Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24/01/2025, 06:05
Behavioral task
behavioral1
Sample
12dda8e9b3e2def35a1c6f3e2095fbd580437e0db811a16b5d88bfe414d81542.exe
Resource
win7-20240729-en
windows7-x64
12 signatures
120 seconds
General
-
Target
12dda8e9b3e2def35a1c6f3e2095fbd580437e0db811a16b5d88bfe414d81542.exe
-
Size
93KB
-
MD5
6b8be7773d4f154852e06b559f998869
-
SHA1
48006665bad15ac427eba784640ab9c8e35b053b
-
SHA256
12dda8e9b3e2def35a1c6f3e2095fbd580437e0db811a16b5d88bfe414d81542
-
SHA512
bad461de6e828d15c82fc57bea0d019e886166dda06d8ef840ebf39a1f64d23cb2891fa5b9431a715e2f32a4f413a67cff38df8d4f1f1332e2ec5bc8155b734f
-
SSDEEP
1536:D86xBYGnQPpPNL7ZLYwRV1DaYfMZRWuLsV+1b:DZBYIUJ3LYwRVgYfc0DV+1b
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knfeeimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igfclkdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfqgab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgiepjga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjamia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjlkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkdliame.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knbiofhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjfjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgndoeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Camddhoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glkmmefl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emeoooml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggilil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipflihfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nojjcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chglab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hglipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiaglp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjajeqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmmboed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfhfhong.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpeohh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmpfbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efffmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edmclccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgcjdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lihpif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmndpq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohcegi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeeobbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekpmbddq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgghjjid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dikihe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdehni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naecop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgbpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knalji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfcnpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjaqpbkh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iklgah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihphkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpnmbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nomncpcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimodc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jknfcofa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmqnobn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbkcpma.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 400 Pcijeb32.exe 4780 Pjcbbmif.exe 4792 Pmannhhj.exe 2716 Pclgkb32.exe 380 Pfjcgn32.exe 3220 Pqpgdfnp.exe 4804 Pgioqq32.exe 1532 Pncgmkmj.exe 3456 Pdmpje32.exe 2864 Pgllfp32.exe 1508 Pnfdcjkg.exe 828 Pcbmka32.exe 8 Pjmehkqk.exe 4652 Qceiaa32.exe 4156 Qfcfml32.exe 4600 Qmmnjfnl.exe 4488 Qcgffqei.exe 3428 Qffbbldm.exe 1688 Ampkof32.exe 2208 Adgbpc32.exe 1200 Afhohlbj.exe 2600 Ambgef32.exe 916 Afjlnk32.exe 4788 Amddjegd.exe 948 Agjhgngj.exe 768 Aabmqd32.exe 624 Aglemn32.exe 3672 Accfbokl.exe 2564 Bagflcje.exe 4952 Beeoaapl.exe 5100 Bchomn32.exe 2940 Bffkij32.exe 4620 Beglgani.exe 3056 Bgehcmmm.exe 2084 Bmbplc32.exe 468 Bhhdil32.exe 3684 Belebq32.exe 3092 Cfmajipb.exe 3976 Cjinkg32.exe 3124 Cenahpha.exe 908 Cfpnph32.exe 676 Cnffqf32.exe 1040 Ceqnmpfo.exe 1060 Cfbkeh32.exe 2508 Cmlcbbcj.exe 2180 Cdfkolkf.exe 2188 Cjpckf32.exe 3008 Cmnpgb32.exe 3216 Cdhhdlid.exe 4508 Cffdpghg.exe 4884 Cnnlaehj.exe 3704 Ddjejl32.exe 1792 Dhfajjoj.exe 3500 Danecp32.exe 1776 Dejacond.exe 1388 Djgjlelk.exe 636 Dmefhako.exe 628 Ddonekbl.exe 1044 Dfnjafap.exe 4284 Daconoae.exe 640 Deokon32.exe 3720 Dkkcge32.exe 2768 Daekdooc.exe 4404 Dhocqigp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eklikcef.dll Gflhoo32.exe File created C:\Windows\SysWOW64\Jifpbd32.dll Hkehkocf.exe File created C:\Windows\SysWOW64\Nnbebofc.dll Kfjapcii.exe File opened for modification C:\Windows\SysWOW64\Kinmcg32.exe Kageaj32.exe File opened for modification C:\Windows\SysWOW64\Gbfldf32.exe Gphphj32.exe File created C:\Windows\SysWOW64\Ifomef32.dll Process not Found File created C:\Windows\SysWOW64\Ehaaclak.dll Pqpgdfnp.exe File created C:\Windows\SysWOW64\Lpneegel.exe Lidmhmnp.exe File created C:\Windows\SysWOW64\Gkgmdnki.dll Dkahilkl.exe File created C:\Windows\SysWOW64\Lqkqhm32.exe Lnldla32.exe File created C:\Windows\SysWOW64\Nebmekoi.exe Nbcqiope.exe File opened for modification C:\Windows\SysWOW64\Bqmeal32.exe Bifmqo32.exe File created C:\Windows\SysWOW64\Epllglpf.dll Ebejfk32.exe File created C:\Windows\SysWOW64\Aefjii32.exe Anobgl32.exe File created C:\Windows\SysWOW64\Bochmn32.exe Ahippdbe.exe File opened for modification C:\Windows\SysWOW64\Olehhc32.exe Oekpkigo.exe File opened for modification C:\Windows\SysWOW64\Nlkngo32.exe Nhpbfpka.exe File created C:\Windows\SysWOW64\Bopocbcq.exe Bheffh32.exe File opened for modification C:\Windows\SysWOW64\Oenlqi32.exe Ogklelna.exe File created C:\Windows\SysWOW64\Phjenbhp.exe Ppopjp32.exe File opened for modification C:\Windows\SysWOW64\Injcmc32.exe Iklgah32.exe File created C:\Windows\SysWOW64\Dpcpem32.dll Hcpojd32.exe File created C:\Windows\SysWOW64\Fkccgodj.dll Ffqhcq32.exe File opened for modification C:\Windows\SysWOW64\Ehkclgmb.exe Emeoooml.exe File created C:\Windows\SysWOW64\Lobfem32.dll Jgonlm32.exe File created C:\Windows\SysWOW64\Fnpeoe32.dll Cfigpm32.exe File opened for modification C:\Windows\SysWOW64\Djgjlelk.exe Dejacond.exe File created C:\Windows\SysWOW64\Gfameb32.dll Mifcejnj.exe File opened for modification C:\Windows\SysWOW64\Pknqoc32.exe Plkpcfal.exe File opened for modification C:\Windows\SysWOW64\Hplbickp.exe Hibjli32.exe File opened for modification C:\Windows\SysWOW64\Ocaebc32.exe Process not Found File created C:\Windows\SysWOW64\Mbedga32.exe Mpghkf32.exe File created C:\Windows\SysWOW64\Qjlnnemp.exe Qgnbaj32.exe File created C:\Windows\SysWOW64\Kqdaadln.exe Knfeeimj.exe File opened for modification C:\Windows\SysWOW64\Ogfcjm32.exe Nplkmckj.exe File created C:\Windows\SysWOW64\Aaohcj32.exe Aoalgn32.exe File created C:\Windows\SysWOW64\Dhclmp32.exe Ddgplado.exe File created C:\Windows\SysWOW64\Dimini32.dll Kbpbed32.exe File opened for modification C:\Windows\SysWOW64\Ogcnmc32.exe Process not Found File created C:\Windows\SysWOW64\Pcbmka32.exe Pnfdcjkg.exe File created C:\Windows\SysWOW64\Hbhhgenc.dll Ealadnik.exe File created C:\Windows\SysWOW64\Idpeeehm.dll Ogpepl32.exe File created C:\Windows\SysWOW64\Gcedencn.dll Qhmqdemc.exe File opened for modification C:\Windows\SysWOW64\Pfiddm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gepmlimi.exe Gnhdkl32.exe File created C:\Windows\SysWOW64\Jjlmclqa.exe Jgnqgqan.exe File created C:\Windows\SysWOW64\Kodoah32.dll Nnfgcd32.exe File opened for modification C:\Windows\SysWOW64\Eejeiocj.exe Eblimcdf.exe File opened for modification C:\Windows\SysWOW64\Ljkifn32.exe Lijlof32.exe File opened for modification C:\Windows\SysWOW64\Kclgmq32.exe Kmaopfjm.exe File created C:\Windows\SysWOW64\Jdbnaa32.dll Qmmnjfnl.exe File created C:\Windows\SysWOW64\Knbiofhg.exe Kldmckic.exe File created C:\Windows\SysWOW64\Kflnfcgg.exe Kbpbed32.exe File opened for modification C:\Windows\SysWOW64\Lghcocol.exe Lejgch32.exe File created C:\Windows\SysWOW64\Aplhmakj.dll Dbndfl32.exe File created C:\Windows\SysWOW64\Cbokknag.dll Fkeodaai.exe File created C:\Windows\SysWOW64\Jiaglp32.exe Jbgoof32.exe File opened for modification C:\Windows\SysWOW64\Nafjjf32.exe Nognnj32.exe File opened for modification C:\Windows\SysWOW64\Pmannhhj.exe Pjcbbmif.exe File opened for modification C:\Windows\SysWOW64\Knchpiom.exe Kjhloj32.exe File opened for modification C:\Windows\SysWOW64\Agbkmijg.exe Qlmgopjq.exe File created C:\Windows\SysWOW64\Lqpamb32.exe Lmdemd32.exe File opened for modification C:\Windows\SysWOW64\Akoqpg32.exe Ahqddk32.exe File created C:\Windows\SysWOW64\Dgnkfj32.dll Hginecde.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7688 5692 Process not Found 1211 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejalcgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjnkcekm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnfjbdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkaicd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqkad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoiqneg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjijmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejeiocj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fddqghpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeaoab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhloj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coohhlpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npedmdab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpggamqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipflihfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nceefd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiejmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjmhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoalgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdgged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhfhong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghkeio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmpqfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cijpahho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knlleepl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nomncpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelkaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fedmqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnbakghm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbphdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcidmkpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgipd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgknhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epjajeqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemmoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapkni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffobhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffqhcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monjjgkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgjlelk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnoklk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loeolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejlbhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fneggdhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdlmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljilqnlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhoqeibl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebommi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fonnop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcqnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iklgah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehdmlhcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekbihd32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahqddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebommi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll" Amddjegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bffkij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclnnc32.dll" Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ingpmmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cglblmfn.dll" Qlimed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bddjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngjkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbphdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmeakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giqkkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mamjbp32.dll" Njinmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqffjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bopocbcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mifcejnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmmhebph.dll" Bfqkddfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiakk32.dll" Djdflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhkgoiqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alnfpcag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgkmgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfcfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddqhja32.dll" Fnobem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnhdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll" Pcijeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjcgfjdk.dll" Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll" Cfbkeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hginecde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiokinbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqiipljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjknojbk.dll" Qlgpod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaocia32.dll" Idkkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflkamml.dll" Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeqbpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qikgco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbjgbff.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emeoooml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgdokkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfiildio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flkdfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cffmfadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Headjohq.dll" Mniallpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnhdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nahffe32.dll" Jhpqaiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqdaadln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldqmlddk.dll" Miomdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqecq32.dll" Emhkdmlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjdhbppo.dll" Jcanll32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1480 wrote to memory of 400 1480 12dda8e9b3e2def35a1c6f3e2095fbd580437e0db811a16b5d88bfe414d81542.exe 82 PID 1480 wrote to memory of 400 1480 12dda8e9b3e2def35a1c6f3e2095fbd580437e0db811a16b5d88bfe414d81542.exe 82 PID 1480 wrote to memory of 400 1480 12dda8e9b3e2def35a1c6f3e2095fbd580437e0db811a16b5d88bfe414d81542.exe 82 PID 400 wrote to memory of 4780 400 Pcijeb32.exe 83 PID 400 wrote to memory of 4780 400 Pcijeb32.exe 83 PID 400 wrote to memory of 4780 400 Pcijeb32.exe 83 PID 4780 wrote to memory of 4792 4780 Pjcbbmif.exe 84 PID 4780 wrote to memory of 4792 4780 Pjcbbmif.exe 84 PID 4780 wrote to memory of 4792 4780 Pjcbbmif.exe 84 PID 4792 wrote to memory of 2716 4792 Pmannhhj.exe 85 PID 4792 wrote to memory of 2716 4792 Pmannhhj.exe 85 PID 4792 wrote to memory of 2716 4792 Pmannhhj.exe 85 PID 2716 wrote to memory of 380 2716 Pclgkb32.exe 86 PID 2716 wrote to memory of 380 2716 Pclgkb32.exe 86 PID 2716 wrote to memory of 380 2716 Pclgkb32.exe 86 PID 380 wrote to memory of 3220 380 Pfjcgn32.exe 87 PID 380 wrote to memory of 3220 380 Pfjcgn32.exe 87 PID 380 wrote to memory of 3220 380 Pfjcgn32.exe 87 PID 3220 wrote to memory of 4804 3220 Pqpgdfnp.exe 88 PID 3220 wrote to memory of 4804 3220 Pqpgdfnp.exe 88 PID 3220 wrote to memory of 4804 3220 Pqpgdfnp.exe 88 PID 4804 wrote to memory of 1532 4804 Pgioqq32.exe 89 PID 4804 wrote to memory of 1532 4804 Pgioqq32.exe 89 PID 4804 wrote to memory of 1532 4804 Pgioqq32.exe 89 PID 1532 wrote to memory of 3456 1532 Pncgmkmj.exe 90 PID 1532 wrote to memory of 3456 1532 Pncgmkmj.exe 90 PID 1532 wrote to memory of 3456 1532 Pncgmkmj.exe 90 PID 3456 wrote to memory of 2864 3456 Pdmpje32.exe 91 PID 3456 wrote to memory of 2864 3456 Pdmpje32.exe 91 PID 3456 wrote to memory of 2864 3456 Pdmpje32.exe 91 PID 2864 wrote to memory of 1508 2864 Pgllfp32.exe 92 PID 2864 wrote to memory of 1508 2864 Pgllfp32.exe 92 PID 2864 wrote to memory of 1508 2864 Pgllfp32.exe 92 PID 1508 wrote to memory of 828 1508 Pnfdcjkg.exe 93 PID 1508 wrote to memory of 828 1508 Pnfdcjkg.exe 93 PID 1508 wrote to memory of 828 1508 Pnfdcjkg.exe 93 PID 828 wrote to memory of 8 828 Pcbmka32.exe 94 PID 828 wrote to memory of 8 828 Pcbmka32.exe 94 PID 828 wrote to memory of 8 828 Pcbmka32.exe 94 PID 8 wrote to memory of 4652 8 Pjmehkqk.exe 95 PID 8 wrote to memory of 4652 8 Pjmehkqk.exe 95 PID 8 wrote to memory of 4652 8 Pjmehkqk.exe 95 PID 4652 wrote to memory of 4156 4652 Qceiaa32.exe 96 PID 4652 wrote to memory of 4156 4652 Qceiaa32.exe 96 PID 4652 wrote to memory of 4156 4652 Qceiaa32.exe 96 PID 4156 wrote to memory of 4600 4156 Qfcfml32.exe 97 PID 4156 wrote to memory of 4600 4156 Qfcfml32.exe 97 PID 4156 wrote to memory of 4600 4156 Qfcfml32.exe 97 PID 4600 wrote to memory of 4488 4600 Qmmnjfnl.exe 98 PID 4600 wrote to memory of 4488 4600 Qmmnjfnl.exe 98 PID 4600 wrote to memory of 4488 4600 Qmmnjfnl.exe 98 PID 4488 wrote to memory of 3428 4488 Qcgffqei.exe 99 PID 4488 wrote to memory of 3428 4488 Qcgffqei.exe 99 PID 4488 wrote to memory of 3428 4488 Qcgffqei.exe 99 PID 3428 wrote to memory of 1688 3428 Qffbbldm.exe 100 PID 3428 wrote to memory of 1688 3428 Qffbbldm.exe 100 PID 3428 wrote to memory of 1688 3428 Qffbbldm.exe 100 PID 1688 wrote to memory of 2208 1688 Ampkof32.exe 101 PID 1688 wrote to memory of 2208 1688 Ampkof32.exe 101 PID 1688 wrote to memory of 2208 1688 Ampkof32.exe 101 PID 2208 wrote to memory of 1200 2208 Adgbpc32.exe 102 PID 2208 wrote to memory of 1200 2208 Adgbpc32.exe 102 PID 2208 wrote to memory of 1200 2208 Adgbpc32.exe 102 PID 1200 wrote to memory of 2600 1200 Afhohlbj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\12dda8e9b3e2def35a1c6f3e2095fbd580437e0db811a16b5d88bfe414d81542.exe"C:\Users\Admin\AppData\Local\Temp\12dda8e9b3e2def35a1c6f3e2095fbd580437e0db811a16b5d88bfe414d81542.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Qceiaa32.exeC:\Windows\system32\Qceiaa32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe23⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe24⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4788 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe26⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe27⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe28⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe29⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe30⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe31⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe32⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe34⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe35⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe36⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe37⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3684 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe39⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe40⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe41⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe42⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe43⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe44⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe46⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe47⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe48⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe49⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe50⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe51⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe52⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe53⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe54⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe55⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1388 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe58⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe59⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe60⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe61⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe62⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe63⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe64⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe65⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe66⤵PID:3080
-
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe67⤵PID:4848
-
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4748 -
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe69⤵PID:1332
-
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe70⤵
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe71⤵
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe72⤵
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe73⤵PID:3756
-
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe74⤵PID:3388
-
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe75⤵PID:3668
-
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe76⤵PID:2280
-
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe77⤵PID:4940
-
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4636 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe79⤵PID:2220
-
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe80⤵PID:3656
-
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe81⤵PID:2324
-
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe82⤵PID:4824
-
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe83⤵PID:1616
-
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe84⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe85⤵PID:1484
-
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1184 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe87⤵PID:4588
-
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe88⤵
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe89⤵PID:4492
-
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe90⤵
- System Location Discovery: System Language Discovery
PID:4028 -
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe91⤵PID:3560
-
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe92⤵PID:2200
-
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe93⤵
- Drops file in System32 directory
PID:4684 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe94⤵PID:1400
-
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe95⤵PID:1100
-
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe96⤵PID:5056
-
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe97⤵PID:3852
-
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe98⤵PID:4348
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe99⤵PID:404
-
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:4832 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe101⤵PID:1552
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe102⤵PID:1360
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe103⤵PID:1896
-
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe104⤵PID:4172
-
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe105⤵PID:4632
-
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe106⤵PID:4908
-
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe107⤵PID:2236
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe108⤵PID:2876
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe109⤵PID:3160
-
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe110⤵
- System Location Discovery: System Language Discovery
PID:3544 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe111⤵PID:3332
-
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe112⤵PID:1652
-
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe113⤵PID:3584
-
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe114⤵PID:2632
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe115⤵PID:3184
-
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe116⤵PID:2020
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe117⤵
- Drops file in System32 directory
PID:4392 -
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe118⤵PID:5144
-
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5188 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe120⤵PID:5232
-
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe121⤵PID:5276
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-