Analysis
-
max time kernel
93s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/12/2024, 01:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e873bf9539e94d3fec6387809fa77230eb1048d13f8595f9eed09a213b5b588e.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
e873bf9539e94d3fec6387809fa77230eb1048d13f8595f9eed09a213b5b588e.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
e873bf9539e94d3fec6387809fa77230eb1048d13f8595f9eed09a213b5b588e.exe
-
Size
88KB
-
MD5
e72e95f9ccd5e1bae746475993ba413e
-
SHA1
26691e7f7eace3adfc53c1b3ad9decb231d37991
-
SHA256
e873bf9539e94d3fec6387809fa77230eb1048d13f8595f9eed09a213b5b588e
-
SHA512
f71f12ee260e4e131d5dcf656e79d0c843f9d33cf27c924963e5e6a9966214e802008ab3b40776c0c2da98e5d0383c3821ec8350c5265806dece61d17e6eafea
-
SSDEEP
1536:L3sGxaeoVlMMlQvlnej/vfhoKfb9EG6yjaBKll+EDtHoSKyo3IgK0LIjPnouy8L:L3LxaTMMKeTF9T6yVll+EDtHouo4tgIV
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajlekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egmjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbladn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neopbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngomli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgknfcmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpebch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeilbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpoppnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qleaamkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bopmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdhfbacf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hojnnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpiab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kflninba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pomgmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qflpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekkcjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emniakno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fogham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbhjje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjedi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daqblk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppemfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifbblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqhafcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmbpoofo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bckijehc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmgfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cakpjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hojnnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgoecgef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bappnpkh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifpefbja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohdkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbkpdea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibdifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fneobj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbnecplk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfjjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miomggom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qqadmagh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofgmml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfolehep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhfjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgakeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlfcbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhiccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfpgmmpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cicqnjmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhpmjbch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goedbkag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbigdhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mimpagqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplaiqdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmfjhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpippeho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfolehep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onqbdihj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhfbacf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqadmagh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajanffhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afjlqgkb.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2852 Lefkpq32.exe 1032 Llpcljnl.exe 3608 Ldgkmhno.exe 3448 Lffhjcmb.exe 3972 Lmppfm32.exe 2544 Ldjhcgll.exe 2772 Lekekp32.exe 3096 Lmbmlmbl.exe 3080 Mboeddad.exe 3020 Memapppg.exe 4280 Mlgjmi32.exe 1440 Mcabjcoa.exe 2840 Mepnfone.exe 1696 Mmgfgl32.exe 4980 Mpebch32.exe 2988 Minglmdk.exe 116 Mllchico.exe 1764 Mgageace.exe 5104 Mipcambi.exe 4020 Megdfnhm.exe 4888 Nnpimkfl.exe 1176 Nnbebk32.exe 1896 Npabof32.exe 1840 Nlhbdgia.exe 3620 Nfpgmmpb.exe 1340 Npekjeph.exe 3472 Ngpcgp32.exe 2892 Nlllof32.exe 3500 Ophhpene.exe 5072 Ojplhkdf.exe 2740 Opjeee32.exe 3816 Ofgmml32.exe 2492 Opmakd32.exe 4800 Ockngp32.exe 688 Onqbdihj.exe 3224 Odjjqc32.exe 4112 Oflfhkee.exe 2600 Olfoee32.exe 4328 Odmgfb32.exe 1888 Ojjooilk.exe 3396 Omhlkeko.exe 3364 Pjlldiji.exe 976 Pqfdac32.exe 4008 Pgplnmib.exe 4264 Pnjejgpo.exe 3544 Pqhafcoc.exe 3128 Pfeiojnj.exe 2604 Pqknlbmp.exe 4896 Pgdfim32.exe 2260 Pjcbeh32.exe 640 Pdhfbacf.exe 4952 Pckfnn32.exe 1868 Pnakkf32.exe 180 Qqoggb32.exe 4128 Qflpoi32.exe 380 Qjhlpgpk.exe 3672 Qqadmagh.exe 5080 Qcppimfl.exe 4276 Qfolehep.exe 4320 Amhdab32.exe 4076 Ajlekg32.exe 3900 Aqfmhacc.exe 456 Afcfph32.exe 4596 Anjnae32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bhlemopg.dll Fdaddd32.exe File created C:\Windows\SysWOW64\Biogck32.exe Bfqkgp32.exe File opened for modification C:\Windows\SysWOW64\Bebbom32.exe Bjmnbd32.exe File created C:\Windows\SysWOW64\Dhbgclnj.dll Gefjif32.exe File created C:\Windows\SysWOW64\Mnknjegk.dll Afghqa32.exe File created C:\Windows\SysWOW64\Edfdhego.exe Emlllk32.exe File created C:\Windows\SysWOW64\Gehfofol.exe Gonnblgo.exe File created C:\Windows\SysWOW64\Plagfm32.exe Pfgojchl.exe File opened for modification C:\Windows\SysWOW64\Afboeano.exe Aqffmkpg.exe File created C:\Windows\SysWOW64\Oflfhkee.exe Odjjqc32.exe File created C:\Windows\SysWOW64\Emlllk32.exe Eknppp32.exe File created C:\Windows\SysWOW64\Klapqf32.exe Keghdl32.exe File created C:\Windows\SysWOW64\Mlecjp32.dll Qgfldf32.exe File created C:\Windows\SysWOW64\Cdlhki32.exe Canlon32.exe File created C:\Windows\SysWOW64\Fogham32.exe Fkllanen.exe File opened for modification C:\Windows\SysWOW64\Mhkgbdlp.exe Mfjjjl32.exe File created C:\Windows\SysWOW64\Hnlqmnoo.dll Nppkdp32.exe File created C:\Windows\SysWOW64\Lmbmlmbl.exe Lekekp32.exe File created C:\Windows\SysWOW64\Mpebch32.exe Mmgfgl32.exe File created C:\Windows\SysWOW64\Mgageace.exe Mllchico.exe File opened for modification C:\Windows\SysWOW64\Bjmnbd32.exe Bccfej32.exe File opened for modification C:\Windows\SysWOW64\Dokpoq32.exe Dmlcennd.exe File opened for modification C:\Windows\SysWOW64\Nplaiqdg.exe Nhdjhcce.exe File created C:\Windows\SysWOW64\Pfbfod32.exe Pgoecgef.exe File opened for modification C:\Windows\SysWOW64\Aofjch32.exe Aqcjhkaj.exe File opened for modification C:\Windows\SysWOW64\Pjlldiji.exe Omhlkeko.exe File created C:\Windows\SysWOW64\Hnnamhjg.dll Pfeiojnj.exe File opened for modification C:\Windows\SysWOW64\Cfmamdkm.exe Chjaag32.exe File created C:\Windows\SysWOW64\Ndnleh32.dll Cabfjmkc.exe File created C:\Windows\SysWOW64\Jinkikkb.exe Jbdbmace.exe File created C:\Windows\SysWOW64\Mldllahm.dll Qfolehep.exe File opened for modification C:\Windows\SysWOW64\Goedbkag.exe Ghklfq32.exe File created C:\Windows\SysWOW64\Hoadoigj.exe Hhglbo32.exe File created C:\Windows\SysWOW64\Hdcgkj32.dll Lechpjdf.exe File created C:\Windows\SysWOW64\Ojdgmgll.dll Noehelej.exe File created C:\Windows\SysWOW64\Keabimfi.dll Bfnnap32.exe File opened for modification C:\Windows\SysWOW64\Ockngp32.exe Opmakd32.exe File opened for modification C:\Windows\SysWOW64\Opmakd32.exe Ofgmml32.exe File created C:\Windows\SysWOW64\Eajebj32.exe Emniakno.exe File opened for modification C:\Windows\SysWOW64\Lfeaomjf.exe Llpmbd32.exe File created C:\Windows\SysWOW64\Meogkiji.exe Mflgpl32.exe File opened for modification C:\Windows\SysWOW64\Mcabjcoa.exe Mlgjmi32.exe File opened for modification C:\Windows\SysWOW64\Mgageace.exe Mllchico.exe File created C:\Windows\SysWOW64\Nfpgmmpb.exe Nlhbdgia.exe File created C:\Windows\SysWOW64\Cpjkogep.dll Cjhmnc32.exe File created C:\Windows\SysWOW64\Cmhbheik.dll Pfgojchl.exe File opened for modification C:\Windows\SysWOW64\Celeel32.exe Cmdmdo32.exe File created C:\Windows\SysWOW64\Iipohm32.exe Ifbblb32.exe File opened for modification C:\Windows\SysWOW64\Oeffce32.exe Oedjmfha.exe File created C:\Windows\SysWOW64\Bgnkkckd.exe Bimkmk32.exe File opened for modification C:\Windows\SysWOW64\Lechpjdf.exe Lnipcp32.exe File created C:\Windows\SysWOW64\Neopbf32.exe Noehelej.exe File opened for modification C:\Windows\SysWOW64\Biadhkop.exe Bpippeho.exe File created C:\Windows\SysWOW64\Olehko32.exe Oghpbh32.exe File created C:\Windows\SysWOW64\Ibdllp32.dll Pqfdac32.exe File created C:\Windows\SysWOW64\Egdqdagb.exe Edfdhego.exe File created C:\Windows\SysWOW64\Bccfej32.exe Bmimhpoj.exe File created C:\Windows\SysWOW64\Cmdmdo32.exe Cjfqhcei.exe File created C:\Windows\SysWOW64\Emniakno.exe Egdqdagb.exe File opened for modification C:\Windows\SysWOW64\Joamef32.exe Jgjedi32.exe File opened for modification C:\Windows\SysWOW64\Llpmbd32.exe Liapfi32.exe File created C:\Windows\SysWOW64\Mfcmqknf.exe Mpieda32.exe File opened for modification C:\Windows\SysWOW64\Qodmnhjg.exe Qleaamkc.exe File opened for modification C:\Windows\SysWOW64\Oflfhkee.exe Odjjqc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8724 8516 WerFault.exe 415 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnagdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjaiijk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpebch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhnilp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijjejae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeaomjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjihdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfkieb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqhafcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iilemnkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojplhkdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgmml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpiab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plagfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcabjcoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Minglmdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifklkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgakeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbladn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mldfmcfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocfmajin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cakiohmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhdab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gecmcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdfea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oedjmfha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoaqhhlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afcfph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aclpdklo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjjpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgoecgef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cabfjmkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnokofaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjeee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcnljkjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmdmdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjaag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbpkcad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aofjch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjhcgll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Megdfnhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfihmabf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pckfnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khknkgjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlklnbpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimkmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhbdgia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeiojnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhbbgpcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgonohdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Licmkhij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlhki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Golamlib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meogkiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjhdgeai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eknppp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eonekn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keeknl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemcmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpoppnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmppfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dalhqlbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egdqdagb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mflgpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfkdnkk.dll" Qodmnhjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljcdici.dll" Canlon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghklfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbchemic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfnnap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgnkkckd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igekijlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghdfea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egdqdagb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jenenmgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kflninba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpdbbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caedacjk.dll" Lnipcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfcmqknf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmimhpoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdhfbacf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhobfi32.dll" Amhdab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajcklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdchfg32.dll" Kndfhaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neopbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjlldiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qqadmagh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfcogecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfiaibap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidkcf32.dll" Jgakeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofgmml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfpgmmpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aclpdklo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjhmnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhbheik.dll" Pfgojchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mipcambi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Faednh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgoecgef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pomgmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biadhkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eknppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leibaqof.dll" Bfcogecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbljhbc.dll" Nghflj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocfmajin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqhccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjojdjno.dll" Bimkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmbmlmbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdppeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlecjp32.dll" Qgfldf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qfolehep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqffmkpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edcgcfja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khknkgjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncgehgf.dll" Lejnpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkeogmmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlllof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnamhjg.dll" Pfeiojnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbbfgafh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlfcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhiccb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mepnfone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghpcaolp.dll" Mlklnbpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibicacnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbmja32.dll" Omhlkeko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajanffhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfhad32.dll" Bglepipb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npbhjp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4088 wrote to memory of 2852 4088 e873bf9539e94d3fec6387809fa77230eb1048d13f8595f9eed09a213b5b588e.exe 81 PID 4088 wrote to memory of 2852 4088 e873bf9539e94d3fec6387809fa77230eb1048d13f8595f9eed09a213b5b588e.exe 81 PID 4088 wrote to memory of 2852 4088 e873bf9539e94d3fec6387809fa77230eb1048d13f8595f9eed09a213b5b588e.exe 81 PID 2852 wrote to memory of 1032 2852 Lefkpq32.exe 82 PID 2852 wrote to memory of 1032 2852 Lefkpq32.exe 82 PID 2852 wrote to memory of 1032 2852 Lefkpq32.exe 82 PID 1032 wrote to memory of 3608 1032 Llpcljnl.exe 83 PID 1032 wrote to memory of 3608 1032 Llpcljnl.exe 83 PID 1032 wrote to memory of 3608 1032 Llpcljnl.exe 83 PID 3608 wrote to memory of 3448 3608 Ldgkmhno.exe 84 PID 3608 wrote to memory of 3448 3608 Ldgkmhno.exe 84 PID 3608 wrote to memory of 3448 3608 Ldgkmhno.exe 84 PID 3448 wrote to memory of 3972 3448 Lffhjcmb.exe 85 PID 3448 wrote to memory of 3972 3448 Lffhjcmb.exe 85 PID 3448 wrote to memory of 3972 3448 Lffhjcmb.exe 85 PID 3972 wrote to memory of 2544 3972 Lmppfm32.exe 86 PID 3972 wrote to memory of 2544 3972 Lmppfm32.exe 86 PID 3972 wrote to memory of 2544 3972 Lmppfm32.exe 86 PID 2544 wrote to memory of 2772 2544 Ldjhcgll.exe 87 PID 2544 wrote to memory of 2772 2544 Ldjhcgll.exe 87 PID 2544 wrote to memory of 2772 2544 Ldjhcgll.exe 87 PID 2772 wrote to memory of 3096 2772 Lekekp32.exe 88 PID 2772 wrote to memory of 3096 2772 Lekekp32.exe 88 PID 2772 wrote to memory of 3096 2772 Lekekp32.exe 88 PID 3096 wrote to memory of 3080 3096 Lmbmlmbl.exe 89 PID 3096 wrote to memory of 3080 3096 Lmbmlmbl.exe 89 PID 3096 wrote to memory of 3080 3096 Lmbmlmbl.exe 89 PID 3080 wrote to memory of 3020 3080 Mboeddad.exe 90 PID 3080 wrote to memory of 3020 3080 Mboeddad.exe 90 PID 3080 wrote to memory of 3020 3080 Mboeddad.exe 90 PID 3020 wrote to memory of 4280 3020 Memapppg.exe 91 PID 3020 wrote to memory of 4280 3020 Memapppg.exe 91 PID 3020 wrote to memory of 4280 3020 Memapppg.exe 91 PID 4280 wrote to memory of 1440 4280 Mlgjmi32.exe 92 PID 4280 wrote to memory of 1440 4280 Mlgjmi32.exe 92 PID 4280 wrote to memory of 1440 4280 Mlgjmi32.exe 92 PID 1440 wrote to memory of 2840 1440 Mcabjcoa.exe 93 PID 1440 wrote to memory of 2840 1440 Mcabjcoa.exe 93 PID 1440 wrote to memory of 2840 1440 Mcabjcoa.exe 93 PID 2840 wrote to memory of 1696 2840 Mepnfone.exe 94 PID 2840 wrote to memory of 1696 2840 Mepnfone.exe 94 PID 2840 wrote to memory of 1696 2840 Mepnfone.exe 94 PID 1696 wrote to memory of 4980 1696 Mmgfgl32.exe 95 PID 1696 wrote to memory of 4980 1696 Mmgfgl32.exe 95 PID 1696 wrote to memory of 4980 1696 Mmgfgl32.exe 95 PID 4980 wrote to memory of 2988 4980 Mpebch32.exe 96 PID 4980 wrote to memory of 2988 4980 Mpebch32.exe 96 PID 4980 wrote to memory of 2988 4980 Mpebch32.exe 96 PID 2988 wrote to memory of 116 2988 Minglmdk.exe 97 PID 2988 wrote to memory of 116 2988 Minglmdk.exe 97 PID 2988 wrote to memory of 116 2988 Minglmdk.exe 97 PID 116 wrote to memory of 1764 116 Mllchico.exe 98 PID 116 wrote to memory of 1764 116 Mllchico.exe 98 PID 116 wrote to memory of 1764 116 Mllchico.exe 98 PID 1764 wrote to memory of 5104 1764 Mgageace.exe 99 PID 1764 wrote to memory of 5104 1764 Mgageace.exe 99 PID 1764 wrote to memory of 5104 1764 Mgageace.exe 99 PID 5104 wrote to memory of 4020 5104 Mipcambi.exe 100 PID 5104 wrote to memory of 4020 5104 Mipcambi.exe 100 PID 5104 wrote to memory of 4020 5104 Mipcambi.exe 100 PID 4020 wrote to memory of 4888 4020 Megdfnhm.exe 101 PID 4020 wrote to memory of 4888 4020 Megdfnhm.exe 101 PID 4020 wrote to memory of 4888 4020 Megdfnhm.exe 101 PID 4888 wrote to memory of 1176 4888 Nnpimkfl.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\e873bf9539e94d3fec6387809fa77230eb1048d13f8595f9eed09a213b5b588e.exe"C:\Users\Admin\AppData\Local\Temp\e873bf9539e94d3fec6387809fa77230eb1048d13f8595f9eed09a213b5b588e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Lefkpq32.exeC:\Windows\system32\Lefkpq32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Llpcljnl.exeC:\Windows\system32\Llpcljnl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Ldgkmhno.exeC:\Windows\system32\Ldgkmhno.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Lffhjcmb.exeC:\Windows\system32\Lffhjcmb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Lmppfm32.exeC:\Windows\system32\Lmppfm32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Ldjhcgll.exeC:\Windows\system32\Ldjhcgll.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Lekekp32.exeC:\Windows\system32\Lekekp32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Lmbmlmbl.exeC:\Windows\system32\Lmbmlmbl.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Mboeddad.exeC:\Windows\system32\Mboeddad.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Memapppg.exeC:\Windows\system32\Memapppg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Mlgjmi32.exeC:\Windows\system32\Mlgjmi32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Mcabjcoa.exeC:\Windows\system32\Mcabjcoa.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Mepnfone.exeC:\Windows\system32\Mepnfone.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Mmgfgl32.exeC:\Windows\system32\Mmgfgl32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Mpebch32.exeC:\Windows\system32\Mpebch32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Minglmdk.exeC:\Windows\system32\Minglmdk.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Mllchico.exeC:\Windows\system32\Mllchico.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Mgageace.exeC:\Windows\system32\Mgageace.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Mipcambi.exeC:\Windows\system32\Mipcambi.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Megdfnhm.exeC:\Windows\system32\Megdfnhm.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Nnpimkfl.exeC:\Windows\system32\Nnpimkfl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Nnbebk32.exeC:\Windows\system32\Nnbebk32.exe23⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Npabof32.exeC:\Windows\system32\Npabof32.exe24⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Nlhbdgia.exeC:\Windows\system32\Nlhbdgia.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1840 -
C:\Windows\SysWOW64\Nfpgmmpb.exeC:\Windows\system32\Nfpgmmpb.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3620 -
C:\Windows\SysWOW64\Npekjeph.exeC:\Windows\system32\Npekjeph.exe27⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Ngpcgp32.exeC:\Windows\system32\Ngpcgp32.exe28⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Nlllof32.exeC:\Windows\system32\Nlllof32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Ophhpene.exeC:\Windows\system32\Ophhpene.exe30⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Ojplhkdf.exeC:\Windows\system32\Ojplhkdf.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5072 -
C:\Windows\SysWOW64\Opjeee32.exeC:\Windows\system32\Opjeee32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Ofgmml32.exeC:\Windows\system32\Ofgmml32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3816 -
C:\Windows\SysWOW64\Opmakd32.exeC:\Windows\system32\Opmakd32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Ockngp32.exeC:\Windows\system32\Ockngp32.exe35⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Onqbdihj.exeC:\Windows\system32\Onqbdihj.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Odjjqc32.exeC:\Windows\system32\Odjjqc32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3224 -
C:\Windows\SysWOW64\Oflfhkee.exeC:\Windows\system32\Oflfhkee.exe38⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Olfoee32.exeC:\Windows\system32\Olfoee32.exe39⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Odmgfb32.exeC:\Windows\system32\Odmgfb32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4328 -
C:\Windows\SysWOW64\Ojjooilk.exeC:\Windows\system32\Ojjooilk.exe41⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Omhlkeko.exeC:\Windows\system32\Omhlkeko.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3396 -
C:\Windows\SysWOW64\Pjlldiji.exeC:\Windows\system32\Pjlldiji.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3364 -
C:\Windows\SysWOW64\Pqfdac32.exeC:\Windows\system32\Pqfdac32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Pgplnmib.exeC:\Windows\system32\Pgplnmib.exe45⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Pnjejgpo.exeC:\Windows\system32\Pnjejgpo.exe46⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Pqhafcoc.exeC:\Windows\system32\Pqhafcoc.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3544 -
C:\Windows\SysWOW64\Pfeiojnj.exeC:\Windows\system32\Pfeiojnj.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3128 -
C:\Windows\SysWOW64\Pqknlbmp.exeC:\Windows\system32\Pqknlbmp.exe49⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Pgdfim32.exeC:\Windows\system32\Pgdfim32.exe50⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Pjcbeh32.exeC:\Windows\system32\Pjcbeh32.exe51⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Pdhfbacf.exeC:\Windows\system32\Pdhfbacf.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Pckfnn32.exeC:\Windows\system32\Pckfnn32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4952 -
C:\Windows\SysWOW64\Pnakkf32.exeC:\Windows\system32\Pnakkf32.exe54⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Qqoggb32.exeC:\Windows\system32\Qqoggb32.exe55⤵
- Executes dropped EXE
PID:180 -
C:\Windows\SysWOW64\Qflpoi32.exeC:\Windows\system32\Qflpoi32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Qjhlpgpk.exeC:\Windows\system32\Qjhlpgpk.exe57⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Qqadmagh.exeC:\Windows\system32\Qqadmagh.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3672 -
C:\Windows\SysWOW64\Qcppimfl.exeC:\Windows\system32\Qcppimfl.exe59⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Qfolehep.exeC:\Windows\system32\Qfolehep.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4276 -
C:\Windows\SysWOW64\Amhdab32.exeC:\Windows\system32\Amhdab32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4320 -
C:\Windows\SysWOW64\Ajlekg32.exeC:\Windows\system32\Ajlekg32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Aqfmhacc.exeC:\Windows\system32\Aqfmhacc.exe63⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Afcfph32.exeC:\Windows\system32\Afcfph32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:456 -
C:\Windows\SysWOW64\Anjnae32.exeC:\Windows\system32\Anjnae32.exe65⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Aqijmq32.exeC:\Windows\system32\Aqijmq32.exe66⤵PID:3568
-
C:\Windows\SysWOW64\Ajanffhq.exeC:\Windows\system32\Ajanffhq.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Aakfcp32.exeC:\Windows\system32\Aakfcp32.exe68⤵PID:2960
-
C:\Windows\SysWOW64\Ageopj32.exeC:\Windows\system32\Ageopj32.exe69⤵PID:4880
-
C:\Windows\SysWOW64\Afhokgme.exeC:\Windows\system32\Afhokgme.exe70⤵PID:4472
-
C:\Windows\SysWOW64\Ajcklf32.exeC:\Windows\system32\Ajcklf32.exe71⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Aclpdklo.exeC:\Windows\system32\Aclpdklo.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Afjlqgkb.exeC:\Windows\system32\Afjlqgkb.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:476 -
C:\Windows\SysWOW64\Bappnpkh.exeC:\Windows\system32\Bappnpkh.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Bcnljkjl.exeC:\Windows\system32\Bcnljkjl.exe75⤵
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Bjhdgeai.exeC:\Windows\system32\Bjhdgeai.exe76⤵
- System Location Discovery: System Language Discovery
PID:3528 -
C:\Windows\SysWOW64\Bmfqcqql.exeC:\Windows\system32\Bmfqcqql.exe77⤵PID:1276
-
C:\Windows\SysWOW64\Bglepipb.exeC:\Windows\system32\Bglepipb.exe78⤵
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\Bmimhpoj.exeC:\Windows\system32\Bmimhpoj.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Bccfej32.exeC:\Windows\system32\Bccfej32.exe80⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Bjmnbd32.exeC:\Windows\system32\Bjmnbd32.exe81⤵
- Drops file in System32 directory
PID:3092 -
C:\Windows\SysWOW64\Bebbom32.exeC:\Windows\system32\Bebbom32.exe82⤵PID:2816
-
C:\Windows\SysWOW64\Bfcogecg.exeC:\Windows\system32\Bfcogecg.exe83⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Bmngcp32.exeC:\Windows\system32\Bmngcp32.exe84⤵PID:2024
-
C:\Windows\SysWOW64\Bhckqh32.exeC:\Windows\system32\Bhckqh32.exe85⤵PID:2196
-
C:\Windows\SysWOW64\Cnmcnb32.exeC:\Windows\system32\Cnmcnb32.exe86⤵PID:4548
-
C:\Windows\SysWOW64\Cakpjn32.exeC:\Windows\system32\Cakpjn32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4036 -
C:\Windows\SysWOW64\Cfhhbe32.exeC:\Windows\system32\Cfhhbe32.exe88⤵PID:4492
-
C:\Windows\SysWOW64\Cmbpoofo.exeC:\Windows\system32\Cmbpoofo.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4828 -
C:\Windows\SysWOW64\Canlon32.exeC:\Windows\system32\Canlon32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Cdlhki32.exeC:\Windows\system32\Cdlhki32.exe91⤵
- System Location Discovery: System Language Discovery
PID:3532 -
C:\Windows\SysWOW64\Cfkegd32.exeC:\Windows\system32\Cfkegd32.exe92⤵PID:384
-
C:\Windows\SysWOW64\Cjfqhcei.exeC:\Windows\system32\Cjfqhcei.exe93⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Cmdmdo32.exeC:\Windows\system32\Cmdmdo32.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3932 -
C:\Windows\SysWOW64\Celeel32.exeC:\Windows\system32\Celeel32.exe95⤵PID:2364
-
C:\Windows\SysWOW64\Chjaag32.exeC:\Windows\system32\Chjaag32.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Cfmamdkm.exeC:\Windows\system32\Cfmamdkm.exe97⤵PID:3312
-
C:\Windows\SysWOW64\Cjhmnc32.exeC:\Windows\system32\Cjhmnc32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:4692 -
C:\Windows\SysWOW64\Cmgjjn32.exeC:\Windows\system32\Cmgjjn32.exe99⤵PID:1160
-
C:\Windows\SysWOW64\Cabfjmkc.exeC:\Windows\system32\Cabfjmkc.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Cdcolh32.exeC:\Windows\system32\Cdcolh32.exe101⤵PID:2696
-
C:\Windows\SysWOW64\Dmlcennd.exeC:\Windows\system32\Dmlcennd.exe102⤵
- Drops file in System32 directory
PID:4000 -
C:\Windows\SysWOW64\Dokpoq32.exeC:\Windows\system32\Dokpoq32.exe103⤵PID:2908
-
C:\Windows\SysWOW64\Deehkk32.exeC:\Windows\system32\Deehkk32.exe104⤵PID:2336
-
C:\Windows\SysWOW64\Dffdcccb.exeC:\Windows\system32\Dffdcccb.exe105⤵PID:5016
-
C:\Windows\SysWOW64\Dalhqlbh.exeC:\Windows\system32\Dalhqlbh.exe106⤵
- System Location Discovery: System Language Discovery
PID:5140 -
C:\Windows\SysWOW64\Dhfqmf32.exeC:\Windows\system32\Dhfqmf32.exe107⤵PID:5184
-
C:\Windows\SysWOW64\Dfiaibap.exeC:\Windows\system32\Dfiaibap.exe108⤵
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Dmbiem32.exeC:\Windows\system32\Dmbiem32.exe109⤵PID:5272
-
C:\Windows\SysWOW64\Dejafj32.exeC:\Windows\system32\Dejafj32.exe110⤵PID:5316
-
C:\Windows\SysWOW64\Dkfjoagf.exeC:\Windows\system32\Dkfjoagf.exe111⤵PID:5360
-
C:\Windows\SysWOW64\Daqblk32.exeC:\Windows\system32\Daqblk32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5404 -
C:\Windows\SysWOW64\Egmjdb32.exeC:\Windows\system32\Egmjdb32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Eodbeo32.exeC:\Windows\system32\Eodbeo32.exe114⤵PID:5496
-
C:\Windows\SysWOW64\Eeokaiei.exeC:\Windows\system32\Eeokaiei.exe115⤵PID:5540
-
C:\Windows\SysWOW64\Ehmgne32.exeC:\Windows\system32\Ehmgne32.exe116⤵PID:5584
-
C:\Windows\SysWOW64\Ekkcjp32.exeC:\Windows\system32\Ekkcjp32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5628 -
C:\Windows\SysWOW64\Eaekgjjn.exeC:\Windows\system32\Eaekgjjn.exe118⤵PID:5676
-
C:\Windows\SysWOW64\Edcgcfja.exeC:\Windows\system32\Edcgcfja.exe119⤵
- Modifies registry class
PID:5720 -
C:\Windows\SysWOW64\Eknppp32.exeC:\Windows\system32\Eknppp32.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5764 -
C:\Windows\SysWOW64\Emlllk32.exeC:\Windows\system32\Emlllk32.exe121⤵
- Drops file in System32 directory
PID:5808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-