Analysis
-
max time kernel
95s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02/10/2024, 13:20
Behavioral task
behavioral1
Sample
74562e348afdb9157cd2b1802c195e19f18b88d9c6a54dad9ba8fe38a40834b4N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
74562e348afdb9157cd2b1802c195e19f18b88d9c6a54dad9ba8fe38a40834b4N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
74562e348afdb9157cd2b1802c195e19f18b88d9c6a54dad9ba8fe38a40834b4N.exe
-
Size
128KB
-
MD5
8fc05f4e029535eda91def0ca6cf86e0
-
SHA1
49f298c87ce313818d19e28b7d082b3d3e253ece
-
SHA256
74562e348afdb9157cd2b1802c195e19f18b88d9c6a54dad9ba8fe38a40834b4
-
SHA512
d3b4c55337cd24af30aa1282414bf5e6d60793298cc56708167d2d43192aeaa6bfcff2c0c67b18ebb86e433a3e9502ab4358c014e99ed2f6b1054ad576b23212
-
SSDEEP
3072:R+3u9VgEN59ub/b7x1CVMIuPzdH13+EE+RaZ6r+GDZnr:R+3u9VgEN59ub/b7x1CHuPzd5IF6rfBr
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiobceef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmaamn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mngegmbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkeekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mchppmij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fihnomjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckfphc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Komhll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnbfhal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgjejhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knooej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbjmhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbjhbbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfnqmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfkmphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pllgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnmdme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanfen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chglab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jenmcggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqojclne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbpjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckeoeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emoadlfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghpbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcanll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbolp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phedhmhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmofagfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mepfiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkhnjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejopl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanokhdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akpoaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qikgco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhcjqinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcinna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiioonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pknqoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbnpcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkadfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onnmdcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gejopl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaldccip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lggldm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Malpia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmjkic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbakghm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nognnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbgjbkfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbcmakpl.exe -
Executes dropped EXE 64 IoCs
pid Process 5072 Lhmmjbkf.exe 4356 Mngegmbc.exe 1428 Meamcg32.exe 1528 Mniallpq.exe 2808 Mecjif32.exe 4100 Mlmbfqoj.exe 1172 Mbgjbkfg.exe 2136 Mblcnj32.exe 4944 Maodigil.exe 4584 Mldhfpib.exe 4124 Nbnpcj32.exe 4932 Njiegl32.exe 912 Nacmdf32.exe 1660 Nhmeapmd.exe 2196 Nognnj32.exe 1728 Nafjjf32.exe 4972 Nlkngo32.exe 3276 Nojjcj32.exe 2292 Neccpd32.exe 2456 Nhbolp32.exe 2588 Nefped32.exe 3264 Nhdlao32.exe 3960 Olbdhn32.exe 2016 Ooqqdi32.exe 2396 Oocmii32.exe 560 Oihagaji.exe 3720 Okjnnj32.exe 2840 Oeoblb32.exe 4248 Oklkdi32.exe 3620 Obcceg32.exe 3388 Pllgnl32.exe 4596 Pcepkfld.exe 5052 Piphgq32.exe 3032 Pkadoiip.exe 4768 Pakllc32.exe 2624 Phedhmhi.exe 1072 Poomegpf.exe 4348 Pamiaboj.exe 3912 Pidabppl.exe 2112 Pkenjh32.exe 4132 Pekbga32.exe 4388 Plejdkmm.exe 2148 Pcobaedj.exe 4012 Piijno32.exe 4592 Qlggjk32.exe 3780 Qcaofebg.exe 672 Qikgco32.exe 3592 Qljcoj32.exe 524 Qohpkf32.exe 968 Ajndioga.exe 4392 Akoqpg32.exe 3288 Acfhad32.exe 1612 Ahcajk32.exe 3156 Aomifecf.exe 1124 Achegd32.exe 2208 Ahenokjf.exe 2404 Aoofle32.exe 1956 Afinioip.exe 1844 Ahgjejhd.exe 400 Aoabad32.exe 4552 Afkknogn.exe 2900 Aleckinj.exe 1076 Aodogdmn.exe 2128 Bjicdmmd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Eppqqn32.exe Embddb32.exe File created C:\Windows\SysWOW64\Glldgljg.exe Gkkgpc32.exe File opened for modification C:\Windows\SysWOW64\Mjodla32.exe Mcelpggq.exe File created C:\Windows\SysWOW64\Ckjknfnh.exe Cdpcal32.exe File opened for modification C:\Windows\SysWOW64\Eifaim32.exe Eblimcdf.exe File created C:\Windows\SysWOW64\Fogmlp32.dll Hlepcdoa.exe File created C:\Windows\SysWOW64\Iinjhh32.exe Ipeeobbe.exe File created C:\Windows\SysWOW64\Pdbeojmh.dll Mjodla32.exe File opened for modification C:\Windows\SysWOW64\Aknbkjfh.exe Adcjop32.exe File created C:\Windows\SysWOW64\Efhlhh32.exe Epndknin.exe File created C:\Windows\SysWOW64\Jbfadafe.dll Gbofcghl.exe File opened for modification C:\Windows\SysWOW64\Hplicjok.exe Hmnmgnoh.exe File created C:\Windows\SysWOW64\Kcpahpmd.exe Kmfhkf32.exe File created C:\Windows\SysWOW64\Pmmanjof.dll Qmepam32.exe File created C:\Windows\SysWOW64\Enjgeopm.dll Npepkf32.exe File created C:\Windows\SysWOW64\Lklbdm32.exe Kdbjhbbd.exe File created C:\Windows\SysWOW64\Mgobel32.exe Mepfiq32.exe File created C:\Windows\SysWOW64\Eblimcdf.exe Emoadlfo.exe File created C:\Windows\SysWOW64\Kngkqbgl.exe Kgnbdh32.exe File created C:\Windows\SysWOW64\Bhkfkmmg.exe Baannc32.exe File opened for modification C:\Windows\SysWOW64\Cdpcal32.exe Cnfkdb32.exe File opened for modification C:\Windows\SysWOW64\Bjicdmmd.exe Aodogdmn.exe File created C:\Windows\SysWOW64\Iljpij32.exe Hkicaahi.exe File created C:\Windows\SysWOW64\Hkbado32.dll Ipflihfq.exe File created C:\Windows\SysWOW64\Palbgl32.exe Pkbjjbda.exe File opened for modification C:\Windows\SysWOW64\Lopmii32.exe Lmaamn32.exe File created C:\Windows\SysWOW64\Kolfbd32.dll Bnoddcef.exe File opened for modification C:\Windows\SysWOW64\Bljlfh32.exe Bjlpjm32.exe File created C:\Windows\SysWOW64\Fnnjmbpm.exe Fiaael32.exe File created C:\Windows\SysWOW64\Jocefm32.exe Jghpbk32.exe File created C:\Windows\SysWOW64\Onpjichj.exe Ohfami32.exe File opened for modification C:\Windows\SysWOW64\Kpcjgnhb.exe Kjjbjd32.exe File opened for modification C:\Windows\SysWOW64\Emmdom32.exe Efblbbqd.exe File created C:\Windows\SysWOW64\Cnfkdb32.exe Cglbhhga.exe File created C:\Windows\SysWOW64\Ephccnmj.dll Bhcjqinf.exe File created C:\Windows\SysWOW64\Hkicaahi.exe Hcblpdgg.exe File created C:\Windows\SysWOW64\Ojigdcll.exe Odoogi32.exe File created C:\Windows\SysWOW64\Ckbemgcp.exe Cdimqm32.exe File created C:\Windows\SysWOW64\Gdliee32.dll Pllgnl32.exe File created C:\Windows\SysWOW64\Odepdabi.dll Lndagg32.exe File created C:\Windows\SysWOW64\Ghoqak32.dll Oodcdb32.exe File opened for modification C:\Windows\SysWOW64\Ojdgnn32.exe Ocjoadei.exe File created C:\Windows\SysWOW64\Qlejfm32.dll Dpbdopck.exe File created C:\Windows\SysWOW64\Knhakh32.exe Kjmfjj32.exe File created C:\Windows\SysWOW64\Bdinlh32.dll Fbjmhh32.exe File created C:\Windows\SysWOW64\Fdccbl32.exe Fllkqn32.exe File created C:\Windows\SysWOW64\Jabdjc32.dll Jgbjbp32.exe File opened for modification C:\Windows\SysWOW64\Oodcdb32.exe Ojigdcll.exe File created C:\Windows\SysWOW64\Lqppgj32.dll Boenhgdd.exe File created C:\Windows\SysWOW64\Fmpbqoqg.dll Cmmbbejp.exe File created C:\Windows\SysWOW64\Aknifq32.exe Ahpmjejp.exe File created C:\Windows\SysWOW64\Cjafgpmo.dll Flfkkhid.exe File created C:\Windows\SysWOW64\Kgiiiidd.exe Kpoalo32.exe File created C:\Windows\SysWOW64\Dmlijb32.dll Piijno32.exe File created C:\Windows\SysWOW64\Ggahedjn.exe Glldgljg.exe File opened for modification C:\Windows\SysWOW64\Icknfcol.exe Ipmbjgpi.exe File created C:\Windows\SysWOW64\Gabmaqlh.dll Ojigdcll.exe File created C:\Windows\SysWOW64\Dlgaff32.dll Aonoao32.exe File opened for modification C:\Windows\SysWOW64\Ckmonl32.exe Cbdjeg32.exe File created C:\Windows\SysWOW64\Mnhkbfme.exe Mgobel32.exe File created C:\Windows\SysWOW64\Oghdfilo.dll Ecbjkngo.exe File created C:\Windows\SysWOW64\Pdnjmc32.dll Lqikmc32.exe File created C:\Windows\SysWOW64\Pknqoc32.exe Pddhbipj.exe File created C:\Windows\SysWOW64\Kbpnnj32.dll Efafgifc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12740 12412 WerFault.exe 679 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoogi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbelcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmfplibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcfmkff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggahedjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqphfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeebnhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iibccgep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngegmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpcliao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocpfphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblimcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqojclne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhiemoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbofcghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knooej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqpamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipflihfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeaanjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkenjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plejdkmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahenokjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahaceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baadiiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljeafb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmhmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gemkelcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgind32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bljlfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efblbbqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhpimhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfmmplad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmgelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppqqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igbalblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblcnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffnknafg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmaamn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bomkcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfkkhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmhgmmbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahcajk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckdjomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Innfnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kggcnoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojefobm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpbpbecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Holfoqcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nafjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooqqdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijegcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncnob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohbhmfm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnfjkma.dll" Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpbpbecj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipeeobbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdifpa32.dll" Gejopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjehbcf.dll" Iikmbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alnfpcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmggcl32.dll" Komhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkakfla.dll" Lgpoihnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boenhgdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnnjmbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpjcgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmnmgnoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igbalblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnjoi32.dll" Fimhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbnpcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll" Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mglfplgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hoclopne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahcld32.dll" Iomoenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjajmpkj.dll" Ijegcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqndhcdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blielbfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicaifkq.dll" Igbalblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipmbjgpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngqpijkf.dll" Cbbdjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohcegi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpkmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaqdae32.dll" Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpcnkaj.dll" Gmafajfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opeiadfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbcohkd.dll" Elbhjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdehni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohhnbhok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgiiiidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdimqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceifibod.dll" Qljcoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecgcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gljgbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cglbhhga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gblbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Koodbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hidgai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmlfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mblcnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qikgco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akoqpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emmdom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nognnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncgjgp32.dll" Djjebh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meamcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jiiicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgflcifg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1440 wrote to memory of 5072 1440 74562e348afdb9157cd2b1802c195e19f18b88d9c6a54dad9ba8fe38a40834b4N.exe 82 PID 1440 wrote to memory of 5072 1440 74562e348afdb9157cd2b1802c195e19f18b88d9c6a54dad9ba8fe38a40834b4N.exe 82 PID 1440 wrote to memory of 5072 1440 74562e348afdb9157cd2b1802c195e19f18b88d9c6a54dad9ba8fe38a40834b4N.exe 82 PID 5072 wrote to memory of 4356 5072 Lhmmjbkf.exe 83 PID 5072 wrote to memory of 4356 5072 Lhmmjbkf.exe 83 PID 5072 wrote to memory of 4356 5072 Lhmmjbkf.exe 83 PID 4356 wrote to memory of 1428 4356 Mngegmbc.exe 84 PID 4356 wrote to memory of 1428 4356 Mngegmbc.exe 84 PID 4356 wrote to memory of 1428 4356 Mngegmbc.exe 84 PID 1428 wrote to memory of 1528 1428 Meamcg32.exe 85 PID 1428 wrote to memory of 1528 1428 Meamcg32.exe 85 PID 1428 wrote to memory of 1528 1428 Meamcg32.exe 85 PID 1528 wrote to memory of 2808 1528 Mniallpq.exe 86 PID 1528 wrote to memory of 2808 1528 Mniallpq.exe 86 PID 1528 wrote to memory of 2808 1528 Mniallpq.exe 86 PID 2808 wrote to memory of 4100 2808 Mecjif32.exe 87 PID 2808 wrote to memory of 4100 2808 Mecjif32.exe 87 PID 2808 wrote to memory of 4100 2808 Mecjif32.exe 87 PID 4100 wrote to memory of 1172 4100 Mlmbfqoj.exe 88 PID 4100 wrote to memory of 1172 4100 Mlmbfqoj.exe 88 PID 4100 wrote to memory of 1172 4100 Mlmbfqoj.exe 88 PID 1172 wrote to memory of 2136 1172 Mbgjbkfg.exe 89 PID 1172 wrote to memory of 2136 1172 Mbgjbkfg.exe 89 PID 1172 wrote to memory of 2136 1172 Mbgjbkfg.exe 89 PID 2136 wrote to memory of 4944 2136 Mblcnj32.exe 90 PID 2136 wrote to memory of 4944 2136 Mblcnj32.exe 90 PID 2136 wrote to memory of 4944 2136 Mblcnj32.exe 90 PID 4944 wrote to memory of 4584 4944 Maodigil.exe 91 PID 4944 wrote to memory of 4584 4944 Maodigil.exe 91 PID 4944 wrote to memory of 4584 4944 Maodigil.exe 91 PID 4584 wrote to memory of 4124 4584 Mldhfpib.exe 92 PID 4584 wrote to memory of 4124 4584 Mldhfpib.exe 92 PID 4584 wrote to memory of 4124 4584 Mldhfpib.exe 92 PID 4124 wrote to memory of 4932 4124 Nbnpcj32.exe 93 PID 4124 wrote to memory of 4932 4124 Nbnpcj32.exe 93 PID 4124 wrote to memory of 4932 4124 Nbnpcj32.exe 93 PID 4932 wrote to memory of 912 4932 Njiegl32.exe 94 PID 4932 wrote to memory of 912 4932 Njiegl32.exe 94 PID 4932 wrote to memory of 912 4932 Njiegl32.exe 94 PID 912 wrote to memory of 1660 912 Nacmdf32.exe 95 PID 912 wrote to memory of 1660 912 Nacmdf32.exe 95 PID 912 wrote to memory of 1660 912 Nacmdf32.exe 95 PID 1660 wrote to memory of 2196 1660 Nhmeapmd.exe 96 PID 1660 wrote to memory of 2196 1660 Nhmeapmd.exe 96 PID 1660 wrote to memory of 2196 1660 Nhmeapmd.exe 96 PID 2196 wrote to memory of 1728 2196 Nognnj32.exe 97 PID 2196 wrote to memory of 1728 2196 Nognnj32.exe 97 PID 2196 wrote to memory of 1728 2196 Nognnj32.exe 97 PID 1728 wrote to memory of 4972 1728 Nafjjf32.exe 98 PID 1728 wrote to memory of 4972 1728 Nafjjf32.exe 98 PID 1728 wrote to memory of 4972 1728 Nafjjf32.exe 98 PID 4972 wrote to memory of 3276 4972 Nlkngo32.exe 99 PID 4972 wrote to memory of 3276 4972 Nlkngo32.exe 99 PID 4972 wrote to memory of 3276 4972 Nlkngo32.exe 99 PID 3276 wrote to memory of 2292 3276 Nojjcj32.exe 100 PID 3276 wrote to memory of 2292 3276 Nojjcj32.exe 100 PID 3276 wrote to memory of 2292 3276 Nojjcj32.exe 100 PID 2292 wrote to memory of 2456 2292 Neccpd32.exe 101 PID 2292 wrote to memory of 2456 2292 Neccpd32.exe 101 PID 2292 wrote to memory of 2456 2292 Neccpd32.exe 101 PID 2456 wrote to memory of 2588 2456 Nhbolp32.exe 102 PID 2456 wrote to memory of 2588 2456 Nhbolp32.exe 102 PID 2456 wrote to memory of 2588 2456 Nhbolp32.exe 102 PID 2588 wrote to memory of 3264 2588 Nefped32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\74562e348afdb9157cd2b1802c195e19f18b88d9c6a54dad9ba8fe38a40834b4N.exe"C:\Users\Admin\AppData\Local\Temp\74562e348afdb9157cd2b1802c195e19f18b88d9c6a54dad9ba8fe38a40834b4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe23⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe24⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe26⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe27⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3720 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe29⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe30⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe31⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3388 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe33⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe34⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe35⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe36⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe38⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe39⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe40⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe42⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4388 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe44⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4012 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe47⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3592 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe50⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe51⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4392 -
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe53⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe55⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe56⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe58⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe59⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe61⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe62⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe63⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe65⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe66⤵PID:4492
-
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe67⤵PID:4300
-
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe68⤵
- Drops file in System32 directory
PID:3224 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe70⤵PID:4916
-
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe71⤵PID:1724
-
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe72⤵PID:2752
-
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe73⤵PID:1984
-
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4792 -
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4344 -
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4548 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe77⤵PID:3436
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe78⤵PID:4456
-
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe79⤵PID:840
-
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe80⤵
- System Location Discovery: System Language Discovery
PID:4036 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3204 -
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe82⤵PID:1644
-
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe83⤵PID:516
-
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe84⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe85⤵PID:2080
-
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe86⤵PID:3992
-
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe87⤵PID:1220
-
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe88⤵PID:1504
-
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe89⤵PID:4884
-
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe90⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe91⤵PID:4020
-
C:\Windows\SysWOW64\Dfefkkqp.exeC:\Windows\system32\Dfefkkqp.exe92⤵PID:1280
-
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe93⤵PID:2232
-
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe94⤵PID:1492
-
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe95⤵PID:3796
-
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe96⤵PID:2620
-
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe97⤵PID:3176
-
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe98⤵
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe99⤵PID:4016
-
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe100⤵PID:2980
-
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe101⤵
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe102⤵PID:3292
-
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe103⤵PID:4056
-
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe104⤵PID:4860
-
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3324 -
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe106⤵
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe107⤵PID:4692
-
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe108⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe109⤵
- Drops file in System32 directory
PID:4228 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:336 -
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe111⤵PID:2376
-
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe112⤵PID:4852
-
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe113⤵PID:2280
-
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe114⤵PID:4364
-
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe115⤵
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe116⤵PID:5172
-
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe117⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe118⤵
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe119⤵PID:5304
-
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5348 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5392
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-