Analysis
max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/09/2024, 20:34

Static task: static1

Behavioral task: behavioral1
Sample: 9219c5bb7a177fa57e2984b73b2e610ffbbc9335844992a90787b354fef68bf2N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 9219c5bb7a177fa57e2984b73b2e610ffbbc9335844992a90787b354fef68bf2N.exe
Resource: win10v2004-20240802-en
General
Target: 9219c5bb7a177fa57e2984b73b2e610ffbbc9335844992a90787b354fef68bf2N.exe
Size: 90KB
MD5: 5133cd7caa19ab37d72ab6b9a4db5490
SHA1: b2f97d38ff67dbd89d48ffb35384d636f5498a78
SHA256: 9219c5bb7a177fa57e2984b73b2e610ffbbc9335844992a90787b354fef68bf2
SHA512: a3f70fbc55bdff1fe0aa9973576a6e0d53e4f15cdde05814f49c55aa2ce588cc8b3784962ba8c9a92103e46be946981ee80b28f223e42a6a6ac4a7755b63623b
SSDEEP: 1536:Q41bW1KSeRPdU/uryp8pYdXqLDfu5Nlq/ZBhCweYepU5sdrB/QR/44SXMfOOQ/4e:Q41bUKSeRhyp8cXqLDfu5NlyZBhCY5s7
Malware Config
Extracted family: berbew
Extracted URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 5656, pid_target: 5812, Process: WerFault.exe, procid_target: 888
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree as recorded by the sandbox. Each entry is spawned by the one above it; the number is the spawn depth. Every dropped executable is run from C:\Windows\SysWOW64\ with the command line C:\Windows\system32\<name>.exe. Behaviour tags follow the PID.
1. C:\Users\Admin\AppData\Local\Temp\9219c5bb7a177fa57e2984b73b2e610ffbbc9335844992a90787b354fef68bf2N.exe (PID 2496): Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kbjclm32.exe (PID 3860): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Kickhg32.exe (PID 2076): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Kblpalgf.exe (PID 592): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kmacoefl.exe (PID 3096): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Kbnlgled.exe (PID 700): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kihdcf32.exe (PID 1436): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Llgqpakd.exe (PID 4440): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ldniqolf.exe (PID 4608): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lmfmid32.exe (PID 4860): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Lbcebk32.exe (PID 3532): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Lmijod32.exe (PID 2380): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Llngpq32.exe (PID 2360): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Lbjlbj32.exe (PID 3776): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Lehhof32.exe (PID 1864): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mekdde32.exe (PID 3900): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mcoenjfa.exe (PID 2388): Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Mlgjfo32.exe (PID 2924): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Mgmndh32.exe (PID 1920): Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Mpebmnch.exe (PID 512): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Mgokihke.exe (PID 1948): Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Mdckbljo.exe (PID 5096): Executes dropped EXE; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Nnkpla32.exe (PID 3360): Executes dropped EXE
24. C:\Windows\SysWOW64\Ngdddg32.exe (PID 4144): Executes dropped EXE
25. C:\Windows\SysWOW64\Nlqlmn32.exe (PID 4756): Executes dropped EXE
26. C:\Windows\SysWOW64\Npoeclkn.exe (PID 3320): Executes dropped EXE
27. C:\Windows\SysWOW64\Npabhl32.exe (PID 4436): Executes dropped EXE
28. C:\Windows\SysWOW64\Ngkjefqh.exe (PID 2428): Executes dropped EXE
29. C:\Windows\SysWOW64\Nfpgfb32.exe (PID 1440): Executes dropped EXE
30. C:\Windows\SysWOW64\Oljocm32.exe (PID 672): Executes dropped EXE
31. C:\Windows\SysWOW64\Onilmpdo.exe (PID 2984): Executes dropped EXE
32. C:\Windows\SysWOW64\Ocfdefbf.exe (PID 4840): Executes dropped EXE
33. C:\Windows\SysWOW64\Onlhbobl.exe (PID 3024): Executes dropped EXE; Drops file in System32 directory
34. C:\Windows\SysWOW64\Olaeclgd.exe (PID 4564): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
35. C:\Windows\SysWOW64\Ojefmpen.exe (PID 2896): Executes dropped EXE
36. C:\Windows\SysWOW64\Odjjjh32.exe (PID 1872): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
37. C:\Windows\SysWOW64\Pncocnld.exe (PID 996): Executes dropped EXE; Modifies registry class
38. C:\Windows\SysWOW64\Pgkclc32.exe (PID 1688): Executes dropped EXE
39. C:\Windows\SysWOW64\Pqcgeiie.exe (PID 4360): Executes dropped EXE
40. C:\Windows\SysWOW64\Pjllnopf.exe (PID 1504): Executes dropped EXE; Drops file in System32 directory
41. C:\Windows\SysWOW64\Pcdqfd32.exe (PID 1320): Executes dropped EXE; Drops file in System32 directory
42. C:\Windows\SysWOW64\Pjnicomc.exe (PID 4628): Executes dropped EXE
43. C:\Windows\SysWOW64\Pcgmld32.exe (PID 4572): Executes dropped EXE
44. C:\Windows\SysWOW64\Pmoaei32.exe (PID 2344): Executes dropped EXE
45. C:\Windows\SysWOW64\Qfgfnoae.exe (PID 760): Executes dropped EXE; System Location Discovery: System Language Discovery
46. C:\Windows\SysWOW64\Qckfgcpo.exe (PID 1744): Executes dropped EXE
47. C:\Windows\SysWOW64\Qnakdl32.exe (PID 3960): Executes dropped EXE
48. C:\Windows\SysWOW64\Agiomafe.exe (PID 4356): Executes dropped EXE
49. C:\Windows\SysWOW64\Amfhehdl.exe (PID 808): Executes dropped EXE; Drops file in System32 directory
50. C:\Windows\SysWOW64\Afnlnn32.exe (PID 5020): Executes dropped EXE; Drops file in System32 directory
51. C:\Windows\SysWOW64\Aeplle32.exe (PID 2636): Executes dropped EXE
52. C:\Windows\SysWOW64\Ajledl32.exe (PID 264): Executes dropped EXE
53. C:\Windows\SysWOW64\Aebiae32.exe (PID 3316): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
54. C:\Windows\SysWOW64\Afcfimgg.exe (PID 4968): Executes dropped EXE; Modifies registry class
55. C:\Windows\SysWOW64\Aedfgeof.exe (PID 4196): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
56. C:\Windows\SysWOW64\Afebom32.exe (PID 552): Executes dropped EXE
57. C:\Windows\SysWOW64\Anmjpj32.exe (PID 4004): Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
58. C:\Windows\SysWOW64\Aefbmdmd.exe (PID 1216): Executes dropped EXE; System Location Discovery: System Language Discovery
59. C:\Windows\SysWOW64\Bfhodm32.exe (PID 4984): Executes dropped EXE
60. C:\Windows\SysWOW64\Bnogfj32.exe (PID 3440): Executes dropped EXE
61. C:\Windows\SysWOW64\Beiobd32.exe (PID 2084): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
62. C:\Windows\SysWOW64\Bgglop32.exe (PID 2060): Executes dropped EXE
63. C:\Windows\SysWOW64\Bnadkjab.exe (PID 1988): Executes dropped EXE
64. C:\Windows\SysWOW64\Beklhd32.exe (PID 4476): Executes dropped EXE
65. C:\Windows\SysWOW64\Bflhplom.exe (PID 3064): Executes dropped EXE
66. C:\Windows\SysWOW64\Bncqqioo.exe (PID 1620)
67. C:\Windows\SysWOW64\Benincgl.exe (PID 3208)
68. C:\Windows\SysWOW64\Bglejofp.exe (PID 4824)
69. C:\Windows\SysWOW64\Bnfmfi32.exe (PID 1136)
70. C:\Windows\SysWOW64\Badibd32.exe (PID 4352)
71. C:\Windows\SysWOW64\Bhnaoodm.exe (PID 4072)
72. C:\Windows\SysWOW64\Bmkjgebd.exe (PID 2396)
73. C:\Windows\SysWOW64\Ccebdpia.exe (PID 1692)
74. C:\Windows\SysWOW64\Cfcopkie.exe (PID 3524)
75. C:\Windows\SysWOW64\Cmmgme32.exe (PID 3648)
76. C:\Windows\SysWOW64\Cedonb32.exe (PID 1056)
77. C:\Windows\SysWOW64\Cffkfkfb.exe (PID 4556): Drops file in System32 directory; System Location Discovery: System Language Discovery
78. C:\Windows\SysWOW64\Cjagfi32.exe (PID 216): Modifies registry class
79. C:\Windows\SysWOW64\Cmpcbe32.exe (PID 2120)
80. C:\Windows\SysWOW64\Ceglcb32.exe (PID 4092)
81. C:\Windows\SysWOW64\Chehpnne.exe (PID 3568): System Location Discovery: System Language Discovery
82. C:\Windows\SysWOW64\Ceihibmo.exe (PID 3408)
83. C:\Windows\SysWOW64\Cfjeaj32.exe (PID 4832)
84. C:\Windows\SysWOW64\Cmdmndjj.exe (PID 4600)
85. C:\Windows\SysWOW64\Cdoejn32.exe (PID 5136)
86. C:\Windows\SysWOW64\Chjakm32.exe (PID 5180): Modifies registry class
87. C:\Windows\SysWOW64\Cndihgal.exe (PID 5224): System Location Discovery: System Language Discovery
88. C:\Windows\SysWOW64\Dabfdbpp.exe (PID 5268): Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Ddabpnod.exe (PID 5312)
90. C:\Windows\SysWOW64\Djkjmh32.exe (PID 5356)
91. C:\Windows\SysWOW64\Dmific32.exe (PID 5400)
92. C:\Windows\SysWOW64\Dfakaile.exe (PID 5448)
93. C:\Windows\SysWOW64\Doiccf32.exe (PID 5492): Adds autorun key to be loaded by Explorer.exe on startup
94. C:\Windows\SysWOW64\Dfdggi32.exe (PID 5556)
95. C:\Windows\SysWOW64\Dokphf32.exe (PID 5620)
96. C:\Windows\SysWOW64\Dkbpmgqi.exe (PID 5672): Drops file in System32 directory
97. C:\Windows\SysWOW64\Degdkp32.exe (PID 5716): Adds autorun key to be loaded by Explorer.exe on startup
98. C:\Windows\SysWOW64\Dhfqgk32.exe (PID 5760)
99. C:\Windows\SysWOW64\Dopicego.exe (PID 5808)
100. C:\Windows\SysWOW64\Eanepafc.exe (PID 5852): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
101. C:\Windows\SysWOW64\Egknhhdj.exe (PID 5904)
102. C:\Windows\SysWOW64\Emefdblg.exe (PID 5948)
103. C:\Windows\SysWOW64\Edonal32.exe (PID 5992): System Location Discovery: System Language Discovery
104. C:\Windows\SysWOW64\Ekifnfkq.exe (PID 6036)
105. C:\Windows\SysWOW64\Emgbjajd.exe (PID 6080): Drops file in System32 directory
106. C:\Windows\SysWOW64\Ehmggjij.exe (PID 6124)
107. C:\Windows\SysWOW64\Emjopaha.exe (PID 5164)
108. C:\Windows\SysWOW64\Eaekpppk.exe (PID 5232): System Location Discovery: System Language Discovery
109. C:\Windows\SysWOW64\Egbdhgnb.exe (PID 5304)
110. C:\Windows\SysWOW64\Eaghfpnh.exe (PID 5372): Adds autorun key to be loaded by Explorer.exe on startup
111. C:\Windows\SysWOW64\Ehapbj32.exe (PID 5456): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
112. C:\Windows\SysWOW64\Fokhodmb.exe (PID 5532)
113. C:\Windows\SysWOW64\Fnnikq32.exe (PID 5636)
114. C:\Windows\SysWOW64\Fhdmhicb.exe (PID 5704): Drops file in System32 directory
115. C:\Windows\SysWOW64\Fkbidebf.exe (PID 5792): System Location Discovery: System Language Discovery
116. C:\Windows\SysWOW64\Fnqeppaj.exe (PID 5868)
117. C:\Windows\SysWOW64\Falaao32.exe (PID 5960): Modifies registry class
118. C:\Windows\SysWOW64\Fehmanbl.exe (PID 6052)
119. C:\Windows\SysWOW64\Fgijif32.exe (PID 5144)
120. C:\Windows\SysWOW64\Fopbjc32.exe (PID 5252)
121. C:\Windows\SysWOW64\Fejjgmpi.exe (PID 5396): Drops file in System32 directory
122. C:\Windows\SysWOW64\Fhhfci32.exe (PID 5608): Drops file in System32 directory