Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/12/2024, 01:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9b7d69b68b262e057d9897df7e26c6e219bdd14c92df802598868e8755c970f4.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
9b7d69b68b262e057d9897df7e26c6e219bdd14c92df802598868e8755c970f4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
9b7d69b68b262e057d9897df7e26c6e219bdd14c92df802598868e8755c970f4.exe
-
Size
80KB
-
MD5
45dd59093dbfafb9366209249bf2b697
-
SHA1
404a77dd134dc40e8caf3ec3286089be34ad7725
-
SHA256
9b7d69b68b262e057d9897df7e26c6e219bdd14c92df802598868e8755c970f4
-
SHA512
2be5225fb1539dcec09eb8380e7611b642753e61c517a6a8c497f091ce3f8dd1f1983e25212246d9c6c70b5c66125e92f6d6731756a132553c7a8dd42e7e7559
-
SSDEEP
1536:RhYQ6K+93eG5V6A3+OKXRv88SaED8/D6a242LjJ9VqDlzVxyh+CbxMa:r6KcOG5LuXvlMD8/QjJ9IDlRxyhTb7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qadoba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fechomko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgeakekd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkphhgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhfppabl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igfclkdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenmcggo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjpijpdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpchib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaompd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpofii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmfjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aednci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglgjeci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogfcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Digehphc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hekgfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbcmakpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nclikl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohjlgefb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgacokc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmafajfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmfplibd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihlbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjadje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogklelna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epokedmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahenokjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdecgbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimpolee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajeadd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcaknbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhijqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpmbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbchj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amodep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccnncgmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhflnpoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpaqbbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnodaecc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dihlbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnknafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nflkbanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmnbfhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caageq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiejmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbfpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkeekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eokqkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knenkbio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oljaccjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfnegggi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipbdikp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdoihpbk.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 432 Lpneegel.exe 3712 Lejnmncd.exe 3800 Lppbkgcj.exe 1112 Locbfd32.exe 4008 Lihfcm32.exe 2024 Llgcph32.exe 4920 Lbqklb32.exe 1984 Leoghn32.exe 868 Llipehgk.exe 3732 Lbchba32.exe 3276 Mimpolee.exe 2568 Mpghkf32.exe 2388 Mbedga32.exe 2504 Mfaqhp32.exe 3832 Miomdk32.exe 3080 Mpieqeko.exe 1136 Mfcmmp32.exe 3348 Mibijk32.exe 1444 Mplafeil.exe 1580 Mffjcopi.exe 1396 Midfokpm.exe 1228 Moaogand.exe 4108 Mekgdl32.exe 4880 Mleoafmn.exe 968 Mockmala.exe 2196 Niipjj32.exe 720 Nlglfe32.exe 2576 Nbadcpbh.exe 3288 Neppokal.exe 936 Nlihle32.exe 1288 Ngomin32.exe 320 Npgabc32.exe 2992 Ngaionfl.exe 828 Nhbfff32.exe 916 Nomncpcg.exe 4864 Neffpj32.exe 2988 Nlqomd32.exe 4024 Ogfcjm32.exe 548 Oidofh32.exe 884 Ocmconhk.exe 4444 Ohjlgefb.exe 2720 Ogklelna.exe 4852 Oiihahme.exe 2480 Opcqnb32.exe 5084 Ogmijllo.exe 556 Oljaccjf.exe 3984 Ohqbhdpj.exe 2776 Ollnhb32.exe 3808 Pgbbek32.exe 2624 Ploknb32.exe 3392 Pjbkgfej.exe 4152 Pckppl32.exe 456 Poaqemao.exe 1924 Phjenbhp.exe 1576 Pfnegggi.exe 2316 Qcbfakec.exe 1588 Qqffjo32.exe 1492 Qcdbfk32.exe 4076 Qjnkcekm.exe 2716 Aokcklid.exe 2200 Afelhf32.exe 4400 Amodep32.exe 4596 Aqkpeopg.exe 4164 Acilajpk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bgolif32.dll Aflaie32.exe File created C:\Windows\SysWOW64\Knflpoqf.exe Kkhpdcab.exe File created C:\Windows\SysWOW64\Obonfmck.dll Kjpijpdg.exe File opened for modification C:\Windows\SysWOW64\Bljlfh32.exe Bhoqeibl.exe File opened for modification C:\Windows\SysWOW64\Mfcmmp32.exe Mpieqeko.exe File created C:\Windows\SysWOW64\Ilmjim32.dll Gncchb32.exe File opened for modification C:\Windows\SysWOW64\Imgicgca.exe Iepaaico.exe File opened for modification C:\Windows\SysWOW64\Adfgdpmi.exe Aagkhd32.exe File opened for modification C:\Windows\SysWOW64\Fmkqpkla.exe Fechomko.exe File opened for modification C:\Windows\SysWOW64\Ljgpkonp.exe Lieccf32.exe File created C:\Windows\SysWOW64\Dpglbfpm.dll Mnmdme32.exe File opened for modification C:\Windows\SysWOW64\Qqffjo32.exe Qcbfakec.exe File created C:\Windows\SysWOW64\Cjafgpmo.dll Flfkkhid.exe File opened for modification C:\Windows\SysWOW64\Bmhocd32.exe Bgnffj32.exe File created C:\Windows\SysWOW64\Dqboip32.dll Bfendmoc.exe File created C:\Windows\SysWOW64\Knbbep32.exe Kjffdalb.exe File opened for modification C:\Windows\SysWOW64\Lgffic32.exe Legjmh32.exe File created C:\Windows\SysWOW64\Cgieglah.dll Pifnhpmi.exe File opened for modification C:\Windows\SysWOW64\Gfodeohd.exe Gbchdp32.exe File created C:\Windows\SysWOW64\Fhoaad32.dll Ngaionfl.exe File created C:\Windows\SysWOW64\Fflohaij.exe Fneggdhg.exe File created C:\Windows\SysWOW64\Nchkcb32.dll Dahmfpap.exe File created C:\Windows\SysWOW64\Fpjqcaao.dll Epikpo32.exe File created C:\Windows\SysWOW64\Dppadp32.dll Ajjjocap.exe File opened for modification C:\Windows\SysWOW64\Okjnnj32.exe Ohkbbn32.exe File created C:\Windows\SysWOW64\Plbmokop.exe Pidabppl.exe File opened for modification C:\Windows\SysWOW64\Qikgco32.exe Qadoba32.exe File opened for modification C:\Windows\SysWOW64\Ipeeobbe.exe Imgicgca.exe File created C:\Windows\SysWOW64\Joahqn32.exe Impliekg.exe File created C:\Windows\SysWOW64\Kgkfnh32.exe Kncaec32.exe File created C:\Windows\SysWOW64\Mibijk32.exe Mfcmmp32.exe File created C:\Windows\SysWOW64\Kfpcoefj.exe Kcbfcigf.exe File created C:\Windows\SysWOW64\Dkbnla32.dll Bahdob32.exe File created C:\Windows\SysWOW64\Lihfcm32.exe Locbfd32.exe File created C:\Windows\SysWOW64\Lqikmc32.exe Lmmolepp.exe File opened for modification C:\Windows\SysWOW64\Pmcclm32.exe Pkegpb32.exe File created C:\Windows\SysWOW64\Caojpaij.exe Ckebcg32.exe File created C:\Windows\SysWOW64\Qiginoqd.dll Amaqjp32.exe File created C:\Windows\SysWOW64\Jhijqj32.exe Indfca32.exe File opened for modification C:\Windows\SysWOW64\Gpqjglii.exe Glengm32.exe File created C:\Windows\SysWOW64\Hginecde.exe Hpofii32.exe File created C:\Windows\SysWOW64\Ecgamkhq.dll Igdnabjh.exe File created C:\Windows\SysWOW64\Empmffib.dll Inqbclob.exe File created C:\Windows\SysWOW64\Pfogpg32.dll Ehcfaboo.exe File opened for modification C:\Windows\SysWOW64\Bhpfqcln.exe Bebjdgmj.exe File opened for modification C:\Windows\SysWOW64\Mcgiefen.exe Mmmqhl32.exe File created C:\Windows\SysWOW64\Pjigamma.dll Jhijqj32.exe File created C:\Windows\SysWOW64\Ankkea32.dll Efeihb32.exe File created C:\Windows\SysWOW64\Lmmolepp.exe Ljobpiql.exe File created C:\Windows\SysWOW64\Kageaj32.exe Kniieo32.exe File opened for modification C:\Windows\SysWOW64\Mlkepaam.exe Meamcg32.exe File created C:\Windows\SysWOW64\Ombnni32.dll Llmhaold.exe File created C:\Windows\SysWOW64\Biafno32.dll Cdbpgl32.exe File created C:\Windows\SysWOW64\Hncfnebg.dll Gdoihpbk.exe File created C:\Windows\SysWOW64\Jkchlonc.dll Cofnik32.exe File opened for modification C:\Windows\SysWOW64\Flfkkhid.exe Fihnomjp.exe File opened for modification C:\Windows\SysWOW64\Nmkmjjaa.exe Njmqnobn.exe File created C:\Windows\SysWOW64\Cggimh32.exe Cpmapodj.exe File created C:\Windows\SysWOW64\Ocmcjb32.dll Fbfcmhpg.exe File created C:\Windows\SysWOW64\Ppmflc32.dll Iqipio32.exe File created C:\Windows\SysWOW64\Kebncn32.dll Djcoai32.exe File created C:\Windows\SysWOW64\Ojmcpd32.dll Poimpapp.exe File created C:\Windows\SysWOW64\Ighkgpcl.dll Ngomin32.exe File created C:\Windows\SysWOW64\Nbcpja32.dll Bckkca32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 17348 17272 WerFault.exe 990 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inqbclob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekddhcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfipef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmqnobn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnifekmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qadoba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhpqaiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopemh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggnadib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bochmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeldnpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelolmnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phjenbhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncoikmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cadlbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqphfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdbpgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmklglpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coknoaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomifecf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmkhgho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caageq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njghbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipflihfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfiplog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miomdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmeapmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdnei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokcklid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbfbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbjkkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phbhcmjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoobdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhjkabi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqdcnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfpinmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfcfmlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapkni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfeeimj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnahdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impliekg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomqcjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iklgah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnhjcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acmobchj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhkbfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofnik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdaepb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epagkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boflmdkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggocmhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koodbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biogppeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhpla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifeab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdaodja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpchib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igfclkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jphkkpbp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjlnlii.dll" Pojcjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdljpcg.dll" Fhflnpoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igchfiof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiknlagg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkddhpn.dll" Lclpdncg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nclikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbadcpbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcbfakec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcghch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjehbcf.dll" Imgicgca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgaff32.dll" Aonoao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eokqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foalam32.dll" Lpneegel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kilpmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klobfk32.dll" Ahqddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmedh32.dll" Ahcajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnlefae.dll" Coiaiakf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paeelgnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjbkgfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghmbno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjjocap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadpldgf.dll" Kinmcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojfcdnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeichoo.dll" Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgibpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmbbhkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjhcjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnphmkji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akhcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqpamb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgffoo32.dll" Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll" Bkphhgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eagaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icahfh32.dll" Kelkaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihaej32.dll" Mmpdhboj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmoiqneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hncmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abcgjd32.dll" Mngegmbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcgiefen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnpfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iadenp32.dll" Nkqkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdafpj32.dll" Kgninn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knfeeimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodoah32.dll" Nmigoagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmioggn.dll" Fneggdhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcbpjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnodaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkddkljd.dll" Mhfppabl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejalcgkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcgiefen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgnffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlmeco32.dll" Mekgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lclpdncg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgibpf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1856 wrote to memory of 432 1856 9b7d69b68b262e057d9897df7e26c6e219bdd14c92df802598868e8755c970f4.exe 82 PID 1856 wrote to memory of 432 1856 9b7d69b68b262e057d9897df7e26c6e219bdd14c92df802598868e8755c970f4.exe 82 PID 1856 wrote to memory of 432 1856 9b7d69b68b262e057d9897df7e26c6e219bdd14c92df802598868e8755c970f4.exe 82 PID 432 wrote to memory of 3712 432 Lpneegel.exe 83 PID 432 wrote to memory of 3712 432 Lpneegel.exe 83 PID 432 wrote to memory of 3712 432 Lpneegel.exe 83 PID 3712 wrote to memory of 3800 3712 Lejnmncd.exe 84 PID 3712 wrote to memory of 3800 3712 Lejnmncd.exe 84 PID 3712 wrote to memory of 3800 3712 Lejnmncd.exe 84 PID 3800 wrote to memory of 1112 3800 Lppbkgcj.exe 85 PID 3800 wrote to memory of 1112 3800 Lppbkgcj.exe 85 PID 3800 wrote to memory of 1112 3800 Lppbkgcj.exe 85 PID 1112 wrote to memory of 4008 1112 Locbfd32.exe 86 PID 1112 wrote to memory of 4008 1112 Locbfd32.exe 86 PID 1112 wrote to memory of 4008 1112 Locbfd32.exe 86 PID 4008 wrote to memory of 2024 4008 Lihfcm32.exe 87 PID 4008 wrote to memory of 2024 4008 Lihfcm32.exe 87 PID 4008 wrote to memory of 2024 4008 Lihfcm32.exe 87 PID 2024 wrote to memory of 4920 2024 Llgcph32.exe 88 PID 2024 wrote to memory of 4920 2024 Llgcph32.exe 88 PID 2024 wrote to memory of 4920 2024 Llgcph32.exe 88 PID 4920 wrote to memory of 1984 4920 Lbqklb32.exe 89 PID 4920 wrote to memory of 1984 4920 Lbqklb32.exe 89 PID 4920 wrote to memory of 1984 4920 Lbqklb32.exe 89 PID 1984 wrote to memory of 868 1984 Leoghn32.exe 90 PID 1984 wrote to memory of 868 1984 Leoghn32.exe 90 PID 1984 wrote to memory of 868 1984 Leoghn32.exe 90 PID 868 wrote to memory of 3732 868 Llipehgk.exe 91 PID 868 wrote to memory of 3732 868 Llipehgk.exe 91 PID 868 wrote to memory of 3732 868 Llipehgk.exe 91 PID 3732 wrote to memory of 3276 3732 Lbchba32.exe 92 PID 3732 wrote to memory of 3276 3732 Lbchba32.exe 92 PID 3732 wrote to memory of 3276 3732 Lbchba32.exe 92 PID 3276 wrote to memory of 2568 3276 Mimpolee.exe 93 PID 3276 wrote to memory of 2568 3276 Mimpolee.exe 93 PID 3276 wrote to memory of 2568 3276 Mimpolee.exe 93 PID 2568 wrote to memory of 2388 2568 Mpghkf32.exe 94 PID 2568 wrote to memory of 2388 2568 Mpghkf32.exe 94 PID 2568 wrote to memory of 2388 2568 Mpghkf32.exe 94 PID 2388 wrote to memory of 2504 2388 Mbedga32.exe 95 PID 2388 wrote to memory of 2504 2388 Mbedga32.exe 95 PID 2388 wrote to memory of 2504 2388 Mbedga32.exe 95 PID 2504 wrote to memory of 3832 2504 Mfaqhp32.exe 96 PID 2504 wrote to memory of 3832 2504 Mfaqhp32.exe 96 PID 2504 wrote to memory of 3832 2504 Mfaqhp32.exe 96 PID 3832 wrote to memory of 3080 3832 Miomdk32.exe 97 PID 3832 wrote to memory of 3080 3832 Miomdk32.exe 97 PID 3832 wrote to memory of 3080 3832 Miomdk32.exe 97 PID 3080 wrote to memory of 1136 3080 Mpieqeko.exe 98 PID 3080 wrote to memory of 1136 3080 Mpieqeko.exe 98 PID 3080 wrote to memory of 1136 3080 Mpieqeko.exe 98 PID 1136 wrote to memory of 3348 1136 Mfcmmp32.exe 99 PID 1136 wrote to memory of 3348 1136 Mfcmmp32.exe 99 PID 1136 wrote to memory of 3348 1136 Mfcmmp32.exe 99 PID 3348 wrote to memory of 1444 3348 Mibijk32.exe 100 PID 3348 wrote to memory of 1444 3348 Mibijk32.exe 100 PID 3348 wrote to memory of 1444 3348 Mibijk32.exe 100 PID 1444 wrote to memory of 1580 1444 Mplafeil.exe 101 PID 1444 wrote to memory of 1580 1444 Mplafeil.exe 101 PID 1444 wrote to memory of 1580 1444 Mplafeil.exe 101 PID 1580 wrote to memory of 1396 1580 Mffjcopi.exe 102 PID 1580 wrote to memory of 1396 1580 Mffjcopi.exe 102 PID 1580 wrote to memory of 1396 1580 Mffjcopi.exe 102 PID 1396 wrote to memory of 1228 1396 Midfokpm.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b7d69b68b262e057d9897df7e26c6e219bdd14c92df802598868e8755c970f4.exe"C:\Users\Admin\AppData\Local\Temp\9b7d69b68b262e057d9897df7e26c6e219bdd14c92df802598868e8755c970f4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe23⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4108 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe25⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe26⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe27⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe28⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe30⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe31⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe33⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe35⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe36⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe37⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe38⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe40⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe41⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe44⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe45⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe46⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe48⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe49⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe50⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe51⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3392 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe53⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe54⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe58⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe59⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe60⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe62⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe64⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe65⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe66⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe67⤵PID:1284
-
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3200 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe69⤵PID:1400
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe70⤵PID:760
-
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe71⤵
- Drops file in System32 directory
PID:3820 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe72⤵PID:4392
-
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe73⤵PID:3444
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe75⤵PID:2348
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe76⤵PID:2252
-
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe77⤵
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe78⤵PID:1928
-
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe79⤵PID:3632
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe80⤵PID:3376
-
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe81⤵
- Modifies registry class
PID:5044 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe82⤵PID:2236
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe83⤵PID:716
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe84⤵PID:4292
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe85⤵PID:4420
-
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe86⤵PID:3224
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4636 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe88⤵PID:2240
-
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe89⤵PID:1220
-
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:220 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe91⤵PID:4908
-
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe92⤵
- System Location Discovery: System Language Discovery
PID:3716 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe93⤵PID:1452
-
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe94⤵PID:920
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe95⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe96⤵PID:5020
-
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe97⤵PID:4088
-
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe98⤵PID:1764
-
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe99⤵PID:2412
-
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe100⤵PID:3036
-
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe101⤵PID:2248
-
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe102⤵PID:3320
-
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe103⤵
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe104⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe105⤵PID:2096
-
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe106⤵PID:1972
-
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe107⤵PID:1688
-
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe108⤵
- System Location Discovery: System Language Discovery
PID:700 -
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe109⤵PID:3468
-
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe110⤵PID:4144
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe111⤵PID:5056
-
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe112⤵PID:3076
-
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe113⤵PID:3628
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe114⤵PID:3240
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe115⤵PID:4760
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe116⤵PID:3040
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe117⤵
- Modifies registry class
PID:412 -
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe118⤵PID:1224
-
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe119⤵PID:5012
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe120⤵PID:1784
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe121⤵
- Drops file in System32 directory
PID:1408
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-