Analysis

max time kernel: 92s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/11/2024, 02:40
Static task: static1
Behavioral task: behavioral1
  Sample: dc6a92ff6458eac9a847fdbe6d48311360a49a5865a615b77a001ab61e681712N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: dc6a92ff6458eac9a847fdbe6d48311360a49a5865a615b77a001ab61e681712N.exe
  Resource: win10v2004-20241007-en
General

Target: dc6a92ff6458eac9a847fdbe6d48311360a49a5865a615b77a001ab61e681712N.exe
Size: 63KB
MD5: cddb42af3c6a27736b02425fdca5a4d0
SHA1: b48d03b98427ecad458bc50738a07dd51fef5ced
SHA256: dc6a92ff6458eac9a847fdbe6d48311360a49a5865a615b77a001ab61e681712
SHA512: 3434fe7ab2615badefa662efe0392f3b7ca92fc12b3b408d8c7a86a459104767b7497ae0ec2a64ae370dde16b0810e65f52ae8e8216da69e64d10a258da0ba8a
SSDEEP: 1536:zePTPkvCrXDF8bkloHiKdDPNw4AyH1juIZo:zersvic9dZIyH1juIZo
Malware Config

Extracted family: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family

Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)

pid 8728, pid_target 8636, Process WerFault.exe, procid_target 372
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5012 wrote to memory of 1104 | 5012 | dc6a92ff6458eac9a847fdbe6d48311360a49a5865a615b77a001ab61e681712N.exe | 83
PID 5012 wrote to memory of 1104 | 5012 | dc6a92ff6458eac9a847fdbe6d48311360a49a5865a615b77a001ab61e681712N.exe | 83
PID 5012 wrote to memory of 1104 | 5012 | dc6a92ff6458eac9a847fdbe6d48311360a49a5865a615b77a001ab61e681712N.exe | 83
PID 1104 wrote to memory of 4944 | 1104 | Lbmhod32.exe | 84
PID 1104 wrote to memory of 4944 | 1104 | Lbmhod32.exe | 84
PID 1104 wrote to memory of 4944 | 1104 | Lbmhod32.exe | 84
PID 4944 wrote to memory of 884 | 4944 | Lifqkn32.exe | 85
PID 4944 wrote to memory of 884 | 4944 | Lifqkn32.exe | 85
PID 4944 wrote to memory of 884 | 4944 | Lifqkn32.exe | 85
PID 884 wrote to memory of 3852 | 884 | Lpqihhbp.exe | 86
PID 884 wrote to memory of 3852 | 884 | Lpqihhbp.exe | 86
PID 884 wrote to memory of 3852 | 884 | Lpqihhbp.exe | 86
PID 3852 wrote to memory of 4716 | 3852 | Mboeddad.exe | 88
PID 3852 wrote to memory of 4716 | 3852 | Mboeddad.exe | 88
PID 3852 wrote to memory of 4716 | 3852 | Mboeddad.exe | 88
PID 4716 wrote to memory of 4744 | 4716 | Mpcenhpn.exe | 89
PID 4716 wrote to memory of 4744 | 4716 | Mpcenhpn.exe | 89
PID 4716 wrote to memory of 4744 | 4716 | Mpcenhpn.exe | 89
PID 4744 wrote to memory of 4564 | 4744 | Mepnfone.exe | 90
PID 4744 wrote to memory of 4564 | 4744 | Mepnfone.exe | 90
PID 4744 wrote to memory of 4564 | 4744 | Mepnfone.exe | 90
PID 4564 wrote to memory of 5100 | 4564 | Mljfbiea.exe | 91
PID 4564 wrote to memory of 5100 | 4564 | Mljfbiea.exe | 91
PID 4564 wrote to memory of 5100 | 4564 | Mljfbiea.exe | 91
PID 5100 wrote to memory of 60 | 5100 | Mccooc32.exe | 92
PID 5100 wrote to memory of 60 | 5100 | Mccooc32.exe | 92
PID 5100 wrote to memory of 60 | 5100 | Mccooc32.exe | 92
PID 60 wrote to memory of 444 | 60 | Minglmdk.exe | 93
PID 60 wrote to memory of 444 | 60 | Minglmdk.exe | 93
PID 60 wrote to memory of 444 | 60 | Minglmdk.exe | 93
PID 444 wrote to memory of 3980 | 444 | Mpgoig32.exe | 94
PID 444 wrote to memory of 3980 | 444 | Mpgoig32.exe | 94
PID 444 wrote to memory of 3980 | 444 | Mpgoig32.exe | 94
PID 3980 wrote to memory of 5044 | 3980 | Mgageace.exe | 96
PID 3980 wrote to memory of 5044 | 3980 | Mgageace.exe | 96
PID 3980 wrote to memory of 5044 | 3980 | Mgageace.exe | 96
PID 5044 wrote to memory of 1984 | 5044 | Mmkpbl32.exe | 97
PID 5044 wrote to memory of 1984 | 5044 | Mmkpbl32.exe | 97
PID 5044 wrote to memory of 1984 | 5044 | Mmkpbl32.exe | 97
PID 1984 wrote to memory of 2136 | 1984 | Mgddka32.exe | 98
PID 1984 wrote to memory of 2136 | 1984 | Mgddka32.exe | 98
PID 1984 wrote to memory of 2136 | 1984 | Mgddka32.exe | 98
PID 2136 wrote to memory of 4852 | 2136 | Mlqlch32.exe | 99
PID 2136 wrote to memory of 4852 | 2136 | Mlqlch32.exe | 99
PID 2136 wrote to memory of 4852 | 2136 | Mlqlch32.exe | 99
PID 4852 wrote to memory of 3916 | 4852 | Nckepbgf.exe | 100
PID 4852 wrote to memory of 3916 | 4852 | Nckepbgf.exe | 100
PID 4852 wrote to memory of 3916 | 4852 | Nckepbgf.exe | 100
PID 3916 wrote to memory of 1128 | 3916 | Nlciih32.exe | 101
PID 3916 wrote to memory of 1128 | 3916 | Nlciih32.exe | 101
PID 3916 wrote to memory of 1128 | 3916 | Nlciih32.exe | 101
PID 1128 wrote to memory of 4432 | 1128 | Ndjajeni.exe | 102
PID 1128 wrote to memory of 4432 | 1128 | Ndjajeni.exe | 102
PID 1128 wrote to memory of 4432 | 1128 | Ndjajeni.exe | 102
PID 4432 wrote to memory of 1292 | 4432 | Njgjbllq.exe | 103
PID 4432 wrote to memory of 1292 | 4432 | Njgjbllq.exe | 103
PID 4432 wrote to memory of 1292 | 4432 | Njgjbllq.exe | 103
PID 1292 wrote to memory of 3360 | 1292 | Npabof32.exe | 104
PID 1292 wrote to memory of 3360 | 1292 | Npabof32.exe | 104
PID 1292 wrote to memory of 3360 | 1292 | Npabof32.exe | 104
PID 3360 wrote to memory of 1168 | 3360 | Nenjgm32.exe | 105
PID 3360 wrote to memory of 1168 | 3360 | Nenjgm32.exe | 105
PID 3360 wrote to memory of 1168 | 3360 | Nenjgm32.exe | 105
PID 1168 wrote to memory of 2308 | 1168 | Npcodf32.exe | 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc6a92ff6458eac9a847fdbe6d48311360a49a5865a615b77a001ab61e681712N.exe"C:\Users\Admin\AppData\Local\Temp\dc6a92ff6458eac9a847fdbe6d48311360a49a5865a615b77a001ab61e681712N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Lbmhod32.exeC:\Windows\system32\Lbmhod32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Lifqkn32.exeC:\Windows\system32\Lifqkn32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Lpqihhbp.exeC:\Windows\system32\Lpqihhbp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Mboeddad.exeC:\Windows\system32\Mboeddad.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Mpcenhpn.exeC:\Windows\system32\Mpcenhpn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Mepnfone.exeC:\Windows\system32\Mepnfone.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Mljfbiea.exeC:\Windows\system32\Mljfbiea.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Mccooc32.exeC:\Windows\system32\Mccooc32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Minglmdk.exeC:\Windows\system32\Minglmdk.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Mpgoig32.exeC:\Windows\system32\Mpgoig32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Mgageace.exeC:\Windows\system32\Mgageace.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Mmkpbl32.exeC:\Windows\system32\Mmkpbl32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Mgddka32.exeC:\Windows\system32\Mgddka32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Mlqlch32.exeC:\Windows\system32\Mlqlch32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Nckepbgf.exeC:\Windows\system32\Nckepbgf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Nlciih32.exeC:\Windows\system32\Nlciih32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Ndjajeni.exeC:\Windows\system32\Ndjajeni.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Njgjbllq.exeC:\Windows\system32\Njgjbllq.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Npabof32.exeC:\Windows\system32\Npabof32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Nenjgm32.exeC:\Windows\system32\Nenjgm32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Npcodf32.exeC:\Windows\system32\Npcodf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Ndoked32.exeC:\Windows\system32\Ndoked32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Nfpgmmpb.exeC:\Windows\system32\Nfpgmmpb.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Nljoig32.exeC:\Windows\system32\Nljoig32.exe25⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ndagjd32.exeC:\Windows\system32\Ndagjd32.exe26⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Nfbdblnp.exeC:\Windows\system32\Nfbdblnp.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3936 -
C:\Windows\SysWOW64\Nnilcjnb.exeC:\Windows\system32\Nnilcjnb.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Nlllof32.exeC:\Windows\system32\Nlllof32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4548 -
C:\Windows\SysWOW64\Ogbploeb.exeC:\Windows\system32\Ogbploeb.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3760 -
C:\Windows\SysWOW64\Oloidfcj.exeC:\Windows\system32\Oloidfcj.exe31⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Ociaap32.exeC:\Windows\system32\Ociaap32.exe32⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Ojbinjbc.exeC:\Windows\system32\Ojbinjbc.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3856 -
C:\Windows\SysWOW64\Opmakd32.exeC:\Windows\system32\Opmakd32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4492 -
C:\Windows\SysWOW64\Ogfjgo32.exeC:\Windows\system32\Ogfjgo32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4100 -
C:\Windows\SysWOW64\Ojefcj32.exeC:\Windows\system32\Ojefcj32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Oqonpdgn.exeC:\Windows\system32\Oqonpdgn.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3080 -
C:\Windows\SysWOW64\Ocmjlpfa.exeC:\Windows\system32\Ocmjlpfa.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3784 -
C:\Windows\SysWOW64\Ojgbij32.exeC:\Windows\system32\Ojgbij32.exe39⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Oqakfdek.exeC:\Windows\system32\Oqakfdek.exe40⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Ocpgbodo.exeC:\Windows\system32\Ocpgbodo.exe41⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Ojjooilk.exeC:\Windows\system32\Ojjooilk.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Omhlkeko.exeC:\Windows\system32\Omhlkeko.exe43⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Pcbdgo32.exeC:\Windows\system32\Pcbdgo32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5092 -
C:\Windows\SysWOW64\Pmjhpdil.exeC:\Windows\system32\Pmjhpdil.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Pcdqmo32.exeC:\Windows\system32\Pcdqmo32.exe46⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Pjnijihf.exeC:\Windows\system32\Pjnijihf.exe47⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Pmmefd32.exeC:\Windows\system32\Pmmefd32.exe48⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Pcgmbnnf.exeC:\Windows\system32\Pcgmbnnf.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4320 -
C:\Windows\SysWOW64\Pnlapgnl.exeC:\Windows\system32\Pnlapgnl.exe50⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Pqknlbmp.exeC:\Windows\system32\Pqknlbmp.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Pgdfim32.exeC:\Windows\system32\Pgdfim32.exe52⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Pnoneglj.exeC:\Windows\system32\Pnoneglj.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\Pqmjab32.exeC:\Windows\system32\Pqmjab32.exe54⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Pggbnlbj.exeC:\Windows\system32\Pggbnlbj.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3568 -
C:\Windows\SysWOW64\Pjeojhbn.exeC:\Windows\system32\Pjeojhbn.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4788 -
C:\Windows\SysWOW64\Qmdkfcaa.exeC:\Windows\system32\Qmdkfcaa.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4800 -
C:\Windows\SysWOW64\Qcnccm32.exeC:\Windows\system32\Qcnccm32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Qjhlpgpk.exeC:\Windows\system32\Qjhlpgpk.exe59⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Qqadmagh.exeC:\Windows\system32\Qqadmagh.exe60⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Qgllil32.exeC:\Windows\system32\Qgllil32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3532 -
C:\Windows\SysWOW64\Amhdab32.exeC:\Windows\system32\Amhdab32.exe62⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Acbmnmdi.exeC:\Windows\system32\Acbmnmdi.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Ajlekg32.exeC:\Windows\system32\Ajlekg32.exe64⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Aebihpkl.exeC:\Windows\system32\Aebihpkl.exe65⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Agpedkjp.exeC:\Windows\system32\Agpedkjp.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Ammnmbig.exeC:\Windows\system32\Ammnmbig.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3076 -
C:\Windows\SysWOW64\Aedfnoii.exeC:\Windows\system32\Aedfnoii.exe68⤵PID:1872
-
C:\Windows\SysWOW64\Afebeg32.exeC:\Windows\system32\Afebeg32.exe69⤵
- System Location Discovery: System Language Discovery
PID:4892 -
C:\Windows\SysWOW64\Aakfcp32.exeC:\Windows\system32\Aakfcp32.exe70⤵
- Drops file in System32 directory
PID:4516 -
C:\Windows\SysWOW64\Ageopj32.exeC:\Windows\system32\Ageopj32.exe71⤵PID:4752
-
C:\Windows\SysWOW64\Anogldng.exeC:\Windows\system32\Anogldng.exe72⤵
- Drops file in System32 directory
PID:4080 -
C:\Windows\SysWOW64\Agglej32.exeC:\Windows\system32\Agglej32.exe73⤵
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Bnadadld.exeC:\Windows\system32\Bnadadld.exe74⤵
- Modifies registry class
PID:3224 -
C:\Windows\SysWOW64\Bcnljkjl.exeC:\Windows\system32\Bcnljkjl.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Bjhdgeai.exeC:\Windows\system32\Bjhdgeai.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Bmfqcqql.exeC:\Windows\system32\Bmfqcqql.exe77⤵PID:1272
-
C:\Windows\SysWOW64\Bglepipb.exeC:\Windows\system32\Bglepipb.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4128 -
C:\Windows\SysWOW64\Bmimhpoj.exeC:\Windows\system32\Bmimhpoj.exe79⤵
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Bccfej32.exeC:\Windows\system32\Bccfej32.exe80⤵PID:4276
-
C:\Windows\SysWOW64\Bnhjbcfl.exeC:\Windows\system32\Bnhjbcfl.exe81⤵PID:3900
-
C:\Windows\SysWOW64\Bebbom32.exeC:\Windows\system32\Bebbom32.exe82⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Bjokgd32.exeC:\Windows\system32\Bjokgd32.exe83⤵
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Bmngcp32.exeC:\Windows\system32\Bmngcp32.exe84⤵PID:4216
-
C:\Windows\SysWOW64\Bhckqh32.exeC:\Windows\system32\Bhckqh32.exe85⤵
- Drops file in System32 directory
PID:4020 -
C:\Windows\SysWOW64\Cnmcnb32.exeC:\Windows\system32\Cnmcnb32.exe86⤵PID:5072
-
C:\Windows\SysWOW64\Ccjlfi32.exeC:\Windows\system32\Ccjlfi32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3972 -
C:\Windows\SysWOW64\Cnopcb32.exeC:\Windows\system32\Cnopcb32.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:4632 -
C:\Windows\SysWOW64\Canlon32.exeC:\Windows\system32\Canlon32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5020 -
C:\Windows\SysWOW64\Chhdlhfe.exeC:\Windows\system32\Chhdlhfe.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5160 -
C:\Windows\SysWOW64\Cnamib32.exeC:\Windows\system32\Cnamib32.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5220 -
C:\Windows\SysWOW64\Capiemme.exeC:\Windows\system32\Capiemme.exe92⤵PID:5264
-
C:\Windows\SysWOW64\Cdoeaili.exeC:\Windows\system32\Cdoeaili.exe93⤵PID:5308
-
C:\Windows\SysWOW64\Cjhmnc32.exeC:\Windows\system32\Cjhmnc32.exe94⤵PID:5352
-
C:\Windows\SysWOW64\Cmgjjn32.exeC:\Windows\system32\Cmgjjn32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5400 -
C:\Windows\SysWOW64\Cenakl32.exeC:\Windows\system32\Cenakl32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:5444 -
C:\Windows\SysWOW64\Cjkjcb32.exeC:\Windows\system32\Cjkjcb32.exe97⤵PID:5504
-
C:\Windows\SysWOW64\Dhokmgpm.exeC:\Windows\system32\Dhokmgpm.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5548 -
C:\Windows\SysWOW64\Doicia32.exeC:\Windows\system32\Doicia32.exe99⤵PID:5592
-
C:\Windows\SysWOW64\Dmlcennd.exeC:\Windows\system32\Dmlcennd.exe100⤵PID:5640
-
C:\Windows\SysWOW64\Deckfkof.exeC:\Windows\system32\Deckfkof.exe101⤵PID:5684
-
C:\Windows\SysWOW64\Dokpoq32.exeC:\Windows\system32\Dokpoq32.exe102⤵
- System Location Discovery: System Language Discovery
PID:5728 -
C:\Windows\SysWOW64\Deehkk32.exeC:\Windows\system32\Deehkk32.exe103⤵PID:5768
-
C:\Windows\SysWOW64\Dhcdhf32.exeC:\Windows\system32\Dhcdhf32.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5812 -
C:\Windows\SysWOW64\Dkbpda32.exeC:\Windows\system32\Dkbpda32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5856 -
C:\Windows\SysWOW64\Dhfqmf32.exeC:\Windows\system32\Dhfqmf32.exe106⤵PID:5896
-
C:\Windows\SysWOW64\Dmbiem32.exeC:\Windows\system32\Dmbiem32.exe107⤵PID:5940
-
C:\Windows\SysWOW64\Dejafj32.exeC:\Windows\system32\Dejafj32.exe108⤵PID:5980
-
C:\Windows\SysWOW64\Dhhncehb.exeC:\Windows\system32\Dhhncehb.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6024 -
C:\Windows\SysWOW64\Dobfpp32.exeC:\Windows\system32\Dobfpp32.exe110⤵
- Drops file in System32 directory
PID:6068 -
C:\Windows\SysWOW64\Ehjjhefp.exeC:\Windows\system32\Ehjjhefp.exe111⤵PID:6116
-
C:\Windows\SysWOW64\Eodbeo32.exeC:\Windows\system32\Eodbeo32.exe112⤵PID:5136
-
C:\Windows\SysWOW64\Eeokaiei.exeC:\Windows\system32\Eeokaiei.exe113⤵
- System Location Discovery: System Language Discovery
PID:5236 -
C:\Windows\SysWOW64\Eogokokj.exeC:\Windows\system32\Eogokokj.exe114⤵PID:5300
-
C:\Windows\SysWOW64\Edcgcfja.exeC:\Windows\system32\Edcgcfja.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Eoilpoig.exeC:\Windows\system32\Eoilpoig.exe116⤵
- System Location Discovery: System Language Discovery
PID:5440 -
C:\Windows\SysWOW64\Egdqdagb.exeC:\Windows\system32\Egdqdagb.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5536 -
C:\Windows\SysWOW64\Eajebj32.exeC:\Windows\system32\Eajebj32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5604 -
C:\Windows\SysWOW64\Eggmjq32.exeC:\Windows\system32\Eggmjq32.exe119⤵PID:5672
-
C:\Windows\SysWOW64\Emqegkll.exeC:\Windows\system32\Emqegkll.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5752 -
C:\Windows\SysWOW64\Fdknce32.exeC:\Windows\system32\Fdknce32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:5820 -
C:\Windows\SysWOW64\Fgijpp32.exeC:\Windows\system32\Fgijpp32.exe122⤵
- System Location Discovery: System Language Discovery
PID:5892