 4428 wrote to memory of 3720 4428 Jeaiij32.exe 105 PID 3720 wrote to memory of 208 3720 Kbeibo32.exe 106 PID 3720 wrote to memory of 208 3720 Kbeibo32.exe 106 PID 3720 wrote to memory of 208 3720 Kbeibo32.exe 106 PID 208 wrote to memory of 2448 208 Klmnkdal.exe 107 PID 208 wrote to memory of 2448 208 Klmnkdal.exe 107 PID 208 wrote to memory of 2448 208 Klmnkdal.exe 107 PID 2448 wrote to memory of 2256 2448 Kefbdjgm.exe 108 PID 2448 wrote to memory of 2256 2448 Kefbdjgm.exe 108 PID 2448 wrote to memory of 2256 2448 Kefbdjgm.exe 108 PID 2256 wrote to memory of 3520 2256 Khdoqefq.exe 109 PID 2256 wrote to memory of 3520 2256 Khdoqefq.exe 109 PID 2256 wrote to memory of 3520 2256 Khdoqefq.exe 109 PID 3520 wrote to memory of 4724 3520 Kdkoef32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe"C:\Users\Admin\AppData\Local\Temp\7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Iaedanal.exeC:\Windows\system32\Iaedanal.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\Ijmhkchl.exeC:\Windows\system32\Ijmhkchl.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Ibdplaho.exeC:\Windows\system32\Ibdplaho.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Ihaidhgf.exeC:\Windows\system32\Ihaidhgf.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Ihceigec.exeC:\Windows\system32\Ihceigec.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Jnnnfalp.exeC:\Windows\system32\Jnnnfalp.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Jblflp32.exeC:\Windows\system32\Jblflp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Jhhodg32.exeC:\Windows\system32\Jhhodg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Jnbgaa32.exeC:\Windows\system32\Jnbgaa32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Jlfhke32.exeC:\Windows\system32\Jlfhke32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Jnedgq32.exeC:\Windows\system32\Jnedgq32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Jlidpe32.exeC:\Windows\system32\Jlidpe32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Jeaiij32.exeC:\Windows\system32\Jeaiij32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Kbeibo32.exeC:\Windows\system32\Kbeibo32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Klmnkdal.exeC:\Windows\system32\Klmnkdal.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Kefbdjgm.exeC:\Windows\system32\Kefbdjgm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Khdoqefq.exeC:\Windows\system32\Khdoqefq.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Kdkoef32.exeC:\Windows\system32\Kdkoef32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Kblpcndd.exeC:\Windows\system32\Kblpcndd.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4724 -
C:\Windows\SysWOW64\Kejloi32.exeC:\Windows\system32\Kejloi32.exe24⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe25⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Loemnnhe.exeC:\Windows\system32\Loemnnhe.exe26⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Lbcedmnl.exeC:\Windows\system32\Lbcedmnl.exe27⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Lknjhokg.exeC:\Windows\system32\Lknjhokg.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3372 -
C:\Windows\SysWOW64\Ldfoad32.exeC:\Windows\system32\Ldfoad32.exe29⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Lefkkg32.exeC:\Windows\system32\Lefkkg32.exe30⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Loopdmpk.exeC:\Windows\system32\Loopdmpk.exe31⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Moalil32.exeC:\Windows\system32\Moalil32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4764 -
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe34⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Moefdljc.exeC:\Windows\system32\Moefdljc.exe35⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Mafofggd.exeC:\Windows\system32\Mafofggd.exe37⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Nheqnpjk.exeC:\Windows\system32\Nheqnpjk.exe39⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Nfiagd32.exeC:\Windows\system32\Nfiagd32.exe40⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Nlcidopb.exeC:\Windows\system32\Nlcidopb.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3612 -
C:\Windows\SysWOW64\Ndnnianm.exeC:\Windows\system32\Ndnnianm.exe42⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Nbbnbemf.exeC:\Windows\system32\Nbbnbemf.exe43⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Nofoki32.exeC:\Windows\system32\Nofoki32.exe44⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Okmpqjad.exeC:\Windows\system32\Okmpqjad.exe45⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Odedipge.exeC:\Windows\system32\Odedipge.exe46⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Ollljmhg.exeC:\Windows\system32\Ollljmhg.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4292 -
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe49⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Omaeem32.exeC:\Windows\system32\Omaeem32.exe50⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Obnnnc32.exeC:\Windows\system32\Obnnnc32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4584 -
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe53⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe54⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Pdqcenmg.exeC:\Windows\system32\Pdqcenmg.exe55⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Pkklbh32.exeC:\Windows\system32\Pkklbh32.exe56⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe57⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Piolkm32.exeC:\Windows\system32\Piolkm32.exe58⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Pkmhgh32.exeC:\Windows\system32\Pkmhgh32.exe59⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Pcdqhecd.exeC:\Windows\system32\Pcdqhecd.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4572 -
C:\Windows\SysWOW64\Piaiqlak.exeC:\Windows\system32\Piaiqlak.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Pokanf32.exeC:\Windows\system32\Pokanf32.exe62⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Pcfmneaa.exeC:\Windows\system32\Pcfmneaa.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4940 -
C:\Windows\SysWOW64\Pomncfge.exeC:\Windows\system32\Pomncfge.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Pcijce32.exeC:\Windows\system32\Pcijce32.exe66⤵PID:4868
-
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe67⤵PID:456
-
C:\Windows\SysWOW64\Qkdohg32.exeC:\Windows\system32\Qkdohg32.exe68⤵PID:760
-
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe69⤵PID:4972
-
C:\Windows\SysWOW64\Qmckbjdl.exeC:\Windows\system32\Qmckbjdl.exe70⤵PID:3484
-
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe71⤵PID:1848
-
C:\Windows\SysWOW64\Abpcja32.exeC:\Windows\system32\Abpcja32.exe72⤵PID:4792
-
C:\Windows\SysWOW64\Aflpkpjm.exeC:\Windows\system32\Aflpkpjm.exe73⤵PID:1540
-
C:\Windows\SysWOW64\Amfhgj32.exeC:\Windows\system32\Amfhgj32.exe74⤵
- Drops file in System32 directory
PID:3188 -
C:\Windows\SysWOW64\Aealll32.exeC:\Windows\system32\Aealll32.exe75⤵
- Drops file in System32 directory
PID:3340 -
C:\Windows\SysWOW64\Alkeifga.exeC:\Windows\system32\Alkeifga.exe76⤵PID:2904
-
C:\Windows\SysWOW64\Abemep32.exeC:\Windows\system32\Abemep32.exe77⤵PID:2060
-
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe78⤵
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Apimodmh.exeC:\Windows\system32\Apimodmh.exe79⤵PID:4040
-
C:\Windows\SysWOW64\Acdioc32.exeC:\Windows\system32\Acdioc32.exe80⤵PID:5076
-
C:\Windows\SysWOW64\Afceko32.exeC:\Windows\system32\Afceko32.exe81⤵PID:5164
-
C:\Windows\SysWOW64\Alpnde32.exeC:\Windows\system32\Alpnde32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5208 -
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe83⤵PID:5252
-
C:\Windows\SysWOW64\Aehbmk32.exeC:\Windows\system32\Aehbmk32.exe84⤵
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Amoknh32.exeC:\Windows\system32\Amoknh32.exe85⤵
- Modifies registry class
PID:5344 -
C:\Windows\SysWOW64\Bejobk32.exeC:\Windows\system32\Bejobk32.exe86⤵
- System Location Discovery: System Language Discovery
PID:5396 -
C:\Windows\SysWOW64\Bmagch32.exeC:\Windows\system32\Bmagch32.exe87⤵
- Drops file in System32 directory
PID:5460 -
C:\Windows\SysWOW64\Bppcpc32.exeC:\Windows\system32\Bppcpc32.exe88⤵PID:5516
-
C:\Windows\SysWOW64\Bihhhi32.exeC:\Windows\system32\Bihhhi32.exe89⤵PID:5568
-
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe90⤵PID:5612
-
C:\Windows\SysWOW64\Beoimjce.exeC:\Windows\system32\Beoimjce.exe91⤵PID:5656
-
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5700 -
C:\Windows\SysWOW64\Bbcignbo.exeC:\Windows\system32\Bbcignbo.exe93⤵PID:5748
-
C:\Windows\SysWOW64\Bimach32.exeC:\Windows\system32\Bimach32.exe94⤵
- Drops file in System32 directory
PID:5792 -
C:\Windows\SysWOW64\Bcbeqaia.exeC:\Windows\system32\Bcbeqaia.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5836 -
C:\Windows\SysWOW64\Bedbhi32.exeC:\Windows\system32\Bedbhi32.exe96⤵PID:5880
-
C:\Windows\SysWOW64\Blnjecfl.exeC:\Windows\system32\Blnjecfl.exe97⤵PID:5924
-
C:\Windows\SysWOW64\Cfcoblfb.exeC:\Windows\system32\Cfcoblfb.exe98⤵PID:5968
-
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe99⤵PID:6012
-
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe100⤵PID:6056
-
C:\Windows\SysWOW64\Cidgdg32.exeC:\Windows\system32\Cidgdg32.exe101⤵
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Cpnpqakp.exeC:\Windows\system32\Cpnpqakp.exe102⤵PID:3376
-
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5172 -
C:\Windows\SysWOW64\Cifdjg32.exeC:\Windows\system32\Cifdjg32.exe104⤵PID:5240
-
C:\Windows\SysWOW64\Cdlhgpag.exeC:\Windows\system32\Cdlhgpag.exe105⤵PID:5312
-
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe106⤵
- Modifies registry class
PID:5384 -
C:\Windows\SysWOW64\Cemeoh32.exeC:\Windows\system32\Cemeoh32.exe107⤵
- System Location Discovery: System Language Discovery
PID:5512 -
C:\Windows\SysWOW64\Cmdmpe32.exeC:\Windows\system32\Cmdmpe32.exe108⤵PID:5576
-
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe109⤵PID:5672
-
C:\Windows\SysWOW64\Cbaehl32.exeC:\Windows\system32\Cbaehl32.exe110⤵
- System Location Discovery: System Language Discovery
PID:5760 -
C:\Windows\SysWOW64\Cepadh32.exeC:\Windows\system32\Cepadh32.exe111⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5872 -
C:\Windows\SysWOW64\Cmgjee32.exeC:\Windows\system32\Cmgjee32.exe112⤵PID:5960
-
C:\Windows\SysWOW64\Ddqbbo32.exeC:\Windows\system32\Ddqbbo32.exe113⤵
- Drops file in System32 directory
PID:6044 -
C:\Windows\SysWOW64\Dbcbnlcl.exeC:\Windows\system32\Dbcbnlcl.exe114⤵PID:5160
-
C:\Windows\SysWOW64\Debnjgcp.exeC:\Windows\system32\Debnjgcp.exe115⤵PID:5340
-
C:\Windows\SysWOW64\Dinjjf32.exeC:\Windows\system32\Dinjjf32.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5448 -
C:\Windows\SysWOW64\Dllffa32.exeC:\Windows\system32\Dllffa32.exe117⤵
- System Location Discovery: System Language Discovery
PID:5604 -
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe118⤵PID:5732
-
C:\Windows\SysWOW64\Dbfoclai.exeC:\Windows\system32\Dbfoclai.exe119⤵PID:5908
-
C:\Windows\SysWOW64\Dedkogqm.exeC:\Windows\system32\Dedkogqm.exe120⤵
- Drops file in System32 directory
PID:6028 -
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe121⤵PID:5360
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-