Analysis
max time kernel: 91s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2024 01:14

Static task: static1

Behavioral task: behavioral1
Sample: 9705fc4cfd37917f667230b8f0f52c3cfa5a2e38e5945c9aa22e2f40f856a833.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 9705fc4cfd37917f667230b8f0f52c3cfa5a2e38e5945c9aa22e2f40f856a833.exe
Resource: win10v2004-20241007-en

General
Target: 9705fc4cfd37917f667230b8f0f52c3cfa5a2e38e5945c9aa22e2f40f856a833.exe
Size: 90KB
MD5: bb48f698cc41a6ff134493e77fb8387f
SHA1: ff29a7125cf89d9fbb2038988efe255e4e630fbc
SHA256: 9705fc4cfd37917f667230b8f0f52c3cfa5a2e38e5945c9aa22e2f40f856a833
SHA512: e82851c270b3a57edbdb21c68a96eb3904319753fd8c01a9f257a4159894042947629d20e1064dda2371a35c6b8336b2ebae0af2976ec8524cd31825c9d1d620
SSDEEP: 1536:7GXnO5CNKd7BgdKa7YvWfG1Ofu85fI9yVnQQC4fl8k/7TZP:7ynaGw6ExWOUfDf83T498a7TZP

Malware Config
Extracted: berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hhglbo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amkagb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfhhbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idbfbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pgoecgef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhokmgpm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edfdhego.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjjheg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aokcngdo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nockpmgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agmbde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Beeodm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Edfdhego.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iglhckde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnpcfd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mikclg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afjlqgkb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fncblj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inkjkd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aofjch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmddma32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emgbqldg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mihffh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbchemic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opngfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjnbobdj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bijnhleg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ambgha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ambgha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gaogdg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onekoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkfjoagf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hddiqaml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmoakd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Golamlib.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Celeel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mppbnb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhppmd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Moleonmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nidmml32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnhjbcfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgdfim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hohahjod.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iojgegoo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nidfbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohbfiage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ammgblek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acicol32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibffkcpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bagfooep.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emlllk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emniakno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oeffce32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agkeoeki.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocmjlpfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pddmga32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjodmn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ammnmbig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klapqf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acicol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hoadoigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikhdcj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbbono32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lopecoga.exe
Berbew family
Executes dropped EXE 64 IoCs
pid | Process
1536 | Mchhjbii.exe
1132 | Mnnlgkho.exe
316 | Mplhdghc.exe
3616 | Nckepbgf.exe
476 | Nidmml32.exe
2540 | Ndjajeni.exe
2772 | Nghmfqmm.exe
3096 | Nnbebk32.exe
2324 | Npabof32.exe
3540 | Ngkjlpkj.exe
1468 | Nlhbdgia.exe
2992 | Ncakqaqo.exe
4576 | Njlcmk32.exe
3492 | Npekjeph.exe
4568 | Ncdgfaol.exe
2120 | Ngpcgp32.exe
228 | Njnpck32.exe
3152 | Nlllof32.exe
5104 | Odcdpd32.exe
1792 | Ogbploeb.exe
3864 | Onlhii32.exe
1472 | Opjeee32.exe
4176 | Ociaap32.exe
3632 | Ogdmaocp.exe
3548 | Opmakd32.exe
4076 | Ojefcj32.exe
1168 | Ocmjlpfa.exe
2696 | Ojgbij32.exe
1120 | Ocpgbodo.exe
4912 | Onekoh32.exe
3984 | Pnghdh32.exe
1400 | Pfcmij32.exe
4784 | Pddmga32.exe
4800 | Pfeiojnj.exe
688 | Pmoakd32.exe
3600 | Pgdfim32.exe
3848 | Pqmjab32.exe
3456 | Pggbnlbj.exe
4340 | Pnakkf32.exe
2852 | Qdkcgqad.exe
1616 | Qgiodlqh.exe
1148 | Qncgqf32.exe
1160 | Qmfhlcoo.exe
960 | Qdmpmp32.exe
4948 | Qjjheg32.exe
4504 | Amhdab32.exe
4716 | Aqdqbaee.exe
4744 | Acbmnmdi.exe
1032 | Anhaledo.exe
448 | Amkagb32.exe
3236 | Agpedkjp.exe
876 | Ammnmbig.exe
3980 | Aedfnoii.exe
4972 | Afebeg32.exe
1552 | Ampkbagd.exe
3800 | Acicol32.exe
4844 | Afhokgme.exe
1504 | Ajcklf32.exe
1872 | Ambgha32.exe
3104 | Afjlqgkb.exe
4116 | Bmddma32.exe
4528 | Bcnljkjl.exe
2308 | Bncqgd32.exe
2632 | Benidnao.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Pgdfim32.exe | Pmoakd32.exe
File opened for modification | C:\Windows\SysWOW64\Emniakno.exe | Egdqdagb.exe
File created | C:\Windows\SysWOW64\Gnecnd32.dll | Knnpgbgg.exe
File opened for modification | C:\Windows\SysWOW64\Noehelej.exe | Nlgliaef.exe
File opened for modification | C:\Windows\SysWOW64\Pgminggi.exe | Pcammi32.exe
File created | C:\Windows\SysWOW64\Pohnbjdd.exe | Pljafneq.exe
File opened for modification | C:\Windows\SysWOW64\Ocmjlpfa.exe | Ojefcj32.exe
File opened for modification | C:\Windows\SysWOW64\Afebeg32.exe | Aedfnoii.exe
File created | C:\Windows\SysWOW64\Kbnggn32.dll | Cfhhbe32.exe
File created | C:\Windows\SysWOW64\Jnbpkcad.exe | Jiehcmcm.exe
File opened for modification | C:\Windows\SysWOW64\Pjkejcfm.exe | Pgminggi.exe
File opened for modification | C:\Windows\SysWOW64\Eeokaiei.exe | Emgbqldg.exe
File created | C:\Windows\SysWOW64\Pphjlm32.exe | Phqbko32.exe
File created | C:\Windows\SysWOW64\Qlilanbh.dll | Nlhbdgia.exe
File created | C:\Windows\SysWOW64\Onekoh32.exe | Ocpgbodo.exe
File created | C:\Windows\SysWOW64\Ldjbokge.dll | Pnakkf32.exe
File created | C:\Windows\SysWOW64\Jeilbn32.exe | Jfglgadi.exe
File opened for modification | C:\Windows\SysWOW64\Nidfbf32.exe | Nplaiqdg.exe
File opened for modification | C:\Windows\SysWOW64\Jfnbgp32.exe | Jpdikffd.exe
File created | C:\Windows\SysWOW64\Joanpj32.dll | Knbiba32.exe
File opened for modification | C:\Windows\SysWOW64\Mefmlh32.exe | Mfcmqknf.exe
File created | C:\Windows\SysWOW64\Qjhpan32.dll | Ohiljpam.exe
File created | C:\Windows\SysWOW64\Pfgojchl.exe | Pjpoeb32.exe
File created | C:\Windows\SysWOW64\Onlhii32.exe | Ogbploeb.exe
File opened for modification | C:\Windows\SysWOW64\Cegljmid.exe | Cnmcnb32.exe
File created | C:\Windows\SysWOW64\Jfociegn.dll | Edfdhego.exe
File opened for modification | C:\Windows\SysWOW64\Eonekn32.exe | Eggmjq32.exe
File opened for modification | C:\Windows\SysWOW64\Mfjjjl32.exe | Mppbnb32.exe
File created | C:\Windows\SysWOW64\Nockpmgl.exe | Nhiccb32.exe
File created | C:\Windows\SysWOW64\Cfhdmdld.dll | Amhdab32.exe
File created | C:\Windows\SysWOW64\Libnjkek.dll | Fnhlgjfd.exe
File opened for modification | C:\Windows\SysWOW64\Leedejbd.exe | Lbghiocp.exe
File created | C:\Windows\SysWOW64\Gcmieg32.dll | Afekka32.exe
File opened for modification | C:\Windows\SysWOW64\Ikagjh32.exe | Iegomnmf.exe
File created | C:\Windows\SysWOW64\Lpilmcdl.exe | Lhadlfcj.exe
File created | C:\Windows\SysWOW64\Lehakj32.exe | Loninpid.exe
File opened for modification | C:\Windows\SysWOW64\Pmoakd32.exe | Pfeiojnj.exe
File created | C:\Windows\SysWOW64\Bbhjcj32.dll | Gdkgjb32.exe
File created | C:\Windows\SysWOW64\Bljmpb32.dll | Olpoppnk.exe
File created | C:\Windows\SysWOW64\Dohcnbae.dll | Aichgm32.exe
File created | C:\Windows\SysWOW64\Caddef32.dll | Faonmibc.exe
File created | C:\Windows\SysWOW64\Fobofmal.exe | Fgkgepqj.exe
File created | C:\Windows\SysWOW64\Mjmilige.dll | Nckepbgf.exe
File created | C:\Windows\SysWOW64\Nghmfqmm.exe | Ndjajeni.exe
File created | C:\Windows\SysWOW64\Npgojn32.dll | Dmbiem32.exe
File created | C:\Windows\SysWOW64\Ncbfki32.dll | Khmjqf32.exe
File opened for modification | C:\Windows\SysWOW64\Meadah32.exe | Mbchemic.exe
File created | C:\Windows\SysWOW64\Bggdkd32.exe | Bopmif32.exe
File opened for modification | C:\Windows\SysWOW64\Emgbqldg.exe | Ekifdqec.exe
File created | C:\Windows\SysWOW64\Bcdkpdph.exe | Bqfodh32.exe
File opened for modification | C:\Windows\SysWOW64\Bfcogecg.exe | Bagfooep.exe
File opened for modification | C:\Windows\SysWOW64\Kfiaco32.exe | Knbiba32.exe
File created | C:\Windows\SysWOW64\Dllcch32.dll | Mlnicbnq.exe
File created | C:\Windows\SysWOW64\Ndnojjpq.dll | Ngjcajgo.exe
File created | C:\Windows\SysWOW64\Hlkcoo32.dll | Olehko32.exe
File opened for modification | C:\Windows\SysWOW64\Pfcmij32.exe | Pnghdh32.exe
File created | C:\Windows\SysWOW64\Fnjhmida.exe | Fkllanen.exe
File created | C:\Windows\SysWOW64\Opbdanco.dll | Fnjhmida.exe
File opened for modification | C:\Windows\SysWOW64\Iofmjh32.exe | Igoehk32.exe
File created | C:\Windows\SysWOW64\Mihffh32.exe | Mfjjjl32.exe
File created | C:\Windows\SysWOW64\Koqgnp32.dll | Facghh32.exe
File opened for modification | C:\Windows\SysWOW64\Inkjkd32.exe | Iklnoihi.exe
File created | C:\Windows\SysWOW64\Hlenmajn.dll | Mfjjjl32.exe
File opened for modification | C:\Windows\SysWOW64\Bgnkkckd.exe | Bpfcjeja.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
8808 | 7448 | WerFault.exe | 427
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfjjjl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bglepipb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dokpoq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emniakno.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbbono32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgknnb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npabof32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlllof32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opjeee32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnhjbcfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oolnfkoa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qdmpmp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fnjhmida.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jelihn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nccqlkkp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgnafinp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Domldpcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjeago32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmefklfj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idpilp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhppmd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nidfbf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nekgggpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njlcmk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfeiojnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jnpcfd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khknkgjb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngpcgp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hohahjod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jniflb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hojnnj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aofjch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bopmif32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcdkpdph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfqgdn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhfmge32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oipend32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agkeoeki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ociaap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmbpoofo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Celeel32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edfdhego.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Meadah32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nockpmgl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fejjnh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jlmgegjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khfdpgng.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knbiba32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ieebgooi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mikclg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mecqfh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjnbobdj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncdgfaol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qncgqf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdlhki32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmifon32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ammgblek.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hoadoigj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkfaehpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klapqf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lnipcp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlhbdgia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npekjeph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onekoh32.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapijcmq.dll" | Cffkleae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fageamqg.dll" | Dhokmgpm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lpilmcdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ccghfcne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qjjheg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Amhdab32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bglepipb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmbll32.dll" | Igoehk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jeilbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdokfa32.dll" | Mikclg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mchhjbii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jioojpgh.dll" | Hoadoigj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pjkejcfm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bihablgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndjajeni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bglepipb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Biadhkop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncakqaqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nijlieef.dll" | Iojgegoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjodd32.dll" | Bimkmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olheph32.dll" | Bmddma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabgjf32.dll" | Emlllk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhfao32.dll" | Deehkk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dmefklfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhgqdabm.dll" | Pgoecgef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjcako32.dll" | Qqopml32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nlllof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qghbgn32.dll" | Ambgha32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iglhckde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcjocan.dll" | Olledp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pjnbobdj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mplhdghc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Acfoof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkaflc32.dll" | Fkdfpokf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hojnnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaajlppf.dll" | Mihffh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidlnd32.dll" | Bjlggnjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Amhdab32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ocmjlpfa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dejafj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fgijpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Khfdpgng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bgpgab32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ociaap32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Limgkiob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahooenki.dll" | Lpilmcdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lopecoga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ohgodq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhqln32.dll" | Fkllanen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afjlqgkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jkfaehpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkcdfoba.dll" | Ajiaka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ammgblek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onekoh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jiehcmcm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jnbpkcad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljmpb32.dll" | Olpoppnk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Acdbifok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emgbqldg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadqfhla.dll" | Kbgoba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aiedml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keabimfi.dll" | Bfnnap32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fncblj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Benidnao.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1656 wrote to memory of 1536 1656 9705fc4cfd37917f667230b8f0f52c3cfa5a2e38e5945c9aa22e2f40f856a833.exe 81
PID 1656 wrote to memory of 1536 1656 9705fc4cfd37917f667230b8f0f52c3cfa5a2e38e5945c9aa22e2f40f856a833.exe 81
PID 1656 wrote to memory of 1536 1656 9705fc4cfd37917f667230b8f0f52c3cfa5a2e38e5945c9aa22e2f40f856a833.exe 81
PID 1536 wrote to memory of 1132 1536 Mchhjbii.exe 82
PID 1536 wrote to memory of 1132 1536 Mchhjbii.exe 82
PID 1536 wrote to memory of 1132 1536 Mchhjbii.exe 82
PID 1132 wrote to memory of 316 1132 Mnnlgkho.exe 83
PID 1132 wrote to memory of 316 1132 Mnnlgkho.exe 83
PID 1132 wrote to memory of 316 1132 Mnnlgkho.exe 83
PID 316 wrote to memory of 3616 316 Mplhdghc.exe 84
PID 316 wrote to memory of 3616 316 Mplhdghc.exe 84
PID 316 wrote to memory of 3616 316 Mplhdghc.exe 84
PID 3616 wrote to memory of 476 3616 Nckepbgf.exe 85
PID 3616 wrote to memory of 476 3616 Nckepbgf.exe 85
PID 3616 wrote to memory of 476 3616 Nckepbgf.exe 85
PID 476 wrote to memory of 2540 476 Nidmml32.exe 86
PID 476 wrote to memory of 2540 476 Nidmml32.exe 86
PID 476 wrote to memory of 2540 476 Nidmml32.exe 86
PID 2540 wrote to memory of 2772 2540 Ndjajeni.exe 87
PID 2540 wrote to memory of 2772 2540 Ndjajeni.exe 87
PID 2540 wrote to memory of 2772 2540 Ndjajeni.exe 87
PID 2772 wrote to memory of 3096 2772 Nghmfqmm.exe 88
PID 2772 wrote to memory of 3096 2772 Nghmfqmm.exe 88
PID 2772 wrote to memory of 3096 2772 Nghmfqmm.exe 88
PID 3096 wrote to memory of 2324 3096 Nnbebk32.exe 89
PID 3096 wrote to memory of 2324 3096 Nnbebk32.exe 89
PID 3096 wrote to memory of 2324 3096 Nnbebk32.exe 89
PID 2324 wrote to memory of 3540 2324 Npabof32.exe 90
PID 2324 wrote to memory of 3540 2324 Npabof32.exe 90
PID 2324 wrote to memory of 3540 2324 Npabof32.exe 90
PID 3540 wrote to memory of 1468 3540 Ngkjlpkj.exe 91
PID 3540 wrote to memory of 1468 3540 Ngkjlpkj.exe 91
PID 3540 wrote to memory of 1468 3540 Ngkjlpkj.exe 91
PID 1468 wrote to memory of 2992 1468 Nlhbdgia.exe 92
PID 1468 wrote to memory of 2992 1468 Nlhbdgia.exe 92
PID 1468 wrote to memory of 2992 1468 Nlhbdgia.exe 92
PID 2992 wrote to memory of 4576 2992 Ncakqaqo.exe 93
PID 2992 wrote to memory of 4576 2992 Ncakqaqo.exe 93
PID 2992 wrote to memory of 4576 2992 Ncakqaqo.exe 93
PID 4576 wrote to memory of 3492 4576 Njlcmk32.exe 94
PID 4576 wrote to memory of 3492 4576 Njlcmk32.exe 94
PID 4576 wrote to memory of 3492 4576 Njlcmk32.exe 94
PID 3492 wrote to memory of 4568 3492 Npekjeph.exe 95
PID 3492 wrote to memory of 4568 3492 Npekjeph.exe 95
PID 3492 wrote to memory of 4568 3492 Npekjeph.exe 95
PID 4568 wrote to memory of 2120 4568 Ncdgfaol.exe 96
PID 4568 wrote to memory of 2120 4568 Ncdgfaol.exe 96
PID 4568 wrote to memory of 2120 4568 Ncdgfaol.exe 96
PID 2120 wrote to memory of 228 2120 Ngpcgp32.exe 97
PID 2120 wrote to memory of 228 2120 Ngpcgp32.exe 97
PID 2120 wrote to memory of 228 2120 Ngpcgp32.exe 97
PID 228 wrote to memory of 3152 228 Njnpck32.exe 98
PID 228 wrote to memory of 3152 228 Njnpck32.exe 98
PID 228 wrote to memory of 3152 228 Njnpck32.exe 98
PID 3152 wrote to memory of 5104 3152 Nlllof32.exe 99
PID 3152 wrote to memory of 5104 3152 Nlllof32.exe 99
PID 3152 wrote to memory of 5104 3152 Nlllof32.exe 99
PID 5104 wrote to memory of 1792 5104 Odcdpd32.exe 100
PID 5104 wrote to memory of 1792 5104 Odcdpd32.exe 100
PID 5104 wrote to memory of 1792 5104 Odcdpd32.exe 100
PID 1792 wrote to memory of 3864 1792 Ogbploeb.exe 101
PID 1792 wrote to memory of 3864 1792 Ogbploeb.exe 101
PID 1792 wrote to memory of 3864 1792 Ogbploeb.exe 101
PID 3864 wrote to memory of 1472 3864 Onlhii32.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\9705fc4cfd37917f667230b8f0f52c3cfa5a2e38e5945c9aa22e2f40f856a833.exe "C:\Users\Admin\AppData\Local\Temp\9705fc4cfd37917f667230b8f0f52c3cfa5a2e38e5945c9aa22e2f40f856a833.exe" (depth 1)
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Mchhjbii.exe C:\Windows\system32\Mchhjbii.exe (depth 2)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Mnnlgkho.exe C:\Windows\system32\Mnnlgkho.exe (depth 3)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Mplhdghc.exe C:\Windows\system32\Mplhdghc.exe (depth 4)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Nckepbgf.exe C:\Windows\system32\Nckepbgf.exe (depth 5)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Nidmml32.exe C:\Windows\system32\Nidmml32.exe (depth 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:476 -
C:\Windows\SysWOW64\Ndjajeni.exe C:\Windows\system32\Ndjajeni.exe (depth 7)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Nghmfqmm.exe C:\Windows\system32\Nghmfqmm.exe (depth 8)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Nnbebk32.exe C:\Windows\system32\Nnbebk32.exe (depth 9)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Npabof32.exe C:\Windows\system32\Npabof32.exe (depth 10)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Ngkjlpkj.exe C:\Windows\system32\Ngkjlpkj.exe (depth 11)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Nlhbdgia.exe C:\Windows\system32\Nlhbdgia.exe (depth 12)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Ncakqaqo.exe C:\Windows\system32\Ncakqaqo.exe (depth 13)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Njlcmk32.exe C:\Windows\system32\Njlcmk32.exe (depth 14)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Npekjeph.exe C:\Windows\system32\Npekjeph.exe (depth 15)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Ncdgfaol.exe C:\Windows\system32\Ncdgfaol.exe (depth 16)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Ngpcgp32.exe C:\Windows\system32\Ngpcgp32.exe (depth 17)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Njnpck32.exe C:\Windows\system32\Njnpck32.exe (depth 18)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Nlllof32.exe C:\Windows\system32\Nlllof32.exe (depth 19)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Odcdpd32.exe C:\Windows\system32\Odcdpd32.exe (depth 20)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Ogbploeb.exe C:\Windows\system32\Ogbploeb.exe (depth 21)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Onlhii32.exe C:\Windows\system32\Onlhii32.exe (depth 22)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Opjeee32.exe C:\Windows\system32\Opjeee32.exe (depth 23)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\Ociaap32.exe C:\Windows\system32\Ociaap32.exe (depth 24)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4176 -
C:\Windows\SysWOW64\Ogdmaocp.exe C:\Windows\system32\Ogdmaocp.exe (depth 25)
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Opmakd32.exe C:\Windows\system32\Opmakd32.exe (depth 26)
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Ojefcj32.exe C:\Windows\system32\Ojefcj32.exe (depth 27)
- Executes dropped EXE
- Drops file in System32 directory
PID:4076 -
C:\Windows\SysWOW64\Ocmjlpfa.exe C:\Windows\system32\Ocmjlpfa.exe (depth 28)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Ojgbij32.exe C:\Windows\system32\Ojgbij32.exe (depth 29)
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Ocpgbodo.exe C:\Windows\system32\Ocpgbodo.exe (depth 30)
- Executes dropped EXE
- Drops file in System32 directory
PID:1120 -
C:\Windows\SysWOW64\Onekoh32.exe C:\Windows\system32\Onekoh32.exe (depth 31)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Pnghdh32.exe C:\Windows\system32\Pnghdh32.exe (depth 32)
- Executes dropped EXE
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Pfcmij32.exe C:\Windows\system32\Pfcmij32.exe (depth 33)
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Pddmga32.exe C:\Windows\system32\Pddmga32.exe (depth 34)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Pfeiojnj.exe C:\Windows\system32\Pfeiojnj.exe (depth 35)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4800 -
C:\Windows\SysWOW64\Pmoakd32.exe C:\Windows\system32\Pmoakd32.exe (depth 36)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:688 -
C:\Windows\SysWOW64\Pgdfim32.exe C:\Windows\system32\Pgdfim32.exe (depth 37)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Pqmjab32.exe C:\Windows\system32\Pqmjab32.exe (depth 38)
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Pggbnlbj.exe C:\Windows\system32\Pggbnlbj.exe (depth 39)
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Pnakkf32.exe C:\Windows\system32\Pnakkf32.exe (depth 40)
- Executes dropped EXE
- Drops file in System32 directory
PID:4340 -
C:\Windows\SysWOW64\Qdkcgqad.exe C:\Windows\system32\Qdkcgqad.exe (depth 41)
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Qgiodlqh.exe C:\Windows\system32\Qgiodlqh.exe (depth 42)
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Qncgqf32.exe C:\Windows\system32\Qncgqf32.exe (depth 43)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1148 -
C:\Windows\SysWOW64\Qmfhlcoo.exe C:\Windows\system32\Qmfhlcoo.exe (depth 44)
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Qdmpmp32.exe C:\Windows\system32\Qdmpmp32.exe (depth 45)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:960 -
C:\Windows\SysWOW64\Qjjheg32.exe C:\Windows\system32\Qjjheg32.exe (depth 46)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4948 -
C:\Windows\SysWOW64\Amhdab32.exe C:\Windows\system32\Amhdab32.exe (depth 47)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4504 -
C:\Windows\SysWOW64\Aqdqbaee.exe C:\Windows\system32\Aqdqbaee.exe (depth 48)
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Acbmnmdi.exe C:\Windows\system32\Acbmnmdi.exe (depth 49)
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Anhaledo.exe C:\Windows\system32\Anhaledo.exe (depth 50)
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Amkagb32.exe C:\Windows\system32\Amkagb32.exe (depth 51)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Agpedkjp.exe C:\Windows\system32\Agpedkjp.exe (depth 52)
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Ammnmbig.exe C:\Windows\system32\Ammnmbig.exe (depth 53)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Aedfnoii.exe C:\Windows\system32\Aedfnoii.exe (depth 54)
- Executes dropped EXE
- Drops file in System32 directory
PID:3980 -
C:\Windows\SysWOW64\Afebeg32.exe C:\Windows\system32\Afebeg32.exe (depth 55)
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Ampkbagd.exe C:\Windows\system32\Ampkbagd.exe (depth 56)
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Acicol32.exe C:\Windows\system32\Acicol32.exe (depth 57)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Afhokgme.exe C:\Windows\system32\Afhokgme.exe (depth 58)
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Ajcklf32.exe C:\Windows\system32\Ajcklf32.exe (depth 59)
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Ambgha32.exe C:\Windows\system32\Ambgha32.exe (depth 60)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Afjlqgkb.exe C:\Windows\system32\Afjlqgkb.exe (depth 61)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3104 -
C:\Windows\SysWOW64\Bmddma32.exe C:\Windows\system32\Bmddma32.exe (depth 62)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4116 -
C:\Windows\SysWOW64\Bcnljkjl.exe C:\Windows\system32\Bcnljkjl.exe (depth 63)
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Bncqgd32.exe C:\Windows\system32\Bncqgd32.exe (depth 64)
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Benidnao.exe C:\Windows\system32\Benidnao.exe (depth 65)
- Executes dropped EXE
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Bglepipb.exe C:\Windows\system32\Bglepipb.exe (depth 66)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4596 -
C:\Windows\SysWOW64\Bnfmmc32.exe C:\Windows\system32\Bnfmmc32.exe (depth 67)
PID:1832 -
C:\Windows\SysWOW64\Badiio32.exe C:\Windows\system32\Badiio32.exe (depth 68)
PID:2336 -
C:\Windows\SysWOW64\Bgnafinp.exe C:\Windows\system32\Bgnafinp.exe (depth 69)
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Bnhjbcfl.exe C:\Windows\system32\Bnhjbcfl.exe (depth 70)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\Bagfooep.exe C:\Windows\system32\Bagfooep.exe (depth 71)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Bfcogecg.exe C:\Windows\system32\Bfcogecg.exe (depth 72)
PID:4332 -
C:\Windows\SysWOW64\Bmngcp32.exe C:\Windows\system32\Bmngcp32.exe (depth 73)
PID:1548 -
C:\Windows\SysWOW64\Beeodm32.exe C:\Windows\system32\Beeodm32.exe (depth 74)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3532 -
C:\Windows\SysWOW64\Cffkleae.exe C:\Windows\system32\Cffkleae.exe (depth 75)
- Modifies registry class
PID:4592 -
C:\Windows\SysWOW64\Cnmcnb32.exe C:\Windows\system32\Cnmcnb32.exe (depth 76)
- Drops file in System32 directory
PID:3852 -
C:\Windows\SysWOW64\Cegljmid.exe C:\Windows\system32\Cegljmid.exe (depth 77)
PID:1596 -
C:\Windows\SysWOW64\Cfhhbe32.exe C:\Windows\system32\Cfhhbe32.exe (depth 78)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Cmbpoofo.exe C:\Windows\system32\Cmbpoofo.exe (depth 79)
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Cdlhki32.exe C:\Windows\system32\Cdlhki32.exe (depth 80)
- System Location Discovery: System Language Discovery
PID:3704 -
C:\Windows\SysWOW64\Cfkegd32.exe C:\Windows\system32\Cfkegd32.exe (depth 81)
PID:4304 -
C:\Windows\SysWOW64\Celeel32.exe C:\Windows\system32\Celeel32.exe (depth 82)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1188 -
C:\Windows\SysWOW64\Cfmamdkm.exe C:\Windows\system32\Cfmamdkm.exe (depth 83)
PID:2752 -
C:\Windows\SysWOW64\Cjhmnc32.exe C:\Windows\system32\Cjhmnc32.exe (depth 84)
PID:3588 -
C:\Windows\SysWOW64\Cmgjjn32.exe C:\Windows\system32\Cmgjjn32.exe (depth 85)
PID:2724 -
C:\Windows\SysWOW64\Chlngg32.exe C:\Windows\system32\Chlngg32.exe (depth 86)
PID:2892 -
C:\Windows\SysWOW64\Cmifon32.exe C:\Windows\system32\Cmifon32.exe (depth 87)
- System Location Discovery: System Language Discovery
PID:4184 -
C:\Windows\SysWOW64\Dhokmgpm.exe C:\Windows\system32\Dhokmgpm.exe (depth 88)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Doicia32.exe C:\Windows\system32\Doicia32.exe (depth 89)
PID:4728 -
C:\Windows\SysWOW64\Deckfkof.exe C:\Windows\system32\Deckfkof.exe (depth 90)
PID:4472 -
C:\Windows\SysWOW64\Dfdgnc32.exe C:\Windows\system32\Dfdgnc32.exe (depth 91)
PID:3428 -
C:\Windows\SysWOW64\Dokpoq32.exe C:\Windows\system32\Dokpoq32.exe (depth 92)
- System Location Discovery: System Language Discovery
PID:4364 -
C:\Windows\SysWOW64\Dmnpjmla.exe C:\Windows\system32\Dmnpjmla.exe (depth 93)
PID:4444 -
C:\Windows\SysWOW64\Deehkk32.exe C:\Windows\system32\Deehkk32.exe (depth 94)
- Modifies registry class
PID:4824 -
C:\Windows\SysWOW64\Dffdcccb.exe C:\Windows\system32\Dffdcccb.exe (depth 95)
PID:840 -
C:\Windows\SysWOW64\Domldpcd.exe C:\Windows\system32\Domldpcd.exe (depth 96)
- System Location Discovery: System Language Discovery
PID:1128 -
C:\Windows\SysWOW64\Ddjemgal.exe C:\Windows\system32\Ddjemgal.exe (depth 97)
PID:1228 -
C:\Windows\SysWOW64\Dmbiem32.exe C:\Windows\system32\Dmbiem32.exe (depth 98)
- Drops file in System32 directory
PID:4732 -
C:\Windows\SysWOW64\Dejafj32.exe C:\Windows\system32\Dejafj32.exe (depth 99)
- Modifies registry class
PID:3932 -
C:\Windows\SysWOW64\Dgknnb32.exe C:\Windows\system32\Dgknnb32.exe (depth 100)
- System Location Discovery: System Language Discovery
PID:4456 -
C:\Windows\SysWOW64\Dkfjoagf.exe C:\Windows\system32\Dkfjoagf.exe (depth 101)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3608 -
C:\Windows\SysWOW64\Dmefklfj.exe C:\Windows\system32\Dmefklfj.exe (depth 102)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Ddonhf32.exe C:\Windows\system32\Ddonhf32.exe (depth 103)
PID:1016 -
C:\Windows\SysWOW64\Ekifdqec.exe C:\Windows\system32\Ekifdqec.exe (depth 104)
- Drops file in System32 directory
PID:4432 -
C:\Windows\SysWOW64\Emgbqldg.exe C:\Windows\system32\Emgbqldg.exe (depth 105)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Eeokaiei.exe C:\Windows\system32\Eeokaiei.exe (depth 106)
PID:3760 -
C:\Windows\SysWOW64\Egpgiakg.exe C:\Windows\system32\Egpgiakg.exe (depth 107)
PID:3288 -
C:\Windows\SysWOW64\Ekkcjp32.exe C:\Windows\system32\Ekkcjp32.exe (depth 108)
PID:3772 -
C:\Windows\SysWOW64\Eknppp32.exe C:\Windows\system32\Eknppp32.exe (depth 109)
PID:3624 -
C:\Windows\SysWOW64\Emlllk32.exe C:\Windows\system32\Emlllk32.exe (depth 110)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3676 -
C:\Windows\SysWOW64\Edfdhego.exe C:\Windows\system32\Edfdhego.exe (depth 111)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Egdqdagb.exe C:\Windows\system32\Egdqdagb.exe (depth 112)
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Emniakno.exe C:\Windows\system32\Emniakno.exe (depth 113)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4936 -
C:\Windows\SysWOW64\Eeeqbhoa.exe C:\Windows\system32\Eeeqbhoa.exe (depth 114)
PID:2948 -
C:\Windows\SysWOW64\Eggmjq32.exe C:\Windows\system32\Eggmjq32.exe (depth 115)
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\Eonekn32.exe C:\Windows\system32\Eonekn32.exe (depth 116)
PID:4756 -
C:\Windows\SysWOW64\Ealagi32.exe C:\Windows\system32\Ealagi32.exe (depth 117)
PID:4544 -
C:\Windows\SysWOW64\Eehnhhmo.exe C:\Windows\system32\Eehnhhmo.exe (depth 118)
PID:5172 -
C:\Windows\SysWOW64\Fgijpp32.exe C:\Windows\system32\Fgijpp32.exe (depth 119)
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Fkdfpokf.exe C:\Windows\system32\Fkdfpokf.exe (depth 120)
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Fncblj32.exe C:\Windows\system32\Fncblj32.exe (depth 121)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Faonmibc.exe C:\Windows\system32\Faonmibc.exe (depth 122)
- Drops file in System32 directory
PID:5368