Analysis

max time kernel: 114s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 10:23

Behavioral task: behavioral1
Sample: 786106edbbecf0807d70821bebb5b5fd63a9dfb0511883dc89b22bb85eec91f3.exe
Resource: win7-20240903-en

General

Target: 786106edbbecf0807d70821bebb5b5fd63a9dfb0511883dc89b22bb85eec91f3.exe
Size: 93KB
MD5: 0afce24e9e24c2c6cb4f0f113be5ab45
SHA1: 3ee4afdb99e71e1328d445c6a1b467389c521113
SHA256: 786106edbbecf0807d70821bebb5b5fd63a9dfb0511883dc89b22bb85eec91f3
SHA512: 9d17539842ac7613ee4c44d89089978f24193ff907317aef3f82ccc23238f97905a95bdd7a416ba14a0111ca2a83d2d09a1ecf46ae2cdb568adad36ad4a47bd5
SSDEEP: 1536:Vj1IwfyQTYTgcAr95LVui1DaYfMZRWuLsV+1T:VbhOyRhEigYfc0DV+1T
Malware Config

Extracted: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family

Njrat family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4088 wrote to memory of 1888 | 4088 | 786106edbbecf0807d70821bebb5b5fd63a9dfb0511883dc89b22bb85eec91f3.exe | 81
PID 4088 wrote to memory of 1888 | 4088 | 786106edbbecf0807d70821bebb5b5fd63a9dfb0511883dc89b22bb85eec91f3.exe | 81
PID 4088 wrote to memory of 1888 | 4088 | 786106edbbecf0807d70821bebb5b5fd63a9dfb0511883dc89b22bb85eec91f3.exe | 81
PID 1888 wrote to memory of 1624 | 1888 | Llnggk32.exe | 82
PID 1888 wrote to memory of 1624 | 1888 | Llnggk32.exe | 82
PID 1888 wrote to memory of 1624 | 1888 | Llnggk32.exe | 82
PID 1624 wrote to memory of 1592 | 1624 | Lbhocegl.exe | 83
PID 1624 wrote to memory of 1592 | 1624 | Lbhocegl.exe | 83
PID 1624 wrote to memory of 1592 | 1624 | Lbhocegl.exe | 83
PID 1592 wrote to memory of 3616 | 1592 | Lefkpq32.exe | 84
PID 1592 wrote to memory of 3616 | 1592 | Lefkpq32.exe | 84
PID 1592 wrote to memory of 3616 | 1592 | Lefkpq32.exe | 84
PID 3616 wrote to memory of 2972 | 3616 | Lmmcqn32.exe | 85
PID 3616 wrote to memory of 2972 | 3616 | Lmmcqn32.exe | 85
PID 3616 wrote to memory of 2972 | 3616 | Lmmcqn32.exe | 85
PID 2972 wrote to memory of 4520 | 2972 | Lbjlid32.exe | 86
PID 2972 wrote to memory of 4520 | 2972 | Lbjlid32.exe | 86
PID 2972 wrote to memory of 4520 | 2972 | Lbjlid32.exe | 86
PID 4520 wrote to memory of 4264 | 4520 | Liddfolf.exe | 87
PID 4520 wrote to memory of 4264 | 4520 | Liddfolf.exe | 87
PID 4520 wrote to memory of 4264 | 4520 | Liddfolf.exe | 87
PID 4264 wrote to memory of 3416 | 4264 | Lpnlbi32.exe | 88
PID 4264 wrote to memory of 3416 | 4264 | Lpnlbi32.exe | 88
PID 4264 wrote to memory of 3416 | 4264 | Lpnlbi32.exe | 88
PID 3416 wrote to memory of 2928 | 3416 | Lbmhod32.exe | 89
PID 3416 wrote to memory of 2928 | 3416 | Lbmhod32.exe | 89
PID 3416 wrote to memory of 2928 | 3416 | Lbmhod32.exe | 89
PID 2928 wrote to memory of 2236 | 2928 | Lmbmlmbl.exe | 90
PID 2928 wrote to memory of 2236 | 2928 | Lmbmlmbl.exe | 90
PID 2928 wrote to memory of 2236 | 2928 | Lmbmlmbl.exe | 90
PID 2236 wrote to memory of 3528 | 2236 | Mboeddad.exe | 91
PID 2236 wrote to memory of 3528 | 2236 | Mboeddad.exe | 91
PID 2236 wrote to memory of 3528 | 2236 | Mboeddad.exe | 91
PID 3528 wrote to memory of 1652 | 3528 | Miiman32.exe | 92
PID 3528 wrote to memory of 1652 | 3528 | Miiman32.exe | 92
PID 3528 wrote to memory of 1652 | 3528 | Miiman32.exe | 92
PID 1652 wrote to memory of 4824 | 1652 | Mlgjmi32.exe | 93
PID 1652 wrote to memory of 4824 | 1652 | Mlgjmi32.exe | 93
PID 1652 wrote to memory of 4824 | 1652 | Mlgjmi32.exe | 93
PID 4824 wrote to memory of 3512 | 4824 | Mcabjcoa.exe | 94
PID 4824 wrote to memory of 3512 | 4824 | Mcabjcoa.exe | 94
PID 4824 wrote to memory of 3512 | 4824 | Mcabjcoa.exe | 94
PID 3512 wrote to memory of 764 | 3512 | Mljfbiea.exe | 95
PID 3512 wrote to memory of 764 | 3512 | Mljfbiea.exe | 95
PID 3512 wrote to memory of 764 | 3512 | Mljfbiea.exe | 95
PID 764 wrote to memory of 2120 | 764 | Mgokpbeh.exe | 96
PID 764 wrote to memory of 2120 | 764 | Mgokpbeh.exe | 96
PID 764 wrote to memory of 2120 | 764 | Mgokpbeh.exe | 96
PID 2120 wrote to memory of 116 | 2120 | Mdckifda.exe | 97
PID 2120 wrote to memory of 116 | 2120 | Mdckifda.exe | 97
PID 2120 wrote to memory of 116 | 2120 | Mdckifda.exe | 97
PID 116 wrote to memory of 4544 | 116 | Medgan32.exe | 98
PID 116 wrote to memory of 4544 | 116 | Medgan32.exe | 98
PID 116 wrote to memory of 4544 | 116 | Medgan32.exe | 98
PID 4544 wrote to memory of 5104 | 4544 | Mlnpnh32.exe | 99
PID 4544 wrote to memory of 5104 | 4544 | Mlnpnh32.exe | 99
PID 4544 wrote to memory of 5104 | 4544 | Mlnpnh32.exe | 99
PID 5104 wrote to memory of 1684 | 5104 | Mdehof32.exe | 100
PID 5104 wrote to memory of 1684 | 5104 | Mdehof32.exe | 100
PID 5104 wrote to memory of 1684 | 5104 | Mdehof32.exe | 100
PID 1684 wrote to memory of 4240 | 1684 | Megdfnhm.exe | 101
PID 1684 wrote to memory of 4240 | 1684 | Megdfnhm.exe | 101
PID 1684 wrote to memory of 4240 | 1684 | Megdfnhm.exe | 101
PID 4240 wrote to memory of 1472 | 4240 | Mibpgm32.exe | 102
Processes
(process tree: depth, image path, command line as launched, PID; each entry is followed by the signatures that process triggered)
1. C:\Users\Admin\AppData\Local\Temp\786106edbbecf0807d70821bebb5b5fd63a9dfb0511883dc89b22bb85eec91f3.exe (command line: "C:\Users\Admin\AppData\Local\Temp\786106edbbecf0807d70821bebb5b5fd63a9dfb0511883dc89b22bb85eec91f3.exe") PID:4088
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Llnggk32.exe (command line: C:\Windows\system32\Llnggk32.exe) PID:1888
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Lbhocegl.exe (command line: C:\Windows\system32\Lbhocegl.exe) PID:1624
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lefkpq32.exe (command line: C:\Windows\system32\Lefkpq32.exe) PID:1592
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Lmmcqn32.exe (command line: C:\Windows\system32\Lmmcqn32.exe) PID:3616
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Lbjlid32.exe (command line: C:\Windows\system32\Lbjlid32.exe) PID:2972
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Liddfolf.exe (command line: C:\Windows\system32\Liddfolf.exe) PID:4520
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Lpnlbi32.exe (command line: C:\Windows\system32\Lpnlbi32.exe) PID:4264
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Lbmhod32.exe (command line: C:\Windows\system32\Lbmhod32.exe) PID:3416
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lmbmlmbl.exe (command line: C:\Windows\system32\Lmbmlmbl.exe) PID:2928
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Mboeddad.exe (command line: C:\Windows\system32\Mboeddad.exe) PID:2236
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Miiman32.exe (command line: C:\Windows\system32\Miiman32.exe) PID:3528
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mlgjmi32.exe (command line: C:\Windows\system32\Mlgjmi32.exe) PID:1652
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mcabjcoa.exe (command line: C:\Windows\system32\Mcabjcoa.exe) PID:4824
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mljfbiea.exe (command line: C:\Windows\system32\Mljfbiea.exe) PID:3512
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mgokpbeh.exe (command line: C:\Windows\system32\Mgokpbeh.exe) PID:764
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mdckifda.exe (command line: C:\Windows\system32\Mdckifda.exe) PID:2120
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Medgan32.exe (command line: C:\Windows\system32\Medgan32.exe) PID:116
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Mlnpnh32.exe (command line: C:\Windows\system32\Mlnpnh32.exe) PID:4544
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Mdehof32.exe (command line: C:\Windows\system32\Mdehof32.exe) PID:5104
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Megdfnhm.exe (command line: C:\Windows\system32\Megdfnhm.exe) PID:1684
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Mibpgm32.exe (command line: C:\Windows\system32\Mibpgm32.exe) PID:4240
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Mlqlch32.exe (command line: C:\Windows\system32\Mlqlch32.exe) PID:1472
- Executes dropped EXE
- System Location Discovery: System Language Discovery
24. C:\Windows\SysWOW64\Ndhdde32.exe (command line: C:\Windows\system32\Ndhdde32.exe) PID:4176
- Executes dropped EXE
25. C:\Windows\SysWOW64\Nlciih32.exe (command line: C:\Windows\system32\Nlciih32.exe) PID:4996
- Executes dropped EXE
26. C:\Windows\SysWOW64\Neknam32.exe (command line: C:\Windows\system32\Neknam32.exe) PID:4320
- Executes dropped EXE
27. C:\Windows\SysWOW64\Nlefngkd.exe (command line: C:\Windows\system32\Nlefngkd.exe) PID:2112
- Executes dropped EXE
28. C:\Windows\SysWOW64\Ndlnoelf.exe (command line: C:\Windows\system32\Ndlnoelf.exe) PID:2724
- Executes dropped EXE
29. C:\Windows\SysWOW64\Njifhljn.exe (command line: C:\Windows\system32\Njifhljn.exe) PID:4516
- Executes dropped EXE
30. C:\Windows\SysWOW64\Ndoked32.exe (command line: C:\Windows\system32\Ndoked32.exe) PID:4680
- Executes dropped EXE
31. C:\Windows\SysWOW64\Njlcmk32.exe (command line: C:\Windows\system32\Njlcmk32.exe) PID:1912
- Executes dropped EXE
32. C:\Windows\SysWOW64\Ncdgfaol.exe (command line: C:\Windows\system32\Ncdgfaol.exe) PID:2080
- Executes dropped EXE
- Drops file in System32 directory
33. C:\Windows\SysWOW64\Nnilcjnb.exe (command line: C:\Windows\system32\Nnilcjnb.exe) PID:1192
- Executes dropped EXE
- System Location Discovery: System Language Discovery
34. C:\Windows\SysWOW64\Odcdpd32.exe (command line: C:\Windows\system32\Odcdpd32.exe) PID:5016
- Executes dropped EXE
35. C:\Windows\SysWOW64\Ogbploeb.exe (command line: C:\Windows\system32\Ogbploeb.exe) PID:4548
- Executes dropped EXE
36. C:\Windows\SysWOW64\Onlhii32.exe (command line: C:\Windows\system32\Onlhii32.exe) PID:2960
- Executes dropped EXE
37. C:\Windows\SysWOW64\Odfqecdl.exe (command line: C:\Windows\system32\Odfqecdl.exe) PID:1332
- Executes dropped EXE
38. C:\Windows\SysWOW64\Ofgmml32.exe (command line: C:\Windows\system32\Ofgmml32.exe) PID:4380
- Executes dropped EXE
39. C:\Windows\SysWOW64\Onneoi32.exe (command line: C:\Windows\system32\Onneoi32.exe) PID:3636
- Executes dropped EXE
40. C:\Windows\SysWOW64\Odhmkcbi.exe (command line: C:\Windows\system32\Odhmkcbi.exe) PID:4340
- Executes dropped EXE
41. C:\Windows\SysWOW64\Ogfjgo32.exe (command line: C:\Windows\system32\Ogfjgo32.exe) PID:1720
- Executes dropped EXE
42. C:\Windows\SysWOW64\Ojefcj32.exe (command line: C:\Windows\system32\Ojefcj32.exe) PID:4084
- Executes dropped EXE
43. C:\Windows\SysWOW64\Olcbpe32.exe (command line: C:\Windows\system32\Olcbpe32.exe) PID:1648
- Executes dropped EXE
44. C:\Windows\SysWOW64\Ocmjlpfa.exe (command line: C:\Windows\system32\Ocmjlpfa.exe) PID:3532
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
45. C:\Windows\SysWOW64\Oflfhkee.exe (command line: C:\Windows\system32\Oflfhkee.exe) PID:2652
- Executes dropped EXE
46. C:\Windows\SysWOW64\Olfoee32.exe (command line: C:\Windows\system32\Olfoee32.exe) PID:928
- Executes dropped EXE
47. C:\Windows\SysWOW64\Ocpgbodo.exe (command line: C:\Windows\system32\Ocpgbodo.exe) PID:1664
- Executes dropped EXE
48. C:\Windows\SysWOW64\Ojjooilk.exe (command line: C:\Windows\system32\Ojjooilk.exe) PID:3080
- Executes dropped EXE
49. C:\Windows\SysWOW64\Onekoh32.exe (command line: C:\Windows\system32\Onekoh32.exe) PID:3020
- Executes dropped EXE
50. C:\Windows\SysWOW64\Pdoclbla.exe (command line: C:\Windows\system32\Pdoclbla.exe) PID:4564
- Executes dropped EXE
51. C:\Windows\SysWOW64\Pfqpcj32.exe (command line: C:\Windows\system32\Pfqpcj32.exe) PID:3608
- Executes dropped EXE
52. C:\Windows\SysWOW64\Pqfdac32.exe (command line: C:\Windows\system32\Pqfdac32.exe) PID:3236
- Executes dropped EXE
53. C:\Windows\SysWOW64\Pdapabjo.exe (command line: C:\Windows\system32\Pdapabjo.exe) PID:444
- Executes dropped EXE
54. C:\Windows\SysWOW64\Pjnijihf.exe (command line: C:\Windows\system32\Pjnijihf.exe) PID:3704
- Executes dropped EXE
55. C:\Windows\SysWOW64\Pqhafcoc.exe (command line: C:\Windows\system32\Pqhafcoc.exe) PID:244
- Executes dropped EXE
56. C:\Windows\SysWOW64\Pgbicm32.exe (command line: C:\Windows\system32\Pgbicm32.exe) PID:2800
- Executes dropped EXE
57. C:\Windows\SysWOW64\Pjqeoh32.exe (command line: C:\Windows\system32\Pjqeoh32.exe) PID:2136
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
58. C:\Windows\SysWOW64\Pqknlbmp.exe (command line: C:\Windows\system32\Pqknlbmp.exe) PID:4852
- Executes dropped EXE
59. C:\Windows\SysWOW64\Pcijhnld.exe (command line: C:\Windows\system32\Pcijhnld.exe) PID:3916
- Executes dropped EXE
60. C:\Windows\SysWOW64\Pfgfdikg.exe (command line: C:\Windows\system32\Pfgfdikg.exe) PID:1872
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
61. C:\Windows\SysWOW64\Pmanaccd.exe (command line: C:\Windows\system32\Pmanaccd.exe) PID:4892
- Executes dropped EXE
62. C:\Windows\SysWOW64\Pdhfbacf.exe (command line: C:\Windows\system32\Pdhfbacf.exe) PID:3956
- Executes dropped EXE
63. C:\Windows\SysWOW64\Pggbnlbj.exe (command line: C:\Windows\system32\Pggbnlbj.exe) PID:4736
- Executes dropped EXE
64. C:\Windows\SysWOW64\Pnakkf32.exe (command line: C:\Windows\system32\Pnakkf32.exe) PID:4124
- Executes dropped EXE
65. C:\Windows\SysWOW64\Qcnccm32.exe (command line: C:\Windows\system32\Qcnccm32.exe) PID:3500
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
66. C:\Windows\SysWOW64\Qflpoi32.exe (command line: C:\Windows\system32\Qflpoi32.exe) PID:4440
- System Location Discovery: System Language Discovery
- Modifies registry class
67. C:\Windows\SysWOW64\Qmfhlcoo.exe (command line: C:\Windows\system32\Qmfhlcoo.exe) PID:3936
- Drops file in System32 directory
68. C:\Windows\SysWOW64\Qqadmagh.exe (command line: C:\Windows\system32\Qqadmagh.exe) PID:1000
69. C:\Windows\SysWOW64\Qfolehep.exe (command line: C:\Windows\system32\Qfolehep.exe) PID:336
70. C:\Windows\SysWOW64\Anedfffb.exe (command line: C:\Windows\system32\Anedfffb.exe) PID:4992
71. C:\Windows\SysWOW64\Aqdqbaee.exe (command line: C:\Windows\system32\Aqdqbaee.exe) PID:3524
72. C:\Windows\SysWOW64\Acbmnmdi.exe (command line: C:\Windows\system32\Acbmnmdi.exe) PID:4316
73. C:\Windows\SysWOW64\Ajlekg32.exe (command line: C:\Windows\system32\Ajlekg32.exe) PID:3428
- System Location Discovery: System Language Discovery
74. C:\Windows\SysWOW64\Aqfmhacc.exe (command line: C:\Windows\system32\Aqfmhacc.exe) PID:976
75. C:\Windows\SysWOW64\Aebihpkl.exe (command line: C:\Windows\system32\Aebihpkl.exe) PID:2148
76. C:\Windows\SysWOW64\Ajoaqfjc.exe (command line: C:\Windows\system32\Ajoaqfjc.exe) PID:4760
- System Location Discovery: System Language Discovery
- Modifies registry class
77. C:\Windows\SysWOW64\Aqijmq32.exe (command line: C:\Windows\system32\Aqijmq32.exe) PID:3540
78. C:\Windows\SysWOW64\Agbbjkhm.exe (command line: C:\Windows\system32\Agbbjkhm.exe) PID:3364
79. C:\Windows\SysWOW64\Ajanffhq.exe (command line: C:\Windows\system32\Ajanffhq.exe) PID:4104
- Drops file in System32 directory
80. C:\Windows\SysWOW64\Aakfcp32.exe (command line: C:\Windows\system32\Aakfcp32.exe) PID:3980
- System Location Discovery: System Language Discovery
81. C:\Windows\SysWOW64\Acicol32.exe (command line: C:\Windows\system32\Acicol32.exe) PID:4128
82. C:\Windows\SysWOW64\Anogldng.exe (command line: C:\Windows\system32\Anogldng.exe) PID:3800
83. C:\Windows\SysWOW64\Agglej32.exe (command line: C:\Windows\system32\Agglej32.exe) PID:5080
84. C:\Windows\SysWOW64\Bnadadld.exe (command line: C:\Windows\system32\Bnadadld.exe) PID:908
85. C:\Windows\SysWOW64\Bappnpkh.exe (command line: C:\Windows\system32\Bappnpkh.exe) PID:1340
86. C:\Windows\SysWOW64\Bgjhkjbe.exe (command line: C:\Windows\system32\Bgjhkjbe.exe) PID:2812
- System Location Discovery: System Language Discovery
87. C:\Windows\SysWOW64\Bncqgd32.exe (command line: C:\Windows\system32\Bncqgd32.exe) PID:3816
88. C:\Windows\SysWOW64\Babmco32.exe (command line: C:\Windows\system32\Babmco32.exe) PID:4932
89. C:\Windows\SysWOW64\Bglepipb.exe (command line: C:\Windows\system32\Bglepipb.exe) PID:1536
90. C:\Windows\SysWOW64\Badiio32.exe (command line: C:\Windows\system32\Badiio32.exe) PID:3812
91. C:\Windows\SysWOW64\Bgnafinp.exe (command line: C:\Windows\system32\Bgnafinp.exe) PID:3088
92. C:\Windows\SysWOW64\Bnhjbcfl.exe (command line: C:\Windows\system32\Bnhjbcfl.exe) PID:2604
93. C:\Windows\SysWOW64\Bagfooep.exe (command line: C:\Windows\system32\Bagfooep.exe) PID:4980
94. C:\Windows\SysWOW64\Bebbom32.exe (command line: C:\Windows\system32\Bebbom32.exe) PID:3424
- Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Bhqnki32.exe (command line: C:\Windows\system32\Bhqnki32.exe) PID:2752
96. C:\Windows\SysWOW64\Bnkfhcdj.exe (command line: C:\Windows\system32\Bnkfhcdj.exe) PID:3960
97. C:\Windows\SysWOW64\Baicdncn.exe (command line: C:\Windows\system32\Baicdncn.exe) PID:1388
- System Location Discovery: System Language Discovery
98. C:\Windows\SysWOW64\Beeodm32.exe (command line: C:\Windows\system32\Beeodm32.exe) PID:2276
99. C:\Windows\SysWOW64\Bhckqh32.exe (command line: C:\Windows\system32\Bhckqh32.exe) PID:1972
- Drops file in System32 directory
100. C:\Windows\SysWOW64\Cnmcnb32.exe (command line: C:\Windows\system32\Cnmcnb32.exe) PID:2772
101. C:\Windows\SysWOW64\Cakpjn32.exe (command line: C:\Windows\system32\Cakpjn32.exe) PID:4728
102. C:\Windows\SysWOW64\Cegljmid.exe (command line: C:\Windows\system32\Cegljmid.exe) PID:3152
103. C:\Windows\SysWOW64\Cnopcb32.exe (command line: C:\Windows\system32\Cnopcb32.exe) PID:2204
104. C:\Windows\SysWOW64\Canlon32.exe (command line: C:\Windows\system32\Canlon32.exe) PID:4268
105. C:\Windows\SysWOW64\Cdlhki32.exe (command line: C:\Windows\system32\Cdlhki32.exe) PID:1116
106. C:\Windows\SysWOW64\Cfkegd32.exe (command line: C:\Windows\system32\Cfkegd32.exe) PID:4948
107. C:\Windows\SysWOW64\Cmdmdo32.exe (command line: C:\Windows\system32\Cmdmdo32.exe) PID:4396
108. C:\Windows\SysWOW64\Capiemme.exe (command line: C:\Windows\system32\Capiemme.exe) PID:3076
- System Location Discovery: System Language Discovery
109. C:\Windows\SysWOW64\Cdoeaili.exe (command line: C:\Windows\system32\Cdoeaili.exe) PID:3348
110. C:\Windows\SysWOW64\Cjhmnc32.exe (command line: C:\Windows\system32\Cjhmnc32.exe) PID:4216
111. C:\Windows\SysWOW64\Cndinalo.exe (command line: C:\Windows\system32\Cndinalo.exe) PID:1128
- System Location Discovery: System Language Discovery
112. C:\Windows\SysWOW64\Cabfjmkc.exe (command line: C:\Windows\system32\Cabfjmkc.exe) PID:4752
113. C:\Windows\SysWOW64\Cenakl32.exe (command line: C:\Windows\system32\Cenakl32.exe) PID:4972
114. C:\Windows\SysWOW64\Cfonbdij.exe (command line: C:\Windows\system32\Cfonbdij.exe) PID:712
115. C:\Windows\SysWOW64\Cmifon32.exe (command line: C:\Windows\system32\Cmifon32.exe) PID:4500
116. C:\Windows\SysWOW64\Cepnqkai.exe (command line: C:\Windows\system32\Cepnqkai.exe) PID:5172
- Drops file in System32 directory
117. C:\Windows\SysWOW64\Dfakhc32.exe (command line: C:\Windows\system32\Dfakhc32.exe) PID:5232
- Modifies registry class
118. C:\Windows\SysWOW64\Djmgiboq.exe (command line: C:\Windows\system32\Djmgiboq.exe) PID:5292
119. C:\Windows\SysWOW64\Dagoel32.exe (command line: C:\Windows\system32\Dagoel32.exe) PID:5340
- Modifies registry class
120. C:\Windows\SysWOW64\Deckfkof.exe (command line: C:\Windows\system32\Deckfkof.exe) PID:5396
121. C:\Windows\SysWOW64\Ddekah32.exe (command line: C:\Windows\system32\Ddekah32.exe) PID:5468
122. C:\Windows\SysWOW64\Dfdgnc32.exe (command line: C:\Windows\system32\Dfdgnc32.exe) PID:5548