Analysis
-
max time kernel
94s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 03:43
Behavioral task
behavioral1
Sample
dc0bbb263dfe2df49435c3061c68b8b5f51cd30c31105dbf49c054a97e2d3ce7.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
dc0bbb263dfe2df49435c3061c68b8b5f51cd30c31105dbf49c054a97e2d3ce7.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
dc0bbb263dfe2df49435c3061c68b8b5f51cd30c31105dbf49c054a97e2d3ce7.exe
-
Size
488KB
-
MD5
a7fe64715214df87c08337ef43dbfea2
-
SHA1
5d2ecd792cac571f9466e5ec00ebc27310cde15a
-
SHA256
dc0bbb263dfe2df49435c3061c68b8b5f51cd30c31105dbf49c054a97e2d3ce7
-
SHA512
30859762747600e0017e7c45390d044bde6dc01ae052ebc96dc5cda52c001f84366e718d67fb61ea8bc89755737c42844511823d328699c8f30555fc555415a4
-
SSDEEP
6144:cg7S68N+R1k3V6on/TNId/1fon/T9P7GSon/TNId/1fon/T2oI0YokOsfY7Uon2J:ccS6xR1k7NIVyeNIVy2oIvPKiKO
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimfpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnbbqpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqlfhjig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemmac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haafcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djelgied.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblpgjha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpbecod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coadnlnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljhefhha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnnccl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpcoefj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiknlagg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jocefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbphglbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfldelik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popbpqjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iolhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfnamjhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgkkkcbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmdaljn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blielbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmmqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcclld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmfjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnfaohbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dakikoom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbjkkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdejd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emanjldl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhlkilba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdjinjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbkcpma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlphbnoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phincl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjlopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibcjqgnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfngdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbjkngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcpahpmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqmmmmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjdpelnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhgkgijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgalmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iojbpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmdaljn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkhjph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgpad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbcncibp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edeeci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihmedma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naecop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiloco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbelcblk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgjejhd.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1132 Fmlneg32.exe 1492 Fpjjac32.exe 4148 Fpmggb32.exe 1416 Fielph32.exe 1124 Ggilil32.exe 1592 Gpaqbbld.exe 2996 Gaamlecg.exe 2752 Ggnedlao.exe 3276 Gacjadad.exe 224 Gnjjfegi.exe 4984 Ggbook32.exe 4608 Giqkkf32.exe 4260 Hgelek32.exe 5060 Hjchaf32.exe 2812 Hkbdki32.exe 1728 Hdmein32.exe 876 Haafcb32.exe 2420 Hnhghcki.exe 4032 Igqkqiai.exe 588 Iafonaao.exe 3052 Inmpcc32.exe 952 Igedlh32.exe 1196 Iqmidndd.exe 3420 Ijfnmc32.exe 1656 Idkbkl32.exe 1404 Jkhgmf32.exe 4680 Jqdoem32.exe 4528 Jnhpoamf.exe 2008 Jgadgf32.exe 5012 Jqiipljg.exe 4264 Jjamia32.exe 3652 Jibmgi32.exe 3492 Jnpfop32.exe 4140 Kdinljnk.exe 4532 Kjffdalb.exe 616 Kqpoakco.exe 4972 Kgjgne32.exe 4280 Kjhcjq32.exe 4316 Kbpkkn32.exe 3872 Kgmcce32.exe 3612 Kjkpoq32.exe 2808 Kaehljpj.exe 772 Kgopidgf.exe 3048 Kjmmepfj.exe 2560 Kbddfmgl.exe 4100 Kecabifp.exe 2080 Kinmcg32.exe 4968 Kjpijpdg.exe 4496 Lbgalmej.exe 3504 Lgcjdd32.exe 1672 Ljbfpo32.exe 1268 Lalnmiia.exe 4772 Licfngjd.exe 1796 Ljdceo32.exe 760 Lbkkgl32.exe 1924 Lejgch32.exe 1904 Lnbklm32.exe 2384 Laqhhi32.exe 1336 Llflea32.exe 3236 Leopnglc.exe 728 Mngegmbc.exe 1872 Milidebi.exe 3412 Mlkepaam.exe 4040 Mahnhhod.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Elpkep32.exe Eiaoid32.exe File opened for modification C:\Windows\SysWOW64\Kqphfe32.exe Kkconn32.exe File opened for modification C:\Windows\SysWOW64\Mmmqhl32.exe Mfchlbfd.exe File created C:\Windows\SysWOW64\Mmihfl32.dll Cnaaib32.exe File opened for modification C:\Windows\SysWOW64\Foclgq32.exe Fdnhih32.exe File created C:\Windows\SysWOW64\Mbibfm32.exe Mokfja32.exe File created C:\Windows\SysWOW64\Acigfpbp.dll Akoqpg32.exe File opened for modification C:\Windows\SysWOW64\Cnahdi32.exe Ckclhn32.exe File created C:\Windows\SysWOW64\Blcnqjjo.dll Piapkbeg.exe File created C:\Windows\SysWOW64\Iafonaao.exe Igqkqiai.exe File opened for modification C:\Windows\SysWOW64\Ahcajk32.exe Aaiimadl.exe File created C:\Windows\SysWOW64\Fbhpch32.exe Fpjcgm32.exe File opened for modification C:\Windows\SysWOW64\Jgpmmp32.exe Jdaaaeqg.exe File created C:\Windows\SysWOW64\Pneall32.dll Phfcipoo.exe File created C:\Windows\SysWOW64\Gkbofaoj.dll Eiaoid32.exe File created C:\Windows\SysWOW64\Miongake.dll Nagpeo32.exe File opened for modification C:\Windows\SysWOW64\Qhmqdemc.exe Qachgk32.exe File opened for modification C:\Windows\SysWOW64\Bgkiaj32.exe Aaoaic32.exe File opened for modification C:\Windows\SysWOW64\Oemefcap.exe Oocmii32.exe File created C:\Windows\SysWOW64\Jnlbojee.exe Jgbjbp32.exe File created C:\Windows\SysWOW64\Fbqdpi32.dll Iipfmggc.exe File created C:\Windows\SysWOW64\Ganldgib.exe Gpmomo32.exe File created C:\Windows\SysWOW64\Nfnamjhk.exe Nqaiecjd.exe File opened for modification C:\Windows\SysWOW64\Hdokdg32.exe Hmechmip.exe File created C:\Windows\SysWOW64\Anmfbl32.exe Aknifq32.exe File created C:\Windows\SysWOW64\Eiokinbk.exe Ebdcld32.exe File created C:\Windows\SysWOW64\Gifjfmcq.dll Jilfifme.exe File opened for modification C:\Windows\SysWOW64\Llmhaold.exe Ljnlecmp.exe File opened for modification C:\Windows\SysWOW64\Fbplml32.exe Foapaa32.exe File created C:\Windows\SysWOW64\Alapqh32.dll Mqjbddpl.exe File opened for modification C:\Windows\SysWOW64\Jnhidk32.exe Jkimho32.exe File created C:\Windows\SysWOW64\Pkgcea32.exe Pdmkhgho.exe File opened for modification C:\Windows\SysWOW64\Iebngial.exe Iohejo32.exe File created C:\Windows\SysWOW64\Aoibcl32.dll Dqbcbkab.exe File opened for modification C:\Windows\SysWOW64\Iajdgcab.exe Iolhkh32.exe File opened for modification C:\Windows\SysWOW64\Bohibc32.exe Bhoqeibl.exe File created C:\Windows\SysWOW64\Dcigeooj.exe Dmoohe32.exe File opened for modification C:\Windows\SysWOW64\Ohfami32.exe Oalipoiq.exe File created C:\Windows\SysWOW64\Chnidloo.dll Bheplb32.exe File created C:\Windows\SysWOW64\Bajqda32.exe Boldhf32.exe File created C:\Windows\SysWOW64\Ddhnoefl.dll Oimkbaed.exe File created C:\Windows\SysWOW64\Bahkih32.exe Bllbaa32.exe File created C:\Windows\SysWOW64\Lggejg32.exe Lqmmmmph.exe File created C:\Windows\SysWOW64\Ahaceo32.exe Apjkcadp.exe File opened for modification C:\Windows\SysWOW64\Jahqiaeb.exe Jpgdai32.exe File opened for modification C:\Windows\SysWOW64\Llqjbhdc.exe Ljbnfleo.exe File opened for modification C:\Windows\SysWOW64\Iphioh32.exe Injmcmej.exe File created C:\Windows\SysWOW64\Naecop32.exe Nnfgcd32.exe File opened for modification C:\Windows\SysWOW64\Bakgoh32.exe Bkaobnio.exe File opened for modification C:\Windows\SysWOW64\Aknbkjfh.exe Adcjop32.exe File created C:\Windows\SysWOW64\Oklkdi32.exe Oiknlagg.exe File created C:\Windows\SysWOW64\Ahenokjf.exe Aakebqbj.exe File created C:\Windows\SysWOW64\Ckhain32.dll Gkmdecbg.exe File created C:\Windows\SysWOW64\Hekgfj32.exe Hblkjo32.exe File opened for modification C:\Windows\SysWOW64\Kabcopmg.exe Kocgbend.exe File opened for modification C:\Windows\SysWOW64\Pfhmjf32.exe Pakdbp32.exe File created C:\Windows\SysWOW64\Aggpfkjj.exe Adhdjpjf.exe File created C:\Windows\SysWOW64\Ccbolagk.dll Gaebef32.exe File opened for modification C:\Windows\SysWOW64\Mjlalkmd.exe Mbdiknlb.exe File created C:\Windows\SysWOW64\Boflmdkk.exe Blhpqhlh.exe File opened for modification C:\Windows\SysWOW64\Ilafiihp.exe Ijcjmmil.exe File created C:\Windows\SysWOW64\Gpgind32.exe Gmimai32.exe File created C:\Windows\SysWOW64\Ghndhd32.dll Mgeakekd.exe File opened for modification C:\Windows\SysWOW64\Cpbjkn32.exe Coqncejg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3840 3368 WerFault.exe 937 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghojbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bepmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akoqpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqmmmmph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eklajcmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqhoeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhloj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coadnlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebgpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dojqjdbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injmcmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfldelik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akqfkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohkokgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgalmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljpij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foapaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebommi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokfja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijfnmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgjejhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baadiiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blielbfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeelnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcjmmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfgcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhhefi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfcok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doojec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffhifdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pecellgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmmqheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfgek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbldphde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgdai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpapnfhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfccogfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popbpqjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlblcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbqmiinl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiieicml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpdhboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqdaadln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogcihaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnlom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkpoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngegmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhngolpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkigh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqfdnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchlbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgopidgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddgmbpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghdaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjnffjkl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjfmjln.dll" Jkhgmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oibqpk32.dll" Nhahaiec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmmfmhll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnbnhedj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngjkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlkepaam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmhand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphblj32.dll" Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkpbaea.dll" Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbdco32.dll" Hlblcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obnehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgjnl32.dll" Omfekbdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbkcpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgdejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anqlll32.dll" Oldjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbopqlen.dll" Pdmkhgho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peaggfjj.dll" Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmphaaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingcceof.dll" Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klinjgke.dll" Akamff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooogokm.dll" Kfpcoefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll" Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqoloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmjaa32.dll" Eppqqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lekmnajj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knenkbio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfpcoefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll" Coqncejg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kocgbend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jddnfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkofga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llflea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illddp32.dll" Lkchelci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll" Ppjbmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbphglbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmeddp32.dll" Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhkf32.dll" Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gacjadad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcodim32.dll" Nhpbfpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpfqchb.dll" Jadgnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdecgbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgjojai.dll" Njljch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danihi32.dll" Qhmqdemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opbean32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjonng32.dll" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjhloj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgjijmin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olbdhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peieba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maggnali.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfami32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fielph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnoab32.dll" Kqpoakco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kecabifp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2004 wrote to memory of 1132 2004 dc0bbb263dfe2df49435c3061c68b8b5f51cd30c31105dbf49c054a97e2d3ce7.exe 83 PID 2004 wrote to memory of 1132 2004 dc0bbb263dfe2df49435c3061c68b8b5f51cd30c31105dbf49c054a97e2d3ce7.exe 83 PID 2004 wrote to memory of 1132 2004 dc0bbb263dfe2df49435c3061c68b8b5f51cd30c31105dbf49c054a97e2d3ce7.exe 83 PID 1132 wrote to memory of 1492 1132 Fmlneg32.exe 84 PID 1132 wrote to memory of 1492 1132 Fmlneg32.exe 84 PID 1132 wrote to memory of 1492 1132 Fmlneg32.exe 84 PID 1492 wrote to memory of 4148 1492 Fpjjac32.exe 85 PID 1492 wrote to memory of 4148 1492 Fpjjac32.exe 85 PID 1492 wrote to memory of 4148 1492 Fpjjac32.exe 85 PID 4148 wrote to memory of 1416 4148 Fpmggb32.exe 86 PID 4148 wrote to memory of 1416 4148 Fpmggb32.exe 86 PID 4148 wrote to memory of 1416 4148 Fpmggb32.exe 86 PID 1416 wrote to memory of 1124 1416 Fielph32.exe 87 PID 1416 wrote to memory of 1124 1416 Fielph32.exe 87 PID 1416 wrote to memory of 1124 1416 Fielph32.exe 87 PID 1124 wrote to memory of 1592 1124 Ggilil32.exe 88 PID 1124 wrote to memory of 1592 1124 Ggilil32.exe 88 PID 1124 wrote to memory of 1592 1124 Ggilil32.exe 88 PID 1592 wrote to memory of 2996 1592 Gpaqbbld.exe 89 PID 1592 wrote to memory of 2996 1592 Gpaqbbld.exe 89 PID 1592 wrote to memory of 2996 1592 Gpaqbbld.exe 89 PID 2996 wrote to memory of 2752 2996 Gaamlecg.exe 90 PID 2996 wrote to memory of 2752 2996 Gaamlecg.exe 90 PID 2996 wrote to memory of 2752 2996 Gaamlecg.exe 90 PID 2752 wrote to memory of 3276 2752 Ggnedlao.exe 91 PID 2752 wrote to memory of 3276 2752 Ggnedlao.exe 91 PID 2752 wrote to memory of 3276 2752 Ggnedlao.exe 91 PID 3276 wrote to memory of 224 3276 Gacjadad.exe 92 PID 3276 wrote to memory of 224 3276 Gacjadad.exe 92 PID 3276 wrote to memory of 224 3276 Gacjadad.exe 92 PID 224 wrote to memory of 4984 224 Gnjjfegi.exe 93 PID 224 wrote to memory of 4984 224 Gnjjfegi.exe 93 PID 224 wrote to memory of 4984 224 Gnjjfegi.exe 93 PID 4984 wrote to memory of 4608 4984 Ggbook32.exe 94 PID 4984 wrote to memory of 4608 4984 Ggbook32.exe 94 PID 4984 wrote to memory of 4608 4984 Ggbook32.exe 94 PID 4608 wrote to memory of 4260 4608 Giqkkf32.exe 95 PID 4608 wrote to memory of 4260 4608 Giqkkf32.exe 95 PID 4608 wrote to memory of 4260 4608 Giqkkf32.exe 95 PID 4260 wrote to memory of 5060 4260 Hgelek32.exe 96 PID 4260 wrote to memory of 5060 4260 Hgelek32.exe 96 PID 4260 wrote to memory of 5060 4260 Hgelek32.exe 96 PID 5060 wrote to memory of 2812 5060 Hjchaf32.exe 97 PID 5060 wrote to memory of 2812 5060 Hjchaf32.exe 97 PID 5060 wrote to memory of 2812 5060 Hjchaf32.exe 97 PID 2812 wrote to memory of 1728 2812 Hkbdki32.exe 98 PID 2812 wrote to memory of 1728 2812 Hkbdki32.exe 98 PID 2812 wrote to memory of 1728 2812 Hkbdki32.exe 98 PID 1728 wrote to memory of 876 1728 Hdmein32.exe 99 PID 1728 wrote to memory of 876 1728 Hdmein32.exe 99 PID 1728 wrote to memory of 876 1728 Hdmein32.exe 99 PID 876 wrote to memory of 2420 876 Haafcb32.exe 100 PID 876 wrote to memory of 2420 876 Haafcb32.exe 100 PID 876 wrote to memory of 2420 876 Haafcb32.exe 100 PID 2420 wrote to memory of 4032 2420 Hnhghcki.exe 101 PID 2420 wrote to memory of 4032 2420 Hnhghcki.exe 101 PID 2420 wrote to memory of 4032 2420 Hnhghcki.exe 101 PID 4032 wrote to memory of 588 4032 Igqkqiai.exe 102 PID 4032 wrote to memory of 588 4032 Igqkqiai.exe 102 PID 4032 wrote to memory of 588 4032 Igqkqiai.exe 102 PID 588 wrote to memory of 3052 588 Iafonaao.exe 103 PID 588 wrote to memory of 3052 588 Iafonaao.exe 103 PID 588 wrote to memory of 3052 588 Iafonaao.exe 103 PID 3052 wrote to memory of 952 3052 Inmpcc32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc0bbb263dfe2df49435c3061c68b8b5f51cd30c31105dbf49c054a97e2d3ce7.exe"C:\Users\Admin\AppData\Local\Temp\dc0bbb263dfe2df49435c3061c68b8b5f51cd30c31105dbf49c054a97e2d3ce7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe23⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe24⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3420 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe26⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe28⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe29⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe30⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe31⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe32⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe33⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe34⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe35⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe36⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe38⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe39⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe40⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe41⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3612 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe43⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe45⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe46⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4100 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe48⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe49⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4496 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe51⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe52⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe53⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe54⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe55⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe56⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe57⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe58⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe59⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe61⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:728 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe63⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3412 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe65⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe66⤵PID:4332
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe67⤵PID:2412
-
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe68⤵PID:3840
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe69⤵PID:3920
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe70⤵PID:824
-
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe71⤵PID:4144
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe72⤵PID:3516
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe73⤵PID:4956
-
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe74⤵PID:4408
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe75⤵PID:3936
-
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe76⤵
- System Location Discovery: System Language Discovery
PID:3572 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe77⤵PID:2824
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe78⤵
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe79⤵PID:216
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe80⤵PID:5092
-
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe81⤵PID:4844
-
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe83⤵PID:3356
-
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe84⤵
- Modifies registry class
PID:4484 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe85⤵
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe86⤵PID:444
-
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe87⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe88⤵PID:1928
-
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe89⤵PID:2484
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe90⤵PID:1756
-
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe92⤵PID:2064
-
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe93⤵PID:4516
-
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe94⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe95⤵PID:4848
-
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe96⤵PID:3588
-
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe97⤵PID:3284
-
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe98⤵PID:4356
-
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1568 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe100⤵PID:3372
-
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe101⤵PID:1760
-
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe102⤵
- Modifies registry class
PID:4708 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe103⤵PID:2436
-
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe104⤵PID:956
-
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe105⤵PID:4876
-
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe108⤵PID:4788
-
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4060 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe110⤵PID:2364
-
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe111⤵PID:2796
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe112⤵
- System Location Discovery: System Language Discovery
PID:3524 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1300 -
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe114⤵PID:684
-
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe115⤵PID:5132
-
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5176 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe117⤵
- Drops file in System32 directory
PID:5220 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe118⤵PID:5264
-
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe119⤵
- Modifies registry class
PID:5308 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe120⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe121⤵PID:5396
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-