Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2024 17:47

Behavioral task: behavioral1
Sample: a272e9321eec55e212282696966890cd9f13e3ba3ddad2510c65965307716505.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: a272e9321eec55e212282696966890cd9f13e3ba3ddad2510c65965307716505.exe
Resource: win10v2004-20241007-en
General
Target: a272e9321eec55e212282696966890cd9f13e3ba3ddad2510c65965307716505.exe
Size: 101KB
MD5: b493eae15a0a31ea86ae973cc3baf6d4
SHA1: afc5247bfe528f3524667fbd4a55cde972c83569
SHA256: a272e9321eec55e212282696966890cd9f13e3ba3ddad2510c65965307716505
SHA512: aa5e7f401bd1f83d68389cc952f3e8a1a2f67c40cacc31408e82704aba89ee3e04067e9f9db21143177c58d693a5d666dce3552fab50371320a3ae1fc43b1d94
SSDEEP: 3072:CXhaCRYc6HWduXqbyu0sY7q5AnrHY4vDXZ:jCRkHl853Anr44vDXZ
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqdqof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qjoankoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cabfga32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jehokgge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgfqmfde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlefklpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmdkch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmgjgcgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgbdlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifefimom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifgbnlmj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njciko32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klljnp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgcbgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acjclpcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bganhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmngqdpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmiflbel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chokikeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qddfkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klljnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kipkhdeq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjagjhnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jioaqfcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjpckf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldanqkki.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfmepi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chokikeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iicbehnq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdnidn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipbdmaah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmgfda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anogiicl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Immapg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qddfkd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afjlnk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jblpek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Beglgani.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgkjhe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kipkhdeq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdpmpdbd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjagjhnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdabcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjcbbmif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pgefeajb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aqncedbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olmeci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdmnlj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bganhm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnkplejl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Leihbeib.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llemdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdckfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncbknfed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afjlnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aeniabfd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bffkij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbdgfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Imoneg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdifoehl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjjhbl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qdbiedpa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qffbbldm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hflcbngh.exe
Berbew family

Executes dropped EXE (64 IoCs)
pid | Process
3836 | Flceckoj.exe
1140 | Fkffog32.exe
1400 | Fbpnkama.exe
2980 | Fhjfhl32.exe
2628 | Gododflk.exe
2680 | Gfngap32.exe
5048 | Glhonj32.exe
628 | Gofkje32.exe
4748 | Gbdgfa32.exe
876 | Ghopckpi.exe
5068 | Gkmlofol.exe
2064 | Gfbploob.exe
4588 | Ghaliknf.exe
3120 | Gkoiefmj.exe
2660 | Gmoeoidl.exe
3468 | Gomakdcp.exe
2464 | Gfgjgo32.exe
1804 | Hmabdibj.exe
4976 | Hfifmnij.exe
1236 | Hmcojh32.exe
2164 | Hobkfd32.exe
4388 | Hflcbngh.exe
4432 | Hmfkoh32.exe
3944 | Hcpclbfa.exe
3832 | Hfnphn32.exe
1960 | Hmhhehlb.exe
3648 | Hcbpab32.exe
4600 | Hfqlnm32.exe
1288 | Hioiji32.exe
2828 | Hoiafcic.exe
4240 | Hcdmga32.exe
2420 | Hfcicmqp.exe
1460 | Iiaephpc.exe
4044 | Immapg32.exe
3548 | Icgjmapi.exe
3924 | Ifefimom.exe
928 | Iicbehnq.exe
2244 | Imoneg32.exe
4660 | Ifgbnlmj.exe
3424 | Ippggbck.exe
3960 | Iihkpg32.exe
216 | Ipbdmaah.exe
884 | Ifllil32.exe
4448 | Iikhfg32.exe
5036 | Ipdqba32.exe
8 | Jfoiokfb.exe
4872 | Jimekgff.exe
2780 | Jpgmha32.exe
3672 | Jcbihpel.exe
880 | Jedeph32.exe
3664 | Jioaqfcc.exe
3700 | Jmknaell.exe
376 | Jbhfjljd.exe
828 | Jianff32.exe
1544 | Jlpkba32.exe
336 | Jcgbco32.exe
1196 | Jehokgge.exe
2596 | Jidklf32.exe
4160 | Jpnchp32.exe
3136 | Jblpek32.exe
1204 | Jeklag32.exe
4072 | Jlednamo.exe
4608 | Kboljk32.exe
1128 | Kemhff32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Mlopkm32.exe | Mipcob32.exe
File created | C:\Windows\SysWOW64\Nphhmj32.exe | Njnpppkn.exe
File created | C:\Windows\SysWOW64\Ofeilobp.exe | Ocgmpccl.exe
File created | C:\Windows\SysWOW64\Gfnphnen.dll | Afjlnk32.exe
File created | C:\Windows\SysWOW64\Jfihel32.dll | Belebq32.exe
File created | C:\Windows\SysWOW64\Ghekjiam.dll | Chokikeb.exe
File created | C:\Windows\SysWOW64\Fbpnkama.exe | Fkffog32.exe
File created | C:\Windows\SysWOW64\Lmppcbjd.exe | Leihbeib.exe
File created | C:\Windows\SysWOW64\Cdfkolkf.exe | Ceckcp32.exe
File created | C:\Windows\SysWOW64\Ddonekbl.exe | Dobfld32.exe
File created | C:\Windows\SysWOW64\Ihjahg32.dll | Ghopckpi.exe
File opened for modification | C:\Windows\SysWOW64\Jehokgge.exe | Jcgbco32.exe
File opened for modification | C:\Windows\SysWOW64\Miemjaci.exe | Mgfqmfde.exe
File created | C:\Windows\SysWOW64\Aeniabfd.exe | Andqdh32.exe
File opened for modification | C:\Windows\SysWOW64\Cdabcm32.exe | Cabfga32.exe
File opened for modification | C:\Windows\SysWOW64\Flceckoj.exe | a272e9321eec55e212282696966890cd9f13e3ba3ddad2510c65965307716505.exe
File created | C:\Windows\SysWOW64\Fhjfhl32.exe | Fbpnkama.exe
File opened for modification | C:\Windows\SysWOW64\Ojllan32.exe | Ofqpqo32.exe
File opened for modification | C:\Windows\SysWOW64\Pdkcde32.exe | Pmdkch32.exe
File opened for modification | C:\Windows\SysWOW64\Pgnilpah.exe | Pdpmpdbd.exe
File opened for modification | C:\Windows\SysWOW64\Banllbdn.exe | Bmbplc32.exe
File created | C:\Windows\SysWOW64\Oammoc32.dll | Ddonekbl.exe
File opened for modification | C:\Windows\SysWOW64\Jedeph32.exe | Jcbihpel.exe
File created | C:\Windows\SysWOW64\Ndfqbhia.exe | Nnlhfn32.exe
File created | C:\Windows\SysWOW64\Ncmlocln.dll | Lbjlfi32.exe
File created | C:\Windows\SysWOW64\Mmbfpp32.exe | Melnob32.exe
File created | C:\Windows\SysWOW64\Panfqmhb.dll | Pgefeajb.exe
File created | C:\Windows\SysWOW64\Qjoankoi.exe | Qgqeappe.exe
File opened for modification | C:\Windows\SysWOW64\Kfmepi32.exe | Kdnidn32.exe
File created | C:\Windows\SysWOW64\Fbnkjc32.dll | Kfmepi32.exe
File created | C:\Windows\SysWOW64\Pmdfog32.dll | Kfoafi32.exe
File created | C:\Windows\SysWOW64\Jfnbea32.dll | Kdcbom32.exe
File created | C:\Windows\SysWOW64\Ngpccdlj.exe | Ndaggimg.exe
File opened for modification | C:\Windows\SysWOW64\Qgcbgo32.exe | Qddfkd32.exe
File created | C:\Windows\SysWOW64\Afjlnk32.exe | Aqncedbp.exe
File created | C:\Windows\SysWOW64\Gfbploob.exe | Gkmlofol.exe
File created | C:\Windows\SysWOW64\Pacghh32.dll | Iihkpg32.exe
File created | C:\Windows\SysWOW64\Bmemac32.exe | Bjfaeh32.exe
File created | C:\Windows\SysWOW64\Hjfhhm32.dll | Cndikf32.exe
File created | C:\Windows\SysWOW64\Bagcnd32.dll | Mgagbf32.exe
File created | C:\Windows\SysWOW64\Npcoakfp.exe | Mnebeogl.exe
File opened for modification | C:\Windows\SysWOW64\Mdckfk32.exe | Lllcen32.exe
File created | C:\Windows\SysWOW64\Pmoahijl.exe | Ofeilobp.exe
File created | C:\Windows\SysWOW64\Ifefimom.exe | Icgjmapi.exe
File opened for modification | C:\Windows\SysWOW64\Kimnbd32.exe | Kfoafi32.exe
File opened for modification | C:\Windows\SysWOW64\Ncbknfed.exe | Npcoakfp.exe
File opened for modification | C:\Windows\SysWOW64\Njqmepik.exe | Ngbpidjh.exe
File created | C:\Windows\SysWOW64\Njciko32.exe | Ngdmod32.exe
File opened for modification | C:\Windows\SysWOW64\Ajkaii32.exe | Aglemn32.exe
File created | C:\Windows\SysWOW64\Ifmafkkf.dll | Gkoiefmj.exe
File opened for modification | C:\Windows\SysWOW64\Jbhfjljd.exe | Jmknaell.exe
File opened for modification | C:\Windows\SysWOW64\Jpnchp32.exe | Jidklf32.exe
File created | C:\Windows\SysWOW64\Miemjaci.exe | Mgfqmfde.exe
File created | C:\Windows\SysWOW64\Pqdqof32.exe | Pjjhbl32.exe
File created | C:\Windows\SysWOW64\Fmjkjk32.dll | Cjmgfgdf.exe
File created | C:\Windows\SysWOW64\Chcddk32.exe | Ceehho32.exe
File created | C:\Windows\SysWOW64\Hcdmga32.exe | Hoiafcic.exe
File opened for modification | C:\Windows\SysWOW64\Ipbdmaah.exe | Iihkpg32.exe
File created | C:\Windows\SysWOW64\Qjkmdp32.dll | Ndaggimg.exe
File created | C:\Windows\SysWOW64\Dmgabj32.dll | Oqfdnhfk.exe
File created | C:\Windows\SysWOW64\Pgefeajb.exe | Pcijeb32.exe
File opened for modification | C:\Windows\SysWOW64\Anogiicl.exe | Afhohlbj.exe
File opened for modification | C:\Windows\SysWOW64\Aeniabfd.exe | Andqdh32.exe
File created | C:\Windows\SysWOW64\Dmllipeg.exe | Dgbdlf32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
7888 | 7792 | WerFault.exe | 324
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmnldp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qqijje32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdfkolkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llemdo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncfdie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bchomn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jlpkba32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klngdpdd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmdina32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aminee32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cajlhqjp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anogiicl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjmnoi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgbdlf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jidklf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngbpidjh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdkcde32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afhohlbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkoiefmj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nngokoej.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmfhig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcbihpel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdmpje32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acjclpcf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmdkch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ocgmpccl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qgcbgo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdcbom32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjokdipf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdcoim32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dobfld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmbfpp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfbploob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jlednamo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdehlk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojllan32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgokmgjm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agoabn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddmaok32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngpccdlj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajanck32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hoiafcic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iicbehnq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klljnp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmgfda32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlefklpj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgioqq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Belebq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hcbpab32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iikhfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flceckoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfoafi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pggbkagp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghopckpi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kipkhdeq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcmabg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmpcfdmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmemac32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjkjpgfi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhjfhl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icgjmapi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lingibiq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgfqmfde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njqmepik.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll" | Melnob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll" | Mdmnlj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll" | Pdpmpdbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qqijje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bffkij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cfbkeh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbdgfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhccdhqf.dll" | Kbfbkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jpnchp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kmncnb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lekehdgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ojllan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ceehho32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcgbco32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jpnchp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hcdmga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdcbom32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kbhoqj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ofeilobp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qjoankoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ghopckpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hfqlnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kimnbd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pgefeajb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" | Dobfld32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Glhonj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iiaephpc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Npcoakfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll" | Njqmepik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll" | Aminee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hmfkoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll" | Kbhoqj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jeklag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jioaqfcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpphah32.dll" | Jehokgge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkfmkdc.dll" | Kmncnb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lgokmgjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndfqbhia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aadifclh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll" | Bfhhoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll" | Cjmgfgdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gododflk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcfedla.dll" | Hfnphn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ceckcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll" | Dogogcpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdcbom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Klngdpdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pgefeajb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll" | Pjjhbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aminee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cndikf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hfcicmqp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngpccdlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofqpqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll" | Pgefeajb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pqmjog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" | Ajkaii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hoiafcic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pldhcm32.dll" | Iiaephpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" | Bmbplc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll" | Pggbkagp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ampkof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcbihpel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll" | Kfoafi32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
The number before each entry is its depth in the process tree: each process is spawned by the one listed before it. Each entry gives the image path, the command line as recorded, the PID, and the behaviours flagged for that process.

1. C:\Users\Admin\AppData\Local\Temp\a272e9321eec55e212282696966890cd9f13e3ba3ddad2510c65965307716505.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a272e9321eec55e212282696966890cd9f13e3ba3ddad2510c65965307716505.exe", PID 2364)
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Flceckoj.exe (command line: C:\Windows\system32\Flceckoj.exe, PID 3836)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Fkffog32.exe (command line: C:\Windows\system32\Fkffog32.exe, PID 1140)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Fbpnkama.exe (command line: C:\Windows\system32\Fbpnkama.exe, PID 1400)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Fhjfhl32.exe (command line: C:\Windows\system32\Fhjfhl32.exe, PID 2980)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Gododflk.exe (command line: C:\Windows\system32\Gododflk.exe, PID 2628)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Gfngap32.exe (command line: C:\Windows\system32\Gfngap32.exe, PID 2680)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Glhonj32.exe (command line: C:\Windows\system32\Glhonj32.exe, PID 5048)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Gofkje32.exe (command line: C:\Windows\system32\Gofkje32.exe, PID 628)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Gbdgfa32.exe (command line: C:\Windows\system32\Gbdgfa32.exe, PID 4748)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ghopckpi.exe (command line: C:\Windows\system32\Ghopckpi.exe, PID 876)
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Gkmlofol.exe (command line: C:\Windows\system32\Gkmlofol.exe, PID 5068)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Gfbploob.exe (command line: C:\Windows\system32\Gfbploob.exe, PID 2064)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ghaliknf.exe (command line: C:\Windows\system32\Ghaliknf.exe, PID 4588)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Gkoiefmj.exe (command line: C:\Windows\system32\Gkoiefmj.exe, PID 3120)
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Gmoeoidl.exe (command line: C:\Windows\system32\Gmoeoidl.exe, PID 2660)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Gomakdcp.exe (command line: C:\Windows\system32\Gomakdcp.exe, PID 3468)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Gfgjgo32.exe (command line: C:\Windows\system32\Gfgjgo32.exe, PID 2464)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Hmabdibj.exe (command line: C:\Windows\system32\Hmabdibj.exe, PID 1804)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Hfifmnij.exe (command line: C:\Windows\system32\Hfifmnij.exe, PID 4976)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Hmcojh32.exe (command line: C:\Windows\system32\Hmcojh32.exe, PID 1236)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Hobkfd32.exe (command line: C:\Windows\system32\Hobkfd32.exe, PID 2164)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Hflcbngh.exe (command line: C:\Windows\system32\Hflcbngh.exe, PID 4388)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Hmfkoh32.exe (command line: C:\Windows\system32\Hmfkoh32.exe, PID 4432)
   - Executes dropped EXE
   - Modifies registry class
25. C:\Windows\SysWOW64\Hcpclbfa.exe (command line: C:\Windows\system32\Hcpclbfa.exe, PID 3944)
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Hfnphn32.exe (command line: C:\Windows\system32\Hfnphn32.exe, PID 3832)
   - Executes dropped EXE
   - Modifies registry class
27. C:\Windows\SysWOW64\Hmhhehlb.exe (command line: C:\Windows\system32\Hmhhehlb.exe, PID 1960)
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Hcbpab32.exe (command line: C:\Windows\system32\Hcbpab32.exe, PID 3648)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
29. C:\Windows\SysWOW64\Hfqlnm32.exe (command line: C:\Windows\system32\Hfqlnm32.exe, PID 4600)
   - Executes dropped EXE
   - Modifies registry class
30. C:\Windows\SysWOW64\Hioiji32.exe (command line: C:\Windows\system32\Hioiji32.exe, PID 1288)
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Hoiafcic.exe (command line: C:\Windows\system32\Hoiafcic.exe, PID 2828)
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
32. C:\Windows\SysWOW64\Hcdmga32.exe (command line: C:\Windows\system32\Hcdmga32.exe, PID 4240)
   - Executes dropped EXE
   - Modifies registry class
33. C:\Windows\SysWOW64\Hfcicmqp.exe (command line: C:\Windows\system32\Hfcicmqp.exe, PID 2420)
   - Executes dropped EXE
   - Modifies registry class
34. C:\Windows\SysWOW64\Iiaephpc.exe (command line: C:\Windows\system32\Iiaephpc.exe, PID 1460)
   - Executes dropped EXE
   - Modifies registry class
35. C:\Windows\SysWOW64\Immapg32.exe (command line: C:\Windows\system32\Immapg32.exe, PID 4044)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Icgjmapi.exe (command line: C:\Windows\system32\Icgjmapi.exe, PID 3548)
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
37. C:\Windows\SysWOW64\Ifefimom.exe (command line: C:\Windows\system32\Ifefimom.exe, PID 3924)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Iicbehnq.exe (command line: C:\Windows\system32\Iicbehnq.exe, PID 928)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
39. C:\Windows\SysWOW64\Imoneg32.exe (command line: C:\Windows\system32\Imoneg32.exe, PID 2244)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Ifgbnlmj.exe (command line: C:\Windows\system32\Ifgbnlmj.exe, PID 4660)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Ippggbck.exe (command line: C:\Windows\system32\Ippggbck.exe, PID 3424)
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Iihkpg32.exe (command line: C:\Windows\system32\Iihkpg32.exe, PID 3960)
   - Executes dropped EXE
   - Drops file in System32 directory
43. C:\Windows\SysWOW64\Ipbdmaah.exe (command line: C:\Windows\system32\Ipbdmaah.exe, PID 216)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Ifllil32.exe (command line: C:\Windows\system32\Ifllil32.exe, PID 884)
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Iikhfg32.exe (command line: C:\Windows\system32\Iikhfg32.exe, PID 4448)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
46. C:\Windows\SysWOW64\Ipdqba32.exe (command line: C:\Windows\system32\Ipdqba32.exe, PID 5036)
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Jfoiokfb.exe (command line: C:\Windows\system32\Jfoiokfb.exe, PID 8)
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Jimekgff.exe (command line: C:\Windows\system32\Jimekgff.exe, PID 4872)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Jpgmha32.exe (command line: C:\Windows\system32\Jpgmha32.exe, PID 2780)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Jcbihpel.exe (command line: C:\Windows\system32\Jcbihpel.exe, PID 3672)
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
51. C:\Windows\SysWOW64\Jedeph32.exe (command line: C:\Windows\system32\Jedeph32.exe, PID 880)
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Jioaqfcc.exe (command line: C:\Windows\system32\Jioaqfcc.exe, PID 3664)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
53. C:\Windows\SysWOW64\Jmknaell.exe (command line: C:\Windows\system32\Jmknaell.exe, PID 3700)
   - Executes dropped EXE
   - Drops file in System32 directory
54. C:\Windows\SysWOW64\Jbhfjljd.exe (command line: C:\Windows\system32\Jbhfjljd.exe, PID 376)
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Jianff32.exe (command line: C:\Windows\system32\Jianff32.exe, PID 828)
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Jlpkba32.exe (command line: C:\Windows\system32\Jlpkba32.exe, PID 1544)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
57. C:\Windows\SysWOW64\Jcgbco32.exe (command line: C:\Windows\system32\Jcgbco32.exe, PID 336)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
58. C:\Windows\SysWOW64\Jehokgge.exe (command line: C:\Windows\system32\Jehokgge.exe, PID 1196)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
59. C:\Windows\SysWOW64\Jidklf32.exe (command line: C:\Windows\system32\Jidklf32.exe, PID 2596)
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
60. C:\Windows\SysWOW64\Jpnchp32.exe (command line: C:\Windows\system32\Jpnchp32.exe, PID 4160)
   - Executes dropped EXE
   - Modifies registry class
61. C:\Windows\SysWOW64\Jblpek32.exe (command line: C:\Windows\system32\Jblpek32.exe, PID 3136)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Jeklag32.exe (command line: C:\Windows\system32\Jeklag32.exe, PID 1204)
   - Executes dropped EXE
   - Modifies registry class
63. C:\Windows\SysWOW64\Jlednamo.exe (command line: C:\Windows\system32\Jlednamo.exe, PID 4072)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
64. C:\Windows\SysWOW64\Kboljk32.exe (command line: C:\Windows\system32\Kboljk32.exe, PID 4608)
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Kemhff32.exe (command line: C:\Windows\system32\Kemhff32.exe, PID 1128)
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Kmdqgd32.exe (command line: C:\Windows\system32\Kmdqgd32.exe, PID 3460)
67. C:\Windows\SysWOW64\Kdnidn32.exe (command line: C:\Windows\system32\Kdnidn32.exe, PID 5000)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
68. C:\Windows\SysWOW64\Kfmepi32.exe (command line: C:\Windows\system32\Kfmepi32.exe, PID 4980)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
69. C:\Windows\SysWOW64\Kikame32.exe (command line: C:\Windows\system32\Kikame32.exe, PID 4496)
70. C:\Windows\SysWOW64\Kpeiioac.exe (command line: C:\Windows\system32\Kpeiioac.exe, PID 4140)
71. C:\Windows\SysWOW64\Kfoafi32.exe (command line: C:\Windows\system32\Kfoafi32.exe, PID 4424)
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
72. C:\Windows\SysWOW64\Kimnbd32.exe (command line: C:\Windows\system32\Kimnbd32.exe, PID 1968)
   - Modifies registry class
73. C:\Windows\SysWOW64\Klljnp32.exe (command line: C:\Windows\system32\Klljnp32.exe, PID 3472)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
74. C:\Windows\SysWOW64\Kdcbom32.exe (command line: C:\Windows\system32\Kdcbom32.exe, PID 3512)
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
75. C:\Windows\SysWOW64\Kbfbkj32.exe (command line: C:\Windows\system32\Kbfbkj32.exe, PID 2580)
   - Modifies registry class
76. C:\Windows\SysWOW64\Kipkhdeq.exe (command line: C:\Windows\system32\Kipkhdeq.exe, PID 388)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
77. C:\Windows\SysWOW64\Klngdpdd.exe (command line: C:\Windows\system32\Klngdpdd.exe, PID 4060)
   - System Location Discovery: System Language Discovery
   - Modifies registry class
78. C:\Windows\SysWOW64\Kbhoqj32.exe (command line: C:\Windows\system32\Kbhoqj32.exe, PID 2588)
   - Modifies registry class
79. C:\Windows\SysWOW64\Kibgmdcn.exe (command line: C:\Windows\system32\Kibgmdcn.exe, PID 4704)
80. C:\Windows\SysWOW64\Kmncnb32.exe (command line: C:\Windows\system32\Kmncnb32.exe, PID 4224)
   - Modifies registry class
81. C:\Windows\SysWOW64\Lbjlfi32.exe (command line: C:\Windows\system32\Lbjlfi32.exe, PID 1044)
   - Drops file in System32 directory
82. C:\Windows\SysWOW64\Leihbeib.exe (command line: C:\Windows\system32\Leihbeib.exe, PID 3656)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
83. C:\Windows\SysWOW64\Lmppcbjd.exe (command line: C:\Windows\system32\Lmppcbjd.exe, PID 3480)
84. C:\Windows\SysWOW64\Lpnlpnih.exe (command line: C:\Windows\system32\Lpnlpnih.exe, PID 2992)
85. C:\Windows\SysWOW64\Lekehdgp.exe (command line: C:\Windows\system32\Lekehdgp.exe, PID 804)
   - Modifies registry class
86. C:\Windows\SysWOW64\Llemdo32.exe (command line: C:\Windows\system32\Llemdo32.exe, PID 2056)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
87. C:\Windows\SysWOW64\Ldleel32.exe (command line: C:\Windows\system32\Ldleel32.exe, PID 5024)
88. C:\Windows\SysWOW64\Lboeaifi.exe (command line: C:\Windows\system32\Lboeaifi.exe, PID 3392)
89. C:\Windows\SysWOW64\Lmdina32.exe (command line: C:\Windows\system32\Lmdina32.exe, PID 3092)
   - System Location Discovery: System Language Discovery
90. C:\Windows\SysWOW64\Lpcfkm32.exe (command line: C:\Windows\system32\Lpcfkm32.exe, PID 1576)
91. C:\Windows\SysWOW64\Lbabgh32.exe (command line: C:\Windows\system32\Lbabgh32.exe, PID 1528)
92. C:\Windows\SysWOW64\Lepncd32.exe (command line: C:\Windows\system32\Lepncd32.exe, PID 1424)
93. C:\Windows\SysWOW64\Lmgfda32.exe (command line: C:\Windows\system32\Lmgfda32.exe, PID 3232)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
94. C:\Windows\SysWOW64\Ldanqkki.exe (command line: C:\Windows\system32\Ldanqkki.exe, PID 3088)
   - Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Lgokmgjm.exe (command line: C:\Windows\system32\Lgokmgjm.exe, PID 432)
   - System Location Discovery: System Language Discovery
   - Modifies registry class
96. C:\Windows\SysWOW64\Lingibiq.exe (command line: C:\Windows\system32\Lingibiq.exe, PID 3060)
   - System Location Discovery: System Language Discovery
97. C:\Windows\SysWOW64\Lllcen32.exe (command line: C:\Windows\system32\Lllcen32.exe, PID 3968)
   - Drops file in System32 directory
98. C:\Windows\SysWOW64\Mdckfk32.exe (command line: C:\Windows\system32\Mdckfk32.exe, PID 1808)
   - Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Mgagbf32.exe (command line: C:\Windows\system32\Mgagbf32.exe, PID 1648)
   - Drops file in System32 directory
100. C:\Windows\SysWOW64\Mipcob32.exe (command line: C:\Windows\system32\Mipcob32.exe, PID 3864)
   - Drops file in System32 directory
101. C:\Windows\SysWOW64\Mlopkm32.exe (command line: C:\Windows\system32\Mlopkm32.exe, PID 4880)
102. C:\Windows\SysWOW64\Mdehlk32.exe (command line: C:\Windows\system32\Mdehlk32.exe, PID 4328)
   - System Location Discovery: System Language Discovery
103. C:\Windows\SysWOW64\Mgddhf32.exe (command line: C:\Windows\system32\Mgddhf32.exe, PID 4080)
104. C:\Windows\SysWOW64\Mmnldp32.exe (command line: C:\Windows\system32\Mmnldp32.exe, PID 2060)
   - System Location Discovery: System Language Discovery
105. C:\Windows\SysWOW64\Mlampmdo.exe (command line: C:\Windows\system32\Mlampmdo.exe, PID 3428)
106. C:\Windows\SysWOW64\Mdhdajea.exe (command line: C:\Windows\system32\Mdhdajea.exe, PID 3216)
107. C:\Windows\SysWOW64\Mgfqmfde.exe (command line: C:\Windows\system32\Mgfqmfde.exe, PID 2976)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
108. C:\Windows\SysWOW64\Miemjaci.exe (command line: C:\Windows\system32\Miemjaci.exe, PID 2432)
109. C:\Windows\SysWOW64\Mpoefk32.exe (command line: C:\Windows\system32\Mpoefk32.exe, PID 3208)
110. C:\Windows\SysWOW64\Mcmabg32.exe (command line: C:\Windows\system32\Mcmabg32.exe, PID 1328)
   - System Location Discovery: System Language Discovery
111. C:\Windows\SysWOW64\Melnob32.exe (command line: C:\Windows\system32\Melnob32.exe, PID 2760)
   - Drops file in System32 directory
   - Modifies registry class
112. C:\Windows\SysWOW64\Mmbfpp32.exe (command line: C:\Windows\system32\Mmbfpp32.exe, PID 5124)
   - System Location Discovery: System Language Discovery
113. C:\Windows\SysWOW64\Mlefklpj.exe (command line: C:\Windows\system32\Mlefklpj.exe, PID 5168)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
114. C:\Windows\SysWOW64\Mdmnlj32.exe (command line: C:\Windows\system32\Mdmnlj32.exe, PID 5212)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
115. C:\Windows\SysWOW64\Mgkjhe32.exe (command line: C:\Windows\system32\Mgkjhe32.exe, PID 5252)
   - Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Mnebeogl.exe (command line: C:\Windows\system32\Mnebeogl.exe, PID 5296)
   - Drops file in System32 directory
117. C:\Windows\SysWOW64\Npcoakfp.exe (command line: C:\Windows\system32\Npcoakfp.exe, PID 5340)
   - Drops file in System32 directory
   - Modifies registry class
118. C:\Windows\SysWOW64\Ncbknfed.exe (command line: C:\Windows\system32\Ncbknfed.exe, PID 5392)
   - Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Nilcjp32.exe (command line: C:\Windows\system32\Nilcjp32.exe, PID 5436)
120. C:\Windows\SysWOW64\Nngokoej.exe (command line: C:\Windows\system32\Nngokoej.exe, PID 5480)
   - System Location Discovery: System Language Discovery
121. C:\Windows\SysWOW64\Ndaggimg.exe (command line: C:\Windows\system32\Ndaggimg.exe, PID 5524)
   - Drops file in System32 directory
122. C:\Windows\SysWOW64\Ngpccdlj.exe (command line: C:\Windows\system32\Ngpccdlj.exe, PID 5568)
   - System Location Discovery: System Language Discovery
   - Modifies registry class