Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 12:28
Static task
static1
Behavioral task
behavioral1
Sample
4e455fa0ebd6ba4cb62c891ae274415b8f5736443ceffbbc68dd5e3574a87b84N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4e455fa0ebd6ba4cb62c891ae274415b8f5736443ceffbbc68dd5e3574a87b84N.exe
Resource
win10v2004-20241007-en
General
-
Target
4e455fa0ebd6ba4cb62c891ae274415b8f5736443ceffbbc68dd5e3574a87b84N.exe
-
Size
64KB
-
MD5
bb1a882fa17d09afd4dc03c1d75ae6c1
-
SHA1
7ec3999eb0eb89352d1b436101397ce28addf416
-
SHA256
9ba7911c9e727162da05b268ab3b2c78f7b31a99eeeea2c2fed291e372547200
-
SHA512
f18c28edd9ce5fed838dd351236652e542c1e5fb4f1a827edf6fdee55d14c1a1f01385b413b53c87f95e924cd48c2d20c12bef7411bf5b7b9c0858339d3f7b1c
-
SSDEEP
768:AEEe7vLYqJnFTS/38uwvQ7tPx6rIe/wG7icZA8EM8jM1AzD56vhVksiwXwiYE/1o:Avmw/38u8FAzD56vliwgZmwZuYDPv
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpelhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjcmngnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqpamb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebdcld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boflmdkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coiaiakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bheplb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfoann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadghn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocefm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpolbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqphfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fngcmcfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefedmil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdfjld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekqckmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Modpib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmfchle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adikdfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klbnajqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcnjijoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcffnbee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgqgfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoabad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbnmke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhmqdemc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lancko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgqgfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciafbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jahqiaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqmlccdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjocbhbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjbiheb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfhqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpgind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibgdlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdmaoahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmcclm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogbfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mledmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciafbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdejd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidlqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akccap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqiibjlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhnojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddfbgelh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmgiaig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieccbbkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjhbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnkggfkb.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4752 Plpqil32.exe 5028 Peieba32.exe 4952 Pkenjh32.exe 4940 Papfgbmg.exe 884 Phincl32.exe 3488 Pkhjph32.exe 5032 Pcobaedj.exe 1256 Piijno32.exe 3372 Qkjgegae.exe 2884 Qadoba32.exe 320 Qhngolpo.exe 4544 Qohpkf32.exe 3968 Qebhhp32.exe 3860 Akoqpg32.exe 4728 Aojlaeei.exe 3612 Ajpqnneo.exe 2288 Alnmjjdb.exe 3836 Achegd32.exe 1880 Ahenokjf.exe 4944 Ackbmcjl.exe 3876 Ahgjejhd.exe 1864 Aoabad32.exe 4900 Afkknogn.exe 2488 Ahjgjj32.exe 3432 Akhcfe32.exe 2992 Aodogdmn.exe 2700 Bjicdmmd.exe 4356 Boflmdkk.exe 760 Bhoqeibl.exe 2268 Bcddcbab.exe 2896 Bbgeno32.exe 4504 Bjnmpl32.exe 4352 Bhamkipi.exe 3912 Bkoigdom.exe 4416 Bcfahbpo.exe 3708 Bhcjqinf.exe 2560 Bombmcec.exe 4312 Bblnindg.exe 3636 Bjbfklei.exe 632 Bmabggdm.exe 4784 Bckkca32.exe 3116 Cfigpm32.exe 3640 Cmcolgbj.exe 3440 Ckfphc32.exe 4648 Ccmgiaig.exe 2280 Cjgpfk32.exe 4864 Ckilmcgb.exe 3824 Ccpdoqgd.exe 5068 Cfnqklgh.exe 2216 Cmhigf32.exe 4776 Cofecami.exe 1672 Cfqmpl32.exe 804 Cioilg32.exe 3800 Coiaiakf.exe 3340 Cbgnemjj.exe 1452 Ciafbg32.exe 2652 Coknoaic.exe 2708 Dfefkkqp.exe 1396 Diccgfpd.exe 3500 Dpnkdq32.exe 1548 Dfgcakon.exe 2764 Difpmfna.exe 3872 Dkdliame.exe 944 Dbndfl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Efjimhnh.exe Embddb32.exe File opened for modification C:\Windows\SysWOW64\Bhnikc32.exe Boeebnhp.exe File created C:\Windows\SysWOW64\Ipjoja32.exe Ibfnqmpf.exe File created C:\Windows\SysWOW64\Hpfohk32.dll Nimmifgo.exe File created C:\Windows\SysWOW64\Pjphcf32.dll Ofckhj32.exe File created C:\Windows\SysWOW64\Pfccogfc.exe Pcegclgp.exe File created C:\Windows\SysWOW64\Bkoigdom.exe Bhamkipi.exe File created C:\Windows\SysWOW64\Khiofk32.exe Kapfiqoj.exe File created C:\Windows\SysWOW64\Nfqnbjfi.exe Nqcejcha.exe File opened for modification C:\Windows\SysWOW64\Fpkibf32.exe Fmmmfj32.exe File created C:\Windows\SysWOW64\Bpldbefn.dll Ommceclc.exe File opened for modification C:\Windows\SysWOW64\Hgdejd32.exe Hdehni32.exe File created C:\Windows\SysWOW64\Nfamlc32.dll Jgnqgqan.exe File created C:\Windows\SysWOW64\Fknajfhe.dll Fngcmcfe.exe File created C:\Windows\SysWOW64\Geoapenf.exe Gpaihooo.exe File opened for modification C:\Windows\SysWOW64\Ofgdcipq.exe Ocihgnam.exe File created C:\Windows\SysWOW64\Ecqieiii.dll Ajpqnneo.exe File opened for modification C:\Windows\SysWOW64\Bbgeno32.exe Bcddcbab.exe File opened for modification C:\Windows\SysWOW64\Ebaplnie.exe Dglkoeio.exe File created C:\Windows\SysWOW64\Ggmkff32.dll Jilfifme.exe File opened for modification C:\Windows\SysWOW64\Phincl32.exe Papfgbmg.exe File opened for modification C:\Windows\SysWOW64\Cjgpfk32.exe Ccmgiaig.exe File created C:\Windows\SysWOW64\Fpjqcaao.dll Elnoopdj.exe File created C:\Windows\SysWOW64\Gbchdp32.exe Gpelhd32.exe File created C:\Windows\SysWOW64\Ojemig32.exe Obnehj32.exe File created C:\Windows\SysWOW64\Ejhmqp32.dll Fbhpch32.exe File created C:\Windows\SysWOW64\Lenicahg.exe Lmgabcge.exe File created C:\Windows\SysWOW64\Gakiqbgc.dll Diccgfpd.exe File created C:\Windows\SysWOW64\Lielhgaa.dll Amqhbe32.exe File opened for modification C:\Windows\SysWOW64\Fgiaemic.exe Fdkdibjp.exe File created C:\Windows\SysWOW64\Gbjlkd32.dll Fnffhgon.exe File created C:\Windows\SysWOW64\Fgllff32.dll Bcddcbab.exe File created C:\Windows\SysWOW64\Kideagnd.dll Hkbmqb32.exe File opened for modification C:\Windows\SysWOW64\Gbchdp32.exe Gpelhd32.exe File created C:\Windows\SysWOW64\Qachgk32.exe Qlgpod32.exe File created C:\Windows\SysWOW64\Kncaec32.exe Kgiiiidd.exe File created C:\Windows\SysWOW64\Aggpfkjj.exe Ahaceo32.exe File opened for modification C:\Windows\SysWOW64\Kapfiqoj.exe Klbnajqc.exe File created C:\Windows\SysWOW64\Mjlalkmd.exe Mcaipa32.exe File created C:\Windows\SysWOW64\Ggamph32.dll Djhimica.exe File created C:\Windows\SysWOW64\Hhcmlj32.dll Innfnl32.exe File created C:\Windows\SysWOW64\Paoollik.exe Pmcclm32.exe File created C:\Windows\SysWOW64\Nqobhgmh.dll Mlofcf32.exe File opened for modification C:\Windows\SysWOW64\Dpopbepi.exe Dkbgjo32.exe File opened for modification C:\Windows\SysWOW64\Ennqfenp.exe Emmdom32.exe File created C:\Windows\SysWOW64\Gfjkjo32.exe Gncchb32.exe File opened for modification C:\Windows\SysWOW64\Jaonbc32.exe Jhgiim32.exe File created C:\Windows\SysWOW64\Fpgpgfmh.exe Fngcmcfe.exe File created C:\Windows\SysWOW64\Bnnkgo32.dll Kpoalo32.exe File created C:\Windows\SysWOW64\Lopmii32.exe Lnoaaaad.exe File created C:\Windows\SysWOW64\Iimcma32.exe Iogopi32.exe File opened for modification C:\Windows\SysWOW64\Bbdpad32.exe Bpedeiff.exe File opened for modification C:\Windows\SysWOW64\Ahgjejhd.exe Ackbmcjl.exe File opened for modification C:\Windows\SysWOW64\Ldgccb32.exe Ljaoeini.exe File created C:\Windows\SysWOW64\Felbnn32.exe Efgemb32.exe File opened for modification C:\Windows\SysWOW64\Piijno32.exe Pcobaedj.exe File opened for modification C:\Windows\SysWOW64\Jekqmhia.exe Iidphgcn.exe File created C:\Windows\SysWOW64\Edommp32.dll Eiahnnph.exe File created C:\Windows\SysWOW64\Iidphgcn.exe Ickglm32.exe File created C:\Windows\SysWOW64\Mcgckb32.dll Iogopi32.exe File opened for modification C:\Windows\SysWOW64\Enlcahgh.exe Egbken32.exe File opened for modification C:\Windows\SysWOW64\Icknfcol.exe Ilafiihp.exe File opened for modification C:\Windows\SysWOW64\Ndflak32.exe Nhokljge.exe File created C:\Windows\SysWOW64\Bdickcpo.exe Bnoknihb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2464 13508 WerFault.exe 782 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfmde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojemig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgjlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdheded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojefobm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmoijje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piocecgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjhbfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiobo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enopghee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqnejaff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnqklgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddligq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glipgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfaajnfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbeeiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocgbend.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjijmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbojlfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manmoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgcfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jilfifme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnffhgon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkcigjel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpjoloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjimhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdlfhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paoollik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnobj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laiipofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjiej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ennqfenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbnfleo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modpib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnindhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcpmen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgnjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhpch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meepdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmadco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geldkfpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenicahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhokljge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njedbjej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmcmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingpmmgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekqmhia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojdlfeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqmlccdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifkpknp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeeobbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fniihmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofckhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckilmcgb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoeieolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipeeobbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fipkjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcmlj32.dll" Innfnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keimof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofmdio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lancko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjmfmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlgpod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifomll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bomkcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fecadghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjmoag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmpjoloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnnljj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljbnfleo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnidqf32.dll" Fgiaemic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmcpd32.dll" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiahpo32.dll" Cpogkhnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hobbfhjl.dll" Mledmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfcnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaonbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcelk32.dll" Gljgbllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekmfnbj.dll" Bbaclegm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqjei32.dll" Fimodc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gikkfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjdidn.dll" Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aidehpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclhcj32.dll" Egegjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbofaoj.dll" Ejoomhmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiiggoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll" Nimmifgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkjdh32.dll" Qebhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbmpk32.dll" Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll" Djgdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakaffp.dll" Fdepgkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpaoan32.dll" Fnkfmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljbnfleo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adikdfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gifkpknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpklg32.dll" Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobbbd32.dll" Igpdfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbgeno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibfnqmpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njbgmjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aagdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boflmdkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohmhmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmbhgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aajohjon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldcjeia.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3292 wrote to memory of 4752 3292 4e455fa0ebd6ba4cb62c891ae274415b8f5736443ceffbbc68dd5e3574a87b84N.exe 83 PID 3292 wrote to memory of 4752 3292 4e455fa0ebd6ba4cb62c891ae274415b8f5736443ceffbbc68dd5e3574a87b84N.exe 83 PID 3292 wrote to memory of 4752 3292 4e455fa0ebd6ba4cb62c891ae274415b8f5736443ceffbbc68dd5e3574a87b84N.exe 83 PID 4752 wrote to memory of 5028 4752 Plpqil32.exe 84 PID 4752 wrote to memory of 5028 4752 Plpqil32.exe 84 PID 4752 wrote to memory of 5028 4752 Plpqil32.exe 84 PID 5028 wrote to memory of 4952 5028 Peieba32.exe 85 PID 5028 wrote to memory of 4952 5028 Peieba32.exe 85 PID 5028 wrote to memory of 4952 5028 Peieba32.exe 85 PID 4952 wrote to memory of 4940 4952 Pkenjh32.exe 86 PID 4952 wrote to memory of 4940 4952 Pkenjh32.exe 86 PID 4952 wrote to memory of 4940 4952 Pkenjh32.exe 86 PID 4940 wrote to memory of 884 4940 Papfgbmg.exe 87 PID 4940 wrote to memory of 884 4940 Papfgbmg.exe 87 PID 4940 wrote to memory of 884 4940 Papfgbmg.exe 87 PID 884 wrote to memory of 3488 884 Phincl32.exe 88 PID 884 wrote to memory of 3488 884 Phincl32.exe 88 PID 884 wrote to memory of 3488 884 Phincl32.exe 88 PID 3488 wrote to memory of 5032 3488 Pkhjph32.exe 89 PID 3488 wrote to memory of 5032 3488 Pkhjph32.exe 89 PID 3488 wrote to memory of 5032 3488 Pkhjph32.exe 89 PID 5032 wrote to memory of 1256 5032 Pcobaedj.exe 91 PID 5032 wrote to memory of 1256 5032 Pcobaedj.exe 91 PID 5032 wrote to memory of 1256 5032 Pcobaedj.exe 91 PID 1256 wrote to memory of 3372 1256 Piijno32.exe 92 PID 1256 wrote to memory of 3372 1256 Piijno32.exe 92 PID 1256 wrote to memory of 3372 1256 Piijno32.exe 92 PID 3372 wrote to memory of 2884 3372 Qkjgegae.exe 93 PID 3372 wrote to memory of 2884 3372 Qkjgegae.exe 93 PID 3372 wrote to memory of 2884 3372 Qkjgegae.exe 93 PID 2884 wrote to memory of 320 2884 Qadoba32.exe 94 PID 2884 wrote to memory of 320 2884 Qadoba32.exe 94 PID 2884 wrote to memory of 320 2884 Qadoba32.exe 94 PID 320 wrote to memory of 4544 320 Qhngolpo.exe 95 PID 320 wrote to memory of 4544 320 Qhngolpo.exe 95 PID 320 wrote to memory of 4544 320 Qhngolpo.exe 95 PID 4544 wrote to memory of 3968 4544 Qohpkf32.exe 96 PID 4544 wrote to memory of 3968 4544 Qohpkf32.exe 96 PID 4544 wrote to memory of 3968 4544 Qohpkf32.exe 96 PID 3968 wrote to memory of 3860 3968 Qebhhp32.exe 97 PID 3968 wrote to memory of 3860 3968 Qebhhp32.exe 97 PID 3968 wrote to memory of 3860 3968 Qebhhp32.exe 97 PID 3860 wrote to memory of 4728 3860 Akoqpg32.exe 98 PID 3860 wrote to memory of 4728 3860 Akoqpg32.exe 98 PID 3860 wrote to memory of 4728 3860 Akoqpg32.exe 98 PID 4728 wrote to memory of 3612 4728 Aojlaeei.exe 100 PID 4728 wrote to memory of 3612 4728 Aojlaeei.exe 100 PID 4728 wrote to memory of 3612 4728 Aojlaeei.exe 100 PID 3612 wrote to memory of 2288 3612 Ajpqnneo.exe 101 PID 3612 wrote to memory of 2288 3612 Ajpqnneo.exe 101 PID 3612 wrote to memory of 2288 3612 Ajpqnneo.exe 101 PID 2288 wrote to memory of 3836 2288 Alnmjjdb.exe 102 PID 2288 wrote to memory of 3836 2288 Alnmjjdb.exe 102 PID 2288 wrote to memory of 3836 2288 Alnmjjdb.exe 102 PID 3836 wrote to memory of 1880 3836 Achegd32.exe 103 PID 3836 wrote to memory of 1880 3836 Achegd32.exe 103 PID 3836 wrote to memory of 1880 3836 Achegd32.exe 103 PID 1880 wrote to memory of 4944 1880 Ahenokjf.exe 104 PID 1880 wrote to memory of 4944 1880 Ahenokjf.exe 104 PID 1880 wrote to memory of 4944 1880 Ahenokjf.exe 104 PID 4944 wrote to memory of 3876 4944 Ackbmcjl.exe 105 PID 4944 wrote to memory of 3876 4944 Ackbmcjl.exe 105 PID 4944 wrote to memory of 3876 4944 Ackbmcjl.exe 105 PID 3876 wrote to memory of 1864 3876 Ahgjejhd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e455fa0ebd6ba4cb62c891ae274415b8f5736443ceffbbc68dd5e3574a87b84N.exe"C:\Users\Admin\AppData\Local\Temp\4e455fa0ebd6ba4cb62c891ae274415b8f5736443ceffbbc68dd5e3574a87b84N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe24⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe25⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe26⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe27⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe28⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4356 -
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe30⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe33⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4352 -
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe35⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe36⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe37⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe38⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe39⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe40⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe41⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe42⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3116 -
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe44⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe45⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4648 -
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe47⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4864 -
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe49⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5068 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe51⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe52⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe53⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe54⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe56⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe58⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Dfefkkqp.exeC:\Windows\system32\Dfefkkqp.exe59⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\Dpnkdq32.exeC:\Windows\system32\Dpnkdq32.exe61⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe62⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe64⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe65⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe66⤵PID:1012
-
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe67⤵
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe68⤵PID:3516
-
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe70⤵PID:3296
-
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe71⤵
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe72⤵
- System Location Discovery: System Language Discovery
PID:1296 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe73⤵PID:1572
-
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe75⤵PID:3616
-
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe76⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe77⤵PID:4884
-
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe78⤵
- System Location Discovery: System Language Discovery
PID:4564 -
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe79⤵PID:1040
-
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe80⤵PID:5000
-
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe81⤵PID:3672
-
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe82⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe83⤵
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe84⤵PID:2408
-
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe85⤵PID:2296
-
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:116 -
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe87⤵PID:3928
-
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe88⤵PID:4680
-
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe89⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe90⤵PID:3152
-
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe91⤵PID:4048
-
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe92⤵
- System Location Discovery: System Language Discovery
PID:4824 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe93⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe94⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4672 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe96⤵PID:5148
-
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe97⤵PID:5196
-
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264 -
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Fideeaco.exeC:\Windows\system32\Fideeaco.exe100⤵PID:5400
-
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe101⤵PID:5448
-
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe102⤵PID:5492
-
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe103⤵PID:5536
-
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe104⤵PID:5584
-
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe105⤵PID:5624
-
C:\Windows\SysWOW64\Gdlfhj32.exeC:\Windows\system32\Gdlfhj32.exe106⤵
- System Location Discovery: System Language Discovery
PID:5668 -
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe107⤵
- System Location Discovery: System Language Discovery
PID:5712 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe108⤵PID:5764
-
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe109⤵
- System Location Discovery: System Language Discovery
PID:5808 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe110⤵PID:5852
-
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe111⤵PID:5896
-
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe112⤵
- Modifies registry class
PID:5936 -
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe113⤵
- Modifies registry class
PID:5976 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe114⤵PID:6016
-
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe115⤵PID:6056
-
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe116⤵PID:6100
-
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3144 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe118⤵PID:5176
-
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe119⤵PID:5284
-
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe120⤵
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5476 -
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe122⤵PID:5544
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-