Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
06/10/2024, 11:51
Static task
static1
Behavioral task
behavioral1
Sample
cbff781603ebdb97b4fed0d96c956bf2921857468b478bf85b6c7428fb4b0986N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cbff781603ebdb97b4fed0d96c956bf2921857468b478bf85b6c7428fb4b0986N.exe
Resource
win10v2004-20240802-en
General
-
Target
cbff781603ebdb97b4fed0d96c956bf2921857468b478bf85b6c7428fb4b0986N.exe
-
Size
92KB
-
MD5
8a478c9868e19ca53fa4acca9aaff8e0
-
SHA1
83bf1c4ba2726cf34eacde3b9999f6a2ad8ed0cc
-
SHA256
cbff781603ebdb97b4fed0d96c956bf2921857468b478bf85b6c7428fb4b0986
-
SHA512
ffcc9df673d33d77f64966439b24710a205ee359e5c149a397436b872b60575458da058c3c6a840dd786b251cc5c4211a1c0d711582370dd876471d88a67eae2
-
SSDEEP
1536:Owc5Q8WNsabTDFLov/f5kJrUG845nb/3O0E10OjOWf6jOMq1O/nKQrUoR24HsUs:OwcnWNsaRAf+rD5bWN7jRf8cd6THsR
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdphnmjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhenpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkdoje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmahff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mihikgod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnjbbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glajeiml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkcpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eblgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geflne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pocpqcpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbeggmi.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhmfba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miflehaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifghmae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbcjimda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Haobnpkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clohhbli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfpcada.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejkenpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilqmam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejkenpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhkecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmdlflki.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elaobdmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcinie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfimmhkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmlhpaji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npmjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oijgmokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnbeggmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdaqhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhnlh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkegbfgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolaqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmmmbll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 
Oefamoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbghpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndgpnogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmcnap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omkmhlpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epgpajdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jacnegep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anqfepaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eepbabjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpcklpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iodaikfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lggeej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdmfcn32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnikmjdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajjcoqdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jojboa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nibbklke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkamdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfoamp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqiiamjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmfpgmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lobhqdec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djoohk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecoiapdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmbcik32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epgpajdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjpoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nifele32.exe -
Executes dropped EXE 64 IoCs
pid Process 1128 Mfkcibdl.exe 3128 Mmdlflki.exe 1684 Mpchbhjl.exe 956 Mjiloqjb.exe 1748 Miklkm32.exe 2688 Mdaqhf32.exe 1340 Mfomda32.exe 2608 Mphamg32.exe 828 Nfaijand.exe 5032 Nmlafk32.exe 1740 Nhafcd32.exe 4416 Nibbklke.exe 3232 Ndhgie32.exe 4828 Nieoal32.exe 4656 Ndjcne32.exe 2372 Nkdlkope.exe 868 Nandhi32.exe 1372 Ngklppei.exe 4408 Naqqmieo.exe 892 Ndomiddc.exe 4588 Oileakbj.exe 1660 Oacmchcl.exe 1384 Odaiodbp.exe 2424 Oaejhh32.exe 4704 Oiqomj32.exe 4300 Ohaokbfd.exe 860 Oajccgmd.exe 4420 Okbhlm32.exe 4660 Onqdhh32.exe 2924 Pjgemi32.exe 3040 Pnenchoc.exe 1924 Pdofpb32.exe 660 Ppffec32.exe 2420 Pafcofcg.exe 1544 Pjahchpb.exe 764 Qdflaa32.exe 3572 Qdihfq32.exe 4424 Aamipe32.exe 656 Ajhndgjj.exe 3096 Adnbapjp.exe 4716 Anffje32.exe 3720 Aqdbfa32.exe 996 Anhcpeon.exe 5016 Ahngmnnd.exe 4264 Aklciimh.exe 3404 Abflfc32.exe 3748 Akopoi32.exe 2236 Bqkigp32.exe 1456 Bkamdi32.exe 3504 Bbkeacqo.exe 940 Bggnijof.exe 3740 Bbmbgb32.exe 676 Bdlncn32.exe 452 Bndblcdq.exe 1820 Biigildg.exe 2004 Bglgdi32.exe 3964 Bdphnmjk.exe 1688 Bjmpfdhb.exe 3044 Cebdcmhh.exe 4600 Cjomldfp.exe 4948 Cqiehnml.exe 3716 Cgcmeh32.exe 5104 Cbiabq32.exe 4360 Cjdfgc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nifnao32.exe Nblfee32.exe File created C:\Windows\SysWOW64\Hmdlhk32.exe Hhhdpd32.exe File created C:\Windows\SysWOW64\Fmlngh32.dll Ehhpge32.exe File created C:\Windows\SysWOW64\Ggfcbi32.dll Lobhqdec.exe File created C:\Windows\SysWOW64\Hhpaki32.exe Haeino32.exe File created C:\Windows\SysWOW64\Odighm32.dll Ipohpdbb.exe File created C:\Windows\SysWOW64\Egfolf32.dll Lbcabo32.exe File created C:\Windows\SysWOW64\Einmdadf.dll Eenflbll.exe File created C:\Windows\SysWOW64\Ahgnqlhk.dll Ildpbfmf.exe File created C:\Windows\SysWOW64\Dkkqnnfc.dll Dqbadf32.exe File created C:\Windows\SysWOW64\Cabgompp.dll Nldjnk32.exe File opened for modification C:\Windows\SysWOW64\Jjefao32.exe Jcknee32.exe File opened for modification C:\Windows\SysWOW64\Mcnmhpoj.exe Mihikgod.exe File created C:\Windows\SysWOW64\Imofip32.exe Iolfmcbb.exe File created C:\Windows\SysWOW64\Dbghhd32.dll Dcbckk32.exe File created C:\Windows\SysWOW64\Jknbhdmb.dll Nkdlkope.exe File created C:\Windows\SysWOW64\Cdfbnhhc.dll Mmahff32.exe File opened for modification C:\Windows\SysWOW64\Jkeloa32.exe Jnalem32.exe File opened for modification C:\Windows\SysWOW64\Mnbnchlb.exe Moomgl32.exe File created C:\Windows\SysWOW64\Moajmk32.exe Mmcnap32.exe File opened for modification C:\Windows\SysWOW64\Dcbckk32.exe Dmhkoaco.exe File created C:\Windows\SysWOW64\Ejbonb32.dll Acpkbf32.exe File created C:\Windows\SysWOW64\Bfnknk32.dll Dqgjoenq.exe File created C:\Windows\SysWOW64\Gdclcmba.exe Gmjcgb32.exe File created C:\Windows\SysWOW64\Ioeicajh.exe Ihkpgg32.exe File created C:\Windows\SysWOW64\Olejcaja.dll Nehekq32.exe File opened for modification C:\Windows\SysWOW64\Himgjbii.exe Hligqnjp.exe File created C:\Windows\SysWOW64\Jcdglg32.dll Kkdoje32.exe File created C:\Windows\SysWOW64\Cogadadh.dll Lmmokgne.exe File created C:\Windows\SysWOW64\Qmjpdddo.dll Benjkijd.exe File opened for modification C:\Windows\SysWOW64\Akopoi32.exe Abflfc32.exe File opened for 
modification C:\Windows\SysWOW64\Pkfjmfld.exe Pboblika.exe File opened for modification C:\Windows\SysWOW64\Iaokdn32.exe Ikechced.exe File created C:\Windows\SysWOW64\Cqccqo32.dll Hepoddcc.exe File opened for modification C:\Windows\SysWOW64\Kddpnpdn.exe Koggehff.exe File opened for modification C:\Windows\SysWOW64\Hhojqcil.exe Hphbpehj.exe File opened for modification C:\Windows\SysWOW64\Eeomfioh.exe Ejglcq32.exe File opened for modification C:\Windows\SysWOW64\Midoph32.exe Mbjgcnll.exe File created C:\Windows\SysWOW64\Acdeneij.exe Aljmal32.exe File created C:\Windows\SysWOW64\Mieeka32.exe Mbkmngfn.exe File created C:\Windows\SysWOW64\Opiidhoj.exe Omkmhlpf.exe File created C:\Windows\SysWOW64\Ejhehcge.dll Pohilc32.exe File opened for modification C:\Windows\SysWOW64\Lhiodm32.exe Laofhbmp.exe File created C:\Windows\SysWOW64\Okiboajh.dll Eeomfioh.exe File created C:\Windows\SysWOW64\Ioafchai.exe Ijdnka32.exe File opened for modification C:\Windows\SysWOW64\Jnalem32.exe Jkcpia32.exe File created C:\Windows\SysWOW64\Ljglnmdi.exe Lobhqdec.exe File opened for modification C:\Windows\SysWOW64\Mmlhpaji.exe Lbgcch32.exe File created C:\Windows\SysWOW64\Hqhdnc32.dll Miflehaf.exe File opened for modification C:\Windows\SysWOW64\Ipohpdbb.exe Impldi32.exe File created C:\Windows\SysWOW64\Jjefao32.exe Jcknee32.exe File opened for modification C:\Windows\SysWOW64\Jkfcigkm.exe Jjefao32.exe File created C:\Windows\SysWOW64\Plimpg32.exe Pmfldkei.exe File created C:\Windows\SysWOW64\Bijfpm32.dll Oileakbj.exe File created C:\Windows\SysWOW64\Fcfmla32.dll Pfjgbapo.exe File created C:\Windows\SysWOW64\Fhdocc32.exe Fjpoio32.exe File created C:\Windows\SysWOW64\Cgffmigc.dll Qpibke32.exe File opened for modification C:\Windows\SysWOW64\Hhhdpd32.exe Hdlhoefk.exe File created C:\Windows\SysWOW64\Pfffnphj.dll Jjefao32.exe File created C:\Windows\SysWOW64\Qdloal32.dll Ghmkol32.exe File created C:\Windows\SysWOW64\Pfoamp32.exe Pohilc32.exe File opened for modification 
C:\Windows\SysWOW64\Gnkflo32.exe Gfcnka32.exe File opened for modification C:\Windows\SysWOW64\Ikgicmpe.exe Idmafc32.exe File created C:\Windows\SysWOW64\Gmdaif32.dll Fblpflfg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4656 3600 WerFault.exe 742 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffjkdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjhdkajh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpibke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nildajdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecoiapdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflkqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqlbqlmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdhalj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdflaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcggga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apaofk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjabgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnkkij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmfldkei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfkcibdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jchaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbmdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoglbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbdijpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oileakbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoiihcde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfoamp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhdpd32.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mboqnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmnmbbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbfbdgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcled32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qciebg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlponebi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmmqgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oefamoma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embdofop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nehekq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obnbjdfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bodano32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhpjbgne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onqdhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapbodql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlialb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlphmafm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpgnmcdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oapllk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaejhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmfcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdjjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknocljn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Pgphggpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgihh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhdlbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmhnea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anffje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjeklfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnalem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiodm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpchbhjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkiclepa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obeikc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Focakm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofalfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaibhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iabodcnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnahbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfaaebnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijpcbn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhcpmn32.dll" Ladpcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cqmgigfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nicalpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackkcmja.dll" Bnbeggmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipndco32.dll" Ffjkdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conhfaeh.dll" Habeni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofjcclq.dll" Flodilma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iplkje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgmkbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emdaee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jndhkmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbmiaob.dll" Pidjcm32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfjgbapo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjoha32.dll" Anqfepaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopielld.dll" Pfmdgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agkqiobl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdjeklfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qciebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qibmoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpfkkl32.dll" Oefamoma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iaqapggb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dboljifq.dll" Lgqhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnokmkfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgcmeh32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpcdmick.dll" Cknbkpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hahedoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllpihkg.dll" Oijgmokc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Habeni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkfcigkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eakdje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ampojimo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnpcjplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impppk32.dll" Npmjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihgnf32.dll" Nblfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppffec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiofe32.dll" Golcak32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djalnkbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nldjnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacemc32.dll" Pifghmae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnlnaiq.dll" Eejcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdaif32.dll" Fblpflfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Midoph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npmjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhdpkoii.dll" Gklnem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdpfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anffje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iabodcnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iemdkl32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlcaca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idokgndh.dll" Jpoagb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nieggill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghbkdald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eaegqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbgcch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgplai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjimaole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhafcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnneimjn.dll" Qdfefkll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emlgedge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egikekfa.dll" Fdmfcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpgnmcdh.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcnqal.dll" Geflne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqiejphh.dll" Mihikgod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikechced.exe
Note: every process in the chain re-points the InProcServer32 default value of the single CLSID {79FAA099-1BAE-816E-D711-115290CEE717} at a different, freshly dropped DLL under C:\Windows\SysWow64\ (Idokgndh.dll, Hnneimjn.dll, Egikekfa.dll, Oflcnqal.dll, Jqiejphh.dll above) with ThreadingModel = "Apartment". The DLL filename changes from process to process while the CLSID does not, so detection and cleanup should key on the CLSID and on writes to its InProcServer32 subkey rather than on any one DLL name. -
Suspicious use of WriteProcessMemory 64 IoCs (each entry records a parent writing into the process it has just spawned — e.g. PID 2312 (the sample) into 1128 (Mfkcibdl.exe), 1128 into 3128 (Mmdlflki.exe); the target of each write is the next process in the "Processes" tree below, and the same parent→child pair is logged three times per spawn, so the count reflects repeated logging of one chain, not 64 distinct injection targets)
description pid Process procid_target PID 2312 wrote to memory of 1128 2312 cbff781603ebdb97b4fed0d96c956bf2921857468b478bf85b6c7428fb4b0986N.exe 91 PID 2312 wrote to memory of 1128 2312 cbff781603ebdb97b4fed0d96c956bf2921857468b478bf85b6c7428fb4b0986N.exe 91 PID 2312 wrote to memory of 1128 2312 cbff781603ebdb97b4fed0d96c956bf2921857468b478bf85b6c7428fb4b0986N.exe 91 PID 1128 wrote to memory of 3128 1128 Mfkcibdl.exe 92 PID 1128 wrote to memory of 3128 1128 Mfkcibdl.exe 92 PID 1128 wrote to memory of 3128 1128 Mfkcibdl.exe 92 PID 3128 wrote to memory of 1684 3128 Mmdlflki.exe 93 PID 3128 wrote to memory of 1684 3128 Mmdlflki.exe 93 PID 3128 wrote to memory of 1684 3128 Mmdlflki.exe 93 PID 1684 wrote to memory of 956 1684 Mpchbhjl.exe 94 PID 1684 wrote to memory of 956 1684 Mpchbhjl.exe 94 PID 1684 wrote to memory of 956 1684 Mpchbhjl.exe 94 PID 956 wrote to memory of 1748 956 Mjiloqjb.exe 95 PID 956 wrote to memory of 1748 956 Mjiloqjb.exe 95 PID 956 wrote to memory of 1748 956 Mjiloqjb.exe 95 PID 1748 wrote to memory of 2688 1748 Miklkm32.exe 96 PID 1748 wrote to memory of 2688 1748 Miklkm32.exe 96 PID 1748 wrote to memory of 2688 1748 Miklkm32.exe 96 PID 2688 wrote to memory of 1340 2688 Mdaqhf32.exe 97 PID 2688 wrote to memory of 1340 2688 Mdaqhf32.exe 97 PID 2688 wrote to memory of 1340 2688 Mdaqhf32.exe 97 PID 1340 wrote to memory of 2608 1340 Mfomda32.exe 98 PID 1340 wrote to memory of 2608 1340 Mfomda32.exe 98 PID 1340 wrote to memory of 2608 1340 Mfomda32.exe 98 PID 2608 wrote to memory of 828 2608 Mphamg32.exe 99 PID 2608 wrote to memory of 828 2608 Mphamg32.exe 99 PID 2608 wrote to memory of 828 2608 Mphamg32.exe 99 PID 828 wrote to memory of 5032 828 Nfaijand.exe 100 PID 828 wrote to memory of 5032 828 Nfaijand.exe 100 PID 828 wrote to memory of 5032 828 Nfaijand.exe 100 PID 5032 wrote to memory of 1740 5032 Nmlafk32.exe 101 PID 5032 wrote to memory of 1740 5032 Nmlafk32.exe 101 PID 5032 wrote to memory of 1740 5032 Nmlafk32.exe 101 PID 1740 wrote to 
memory of 4416 1740 Nhafcd32.exe 102 PID 1740 wrote to memory of 4416 1740 Nhafcd32.exe 102 PID 1740 wrote to memory of 4416 1740 Nhafcd32.exe 102 PID 4416 wrote to memory of 3232 4416 Nibbklke.exe 103 PID 4416 wrote to memory of 3232 4416 Nibbklke.exe 103 PID 4416 wrote to memory of 3232 4416 Nibbklke.exe 103 PID 3232 wrote to memory of 4828 3232 Ndhgie32.exe 104 PID 3232 wrote to memory of 4828 3232 Ndhgie32.exe 104 PID 3232 wrote to memory of 4828 3232 Ndhgie32.exe 104 PID 4828 wrote to memory of 4656 4828 Nieoal32.exe 105 PID 4828 wrote to memory of 4656 4828 Nieoal32.exe 105 PID 4828 wrote to memory of 4656 4828 Nieoal32.exe 105 PID 4656 wrote to memory of 2372 4656 Ndjcne32.exe 106 PID 4656 wrote to memory of 2372 4656 Ndjcne32.exe 106 PID 4656 wrote to memory of 2372 4656 Ndjcne32.exe 106 PID 2372 wrote to memory of 868 2372 Nkdlkope.exe 107 PID 2372 wrote to memory of 868 2372 Nkdlkope.exe 107 PID 2372 wrote to memory of 868 2372 Nkdlkope.exe 107 PID 868 wrote to memory of 1372 868 Nandhi32.exe 108 PID 868 wrote to memory of 1372 868 Nandhi32.exe 108 PID 868 wrote to memory of 1372 868 Nandhi32.exe 108 PID 1372 wrote to memory of 4408 1372 Ngklppei.exe 109 PID 1372 wrote to memory of 4408 1372 Ngklppei.exe 109 PID 1372 wrote to memory of 4408 1372 Ngklppei.exe 109 PID 4408 wrote to memory of 892 4408 Naqqmieo.exe 110 PID 4408 wrote to memory of 892 4408 Naqqmieo.exe 110 PID 4408 wrote to memory of 892 4408 Naqqmieo.exe 110 PID 892 wrote to memory of 4588 892 Ndomiddc.exe 111 PID 892 wrote to memory of 4588 892 Ndomiddc.exe 111 PID 892 wrote to memory of 4588 892 Ndomiddc.exe 111 PID 4588 wrote to memory of 1660 4588 Oileakbj.exe 112
Processes (a single linear parent→child chain: the sample runs from the user's Temp directory, and every subsequent stage is a dropped executable in C:\Windows\SysWOW64\ that executes, optionally writes registry/System32 artifacts, and spawns the next stage; the trailing digit after each command line is its depth in the tree)
-
C:\Users\Admin\AppData\Local\Temp\cbff781603ebdb97b4fed0d96c956bf2921857468b478bf85b6c7428fb4b0986N.exe"C:\Users\Admin\AppData\Local\Temp\cbff781603ebdb97b4fed0d96c956bf2921857468b478bf85b6c7428fb4b0986N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Mfkcibdl.exeC:\Windows\system32\Mfkcibdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Mmdlflki.exeC:\Windows\system32\Mmdlflki.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Mpchbhjl.exeC:\Windows\system32\Mpchbhjl.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Mjiloqjb.exeC:\Windows\system32\Mjiloqjb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Miklkm32.exeC:\Windows\system32\Miklkm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Mdaqhf32.exeC:\Windows\system32\Mdaqhf32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Mfomda32.exeC:\Windows\system32\Mfomda32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Mphamg32.exeC:\Windows\system32\Mphamg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Nfaijand.exeC:\Windows\system32\Nfaijand.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Nmlafk32.exeC:\Windows\system32\Nmlafk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Nhafcd32.exeC:\Windows\system32\Nhafcd32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Nibbklke.exeC:\Windows\system32\Nibbklke.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Ndhgie32.exeC:\Windows\system32\Ndhgie32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Nieoal32.exeC:\Windows\system32\Nieoal32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Ndjcne32.exeC:\Windows\system32\Ndjcne32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Nkdlkope.exeC:\Windows\system32\Nkdlkope.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Nandhi32.exeC:\Windows\system32\Nandhi32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Ngklppei.exeC:\Windows\system32\Ngklppei.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Naqqmieo.exeC:\Windows\system32\Naqqmieo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Ndomiddc.exeC:\Windows\system32\Ndomiddc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Oileakbj.exeC:\Windows\system32\Oileakbj.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Oacmchcl.exeC:\Windows\system32\Oacmchcl.exe23⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Odaiodbp.exeC:\Windows\system32\Odaiodbp.exe24⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Oaejhh32.exeC:\Windows\system32\Oaejhh32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Oiqomj32.exeC:\Windows\system32\Oiqomj32.exe26⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Ohaokbfd.exeC:\Windows\system32\Ohaokbfd.exe27⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Oajccgmd.exeC:\Windows\system32\Oajccgmd.exe28⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Okbhlm32.exeC:\Windows\system32\Okbhlm32.exe29⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Onqdhh32.exeC:\Windows\system32\Onqdhh32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Windows\SysWOW64\Pjgemi32.exeC:\Windows\system32\Pjgemi32.exe31⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Pnenchoc.exeC:\Windows\system32\Pnenchoc.exe32⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Pdofpb32.exeC:\Windows\system32\Pdofpb32.exe33⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Ppffec32.exeC:\Windows\system32\Ppffec32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Pafcofcg.exeC:\Windows\system32\Pafcofcg.exe35⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Pjahchpb.exeC:\Windows\system32\Pjahchpb.exe36⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Qdflaa32.exeC:\Windows\system32\Qdflaa32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:764 -
C:\Windows\SysWOW64\Qdihfq32.exeC:\Windows\system32\Qdihfq32.exe38⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Aamipe32.exeC:\Windows\system32\Aamipe32.exe39⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Ajhndgjj.exeC:\Windows\system32\Ajhndgjj.exe40⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Adnbapjp.exeC:\Windows\system32\Adnbapjp.exe41⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Anffje32.exeC:\Windows\system32\Anffje32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4716 -
C:\Windows\SysWOW64\Aqdbfa32.exeC:\Windows\system32\Aqdbfa32.exe43⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Anhcpeon.exeC:\Windows\system32\Anhcpeon.exe44⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Ahngmnnd.exeC:\Windows\system32\Ahngmnnd.exe45⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Aklciimh.exeC:\Windows\system32\Aklciimh.exe46⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Abflfc32.exeC:\Windows\system32\Abflfc32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3404 -
C:\Windows\SysWOW64\Akopoi32.exeC:\Windows\system32\Akopoi32.exe48⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Bqkigp32.exeC:\Windows\system32\Bqkigp32.exe49⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Bkamdi32.exeC:\Windows\system32\Bkamdi32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Bbkeacqo.exeC:\Windows\system32\Bbkeacqo.exe51⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Bggnijof.exeC:\Windows\system32\Bggnijof.exe52⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Bbmbgb32.exeC:\Windows\system32\Bbmbgb32.exe53⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Bdlncn32.exeC:\Windows\system32\Bdlncn32.exe54⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Bndblcdq.exeC:\Windows\system32\Bndblcdq.exe55⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Biigildg.exeC:\Windows\system32\Biigildg.exe56⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Bglgdi32.exeC:\Windows\system32\Bglgdi32.exe57⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Bdphnmjk.exeC:\Windows\system32\Bdphnmjk.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Bjmpfdhb.exeC:\Windows\system32\Bjmpfdhb.exe59⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Cebdcmhh.exeC:\Windows\system32\Cebdcmhh.exe60⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Cjomldfp.exeC:\Windows\system32\Cjomldfp.exe61⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Cqiehnml.exeC:\Windows\system32\Cqiehnml.exe62⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Cgcmeh32.exeC:\Windows\system32\Cgcmeh32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3716 -
C:\Windows\SysWOW64\Cbiabq32.exeC:\Windows\system32\Cbiabq32.exe64⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Cjdfgc32.exeC:\Windows\system32\Cjdfgc32.exe65⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Canocm32.exeC:\Windows\system32\Canocm32.exe66⤵PID:2460
-
C:\Windows\SysWOW64\Cghgpgqd.exeC:\Windows\system32\Cghgpgqd.exe67⤵PID:1480
-
C:\Windows\SysWOW64\Celgjlpn.exeC:\Windows\system32\Celgjlpn.exe68⤵PID:1388
-
C:\Windows\SysWOW64\Cgjcfgoa.exeC:\Windows\system32\Cgjcfgoa.exe69⤵PID:944
-
C:\Windows\SysWOW64\Dndlba32.exeC:\Windows\system32\Dndlba32.exe70⤵PID:4440
-
C:\Windows\SysWOW64\Dijppjfd.exeC:\Windows\system32\Dijppjfd.exe71⤵PID:2328
-
C:\Windows\SysWOW64\Daeddlco.exeC:\Windows\system32\Daeddlco.exe72⤵PID:1532
-
C:\Windows\SysWOW64\Dlkiaece.exeC:\Windows\system32\Dlkiaece.exe73⤵PID:3776
-
C:\Windows\SysWOW64\Dnienqbi.exeC:\Windows\system32\Dnienqbi.exe74⤵PID:4544
-
C:\Windows\SysWOW64\Dioiki32.exeC:\Windows\system32\Dioiki32.exe75⤵PID:4608
-
C:\Windows\SysWOW64\Dlmegd32.exeC:\Windows\system32\Dlmegd32.exe76⤵PID:2708
-
C:\Windows\SysWOW64\Dajnol32.exeC:\Windows\system32\Dajnol32.exe77⤵PID:2216
-
C:\Windows\SysWOW64\Djbbhafj.exeC:\Windows\system32\Djbbhafj.exe78⤵PID:904
-
C:\Windows\SysWOW64\Elaobdmm.exeC:\Windows\system32\Elaobdmm.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Eblgon32.exeC:\Windows\system32\Eblgon32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Eejcki32.exeC:\Windows\system32\Eejcki32.exe81⤵
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Ehhpge32.exeC:\Windows\system32\Ehhpge32.exe82⤵
- Drops file in System32 directory
PID:5152 -
C:\Windows\SysWOW64\Ejglcq32.exeC:\Windows\system32\Ejglcq32.exe83⤵
- Drops file in System32 directory
PID:5212 -
C:\Windows\SysWOW64\Eeomfioh.exeC:\Windows\system32\Eeomfioh.exe84⤵
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Ejkenpnp.exeC:\Windows\system32\Ejkenpnp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5320 -
C:\Windows\SysWOW64\Eaenkj32.exeC:\Windows\system32\Eaenkj32.exe86⤵PID:5372
-
C:\Windows\SysWOW64\Ehofhdli.exeC:\Windows\system32\Ehofhdli.exe87⤵PID:5412
-
C:\Windows\SysWOW64\Ebejem32.exeC:\Windows\system32\Ebejem32.exe88⤵PID:5492
-
C:\Windows\SysWOW64\Fjpoio32.exeC:\Windows\system32\Fjpoio32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5536 -
C:\Windows\SysWOW64\Fhdocc32.exeC:\Windows\system32\Fhdocc32.exe90⤵PID:5580
-
C:\Windows\SysWOW64\Fkbkoo32.exeC:\Windows\system32\Fkbkoo32.exe91⤵PID:5624
-
C:\Windows\SysWOW64\Fehplggn.exeC:\Windows\system32\Fehplggn.exe92⤵PID:5672
-
C:\Windows\SysWOW64\Fhflhcfa.exeC:\Windows\system32\Fhflhcfa.exe93⤵PID:5716
-
C:\Windows\SysWOW64\Fblpflfg.exeC:\Windows\system32\Fblpflfg.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:5760 -
C:\Windows\SysWOW64\Faopah32.exeC:\Windows\system32\Faopah32.exe95⤵PID:5804
-
C:\Windows\SysWOW64\Focakm32.exeC:\Windows\system32\Focakm32.exe96⤵
- System Location Discovery: System Language Discovery
PID:5848 -
C:\Windows\SysWOW64\Femigg32.exeC:\Windows\system32\Femigg32.exe97⤵PID:5900
-
C:\Windows\SysWOW64\Fhkecb32.exeC:\Windows\system32\Fhkecb32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5952 -
C:\Windows\SysWOW64\Fkiapn32.exeC:\Windows\system32\Fkiapn32.exe99⤵PID:5996
-
C:\Windows\SysWOW64\Fbqiak32.exeC:\Windows\system32\Fbqiak32.exe100⤵PID:6056
-
C:\Windows\SysWOW64\Ghmbib32.exeC:\Windows\system32\Ghmbib32.exe101⤵PID:6112
-
C:\Windows\SysWOW64\Gklnem32.exeC:\Windows\system32\Gklnem32.exe102⤵
- Modifies registry class
PID:5192 -
C:\Windows\SysWOW64\Gbcffk32.exeC:\Windows\system32\Gbcffk32.exe103⤵PID:5272
-
C:\Windows\SysWOW64\Gaffbg32.exeC:\Windows\system32\Gaffbg32.exe104⤵PID:5332
-
C:\Windows\SysWOW64\Gimoce32.exeC:\Windows\system32\Gimoce32.exe105⤵PID:5384
-
C:\Windows\SysWOW64\Ghpooanf.exeC:\Windows\system32\Ghpooanf.exe106⤵PID:5524
-
C:\Windows\SysWOW64\Gknkkmmj.exeC:\Windows\system32\Gknkkmmj.exe107⤵PID:5648
-
C:\Windows\SysWOW64\Gahcgg32.exeC:\Windows\system32\Gahcgg32.exe108⤵PID:5768
-
C:\Windows\SysWOW64\Gedohfmp.exeC:\Windows\system32\Gedohfmp.exe109⤵PID:5832
-
C:\Windows\SysWOW64\Ghbkdald.exeC:\Windows\system32\Ghbkdald.exe110⤵
- Modifies registry class
PID:5932 -
C:\Windows\SysWOW64\Glngep32.exeC:\Windows\system32\Glngep32.exe111⤵PID:5988
-
C:\Windows\SysWOW64\Golcak32.exeC:\Windows\system32\Golcak32.exe112⤵
- Modifies registry class
PID:6104 -
C:\Windows\SysWOW64\Gbhpajlj.exeC:\Windows\system32\Gbhpajlj.exe113⤵PID:5244
-
C:\Windows\SysWOW64\Geflne32.exeC:\Windows\system32\Geflne32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Glpdjpbj.exeC:\Windows\system32\Glpdjpbj.exe115⤵PID:5612
-
C:\Windows\SysWOW64\Gehice32.exeC:\Windows\system32\Gehice32.exe116⤵PID:5788
-
C:\Windows\SysWOW64\Gaoihfoo.exeC:\Windows\system32\Gaoihfoo.exe117⤵PID:5916
-
C:\Windows\SysWOW64\Hocjaj32.exeC:\Windows\system32\Hocjaj32.exe118⤵PID:6072
-
C:\Windows\SysWOW64\Hlgjko32.exeC:\Windows\system32\Hlgjko32.exe119⤵PID:5312
-
C:\Windows\SysWOW64\Hoefgj32.exeC:\Windows\system32\Hoefgj32.exe120⤵PID:5572
-
C:\Windows\SysWOW64\Hepoddcc.exeC:\Windows\system32\Hepoddcc.exe121⤵
- Drops file in System32 directory
PID:5844 -
C:\Windows\SysWOW64\Hligqnjp.exeC:\Windows\system32\Hligqnjp.exe122⤵
- Drops file in System32 directory
PID:2828