Analysis
max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
09-10-2024 12:24
Static task
static1
Behavioral task
behavioral1
Sample
ef278af3b7621aa1c8ad6120a04dff8f537674cae46bf45e412c7e4c367f2144N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ef278af3b7621aa1c8ad6120a04dff8f537674cae46bf45e412c7e4c367f2144N.exe
Resource
win10v2004-20241007-en
General
Target
ef278af3b7621aa1c8ad6120a04dff8f537674cae46bf45e412c7e4c367f2144N.exe
Size
71KB
MD5
9befed82f26f9c67c1cf1cba3a08b350
SHA1
4a5a74bb6181016aba3c2d591971b2ac46cb457d
SHA256
ef278af3b7621aa1c8ad6120a04dff8f537674cae46bf45e412c7e4c367f2144
SHA512
3fb7f7e3decd3a6c075f09a28da41e4ff0752ade3ab46951cf0a58c7a82cf11bf22faf4f6933ca767f215e6d93d58db3ea1daaab0dc6fc42ddd982257ce95047
SSDEEP
1536:d1Fi8TK8kaBL8CPmZjArCd0PzzRQTK1P+ATT:djRTgaBL9prCGPfe+P+A3
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 9640
pid_target 9548
Process WerFault.exe
procid_target 451
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3536 wrote to memory of 3504 3536 ef278af3b7621aa1c8ad6120a04dff8f537674cae46bf45e412c7e4c367f2144N.exe 84
PID 3536 wrote to memory of 3504 3536 ef278af3b7621aa1c8ad6120a04dff8f537674cae46bf45e412c7e4c367f2144N.exe 84
PID 3536 wrote to memory of 3504 3536 ef278af3b7621aa1c8ad6120a04dff8f537674cae46bf45e412c7e4c367f2144N.exe 84
PID 3504 wrote to memory of 2972 3504 Lghdockp.exe 85
PID 3504 wrote to memory of 2972 3504 Lghdockp.exe 85
PID 3504 wrote to memory of 2972 3504 Lghdockp.exe 85
PID 2972 wrote to memory of 4520 2972 Lifqkn32.exe 86
PID 2972 wrote to memory of 4520 2972 Lifqkn32.exe 86
PID 2972 wrote to memory of 4520 2972 Lifqkn32.exe 86
PID 4520 wrote to memory of 4408 4520 Lmbmlmbl.exe 87
PID 4520 wrote to memory of 4408 4520 Lmbmlmbl.exe 87
PID 4520 wrote to memory of 4408 4520 Lmbmlmbl.exe 87
PID 4408 wrote to memory of 3416 4408 Ldlehg32.exe 88
PID 4408 wrote to memory of 3416 4408 Ldlehg32.exe 88
PID 4408 wrote to memory of 3416 4408 Ldlehg32.exe 88
PID 3416 wrote to memory of 4808 3416 Memapppg.exe 89
PID 3416 wrote to memory of 4808 3416 Memapppg.exe 89
PID 3416 wrote to memory of 4808 3416 Memapppg.exe 89
PID 4808 wrote to memory of 1780 4808 Mlgjmi32.exe 91
PID 4808 wrote to memory of 1780 4808 Mlgjmi32.exe 91
PID 4808 wrote to memory of 1780 4808 Mlgjmi32.exe 91
PID 1780 wrote to memory of 4564 1780 Mdnang32.exe 92
PID 1780 wrote to memory of 4564 1780 Mdnang32.exe 92
PID 1780 wrote to memory of 4564 1780 Mdnang32.exe 92
PID 4564 wrote to memory of 4580 4564 Mepnfone.exe 93
PID 4564 wrote to memory of 4580 4564 Mepnfone.exe 93
PID 4564 wrote to memory of 4580 4564 Mepnfone.exe 93
PID 4580 wrote to memory of 60 4580 Mljfbiea.exe 94
PID 4580 wrote to memory of 60 4580 Mljfbiea.exe 94
PID 4580 wrote to memory of 60 4580 Mljfbiea.exe 94
PID 60 wrote to memory of 444 60 Mebkko32.exe 95
PID 60 wrote to memory of 444 60 Mebkko32.exe 95
PID 60 wrote to memory of 444 60 Mebkko32.exe 95
PID 444 wrote to memory of 3704 444 Mmicll32.exe 96
PID 444 wrote to memory of 3704 444 Mmicll32.exe 96
PID 444 wrote to memory of 3704 444 Mmicll32.exe 96
PID 3704 wrote to memory of 228 3704 Mdckifda.exe 97
PID 3704 wrote to memory of 228 3704 Mdckifda.exe 97
PID 3704 wrote to memory of 228 3704 Mdckifda.exe 97
PID 228 wrote to memory of 1188 228 Mipcambi.exe 98
PID 228 wrote to memory of 1188 228 Mipcambi.exe 98
PID 228 wrote to memory of 1188 228 Mipcambi.exe 98
PID 1188 wrote to memory of 1684 1188 Mlnpnh32.exe 99
PID 1188 wrote to memory of 1684 1188 Mlnpnh32.exe 99
PID 1188 wrote to memory of 1684 1188 Mlnpnh32.exe 99
PID 1684 wrote to memory of 2628 1684 Mchhjbii.exe 100
PID 1684 wrote to memory of 2628 1684 Mchhjbii.exe 100
PID 1684 wrote to memory of 2628 1684 Mchhjbii.exe 100
PID 2628 wrote to memory of 1176 2628 Mlqlch32.exe 101
PID 2628 wrote to memory of 1176 2628 Mlqlch32.exe 101
PID 2628 wrote to memory of 1176 2628 Mlqlch32.exe 101
PID 1176 wrote to memory of 4276 1176 Ngfqqa32.exe 102
PID 1176 wrote to memory of 4276 1176 Ngfqqa32.exe 102
PID 1176 wrote to memory of 4276 1176 Ngfqqa32.exe 102
PID 4276 wrote to memory of 404 4276 Nidmml32.exe 103
PID 4276 wrote to memory of 404 4276 Nidmml32.exe 103
PID 4276 wrote to memory of 404 4276 Nidmml32.exe 103
PID 404 wrote to memory of 3960 404 Njgjbllq.exe 104
PID 404 wrote to memory of 3960 404 Njgjbllq.exe 104
PID 404 wrote to memory of 3960 404 Njgjbllq.exe 104
PID 3960 wrote to memory of 4528 3960 Nlefngkd.exe 105
PID 3960 wrote to memory of 4528 3960 Nlefngkd.exe 105
PID 3960 wrote to memory of 4528 3960 Nlefngkd.exe 105
PID 4528 wrote to memory of 2308 4528 Nconka32.exe 106
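The two signatures above are more useful read together than apart: every "wrote to memory of" row is one dropped binary starting the next (the sandbox logs each spawn three times), and the registry rows register the same CLSID {79ECA078-17FF-726B-E811-213280E5C831} under ShellServiceObjectDelayLoad (SSODL) while repeatedly rewriting that CLSID's InProcServer32 default value to a freshly dropped SysWow64 DLL, which is what makes Explorer.exe load the DLL at logon. The script below is an added example, not part of this report or of any sandbox tooling; it parses IoC lines in the flattened format shown on this page (the sample lines are copied from the report above and marked as constructed input), collapses the triplicated writes into a spawn chain, and correlates SSODL entries with their InProcServer32 DLLs. The regular expressions are this example's own assumption about the line format.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the report's own IoC lines. The three
# identical leading rows reproduce the sandbox's triplicated logging on purpose.
WPM_LINES = r"""
PID 3536 wrote to memory of 3504 3536 ef278af3b7621aa1c8ad6120a04dff8f537674cae46bf45e412c7e4c367f2144N.exe 84
PID 3536 wrote to memory of 3504 3536 ef278af3b7621aa1c8ad6120a04dff8f537674cae46bf45e412c7e4c367f2144N.exe 84
PID 3536 wrote to memory of 3504 3536 ef278af3b7621aa1c8ad6120a04dff8f537674cae46bf45e412c7e4c367f2144N.exe 84
PID 3504 wrote to memory of 2972 3504 Lghdockp.exe 85
PID 2972 wrote to memory of 4520 2972 Lifqkn32.exe 86
PID 4520 wrote to memory of 4408 4520 Lmbmlmbl.exe 87
"""

REG_LINES = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Inddje32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jndmacoa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hdkpapgd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddejlgm.dll" Qqoggb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjoek32.dll" Afpbpbpa.exe
"""

# Assumed line formats (this example's own regexes, matching the report layout):
# "PID <parent> wrote to memory of <child> <parent> <parent image> <target seq>"
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$')
# SSODL value: <name> = "{CLSID}" written by <process>
SSODL_RE = re.compile(
    r'ShellServiceObjectDelayLoad\\(?P<name>.+?) = "(?P<clsid>\{[0-9A-Fa-f-]+\})" (?P<proc>\S+)$')
# InProcServer32 default value: the DLL COM will load for that CLSID
INPROC_RE = re.compile(
    r'CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32\\ = "(?P<dll>.+?)" (?P<proc>\S+)$')


def parse_wpm(text):
    """Return {child_pid: (parent_pid, parent_image)}; repeated rows collapse to one edge."""
    edges = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
            edges.setdefault(child, (parent, image))
    return edges


def spawn_chain(edges):
    """Order the edges root-first. The chain in this report is strictly linear
    (each dropped EXE starts exactly one successor), so one child per parent is
    enough; a branching tree would need a list of children per parent."""
    children = {parent: child for child, (parent, _) in edges.items()}
    roots = [p for p in children if p not in edges]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append(pid)
        pid = children.get(pid)
    return chain


def image_of(edges, pid):
    """Image name for a pid; known only for processes that themselves wrote memory."""
    for parent, image in edges.values():
        if parent == pid:
            return image
    return None


def parse_persistence(text):
    """Join the SSODL value (name -> CLSID) with every InProcServer32 DLL path
    registered for that CLSID. Each resulting row is a DLL Explorer.exe would
    load at logon through the Shell Service Object mechanism."""
    ssodl, inproc = {}, defaultdict(set)
    for line in text.strip().splitlines():
        line = line.strip()
        m = SSODL_RE.search(line)
        if m:
            ssodl[m['name']] = m['clsid'].upper()
            continue
        m = INPROC_RE.search(line)
        if m:
            # The report doubles backslashes inside quoted values; undo that.
            inproc[m['clsid'].upper()].add(m['dll'].replace('\\\\', '\\'))
    findings = []
    for name, clsid in ssodl.items():
        for dll in sorted(inproc.get(clsid, ())):
            findings.append({'ssodl_name': name, 'clsid': clsid, 'dll': dll})
    return findings


if __name__ == '__main__':
    edges = parse_wpm(WPM_LINES)
    chain = spawn_chain(edges)
    print('spawn chain:', ' -> '.join(f"{p} ({image_of(edges, p) or '?'})" for p in chain))
    for f in parse_persistence(REG_LINES):
        print(f"SSODL '{f['ssodl_name']}' -> {f['clsid']} -> {f['dll']}")
```

The last pid in the chain has no image name because its name only appears once it writes to the next process; in the report that is how each row's "Process" column names the parent, never the child. On a live host the same correlation is done by enumerating the values under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and the non-WOW6432Node key for 64-bit objects) and resolving each CLSID under HKLM\SOFTWARE\Classes\...\CLSID\<clsid>\InProcServer32. SSODL itself is a legitimate Explorer extension point; what marks this run is a single CLSID whose InProcServer32 is rewritten by a long series of unsigned SysWow64 binaries to differently named DLLs, as the registry rows above show.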
Processes
depth pid image command line
1 3536 C:\Users\Admin\AppData\Local\Temp\ef278af3b7621aa1c8ad6120a04dff8f537674cae46bf45e412c7e4c367f2144N.exe "C:\Users\Admin\AppData\Local\Temp\ef278af3b7621aa1c8ad6120a04dff8f537674cae46bf45e412c7e4c367f2144N.exe"
- Suspicious use of WriteProcessMemory
2 3504 C:\Windows\SysWOW64\Lghdockp.exe C:\Windows\system32\Lghdockp.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
3 2972 C:\Windows\SysWOW64\Lifqkn32.exe C:\Windows\system32\Lifqkn32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
4 4520 C:\Windows\SysWOW64\Lmbmlmbl.exe C:\Windows\system32\Lmbmlmbl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
5 4408 C:\Windows\SysWOW64\Ldlehg32.exe C:\Windows\system32\Ldlehg32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
6 3416 C:\Windows\SysWOW64\Memapppg.exe C:\Windows\system32\Memapppg.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7 4808 C:\Windows\SysWOW64\Mlgjmi32.exe C:\Windows\system32\Mlgjmi32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
8 1780 C:\Windows\SysWOW64\Mdnang32.exe C:\Windows\system32\Mdnang32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
9 4564 C:\Windows\SysWOW64\Mepnfone.exe C:\Windows\system32\Mepnfone.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10 4580 C:\Windows\SysWOW64\Mljfbiea.exe C:\Windows\system32\Mljfbiea.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11 60 C:\Windows\SysWOW64\Mebkko32.exe C:\Windows\system32\Mebkko32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12 444 C:\Windows\SysWOW64\Mmicll32.exe C:\Windows\system32\Mmicll32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
13 3704 C:\Windows\SysWOW64\Mdckifda.exe C:\Windows\system32\Mdckifda.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14 228 C:\Windows\SysWOW64\Mipcambi.exe C:\Windows\system32\Mipcambi.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
15 1188 C:\Windows\SysWOW64\Mlnpnh32.exe C:\Windows\system32\Mlnpnh32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
16 1684 C:\Windows\SysWOW64\Mchhjbii.exe C:\Windows\system32\Mchhjbii.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17 2628 C:\Windows\SysWOW64\Mlqlch32.exe C:\Windows\system32\Mlqlch32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18 1176 C:\Windows\SysWOW64\Ngfqqa32.exe C:\Windows\system32\Ngfqqa32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
19 4276 C:\Windows\SysWOW64\Nidmml32.exe C:\Windows\system32\Nidmml32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
20 404 C:\Windows\SysWOW64\Njgjbllq.exe C:\Windows\system32\Njgjbllq.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21 3960 C:\Windows\SysWOW64\Nlefngkd.exe C:\Windows\system32\Nlefngkd.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
22 4528 C:\Windows\SysWOW64\Nconka32.exe C:\Windows\system32\Nconka32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
23 2308 C:\Windows\SysWOW64\Njifhljn.exe C:\Windows\system32\Njifhljn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
24 3476 C:\Windows\SysWOW64\Ndoked32.exe C:\Windows\system32\Ndoked32.exe
- Executes dropped EXE
- Drops file in System32 directory
25 1920 C:\Windows\SysWOW64\Ngmgap32.exe C:\Windows\system32\Ngmgap32.exe
- Executes dropped EXE
- Modifies registry class
26 5112 C:\Windows\SysWOW64\Nljoig32.exe C:\Windows\system32\Nljoig32.exe
- Executes dropped EXE
- Drops file in System32 directory
27 3936 C:\Windows\SysWOW64\Ncdgfaol.exe C:\Windows\system32\Ncdgfaol.exe
- Executes dropped EXE
28 4784 C:\Windows\SysWOW64\Nfbdblnp.exe C:\Windows\system32\Nfbdblnp.exe
- Executes dropped EXE
29 2908 C:\Windows\SysWOW64\Nnilcjnb.exe C:\Windows\system32\Nnilcjnb.exe
- Executes dropped EXE
30 1740 C:\Windows\SysWOW64\Ophhpene.exe C:\Windows\system32\Ophhpene.exe
- Executes dropped EXE
- Drops file in System32 directory
31 1196 C:\Windows\SysWOW64\Ocfdlqmi.exe C:\Windows\system32\Ocfdlqmi.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
32 4472 C:\Windows\SysWOW64\Ofeqhl32.exe C:\Windows\system32\Ofeqhl32.exe
- Executes dropped EXE
33 4436 C:\Windows\SysWOW64\Onlhii32.exe C:\Windows\system32\Onlhii32.exe
- Executes dropped EXE
- Modifies registry class
34 4776 C:\Windows\SysWOW64\Opjeee32.exe C:\Windows\system32\Opjeee32.exe
- Executes dropped EXE
35 640 C:\Windows\SysWOW64\Ociaap32.exe C:\Windows\system32\Ociaap32.exe
- Executes dropped EXE
36 4748 C:\Windows\SysWOW64\Ojbinjbc.exe C:\Windows\system32\Ojbinjbc.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
37 1132 C:\Windows\SysWOW64\Opmakd32.exe C:\Windows\system32\Opmakd32.exe
- Executes dropped EXE
38 4948 C:\Windows\SysWOW64\Ockngp32.exe C:\Windows\system32\Ockngp32.exe
- Executes dropped EXE
39 4760 C:\Windows\SysWOW64\Ofijckhg.exe C:\Windows\system32\Ofijckhg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
40 2712 C:\Windows\SysWOW64\Ojefcj32.exe C:\Windows\system32\Ojefcj32.exe
- Executes dropped EXE
- Drops file in System32 directory
41 3824 C:\Windows\SysWOW64\Oqonpdgn.exe C:\Windows\system32\Oqonpdgn.exe
- Executes dropped EXE
42 4824 C:\Windows\SysWOW64\Ocmjlpfa.exe C:\Windows\system32\Ocmjlpfa.exe
- Executes dropped EXE
43 4960 C:\Windows\SysWOW64\Ojgbij32.exe C:\Windows\system32\Ojgbij32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
44 4832 C:\Windows\SysWOW64\Ojjooilk.exe C:\Windows\system32\Ojjooilk.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
45 1016 C:\Windows\SysWOW64\Pgnphnke.exe C:\Windows\system32\Pgnphnke.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
46 4968 C:\Windows\SysWOW64\Pjlldiji.exe C:\Windows\system32\Pjlldiji.exe
- Executes dropped EXE
47 2612 C:\Windows\SysWOW64\Pqfdac32.exe C:\Windows\system32\Pqfdac32.exe
- Executes dropped EXE
48 2016 C:\Windows\SysWOW64\Pcdqmo32.exe C:\Windows\system32\Pcdqmo32.exe
- Executes dropped EXE
49 1896 C:\Windows\SysWOW64\Pjnijihf.exe C:\Windows\system32\Pjnijihf.exe
- Executes dropped EXE
50 3956 C:\Windows\SysWOW64\Pqhafcoc.exe C:\Windows\system32\Pqhafcoc.exe
- Executes dropped EXE
51 4632 C:\Windows\SysWOW64\Pcgmbnnf.exe C:\Windows\system32\Pcgmbnnf.exe
- Executes dropped EXE
52 1388 C:\Windows\SysWOW64\Pjqeoh32.exe C:\Windows\system32\Pjqeoh32.exe
- Executes dropped EXE
53 5088 C:\Windows\SysWOW64\Pqknlbmp.exe C:\Windows\system32\Pqknlbmp.exe
- Executes dropped EXE
54 5072 C:\Windows\SysWOW64\Pgdfim32.exe C:\Windows\system32\Pgdfim32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
55 2740 C:\Windows\SysWOW64\Pnoneglj.exe C:\Windows\system32\Pnoneglj.exe
- Executes dropped EXE
- Drops file in System32 directory
56 3748 C:\Windows\SysWOW64\Pqmjab32.exe C:\Windows\system32\Pqmjab32.exe
- Executes dropped EXE
57 1860 C:\Windows\SysWOW64\Pfjcji32.exe C:\Windows\system32\Pfjcji32.exe
- Executes dropped EXE
58 3584 C:\Windows\SysWOW64\Pjeojhbn.exe C:\Windows\system32\Pjeojhbn.exe
- Executes dropped EXE
59 3676 C:\Windows\SysWOW64\Qqoggb32.exe C:\Windows\system32\Qqoggb32.exe
- Executes dropped EXE
- Modifies registry class
60 5064 C:\Windows\SysWOW64\Qflpoi32.exe C:\Windows\system32\Qflpoi32.exe
- Executes dropped EXE
61 632 C:\Windows\SysWOW64\Qmfhlcoo.exe C:\Windows\system32\Qmfhlcoo.exe
- Executes dropped EXE
62 2208 C:\Windows\SysWOW64\Qdmpmp32.exe C:\Windows\system32\Qdmpmp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
63 2124 C:\Windows\SysWOW64\Qfolehep.exe C:\Windows\system32\Qfolehep.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
64 3096 C:\Windows\SysWOW64\Anedfffb.exe C:\Windows\system32\Anedfffb.exe
- Executes dropped EXE
65 1368 C:\Windows\SysWOW64\Adplbp32.exe C:\Windows\system32\Adplbp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
66 2400 C:\Windows\SysWOW64\Agniok32.exe C:\Windows\system32\Agniok32.exe
67 764 C:\Windows\SysWOW64\Amkagb32.exe C:\Windows\system32\Amkagb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
68 5092 C:\Windows\SysWOW64\Aqfmhacc.exe C:\Windows\system32\Aqfmhacc.exe
69 5080 C:\Windows\SysWOW64\Afcfph32.exe C:\Windows\system32\Afcfph32.exe
70 4996 C:\Windows\SysWOW64\Aqijmq32.exe C:\Windows\system32\Aqijmq32.exe
- System Location Discovery: System Language Discovery
71 1540 C:\Windows\SysWOW64\Aedfnoii.exe C:\Windows\system32\Aedfnoii.exe
72 456 C:\Windows\SysWOW64\Afebeg32.exe C:\Windows\system32\Afebeg32.exe
- System Location Discovery: System Language Discovery
73 2508 C:\Windows\SysWOW64\Aakfcp32.exe C:\Windows\system32\Aakfcp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
74 1988 C:\Windows\SysWOW64\Ageopj32.exe C:\Windows\system32\Ageopj32.exe
75 3224 C:\Windows\SysWOW64\Anogldng.exe C:\Windows\system32\Anogldng.exe
- Adds autorun key to be loaded by Explorer.exe on startup
76 4584 C:\Windows\SysWOW64\Agglej32.exe C:\Windows\system32\Agglej32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
77 648 C:\Windows\SysWOW64\Bnadadld.exe C:\Windows\system32\Bnadadld.exe
- System Location Discovery: System Language Discovery
78 448 C:\Windows\SysWOW64\Bcnljkjl.exe C:\Windows\system32\Bcnljkjl.exe
79 2604 C:\Windows\SysWOW64\Bjhdgeai.exe C:\Windows\system32\Bjhdgeai.exe
- Modifies registry class
80 1652 C:\Windows\SysWOW64\Bncqgd32.exe C:\Windows\system32\Bncqgd32.exe
- Modifies registry class
81 3316 C:\Windows\SysWOW64\Benidnao.exe C:\Windows\system32\Benidnao.exe
82 2184 C:\Windows\SysWOW64\Bcqipk32.exe C:\Windows\system32\Bcqipk32.exe
- System Location Discovery: System Language Discovery
83 4516 C:\Windows\SysWOW64\Bjjalepf.exe C:\Windows\system32\Bjjalepf.exe
- Modifies registry class
84 1120 C:\Windows\SysWOW64\Bnfmmc32.exe C:\Windows\system32\Bnfmmc32.exe
- Drops file in System32 directory
85 2372 C:\Windows\SysWOW64\Bccfej32.exe C:\Windows\system32\Bccfej32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
86 3112 C:\Windows\SysWOW64\Bnhjbcfl.exe C:\Windows\system32\Bnhjbcfl.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
87 1664 C:\Windows\SysWOW64\Bfcogecg.exe C:\Windows\system32\Bfcogecg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
88 3492 C:\Windows\SysWOW64\Bmngcp32.exe C:\Windows\system32\Bmngcp32.exe
- Drops file in System32 directory
89 224 C:\Windows\SysWOW64\Bcgopjba.exe C:\Windows\system32\Bcgopjba.exe
90 3272 C:\Windows\SysWOW64\Bhckqh32.exe C:\Windows\system32\Bhckqh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
91 2252 C:\Windows\SysWOW64\Cnmcnb32.exe C:\Windows\system32\Cnmcnb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
92 4592 C:\Windows\SysWOW64\Cakpjn32.exe C:\Windows\system32\Cakpjn32.exe
93 3864 C:\Windows\SysWOW64\Chehfhhh.exe C:\Windows\system32\Chehfhhh.exe
94 1728 C:\Windows\SysWOW64\Cfhhbe32.exe C:\Windows\system32\Cfhhbe32.exe
95 1328 C:\Windows\SysWOW64\Cmbpoofo.exe C:\Windows\system32\Cmbpoofo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
96 2696 C:\Windows\SysWOW64\Ceihplga.exe C:\Windows\system32\Ceihplga.exe
- Drops file in System32 directory
97 3448 C:\Windows\SysWOW64\Chhdlhfe.exe C:\Windows\system32\Chhdlhfe.exe
98 4444 C:\Windows\SysWOW64\Cjfqhcei.exe C:\Windows\system32\Cjfqhcei.exe
- System Location Discovery: System Language Discovery
99 4088 C:\Windows\SysWOW64\Cmdmdo32.exe C:\Windows\system32\Cmdmdo32.exe
- Drops file in System32 directory
100 4904 C:\Windows\SysWOW64\Cdoeaili.exe C:\Windows\system32\Cdoeaili.exe
- System Location Discovery: System Language Discovery
101 3972 C:\Windows\SysWOW64\Cfmamdkm.exe C:\Windows\system32\Cfmamdkm.exe
- System Location Discovery: System Language Discovery
102 928 C:\Windows\SysWOW64\Cndinalo.exe C:\Windows\system32\Cndinalo.exe
103 1456 C:\Windows\SysWOW64\Cenakl32.exe C:\Windows\system32\Cenakl32.exe
104 4280 C:\Windows\SysWOW64\Chlngg32.exe C:\Windows\system32\Chlngg32.exe
105 1868 C:\Windows\SysWOW64\Cjkjcb32.exe C:\Windows\system32\Cjkjcb32.exe
- System Location Discovery: System Language Discovery
106 3800 C:\Windows\SysWOW64\Cnffcajl.exe C:\Windows\system32\Cnffcajl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
107 5132 C:\Windows\SysWOW64\Cepnqkai.exe C:\Windows\system32\Cepnqkai.exe
108 5176 C:\Windows\SysWOW64\Cdcolh32.exe C:\Windows\system32\Cdcolh32.exe
109 5220 C:\Windows\SysWOW64\Dfakhc32.exe C:\Windows\system32\Dfakhc32.exe
- System Location Discovery: System Language Discovery
110 5264 C:\Windows\SysWOW64\Dmlcennd.exe C:\Windows\system32\Dmlcennd.exe
111 5308 C:\Windows\SysWOW64\Dagoel32.exe C:\Windows\system32\Dagoel32.exe
112 5352 C:\Windows\SysWOW64\Dhagbfnj.exe C:\Windows\system32\Dhagbfnj.exe
- Modifies registry class
113 5396 C:\Windows\SysWOW64\Djpcnbmn.exe C:\Windows\system32\Djpcnbmn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
114 5436 C:\Windows\SysWOW64\Dmnpjmla.exe C:\Windows\system32\Dmnpjmla.exe
- Modifies registry class
115 5480 C:\Windows\SysWOW64\Dffdcccb.exe C:\Windows\system32\Dffdcccb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
116 5524 C:\Windows\SysWOW64\Domldpcd.exe C:\Windows\system32\Domldpcd.exe
- System Location Discovery: System Language Discovery
117 5568 C:\Windows\SysWOW64\Degdaj32.exe C:\Windows\system32\Degdaj32.exe
- Drops file in System32 directory
118 5612 C:\Windows\SysWOW64\Dhfqmf32.exe C:\Windows\system32\Dhfqmf32.exe
119 5656 C:\Windows\SysWOW64\Dkdmia32.exe C:\Windows\system32\Dkdmia32.exe
120 5700 C:\Windows\SysWOW64\Dmbiem32.exe C:\Windows\system32\Dmbiem32.exe
- Drops file in System32 directory
- Modifies registry class
121 5744 C:\Windows\SysWOW64\Dejafj32.exe C:\Windows\system32\Dejafj32.exe
122 5788 C:\Windows\SysWOW64\Dgknnb32.exe C:\Windows\system32\Dgknnb32.exe
- System Location Discovery: System Language Discovery