Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
110s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29/10/2024, 08:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6b6c3659a2447483620898283618e3f9603efbb5205ea6aed3a66c641f412557N.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
6b6c3659a2447483620898283618e3f9603efbb5205ea6aed3a66c641f412557N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
6b6c3659a2447483620898283618e3f9603efbb5205ea6aed3a66c641f412557N.exe
-
Size
96KB
-
MD5
a9f1c091108a599949fc789b5690b2f0
-
SHA1
bdfa6591e13950898873979ea64c1460774ed4bf
-
SHA256
6b6c3659a2447483620898283618e3f9603efbb5205ea6aed3a66c641f412557
-
SHA512
300d9b1e3a248dfa06d373aed0bcb09a26d22fc57599ca9610368c55f177b00846b6e26d4c786c59b0551db5342cbaadbe140a8f1c3a010bccdad3511578e064
-
SSDEEP
1536:BfyD0Hpj9lE+S8dhJyIcuHaqBsT1Ntn2L57RZObZUUWaegPYA:BfyAHpld6INHE1vM5ClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phlacbfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agiamhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohmhmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmipdk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjafn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agimkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfcmmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oogpjbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gahjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djdflp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcoai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpeohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phelcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihaoqlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjajeqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meepdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjeljhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lflgmqhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lppbkgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdjehhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjpnlbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflbkcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbcplpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghabl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnlgjlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdnabjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cacckp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkndie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pomgjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemefcap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmokop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bckkca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlbkap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonoao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bckkca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgcbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnbbqpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahjgjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdigadjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dngjff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibaeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkndie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqbkfkal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiemobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbdoof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Digehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hheoid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nojjcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lggldm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbfdekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcelpggq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qodeajbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkaqnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mminhceb.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4800 Ggcfja32.exe 1836 Gahjgj32.exe 3156 Gdgfce32.exe 752 Ggeboaob.exe 3300 Hnoklk32.exe 4092 Hheoid32.exe 5096 Hbmcbime.exe 3976 Hhgloc32.exe 4760 Hbpphi32.exe 1044 Hdnldd32.exe 2936 Hocqam32.exe 4512 Hfningai.exe 4632 Hkjafn32.exe 1368 Hfpecg32.exe 3868 Hkmnln32.exe 2848 Ibffhhek.exe 4136 Igcoqocb.exe 324 Ifdonfka.exe 1056 Iomcgl32.exe 4864 Ifgldfio.exe 2020 Ighhln32.exe 2548 Ifihif32.exe 1100 Ieliebnf.exe 4848 Indmnh32.exe 4180 Iijaka32.exe 2568 Jbbfdfkn.exe 336 Jeqbpb32.exe 1808 Jkkjmlan.exe 4412 Jnifigpa.exe 4948 Jiokfpph.exe 3324 Joiccj32.exe 1664 Jeekkafl.exe 3292 Jnnpdg32.exe 956 Jbileede.exe 2364 Jicdap32.exe 3360 Jkaqnk32.exe 2120 Jfgdkd32.exe 3680 Jghabl32.exe 4724 Knbiofhg.exe 536 Kihnmohm.exe 4608 Klfjijgq.exe 4996 Kbpbed32.exe 380 Kijjbofj.exe 5028 Kpdboimg.exe 3084 Kngcje32.exe 2284 Kimghn32.exe 1576 Klkcdj32.exe 1828 Kbekqdjh.exe 3784 Kfqgab32.exe 2040 Klmpiiai.exe 1672 Kbghfc32.exe 2388 Kefdbo32.exe 2480 Kiaqcnpb.exe 1436 Llpmoiof.exe 2000 Lehaho32.exe 4620 Lhfmdj32.exe 3728 Lnqeqd32.exe 1608 Lifjnm32.exe 1880 Lppbkgcj.exe 4404 Locbfd32.exe 2620 Lemkcnaa.exe 1468 Lpbopfag.exe 4076 Lflgmqhd.exe 3148 Lhncdi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Micgbemj.dll Ckjbhmad.exe File opened for modification C:\Windows\SysWOW64\Eecphp32.exe Ebdcld32.exe File created C:\Windows\SysWOW64\Lobfem32.dll Jkkjmlan.exe File created C:\Windows\SysWOW64\Jicdap32.exe Jbileede.exe File opened for modification C:\Windows\SysWOW64\Ijcahd32.exe Igedlh32.exe File opened for modification C:\Windows\SysWOW64\Codhnb32.exe Cfldelik.exe File created C:\Windows\SysWOW64\Nccokk32.exe Neqopnhb.exe File created C:\Windows\SysWOW64\Gjkmhmpl.dll Dclkee32.exe File opened for modification C:\Windows\SysWOW64\Oocmii32.exe Ohiemobf.exe File created C:\Windows\SysWOW64\Plpqil32.exe Pibdmp32.exe File created C:\Windows\SysWOW64\Addaif32.exe Amjillkj.exe File created C:\Windows\SysWOW64\Elcenjob.dll Phlacbfm.exe File created C:\Windows\SysWOW64\Pmcclm32.exe Plbfdekd.exe File created C:\Windows\SysWOW64\Pokhgc32.dll Hdnldd32.exe File created C:\Windows\SysWOW64\Pilehehn.dll Lbchba32.exe File created C:\Windows\SysWOW64\Qhmqdemc.exe Qachgk32.exe File created C:\Windows\SysWOW64\Komhll32.exe Jnlkedai.exe File opened for modification C:\Windows\SysWOW64\Mpnnle32.exe Midfokpm.exe File created C:\Windows\SysWOW64\Pfillg32.exe Pgflqkdd.exe File created C:\Windows\SysWOW64\Bfpfngma.dll Glengm32.exe File created C:\Windows\SysWOW64\Gedapeof.dll Kkpbin32.exe File created C:\Windows\SysWOW64\Mdkgabfn.dll Enpmld32.exe File created C:\Windows\SysWOW64\Ngmpcn32.exe Npchgdcd.exe File created C:\Windows\SysWOW64\Dpifba32.dll Poomegpf.exe File created C:\Windows\SysWOW64\Pekbga32.exe Pcmeke32.exe File created C:\Windows\SysWOW64\Jbklgfdh.dll Imgicgca.exe File opened for modification C:\Windows\SysWOW64\Dkndie32.exe Dhphmj32.exe File opened for modification C:\Windows\SysWOW64\Gahcmd32.exe Ghpocngo.exe File created C:\Windows\SysWOW64\Dajkgl32.dll Jqiipljg.exe File opened for modification C:\Windows\SysWOW64\Fbbpmb32.exe Fmfgek32.exe File created C:\Windows\SysWOW64\Edhjghdk.dll Cnahdi32.exe File created C:\Windows\SysWOW64\Ifgldfio.exe Iomcgl32.exe File created C:\Windows\SysWOW64\Dhkgkgoe.dll Kbpbed32.exe File created C:\Windows\SysWOW64\Cpeohh32.exe Cjhfpa32.exe File created C:\Windows\SysWOW64\Bqcmhb32.dll Gijekg32.exe File created C:\Windows\SysWOW64\Faaigehd.dll Mnphmkji.exe File created C:\Windows\SysWOW64\Jfgdkd32.exe Jkaqnk32.exe File opened for modification C:\Windows\SysWOW64\Phhhhc32.exe Pfillg32.exe File opened for modification C:\Windows\SysWOW64\Ibhkfm32.exe Ilnbicff.exe File created C:\Windows\SysWOW64\Jcleff32.dll Ngjkfd32.exe File created C:\Windows\SysWOW64\Jldajape.dll Jkomneim.exe File created C:\Windows\SysWOW64\Dfpcgbim.dll Kqphfe32.exe File created C:\Windows\SysWOW64\Fmgejhgn.exe Edopabqn.exe File created C:\Windows\SysWOW64\Nahgoe32.exe Nojjcj32.exe File created C:\Windows\SysWOW64\Ahiiai32.dll Lqikmc32.exe File opened for modification C:\Windows\SysWOW64\Emanjldl.exe Enpmld32.exe File opened for modification C:\Windows\SysWOW64\Fiodpl32.exe Fnipbc32.exe File created C:\Windows\SysWOW64\Hnoklk32.exe Ggeboaob.exe File created C:\Windows\SysWOW64\Bifmqo32.exe Bpnihiio.exe File created C:\Windows\SysWOW64\Acddcaom.dll Lldopb32.exe File created C:\Windows\SysWOW64\Pcmeke32.exe Pkenjh32.exe File opened for modification C:\Windows\SysWOW64\Coiaiakf.exe Cbeapmll.exe File opened for modification C:\Windows\SysWOW64\Cmipblaq.exe Cimcan32.exe File opened for modification C:\Windows\SysWOW64\Blielbfi.exe Bnhenj32.exe File created C:\Windows\SysWOW64\Jghpbk32.exe Ipoheakj.exe File created C:\Windows\SysWOW64\Ekaacddn.dll Opeiadfg.exe File opened for modification C:\Windows\SysWOW64\Bhbcfbjk.exe Bnmoijje.exe File opened for modification C:\Windows\SysWOW64\Iakiia32.exe Ijcahd32.exe File created C:\Windows\SysWOW64\Glipgf32.exe Gikdkj32.exe File opened for modification C:\Windows\SysWOW64\Mqimikfj.exe Mgphpe32.exe File created C:\Windows\SysWOW64\Cmnmphdf.dll Mpqkad32.exe File opened for modification C:\Windows\SysWOW64\Oogpjbbb.exe Ohmhmh32.exe File created C:\Windows\SysWOW64\Jocgnlha.dll Pldcjeia.exe File created C:\Windows\SysWOW64\Hbkbod32.dll Kihnmohm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6668 6056 WerFault.exe 810 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkaqnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngcje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kefdbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemcjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpocngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgadgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefped32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pibdmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnahdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaplqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnkhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaflgago.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldcjeia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmapodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ighhln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlkedai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhkcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baegibae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pomgjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnqpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaepk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhamkipi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qachgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhkfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjfecno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqimikfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpikkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlddqem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpjnjii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfaqhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npchgdcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggpbjkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnoklk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnifigpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opemca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efkphnbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johnamkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Midfokpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdfdmdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oklkdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpabni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnfjehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfkmphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcfei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmdjapgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfgek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfggkac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogkmgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkifmjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqdcnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olehhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnhidk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aolblopj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkqfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ennqfenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmfkhmdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjffdalb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamiaboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmdbh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnnfbmk.dll" Ijcahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gipdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbgbpn32.dll" Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmcclm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdickcpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chiblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmmffmb.dll" Kbghfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjkmhmpl.dll" Dclkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feaabknn.dll" Pamiaboj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfoann32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igcoqocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlgah32.dll" Ngmpcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlnbgddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmifiap.dll" Fmfgek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbpphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iomcgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Embkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iddljmpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnphmkji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnpabe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgjbkhen.dll" Hfpecg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlfelogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjggbdl.dll" Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolece32.dll" Fmmmfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll" Mfeeabda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjcngpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podmed32.dll" Fmnkkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmbmpbk.dll" Oeehkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfgipd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhphmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqiipljg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inqbclob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhkf32.dll" Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpmapodj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Locbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcondbo.dll" Eibfck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjknfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbileede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igchfiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmehf32.dll" Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Injmlc32.dll" Dmdhcddh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiodpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gppcmeem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfoel32.dll" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qljjjqlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgelgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaqhj32.dll" Mhppji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdlfi32.dll" Flmqlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgnffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfningai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejoaandc.dll" Aekddhcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agimkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpglnhad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdbei32.dll" Jbbfdfkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acddcaom.dll" Lldopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejalcgkg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3012 wrote to memory of 4800 3012 6b6c3659a2447483620898283618e3f9603efbb5205ea6aed3a66c641f412557N.exe 85 PID 3012 wrote to memory of 4800 3012 6b6c3659a2447483620898283618e3f9603efbb5205ea6aed3a66c641f412557N.exe 85 PID 3012 wrote to memory of 4800 3012 6b6c3659a2447483620898283618e3f9603efbb5205ea6aed3a66c641f412557N.exe 85 PID 4800 wrote to memory of 1836 4800 Ggcfja32.exe 86 PID 4800 wrote to memory of 1836 4800 Ggcfja32.exe 86 PID 4800 wrote to memory of 1836 4800 Ggcfja32.exe 86 PID 1836 wrote to memory of 3156 1836 Gahjgj32.exe 87 PID 1836 wrote to memory of 3156 1836 Gahjgj32.exe 87 PID 1836 wrote to memory of 3156 1836 Gahjgj32.exe 87 PID 3156 wrote to memory of 752 3156 Gdgfce32.exe 88 PID 3156 wrote to memory of 752 3156 Gdgfce32.exe 88 PID 3156 wrote to memory of 752 3156 Gdgfce32.exe 88 PID 752 wrote to memory of 3300 752 Ggeboaob.exe 89 PID 752 wrote to memory of 3300 752 Ggeboaob.exe 89 PID 752 wrote to memory of 3300 752 Ggeboaob.exe 89 PID 3300 wrote to memory of 4092 3300 Hnoklk32.exe 90 PID 3300 wrote to memory of 4092 3300 Hnoklk32.exe 90 PID 3300 wrote to memory of 4092 3300 Hnoklk32.exe 90 PID 4092 wrote to memory of 5096 4092 Hheoid32.exe 91 PID 4092 wrote to memory of 5096 4092 Hheoid32.exe 91 PID 4092 wrote to memory of 5096 4092 Hheoid32.exe 91 PID 5096 wrote to memory of 3976 5096 Hbmcbime.exe 92 PID 5096 wrote to memory of 3976 5096 Hbmcbime.exe 92 PID 5096 wrote to memory of 3976 5096 Hbmcbime.exe 92 PID 3976 wrote to memory of 4760 3976 Hhgloc32.exe 93 PID 3976 wrote to memory of 4760 3976 Hhgloc32.exe 93 PID 3976 wrote to memory of 4760 3976 Hhgloc32.exe 93 PID 4760 wrote to memory of 1044 4760 Hbpphi32.exe 94 PID 4760 wrote to memory of 1044 4760 Hbpphi32.exe 94 PID 4760 wrote to memory of 1044 4760 Hbpphi32.exe 94 PID 1044 wrote to memory of 2936 1044 Hdnldd32.exe 95 PID 1044 wrote to memory of 2936 1044 Hdnldd32.exe 95 PID 1044 wrote to memory of 2936 1044 Hdnldd32.exe 95 PID 2936 wrote to memory of 4512 2936 Hocqam32.exe 97 PID 2936 wrote to memory of 4512 2936 Hocqam32.exe 97 PID 2936 wrote to memory of 4512 2936 Hocqam32.exe 97 PID 4512 wrote to memory of 4632 4512 Hfningai.exe 98 PID 4512 wrote to memory of 4632 4512 Hfningai.exe 98 PID 4512 wrote to memory of 4632 4512 Hfningai.exe 98 PID 4632 wrote to memory of 1368 4632 Hkjafn32.exe 99 PID 4632 wrote to memory of 1368 4632 Hkjafn32.exe 99 PID 4632 wrote to memory of 1368 4632 Hkjafn32.exe 99 PID 1368 wrote to memory of 3868 1368 Hfpecg32.exe 100 PID 1368 wrote to memory of 3868 1368 Hfpecg32.exe 100 PID 1368 wrote to memory of 3868 1368 Hfpecg32.exe 100 PID 3868 wrote to memory of 2848 3868 Hkmnln32.exe 101 PID 3868 wrote to memory of 2848 3868 Hkmnln32.exe 101 PID 3868 wrote to memory of 2848 3868 Hkmnln32.exe 101 PID 2848 wrote to memory of 4136 2848 Ibffhhek.exe 102 PID 2848 wrote to memory of 4136 2848 Ibffhhek.exe 102 PID 2848 wrote to memory of 4136 2848 Ibffhhek.exe 102 PID 4136 wrote to memory of 324 4136 Igcoqocb.exe 104 PID 4136 wrote to memory of 324 4136 Igcoqocb.exe 104 PID 4136 wrote to memory of 324 4136 Igcoqocb.exe 104 PID 324 wrote to memory of 1056 324 Ifdonfka.exe 105 PID 324 wrote to memory of 1056 324 Ifdonfka.exe 105 PID 324 wrote to memory of 1056 324 Ifdonfka.exe 105 PID 1056 wrote to memory of 4864 1056 Iomcgl32.exe 106 PID 1056 wrote to memory of 4864 1056 Iomcgl32.exe 106 PID 1056 wrote to memory of 4864 1056 Iomcgl32.exe 106 PID 4864 wrote to memory of 2020 4864 Ifgldfio.exe 107 PID 4864 wrote to memory of 2020 4864 Ifgldfio.exe 107 PID 4864 wrote to memory of 2020 4864 Ifgldfio.exe 107 PID 2020 wrote to memory of 2548 2020 Ighhln32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b6c3659a2447483620898283618e3f9603efbb5205ea6aed3a66c641f412557N.exe"C:\Users\Admin\AppData\Local\Temp\6b6c3659a2447483620898283618e3f9603efbb5205ea6aed3a66c641f412557N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe23⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe24⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe25⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe26⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe28⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe31⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe32⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe33⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe34⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe36⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3360 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe38⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe40⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe42⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4996 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe44⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe45⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3084 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe47⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe48⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe49⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe50⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe51⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe54⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe55⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe56⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe57⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe58⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe59⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:4404 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe62⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe63⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe65⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe66⤵PID:3740
-
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe67⤵
- Drops file in System32 directory
PID:4344 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe68⤵
- Modifies registry class
PID:5076 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe69⤵PID:100
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe70⤵
- System Location Discovery: System Language Discovery
PID:4648 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe71⤵PID:1776
-
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1876 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4952 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe74⤵PID:2268
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe76⤵PID:1088
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe77⤵PID:1492
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe78⤵
- Drops file in System32 directory
PID:3968 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3708 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe81⤵
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe82⤵PID:4428
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe83⤵PID:4248
-
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe84⤵PID:4612
-
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe85⤵PID:3120
-
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe86⤵
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe87⤵
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe88⤵PID:4476
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe89⤵PID:4524
-
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe90⤵PID:2456
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe91⤵PID:832
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe92⤵PID:2108
-
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe93⤵
- System Location Discovery: System Language Discovery
PID:1188 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe94⤵PID:1488
-
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe95⤵PID:5092
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe96⤵PID:5132
-
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe97⤵PID:5176
-
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe98⤵PID:5224
-
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe99⤵PID:5268
-
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe100⤵
- System Location Discovery: System Language Discovery
PID:5312 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe101⤵PID:5356
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe102⤵PID:5420
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe103⤵PID:5468
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe104⤵PID:5528
-
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe105⤵PID:5572
-
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe106⤵PID:5620
-
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe107⤵PID:5668
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe108⤵PID:5732
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5784 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe110⤵PID:5832
-
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5876 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe112⤵PID:5952
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe113⤵PID:6024
-
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe114⤵
- Drops file in System32 directory
PID:6072 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe115⤵
- Drops file in System32 directory
PID:6112 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe116⤵PID:5128
-
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe117⤵PID:5216
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe118⤵PID:5284
-
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe119⤵PID:5348
-
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe120⤵PID:5460
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe121⤵PID:5548
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-