Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
102s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14/10/2024, 12:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6d8930ea0ec173974fe33d0ed00ae7ded9a0b2eca01df4b3b84eeddd144339bN.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
c6d8930ea0ec173974fe33d0ed00ae7ded9a0b2eca01df4b3b84eeddd144339bN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
c6d8930ea0ec173974fe33d0ed00ae7ded9a0b2eca01df4b3b84eeddd144339bN.exe
-
Size
52KB
-
MD5
59c26499553afc48ee90b3f845571f80
-
SHA1
06605978e2ae031813a7edeeb98b4dce1b61b19e
-
SHA256
c6d8930ea0ec173974fe33d0ed00ae7ded9a0b2eca01df4b3b84eeddd144339b
-
SHA512
9b7dea0c777a723fbc7fb57d07c79cb5fde8dbbe1cd6346edad414809ca50a026c479b4e2f773f2443c077447f1482e58718abe072f4989015fe0cb79e340ca9
-
SSDEEP
768:mh/uoOcgEZ3S6U6uEB9G5ZAVEKbBTpZd45FFgHWwj7V4kGrs/1H5F/s5MABvKWe:o+wQhqVEKTZd45FFgHWwjZ4wkMAdKZ
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aghhla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncfihgq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibalfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phgogl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppqdni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbfedeoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecpmkepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afnemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkkde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fghche32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikiopej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhffqnlm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Occqof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadkhapo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqbbedfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlliejcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeoikl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikmdkjhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikqnffnq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idnljkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncammgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhqoqbik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihfejdgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcdnpfjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngijaop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilngg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loioflhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgijjlla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeoikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acjillnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpndae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkpoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciljpfnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npnnblmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgedao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmkbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmnfgnle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jljpoqdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqhalm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keekahla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mblagi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpmeknkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mflgcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olihblon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mebqhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ninfpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpghd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gecmganl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbfjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijigme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jljpoqdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgipie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfinoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elobdigp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inqqmkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeafpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emfeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqhalm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pghpecfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfghcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Labkla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ninfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qccbkmdl.exe -
Executes dropped EXE 64 IoCs
pid Process 512 Faghoece.exe 3360 Fdfdkqbi.exe 744 Fgdqglbm.exe 4248 Fokhiibo.exe 1104 Fnnidf32.exe 4408 Feeqec32.exe 4400 Fhcmao32.exe 636 Fkbinj32.exe 2964 Foneni32.exe 4488 Falajd32.exe 556 Fhfjgogm.exe 2188 Fopbdi32.exe 2420 Fannpd32.exe 3096 Fhhfmnej.exe 3664 Foboih32.exe 3032 Faqkedkk.exe 1360 Gdogaojo.exe 2424 Ggncnkjb.exe 2628 Gnglje32.exe 1868 Ghmphn32.exe 5084 Gnjhpd32.exe 1184 Ghommmob.exe 4132 Gecmganl.exe 552 Golapg32.exe 3748 Gkbbdh32.exe 1720 Galjabam.exe 3460 Hhfbnl32.exe 2264 Hoqkkfpg.exe 3712 Hboggbok.exe 2268 Hhioclgg.exe 2736 Hbadla32.exe 4292 Hhklilde.exe 4296 Hnhdabcl.exe 1584 Hdbmnm32.exe 2716 Hklekg32.exe 3384 Hnjagb32.exe 2008 Hhpedk32.exe 376 Hknapf32.exe 3104 Hnmnlb32.exe 2828 Ifdfno32.exe 2880 Ikqnffnq.exe 2772 Ibjgbp32.exe 3016 Iidoojlj.exe 1596 Ioogld32.exe 688 Inaggaka.exe 4344 Idkpdk32.exe 1856 Ibopnpah.exe 3628 Idnljkpl.exe 4432 Ikgdfe32.exe 4804 Ibamcooe.exe 2456 Iilepi32.exe 3296 Ikjale32.exe 4848 Jfpeinel.exe 4112 Johjbc32.exe 4832 Jnkjnpbg.exe 2192 Jfbbomci.exe 1840 Jedbjj32.exe 752 Jgcofe32.exe 2492 Jbhcdnim.exe 920 Jfdodm32.exe 2640 Jegopjha.exe 4496 Jpmcmbhg.exe 4588 Jbkpingk.exe 3616 Jffljm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ikopge32.dll Ajkgiepi.exe File created C:\Windows\SysWOW64\Hebjngcc.dll Knkcdn32.exe File opened for modification C:\Windows\SysWOW64\Mpmeknkb.exe Micmnd32.exe File created C:\Windows\SysWOW64\Dmmicbdq.exe Djomgg32.exe File created C:\Windows\SysWOW64\Nhnhfgia.dll Obefjo32.exe File created C:\Windows\SysWOW64\Nadjnhdq.exe Nnfnbmem.exe File created C:\Windows\SysWOW64\Hmpqlgam.exe Hdglca32.exe File opened for modification C:\Windows\SysWOW64\Knkcdn32.exe Klmghb32.exe File created C:\Windows\SysWOW64\Ppcqdikg.exe Pjihgo32.exe File opened for modification C:\Windows\SysWOW64\Fmnbjp32.exe Fibfiame.exe File created C:\Windows\SysWOW64\Hkknpqnj.exe Hgpbpb32.exe File created C:\Windows\SysWOW64\Pjeqblql.dll Iqmpcg32.exe File created C:\Windows\SysWOW64\Jnhfnj32.exe Jkijao32.exe File created C:\Windows\SysWOW64\Jofiej32.dll Neefdm32.exe File opened for modification C:\Windows\SysWOW64\Ncecpc32.exe Nafgdh32.exe File opened for modification C:\Windows\SysWOW64\Nhqoqbik.exe Ncecpc32.exe File created C:\Windows\SysWOW64\Moknna32.dll Acjillnd.exe File opened for modification C:\Windows\SysWOW64\Kqchqmpf.exe Kmhlpo32.exe File opened for modification C:\Windows\SysWOW64\Ncbfjdcd.exe Nadjnhdq.exe File created C:\Windows\SysWOW64\Ohpigm32.exe Oeamka32.exe File created C:\Windows\SysWOW64\Dhnpcabf.dll Dmklmb32.exe File created C:\Windows\SysWOW64\Hgilocli.exe Hdjpcgme.exe File opened for modification C:\Windows\SysWOW64\Mbpdhb32.exe Mjilfe32.exe File created C:\Windows\SysWOW64\Ijckmaeb.dll Qojcpnjq.exe File created C:\Windows\SysWOW64\Pkocel32.dll Icoopkpo.exe File created C:\Windows\SysWOW64\Nolebiho.exe Nlmifnik.exe File opened for modification C:\Windows\SysWOW64\Nejgjbkf.exe Ncljnglc.exe File opened for modification C:\Windows\SysWOW64\Agdoaall.exe Qqjgdh32.exe File opened for modification C:\Windows\SysWOW64\Oahgelgg.exe Obefjo32.exe File created C:\Windows\SysWOW64\Giabab32.dll Hpechaki.exe File created C:\Windows\SysWOW64\Ppdhmj32.dll Idnljkpl.exe File opened for modification C:\Windows\SysWOW64\Jfdodm32.exe Jbhcdnim.exe File created C:\Windows\SysWOW64\Nkpnlfnm.dll Polgoq32.exe File created C:\Windows\SysWOW64\Combci32.exe Cmnfgnle.exe File created C:\Windows\SysWOW64\Hlldmb32.exe Himgag32.exe File opened for modification C:\Windows\SysWOW64\Mpbofm32.exe Mhkgep32.exe File opened for modification C:\Windows\SysWOW64\Djlpag32.exe Dhndel32.exe File opened for modification C:\Windows\SysWOW64\Cocomk32.exe Ckhcllkj.exe File created C:\Windows\SysWOW64\Hnmnlb32.exe Hknapf32.exe File created C:\Windows\SysWOW64\Dimcgdpm.exe Dfogki32.exe File created C:\Windows\SysWOW64\Hnbdlm32.exe Hkdhpa32.exe File opened for modification C:\Windows\SysWOW64\Aolpenhn.exe Akqdeo32.exe File created C:\Windows\SysWOW64\Eqaklhoh.dll Nnfnbmem.exe File created C:\Windows\SysWOW64\Lfdnhdkc.dll Bmcmffjn.exe File opened for modification C:\Windows\SysWOW64\Gdefhh32.exe Gnlnknin.exe File created C:\Windows\SysWOW64\Oobdha32.exe Oldhlf32.exe File created C:\Windows\SysWOW64\Djilaaef.exe Dfnpqb32.exe File opened for modification C:\Windows\SysWOW64\Icjeel32.exe Ipliiq32.exe File created C:\Windows\SysWOW64\Lkfild32.dll Jjpmnd32.exe File opened for modification C:\Windows\SysWOW64\Neniig32.exe Nabmiifc.exe File created C:\Windows\SysWOW64\Lhlipf32.dll Ocemdfdh.exe File opened for modification C:\Windows\SysWOW64\Cjcmkh32.exe Cgdaom32.exe File opened for modification C:\Windows\SysWOW64\Incmbkec.exe Igiefq32.exe File opened for modification C:\Windows\SysWOW64\Jkndmnne.exe Jhpgqboa.exe File created C:\Windows\SysWOW64\Kqbbedfd.exe Kbobjg32.exe File opened for modification C:\Windows\SysWOW64\Lqjnal32.exe Lnlbeq32.exe File created C:\Windows\SysWOW64\Cpfcmq32.exe Ciljpfnp.exe File created C:\Windows\SysWOW64\Oeoikl32.exe Oacmjm32.exe File created C:\Windows\SysWOW64\Edjjfd32.dll Kbclefkd.exe File created C:\Windows\SysWOW64\Mhamdk32.exe Mebqhp32.exe File created C:\Windows\SysWOW64\Ancjjodo.dll Qeclmh32.exe File created C:\Windows\SysWOW64\Efipla32.exe Epphpgkc.exe File created C:\Windows\SysWOW64\Cifihg32.dll Fppqfdmq.exe File created C:\Windows\SysWOW64\Mohdeh32.dll Ighnkj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15480 15616 WerFault.exe 899 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ligfho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifaqhga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfglfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpobk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckadnek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehejfkad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdhedio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idjboo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncammgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbigna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdfdkqbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moniak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poagdffg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgedao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbdmioj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acafga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpqkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihhapc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpdad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbfhkfib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfinoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocomk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcmgog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkpoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcjmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kikgladd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlldmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkpboe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcqdikg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaejpmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfhmeko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfnicob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghconfga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgboeado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnofegmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnkeaebf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhcmao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keghgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpggiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmbkeoai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcphgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfoae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqqdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdcfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmdapilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdiiha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqleb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngcmcfha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpklhpag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpifphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdjpcgme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljkpegnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkkde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipqbdpqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmlianng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lieamfpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckimq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhhdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmdoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbmhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifjdcbb.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4588 Jbkpingk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odponlod.dll" Lpoijpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfjkh32.dll" Cjcmkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kncfihgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjdqcd32.dll" Jgmgfjfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kilngg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjlkkq32.dll" Nolebiho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqmpcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oodana32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aolpenhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cojenjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bompgbmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkbmhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djliga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpndae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdhnqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqfefmnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncecpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mambio32.dll" Lhmjcbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmmen32.dll" Olihblon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpaibaia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpmflkh.dll" Cfedejhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdoing32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihfejdgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkdccg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djlpag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epnbdmaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkknpqnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Labkla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohdeh32.dll" Ighnkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chadkm32.dll" Jgaaai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgdqglbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qeclmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akqdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alnagq32.dll" Emflia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhidc32.dll" Mggljcae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dggndm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckhfj32.dll" Daobmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfogki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafdjp32.dll" Jbeodh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afkegj32.dll" Ejgibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjaogm32.dll" Lnnokqig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnkeaebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oogncajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahkkob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjpgok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjihd32.dll" Fpnkkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbclefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjifck32.dll" Kgqdmmil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Johjbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnjief32.dll" Llhpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhljfd32.dll" Mipinnbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkbhcale.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necbaf32.dll" Jdcden32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmmobl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdiiha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgjecpc.dll" Fokhiibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjgnoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehggcp32.dll" Lnofegmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqmmba32.dll" Bkopfmce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbbkif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqqpee32.dll" Cjkppc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihfejdgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcceamlo.dll" Kncfihgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmjnjjde.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5048 wrote to memory of 512 5048 c6d8930ea0ec173974fe33d0ed00ae7ded9a0b2eca01df4b3b84eeddd144339bN.exe 84 PID 5048 wrote to memory of 512 5048 c6d8930ea0ec173974fe33d0ed00ae7ded9a0b2eca01df4b3b84eeddd144339bN.exe 84 PID 5048 wrote to memory of 512 5048 c6d8930ea0ec173974fe33d0ed00ae7ded9a0b2eca01df4b3b84eeddd144339bN.exe 84 PID 512 wrote to memory of 3360 512 Faghoece.exe 85 PID 512 wrote to memory of 3360 512 Faghoece.exe 85 PID 512 wrote to memory of 3360 512 Faghoece.exe 85 PID 3360 wrote to memory of 744 3360 Fdfdkqbi.exe 87 PID 3360 wrote to memory of 744 3360 Fdfdkqbi.exe 87 PID 3360 wrote to memory of 744 3360 Fdfdkqbi.exe 87 PID 744 wrote to memory of 4248 744 Fgdqglbm.exe 88 PID 744 wrote to memory of 4248 744 Fgdqglbm.exe 88 PID 744 wrote to memory of 4248 744 Fgdqglbm.exe 88 PID 4248 wrote to memory of 1104 4248 Fokhiibo.exe 89 PID 4248 wrote to memory of 1104 4248 Fokhiibo.exe 89 PID 4248 wrote to memory of 1104 4248 Fokhiibo.exe 89 PID 1104 wrote to memory of 4408 1104 Fnnidf32.exe 90 PID 1104 wrote to memory of 4408 1104 Fnnidf32.exe 90 PID 1104 wrote to memory of 4408 1104 Fnnidf32.exe 90 PID 4408 wrote to memory of 4400 4408 Feeqec32.exe 91 PID 4408 wrote to memory of 4400 4408 Feeqec32.exe 91 PID 4408 wrote to memory of 4400 4408 Feeqec32.exe 91 PID 4400 wrote to memory of 636 4400 Fhcmao32.exe 92 PID 4400 wrote to memory of 636 4400 Fhcmao32.exe 92 PID 4400 wrote to memory of 636 4400 Fhcmao32.exe 92 PID 636 wrote to memory of 2964 636 Fkbinj32.exe 93 PID 636 wrote to memory of 2964 636 Fkbinj32.exe 93 PID 636 wrote to memory of 2964 636 Fkbinj32.exe 93 PID 2964 wrote to memory of 4488 2964 Foneni32.exe 95 PID 2964 wrote to memory of 4488 2964 Foneni32.exe 95 PID 2964 wrote to memory of 4488 2964 Foneni32.exe 95 PID 4488 wrote to memory of 556 4488 Falajd32.exe 96 PID 4488 wrote to memory of 556 4488 Falajd32.exe 96 PID 4488 wrote to memory of 556 4488 Falajd32.exe 96 PID 556 wrote to memory of 2188 556 Fhfjgogm.exe 97 PID 556 wrote to memory of 2188 556 Fhfjgogm.exe 97 PID 556 wrote to memory of 2188 556 Fhfjgogm.exe 97 PID 2188 wrote to memory of 2420 2188 Fopbdi32.exe 98 PID 2188 wrote to memory of 2420 2188 Fopbdi32.exe 98 PID 2188 wrote to memory of 2420 2188 Fopbdi32.exe 98 PID 2420 wrote to memory of 3096 2420 Fannpd32.exe 99 PID 2420 wrote to memory of 3096 2420 Fannpd32.exe 99 PID 2420 wrote to memory of 3096 2420 Fannpd32.exe 99 PID 3096 wrote to memory of 3664 3096 Fhhfmnej.exe 100 PID 3096 wrote to memory of 3664 3096 Fhhfmnej.exe 100 PID 3096 wrote to memory of 3664 3096 Fhhfmnej.exe 100 PID 3664 wrote to memory of 3032 3664 Foboih32.exe 101 PID 3664 wrote to memory of 3032 3664 Foboih32.exe 101 PID 3664 wrote to memory of 3032 3664 Foboih32.exe 101 PID 3032 wrote to memory of 1360 3032 Faqkedkk.exe 102 PID 3032 wrote to memory of 1360 3032 Faqkedkk.exe 102 PID 3032 wrote to memory of 1360 3032 Faqkedkk.exe 102 PID 1360 wrote to memory of 2424 1360 Gdogaojo.exe 103 PID 1360 wrote to memory of 2424 1360 Gdogaojo.exe 103 PID 1360 wrote to memory of 2424 1360 Gdogaojo.exe 103 PID 2424 wrote to memory of 2628 2424 Ggncnkjb.exe 104 PID 2424 wrote to memory of 2628 2424 Ggncnkjb.exe 104 PID 2424 wrote to memory of 2628 2424 Ggncnkjb.exe 104 PID 2628 wrote to memory of 1868 2628 Gnglje32.exe 105 PID 2628 wrote to memory of 1868 2628 Gnglje32.exe 105 PID 2628 wrote to memory of 1868 2628 Gnglje32.exe 105 PID 1868 wrote to memory of 5084 1868 Ghmphn32.exe 106 PID 1868 wrote to memory of 5084 1868 Ghmphn32.exe 106 PID 1868 wrote to memory of 5084 1868 Ghmphn32.exe 106 PID 5084 wrote to memory of 1184 5084 Gnjhpd32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6d8930ea0ec173974fe33d0ed00ae7ded9a0b2eca01df4b3b84eeddd144339bN.exe"C:\Users\Admin\AppData\Local\Temp\c6d8930ea0ec173974fe33d0ed00ae7ded9a0b2eca01df4b3b84eeddd144339bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Faghoece.exeC:\Windows\system32\Faghoece.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Fdfdkqbi.exeC:\Windows\system32\Fdfdkqbi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Fgdqglbm.exeC:\Windows\system32\Fgdqglbm.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Fokhiibo.exeC:\Windows\system32\Fokhiibo.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Fnnidf32.exeC:\Windows\system32\Fnnidf32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Feeqec32.exeC:\Windows\system32\Feeqec32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Fhcmao32.exeC:\Windows\system32\Fhcmao32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Fkbinj32.exeC:\Windows\system32\Fkbinj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Foneni32.exeC:\Windows\system32\Foneni32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Falajd32.exeC:\Windows\system32\Falajd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Fhfjgogm.exeC:\Windows\system32\Fhfjgogm.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Fopbdi32.exeC:\Windows\system32\Fopbdi32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Fannpd32.exeC:\Windows\system32\Fannpd32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Fhhfmnej.exeC:\Windows\system32\Fhhfmnej.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Foboih32.exeC:\Windows\system32\Foboih32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Faqkedkk.exeC:\Windows\system32\Faqkedkk.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Gdogaojo.exeC:\Windows\system32\Gdogaojo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Ggncnkjb.exeC:\Windows\system32\Ggncnkjb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Gnglje32.exeC:\Windows\system32\Gnglje32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Ghmphn32.exeC:\Windows\system32\Ghmphn32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Gnjhpd32.exeC:\Windows\system32\Gnjhpd32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Ghommmob.exeC:\Windows\system32\Ghommmob.exe23⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Gecmganl.exeC:\Windows\system32\Gecmganl.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Golapg32.exeC:\Windows\system32\Golapg32.exe25⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Gkbbdh32.exeC:\Windows\system32\Gkbbdh32.exe26⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Galjabam.exeC:\Windows\system32\Galjabam.exe27⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Hhfbnl32.exeC:\Windows\system32\Hhfbnl32.exe28⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Hoqkkfpg.exeC:\Windows\system32\Hoqkkfpg.exe29⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Hboggbok.exeC:\Windows\system32\Hboggbok.exe30⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Hhioclgg.exeC:\Windows\system32\Hhioclgg.exe31⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Hbadla32.exeC:\Windows\system32\Hbadla32.exe32⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Hhklilde.exeC:\Windows\system32\Hhklilde.exe33⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Hnhdabcl.exeC:\Windows\system32\Hnhdabcl.exe34⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Hdbmnm32.exeC:\Windows\system32\Hdbmnm32.exe35⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Hklekg32.exeC:\Windows\system32\Hklekg32.exe36⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Hnjagb32.exeC:\Windows\system32\Hnjagb32.exe37⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Hhpedk32.exeC:\Windows\system32\Hhpedk32.exe38⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Hknapf32.exeC:\Windows\system32\Hknapf32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:376 -
C:\Windows\SysWOW64\Hnmnlb32.exeC:\Windows\system32\Hnmnlb32.exe40⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Ifdfno32.exeC:\Windows\system32\Ifdfno32.exe41⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ikqnffnq.exeC:\Windows\system32\Ikqnffnq.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Ibjgbp32.exeC:\Windows\system32\Ibjgbp32.exe43⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Iidoojlj.exeC:\Windows\system32\Iidoojlj.exe44⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ioogld32.exeC:\Windows\system32\Ioogld32.exe45⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Inaggaka.exeC:\Windows\system32\Inaggaka.exe46⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Idkpdk32.exeC:\Windows\system32\Idkpdk32.exe47⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Ibopnpah.exeC:\Windows\system32\Ibopnpah.exe48⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Idnljkpl.exeC:\Windows\system32\Idnljkpl.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3628 -
C:\Windows\SysWOW64\Ikgdfe32.exeC:\Windows\system32\Ikgdfe32.exe50⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Ibamcooe.exeC:\Windows\system32\Ibamcooe.exe51⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Iilepi32.exeC:\Windows\system32\Iilepi32.exe52⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ikjale32.exeC:\Windows\system32\Ikjale32.exe53⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Jfpeinel.exeC:\Windows\system32\Jfpeinel.exe54⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Johjbc32.exeC:\Windows\system32\Johjbc32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4112 -
C:\Windows\SysWOW64\Jnkjnpbg.exeC:\Windows\system32\Jnkjnpbg.exe56⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Jfbbomci.exeC:\Windows\system32\Jfbbomci.exe57⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Jedbjj32.exeC:\Windows\system32\Jedbjj32.exe58⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Jgcofe32.exeC:\Windows\system32\Jgcofe32.exe59⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Jbhcdnim.exeC:\Windows\system32\Jbhcdnim.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Jfdodm32.exeC:\Windows\system32\Jfdodm32.exe61⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Jegopjha.exeC:\Windows\system32\Jegopjha.exe62⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Jpmcmbhg.exeC:\Windows\system32\Jpmcmbhg.exe63⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Jbkpingk.exeC:\Windows\system32\Jbkpingk.exe64⤵
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
PID:4588 -
C:\Windows\SysWOW64\Jffljm32.exeC:\Windows\system32\Jffljm32.exe65⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Jghhaeeb.exeC:\Windows\system32\Jghhaeeb.exe66⤵PID:4688
-
C:\Windows\SysWOW64\Jpopcbfd.exeC:\Windows\system32\Jpopcbfd.exe67⤵PID:3060
-
C:\Windows\SysWOW64\Jbmloneh.exeC:\Windows\system32\Jbmloneh.exe68⤵PID:5028
-
C:\Windows\SysWOW64\Jelhki32.exeC:\Windows\system32\Jelhki32.exe69⤵PID:1896
-
C:\Windows\SysWOW64\Jigdlhle.exeC:\Windows\system32\Jigdlhle.exe70⤵PID:5080
-
C:\Windows\SysWOW64\Jleahcki.exeC:\Windows\system32\Jleahcki.exe71⤵PID:3504
-
C:\Windows\SysWOW64\Kbpidm32.exeC:\Windows\system32\Kbpidm32.exe72⤵PID:3516
-
C:\Windows\SysWOW64\Keneqi32.exeC:\Windows\system32\Keneqi32.exe73⤵PID:5024
-
C:\Windows\SysWOW64\Kglamd32.exeC:\Windows\system32\Kglamd32.exe74⤵PID:4404
-
C:\Windows\SysWOW64\Klhnmcif.exeC:\Windows\system32\Klhnmcif.exe75⤵PID:1700
-
C:\Windows\SysWOW64\Kbbfjm32.exeC:\Windows\system32\Kbbfjm32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3932 -
C:\Windows\SysWOW64\Kilngg32.exeC:\Windows\system32\Kilngg32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Khonbdoj.exeC:\Windows\system32\Khonbdoj.exe78⤵PID:2204
-
C:\Windows\SysWOW64\Kpffcapl.exeC:\Windows\system32\Kpffcapl.exe79⤵PID:4512
-
C:\Windows\SysWOW64\Kbdbpmop.exeC:\Windows\system32\Kbdbpmop.exe80⤵PID:2960
-
C:\Windows\SysWOW64\Kfpnpk32.exeC:\Windows\system32\Kfpnpk32.exe81⤵PID:3996
-
C:\Windows\SysWOW64\Khakhcmg.exeC:\Windows\system32\Khakhcmg.exe82⤵PID:4944
-
C:\Windows\SysWOW64\Klmghb32.exeC:\Windows\system32\Klmghb32.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Knkcdn32.exeC:\Windows\system32\Knkcdn32.exe84⤵
- Drops file in System32 directory
PID:4088 -
C:\Windows\SysWOW64\Kbgoelmm.exeC:\Windows\system32\Kbgoelmm.exe85⤵PID:2712
-
C:\Windows\SysWOW64\Keekahla.exeC:\Windows\system32\Keekahla.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Khchmc32.exeC:\Windows\system32\Khchmc32.exe87⤵PID:3604
-
C:\Windows\SysWOW64\Kpkpoq32.exeC:\Windows\system32\Kpkpoq32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Kbilkl32.exeC:\Windows\system32\Kbilkl32.exe89⤵PID:3204
-
C:\Windows\SysWOW64\Keghgg32.exeC:\Windows\system32\Keghgg32.exe90⤵
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Khfdcc32.exeC:\Windows\system32\Khfdcc32.exe91⤵PID:976
-
C:\Windows\SysWOW64\Lpmldp32.exeC:\Windows\system32\Lpmldp32.exe92⤵PID:3144
-
C:\Windows\SysWOW64\Lnpmpmpo.exeC:\Windows\system32\Lnpmpmpo.exe93⤵PID:1764
-
C:\Windows\SysWOW64\Lfgdajaa.exeC:\Windows\system32\Lfgdajaa.exe94⤵PID:3500
-
C:\Windows\SysWOW64\Lieamfpe.exeC:\Windows\system32\Lieamfpe.exe95⤵
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Llcmia32.exeC:\Windows\system32\Llcmia32.exe96⤵PID:4416
-
C:\Windows\SysWOW64\Lpoijpgb.exeC:\Windows\system32\Lpoijpgb.exe97⤵
- Modifies registry class
PID:4252 -
C:\Windows\SysWOW64\Lhjnnbem.exeC:\Windows\system32\Lhjnnbem.exe98⤵PID:232
-
C:\Windows\SysWOW64\Llfjoa32.exeC:\Windows\system32\Llfjoa32.exe99⤵PID:4956
-
C:\Windows\SysWOW64\Lbpbkkdc.exeC:\Windows\system32\Lbpbkkdc.exe100⤵PID:3264
-
C:\Windows\SysWOW64\Lenngfcf.exeC:\Windows\system32\Lenngfcf.exe101⤵PID:2304
-
C:\Windows\SysWOW64\Lhmjcbcj.exeC:\Windows\system32\Lhmjcbcj.exe102⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Lpdbeo32.exeC:\Windows\system32\Lpdbeo32.exe103⤵PID:4240
-
C:\Windows\SysWOW64\Logbpljg.exeC:\Windows\system32\Logbpljg.exe104⤵PID:3960
-
C:\Windows\SysWOW64\Leqkmf32.exeC:\Windows\system32\Leqkmf32.exe105⤵PID:3452
-
C:\Windows\SysWOW64\Lilgnejm.exeC:\Windows\system32\Lilgnejm.exe106⤵PID:4976
-
C:\Windows\SysWOW64\Llkcjpiq.exeC:\Windows\system32\Llkcjpiq.exe107⤵PID:992
-
C:\Windows\SysWOW64\Loioflhd.exeC:\Windows\system32\Loioflhd.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5136 -
C:\Windows\SysWOW64\Lfpggiif.exeC:\Windows\system32\Lfpggiif.exe109⤵
- System Location Discovery: System Language Discovery
PID:5180 -
C:\Windows\SysWOW64\Lioccdhj.exeC:\Windows\system32\Lioccdhj.exe110⤵PID:5224
-
C:\Windows\SysWOW64\Mlmpopgn.exeC:\Windows\system32\Mlmpopgn.exe111⤵PID:5268
-
C:\Windows\SysWOW64\Moklkkfa.exeC:\Windows\system32\Moklkkfa.exe112⤵PID:5312
-
C:\Windows\SysWOW64\Mfbdmi32.exeC:\Windows\system32\Mfbdmi32.exe113⤵PID:5356
-
C:\Windows\SysWOW64\Miapid32.exeC:\Windows\system32\Miapid32.exe114⤵PID:5400
-
C:\Windows\SysWOW64\Mlomep32.exeC:\Windows\system32\Mlomep32.exe115⤵PID:5444
-
C:\Windows\SysWOW64\Mpkhenmd.exeC:\Windows\system32\Mpkhenmd.exe116⤵PID:5488
-
C:\Windows\SysWOW64\Moniak32.exeC:\Windows\system32\Moniak32.exe117⤵
- System Location Discovery: System Language Discovery
PID:5532 -
C:\Windows\SysWOW64\Mfeabh32.exeC:\Windows\system32\Mfeabh32.exe118⤵PID:5576
-
C:\Windows\SysWOW64\Micmnd32.exeC:\Windows\system32\Micmnd32.exe119⤵
- Drops file in System32 directory
PID:5620 -
C:\Windows\SysWOW64\Mpmeknkb.exeC:\Windows\system32\Mpmeknkb.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5664 -
C:\Windows\SysWOW64\Mblagi32.exeC:\Windows\system32\Mblagi32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5708
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-