Analysis
max time kernel
96s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags
arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted
24/02/2025, 07:28
Static task
static1
Behavioral task
behavioral1
Sample
e2d8a2dff58c7a61235fa253e8ff9eb329d477acf0d678ae200376cbfc04f6a1.exe
Resource
win7-20250207-en
Behavioral task
behavioral2
Sample
e2d8a2dff58c7a61235fa253e8ff9eb329d477acf0d678ae200376cbfc04f6a1.exe
Resource
win10v2004-20250217-en
General
Target
e2d8a2dff58c7a61235fa253e8ff9eb329d477acf0d678ae200376cbfc04f6a1.exe
Size
96KB
MD5
aeb8c20a607182335c63356f683aa48a
SHA1
f53327a096fed96e5504f974cf9f329041830538
SHA256
e2d8a2dff58c7a61235fa253e8ff9eb329d477acf0d678ae200376cbfc04f6a1
SHA512
b33dc1877528b62f925172780a062d2654c20e9bef7b6ee4e4ad3611894dbf11f454cfb0e5bea030e1d4dbb827ae3b82812e5f7bb5c74ee0a80adbcdb0cb34c3
SSDEEP
1536:vMnDjFdQ7Db7wOMWHYBMloFGS2Lw7RZObZUUWaegPYAi:UnHFi7Db7wpWHTaCwClUUWae3
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid
9556
pid_target
9424
Process
WerFault.exe
procid_target
469
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4388 wrote to memory of 2684 | 4388 | e2d8a2dff58c7a61235fa253e8ff9eb329d477acf0d678ae200376cbfc04f6a1.exe | 84
PID 4388 wrote to memory of 2684 | 4388 | e2d8a2dff58c7a61235fa253e8ff9eb329d477acf0d678ae200376cbfc04f6a1.exe | 84
PID 4388 wrote to memory of 2684 | 4388 | e2d8a2dff58c7a61235fa253e8ff9eb329d477acf0d678ae200376cbfc04f6a1.exe | 84
PID 2684 wrote to memory of 1200 | 2684 | Jilfifme.exe | 85
PID 2684 wrote to memory of 1200 | 2684 | Jilfifme.exe | 85
PID 2684 wrote to memory of 1200 | 2684 | Jilfifme.exe | 85
PID 1200 wrote to memory of 1908 | 1200 | Jljbeali.exe | 86
PID 1200 wrote to memory of 1908 | 1200 | Jljbeali.exe | 86
PID 1200 wrote to memory of 1908 | 1200 | Jljbeali.exe | 86
PID 1908 wrote to memory of 3912 | 1908 | Jebfng32.exe | 87
PID 1908 wrote to memory of 3912 | 1908 | Jebfng32.exe | 87
PID 1908 wrote to memory of 3912 | 1908 | Jebfng32.exe | 87
PID 3912 wrote to memory of 3712 | 3912 | Jniood32.exe | 89
PID 3912 wrote to memory of 3712 | 3912 | Jniood32.exe | 89
PID 3912 wrote to memory of 3712 | 3912 | Jniood32.exe | 89
PID 3712 wrote to memory of 2436 | 3712 | Jphkkpbp.exe | 90
PID 3712 wrote to memory of 2436 | 3712 | Jphkkpbp.exe | 90
PID 3712 wrote to memory of 2436 | 3712 | Jphkkpbp.exe | 90
PID 2436 wrote to memory of 4456 | 2436 | Jedccfqg.exe | 92
PID 2436 wrote to memory of 4456 | 2436 | Jedccfqg.exe | 92
PID 2436 wrote to memory of 4456 | 2436 | Jedccfqg.exe | 92
PID 4456 wrote to memory of 2352 | 4456 | Jnlkedai.exe | 93
PID 4456 wrote to memory of 2352 | 4456 | Jnlkedai.exe | 93
PID 4456 wrote to memory of 2352 | 4456 | Jnlkedai.exe | 93
PID 2352 wrote to memory of 4276 | 2352 | Komhll32.exe | 94
PID 2352 wrote to memory of 4276 | 2352 | Komhll32.exe | 94
PID 2352 wrote to memory of 4276 | 2352 | Komhll32.exe | 94
PID 4276 wrote to memory of 3976 | 4276 | Kjblje32.exe | 95
PID 4276 wrote to memory of 3976 | 4276 | Kjblje32.exe | 95
PID 4276 wrote to memory of 3976 | 4276 | Kjblje32.exe | 95
PID 3976 wrote to memory of 4472 | 3976 | Kpmdfonj.exe | 96
PID 3976 wrote to memory of 4472 | 3976 | Kpmdfonj.exe | 96
PID 3976 wrote to memory of 4472 | 3976 | Kpmdfonj.exe | 96
PID 4472 wrote to memory of 2768 | 4472 | Kgflcifg.exe | 97
PID 4472 wrote to memory of 2768 | 4472 | Kgflcifg.exe | 97
PID 4472 wrote to memory of 2768 | 4472 | Kgflcifg.exe | 97
PID 2768 wrote to memory of 3212 | 2768 | Knqepc32.exe | 98
PID 2768 wrote to memory of 3212 | 2768 | Knqepc32.exe | 98
PID 2768 wrote to memory of 3212 | 2768 | Knqepc32.exe | 98
PID 3212 wrote to memory of 3396 | 3212 | Koaagkcb.exe | 99
PID 3212 wrote to memory of 3396 | 3212 | Koaagkcb.exe | 99
PID 3212 wrote to memory of 3396 | 3212 | Koaagkcb.exe | 99
PID 3396 wrote to memory of 3272 | 3396 | Kflide32.exe | 100
PID 3396 wrote to memory of 3272 | 3396 | Kflide32.exe | 100
PID 3396 wrote to memory of 3272 | 3396 | Kflide32.exe | 100
PID 3272 wrote to memory of 932 | 3272 | Klfaapbl.exe | 101
PID 3272 wrote to memory of 932 | 3272 | Klfaapbl.exe | 101
PID 3272 wrote to memory of 932 | 3272 | Klfaapbl.exe | 101
PID 932 wrote to memory of 5104 | 932 | Kcpjnjii.exe | 102
PID 932 wrote to memory of 5104 | 932 | Kcpjnjii.exe | 102
PID 932 wrote to memory of 5104 | 932 | Kcpjnjii.exe | 102
PID 5104 wrote to memory of 3584 | 5104 | Kjjbjd32.exe | 104
PID 5104 wrote to memory of 3584 | 5104 | Kjjbjd32.exe | 104
PID 5104 wrote to memory of 3584 | 5104 | Kjjbjd32.exe | 104
PID 3584 wrote to memory of 3492 | 3584 | Kcbfcigf.exe | 106
PID 3584 wrote to memory of 3492 | 3584 | Kcbfcigf.exe | 106
PID 3584 wrote to memory of 3492 | 3584 | Kcbfcigf.exe | 106
PID 3492 wrote to memory of 896 | 3492 | Kfpcoefj.exe | 107
PID 3492 wrote to memory of 896 | 3492 | Kfpcoefj.exe | 107
PID 3492 wrote to memory of 896 | 3492 | Kfpcoefj.exe | 107
PID 896 wrote to memory of 1000 | 896 | Kngkqbgl.exe | 108
PID 896 wrote to memory of 1000 | 896 | Kngkqbgl.exe | 108
PID 896 wrote to memory of 1000 | 896 | Kngkqbgl.exe | 108
PID 1000 wrote to memory of 1568 | 1000 | Lpfgmnfp.exe | 109
Processes
- C:\Users\Admin\AppData\Local\Temp\e2d8a2dff58c7a61235fa253e8ff9eb329d477acf0d678ae200376cbfc04f6a1.exe (tree depth 1), command line: "C:\Users\Admin\AppData\Local\Temp\e2d8a2dff58c7a61235fa253e8ff9eb329d477acf0d678ae200376cbfc04f6a1.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4388
- C:\Windows\SysWOW64\Jilfifme.exe (tree depth 2), command line: C:\Windows\system32\Jilfifme.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2684
- C:\Windows\SysWOW64\Jljbeali.exe (tree depth 3), command line: C:\Windows\system32\Jljbeali.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1200
- C:\Windows\SysWOW64\Jebfng32.exe (tree depth 4), command line: C:\Windows\system32\Jebfng32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1908
- C:\Windows\SysWOW64\Jniood32.exe (tree depth 5), command line: C:\Windows\system32\Jniood32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3912
- C:\Windows\SysWOW64\Jphkkpbp.exe (tree depth 6), command line: C:\Windows\system32\Jphkkpbp.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3712
- C:\Windows\SysWOW64\Jedccfqg.exe (tree depth 7), command line: C:\Windows\system32\Jedccfqg.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2436
- C:\Windows\SysWOW64\Jnlkedai.exe (tree depth 8), command line: C:\Windows\system32\Jnlkedai.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4456
- C:\Windows\SysWOW64\Komhll32.exe (tree depth 9), command line: C:\Windows\system32\Komhll32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2352
- C:\Windows\SysWOW64\Kjblje32.exe (tree depth 10), command line: C:\Windows\system32\Kjblje32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 4276
- C:\Windows\SysWOW64\Kpmdfonj.exe (tree depth 11), command line: C:\Windows\system32\Kpmdfonj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3976
- C:\Windows\SysWOW64\Kgflcifg.exe (tree depth 12), command line: C:\Windows\system32\Kgflcifg.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4472
- C:\Windows\SysWOW64\Knqepc32.exe (tree depth 13), command line: C:\Windows\system32\Knqepc32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2768
- C:\Windows\SysWOW64\Koaagkcb.exe (tree depth 14), command line: C:\Windows\system32\Koaagkcb.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3212
- C:\Windows\SysWOW64\Kflide32.exe (tree depth 15), command line: C:\Windows\system32\Kflide32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3396
- C:\Windows\SysWOW64\Klfaapbl.exe (tree depth 16), command line: C:\Windows\system32\Klfaapbl.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3272
- C:\Windows\SysWOW64\Kcpjnjii.exe (tree depth 17), command line: C:\Windows\system32\Kcpjnjii.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 932
- C:\Windows\SysWOW64\Kjjbjd32.exe (tree depth 18), command line: C:\Windows\system32\Kjjbjd32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 5104
- C:\Windows\SysWOW64\Kcbfcigf.exe (tree depth 19), command line: C:\Windows\system32\Kcbfcigf.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3584
- C:\Windows\SysWOW64\Kfpcoefj.exe (tree depth 20), command line: C:\Windows\system32\Kfpcoefj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3492
- C:\Windows\SysWOW64\Kngkqbgl.exe (tree depth 21), command line: C:\Windows\system32\Kngkqbgl.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 896
- C:\Windows\SysWOW64\Lpfgmnfp.exe (tree depth 22), command line: C:\Windows\system32\Lpfgmnfp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1000
- C:\Windows\SysWOW64\Loighj32.exe (tree depth 23), command line: C:\Windows\system32\Loighj32.exe
  - Executes dropped EXE
  PID: 1568
- C:\Windows\SysWOW64\Lgpoihnl.exe (tree depth 24), command line: C:\Windows\system32\Lgpoihnl.exe
  - Executes dropped EXE
  PID: 1976
- C:\Windows\SysWOW64\Lqhdbm32.exe (tree depth 25), command line: C:\Windows\system32\Lqhdbm32.exe
  - Executes dropped EXE
  PID: 4732
- C:\Windows\SysWOW64\Lgbloglj.exe (tree depth 26), command line: C:\Windows\system32\Lgbloglj.exe
  - Executes dropped EXE
  PID: 3760
- C:\Windows\SysWOW64\Lnldla32.exe (tree depth 27), command line: C:\Windows\system32\Lnldla32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 1812
- C:\Windows\SysWOW64\Lomqcjie.exe (tree depth 28), command line: C:\Windows\system32\Lomqcjie.exe
  - Executes dropped EXE
  PID: 1184
- C:\Windows\SysWOW64\Lcimdh32.exe (tree depth 29), command line: C:\Windows\system32\Lcimdh32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2272
- C:\Windows\SysWOW64\Lnoaaaad.exe (tree depth 30), command line: C:\Windows\system32\Lnoaaaad.exe
  - Executes dropped EXE
  PID: 1588
- C:\Windows\SysWOW64\Lqmmmmph.exe (tree depth 31), command line: C:\Windows\system32\Lqmmmmph.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2268
- C:\Windows\SysWOW64\Lggejg32.exe (tree depth 32), command line: C:\Windows\system32\Lggejg32.exe
  - Executes dropped EXE
  PID: 1544
- C:\Windows\SysWOW64\Lmdnbn32.exe (tree depth 33), command line: C:\Windows\system32\Lmdnbn32.exe
  - Executes dropped EXE
  PID: 2812
- C:\Windows\SysWOW64\Lcnfohmi.exe (tree depth 34), command line: C:\Windows\system32\Lcnfohmi.exe
  - Executes dropped EXE
  PID: 3240
- C:\Windows\SysWOW64\Lflbkcll.exe (tree depth 35), command line: C:\Windows\system32\Lflbkcll.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1596
- C:\Windows\SysWOW64\Lncjlq32.exe (tree depth 36), command line: C:\Windows\system32\Lncjlq32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1332
- C:\Windows\SysWOW64\Mqafhl32.exe (tree depth 37), command line: C:\Windows\system32\Mqafhl32.exe
  - Executes dropped EXE
  PID: 5060
- C:\Windows\SysWOW64\Mgloefco.exe (tree depth 38), command line: C:\Windows\system32\Mgloefco.exe
  - Executes dropped EXE
  PID: 3764
- C:\Windows\SysWOW64\Mnegbp32.exe (tree depth 39), command line: C:\Windows\system32\Mnegbp32.exe
  - Executes dropped EXE
  PID: 3876
- C:\Windows\SysWOW64\Mqdcnl32.exe (tree depth 40), command line: C:\Windows\system32\Mqdcnl32.exe
  - Executes dropped EXE
  PID: 4008
- C:\Windows\SysWOW64\Mcbpjg32.exe (tree depth 41), command line: C:\Windows\system32\Mcbpjg32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4548
- C:\Windows\SysWOW64\Mfqlfb32.exe (tree depth 42), command line: C:\Windows\system32\Mfqlfb32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1232
- C:\Windows\SysWOW64\Mnhdgpii.exe (tree depth 43), command line: C:\Windows\system32\Mnhdgpii.exe
  - Executes dropped EXE
  PID: 1952
- C:\Windows\SysWOW64\Moipoh32.exe (tree depth 44), command line: C:\Windows\system32\Moipoh32.exe
  - Executes dropped EXE
  - Modifies registry class
  PID: 3036
- C:\Windows\SysWOW64\Mgphpe32.exe (tree depth 45), command line: C:\Windows\system32\Mgphpe32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 3136
- C:\Windows\SysWOW64\Mjodla32.exe (tree depth 46), command line: C:\Windows\system32\Mjodla32.exe
  - Executes dropped EXE
  - Modifies registry class
  PID: 552
- C:\Windows\SysWOW64\Mqimikfj.exe (tree depth 47), command line: C:\Windows\system32\Mqimikfj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID: 2340
- C:\Windows\SysWOW64\Mgbefe32.exe (tree depth 48), command line: C:\Windows\system32\Mgbefe32.exe
  - Executes dropped EXE
  PID: 3884
- C:\Windows\SysWOW64\Mfeeabda.exe (tree depth 49), command line: C:\Windows\system32\Mfeeabda.exe
  - Executes dropped EXE
  PID: 4564
- C:\Windows\SysWOW64\Mjaabq32.exe (tree depth 50), command line: C:\Windows\system32\Mjaabq32.exe
  - Executes dropped EXE
  PID: 4384
- C:\Windows\SysWOW64\Mqkiok32.exe (tree depth 51), command line: C:\Windows\system32\Mqkiok32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3160
- C:\Windows\SysWOW64\Mcifkf32.exe (tree depth 52), command line: C:\Windows\system32\Mcifkf32.exe
  - Executes dropped EXE
  PID: 2816
- C:\Windows\SysWOW64\Mfhbga32.exe (tree depth 53), command line: C:\Windows\system32\Mfhbga32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 924
- C:\Windows\SysWOW64\Mjcngpjh.exe (tree depth 54), command line: C:\Windows\system32\Mjcngpjh.exe
  - Executes dropped EXE
  PID: 740
- C:\Windows\SysWOW64\Nnojho32.exe (tree depth 55), command line: C:\Windows\system32\Nnojho32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4940
- C:\Windows\SysWOW64\Nopfpgip.exe (tree depth 56), command line: C:\Windows\system32\Nopfpgip.exe
  - Executes dropped EXE
  PID: 2348
- C:\Windows\SysWOW64\Nfjola32.exe (tree depth 57), command line: C:\Windows\system32\Nfjola32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 4680
- C:\Windows\SysWOW64\Nnafno32.exe (tree depth 58), command line: C:\Windows\system32\Nnafno32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID: 4376
- C:\Windows\SysWOW64\Npbceggm.exe (tree depth 59), command line: C:\Windows\system32\Npbceggm.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2900
- C:\Windows\SysWOW64\Nflkbanj.exe (tree depth 60), command line: C:\Windows\system32\Nflkbanj.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2952
- C:\Windows\SysWOW64\Nmfcok32.exe (tree depth 61), command line: C:\Windows\system32\Nmfcok32.exe
  - Executes dropped EXE
  PID: 676
- C:\Windows\SysWOW64\Nglhld32.exe (tree depth 62), command line: C:\Windows\system32\Nglhld32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 1176
- C:\Windows\SysWOW64\Nnfpinmi.exe (tree depth 63), command line: C:\Windows\system32\Nnfpinmi.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 408
- C:\Windows\SysWOW64\Npgmpf32.exe (tree depth 64), command line: C:\Windows\system32\Npgmpf32.exe
  - Executes dropped EXE
  PID: 5000
- C:\Windows\SysWOW64\Ngndaccj.exe (tree depth 65), command line: C:\Windows\system32\Ngndaccj.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 4992
- C:\Windows\SysWOW64\Njmqnobn.exe (tree depth 66), command line: C:\Windows\system32\Njmqnobn.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 4552
- C:\Windows\SysWOW64\Ngqagcag.exe (tree depth 67), command line: C:\Windows\system32\Ngqagcag.exe
  PID: 4184
- C:\Windows\SysWOW64\Onkidm32.exe (tree depth 68), command line: C:\Windows\system32\Onkidm32.exe
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2844
- C:\Windows\SysWOW64\Ogcnmc32.exe (tree depth 69), command line: C:\Windows\system32\Ogcnmc32.exe
  PID: 2612
- C:\Windows\SysWOW64\Ompfej32.exe (tree depth 70), command line: C:\Windows\system32\Ompfej32.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 3820
- C:\Windows\SysWOW64\Ocjoadei.exe (tree depth 71), command line: C:\Windows\system32\Ocjoadei.exe
  PID: 4784
- C:\Windows\SysWOW64\Ofhknodl.exe (tree depth 72), command line: C:\Windows\system32\Ofhknodl.exe
  PID: 4520
- C:\Windows\SysWOW64\Ojdgnn32.exe (tree depth 73), command line: C:\Windows\system32\Ojdgnn32.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 4860
- C:\Windows\SysWOW64\Oanokhdb.exe (tree depth 74), command line: C:\Windows\system32\Oanokhdb.exe
  PID: 1584
- C:\Windows\SysWOW64\Ofkgcobj.exe (tree depth 75), command line: C:\Windows\system32\Ofkgcobj.exe
  PID: 1136
- C:\Windows\SysWOW64\Omdppiif.exe (tree depth 76), command line: C:\Windows\system32\Omdppiif.exe
  PID: 1736
- C:\Windows\SysWOW64\Opclldhj.exe (tree depth 77), command line: C:\Windows\system32\Opclldhj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID: 2728
- C:\Windows\SysWOW64\Ofmdio32.exe (tree depth 78), command line: C:\Windows\system32\Ofmdio32.exe
  PID: 744
- C:\Windows\SysWOW64\Ondljl32.exe (tree depth 79), command line: C:\Windows\system32\Ondljl32.exe
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2120
- C:\Windows\SysWOW64\Oabhfg32.exe (tree depth 80), command line: C:\Windows\system32\Oabhfg32.exe
  PID: 3484
- C:\Windows\SysWOW64\Ohlqcagj.exe (tree depth 81), command line: C:\Windows\system32\Ohlqcagj.exe
  PID: 1100
- C:\Windows\SysWOW64\Pjkmomfn.exe (tree depth 82), command line: C:\Windows\system32\Pjkmomfn.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 452
- C:\Windows\SysWOW64\Ppgegd32.exe (tree depth 83), command line: C:\Windows\system32\Ppgegd32.exe
  PID: 1020
- C:\Windows\SysWOW64\Pccahbmn.exe (tree depth 84), command line: C:\Windows\system32\Pccahbmn.exe
  PID: 4676
- C:\Windows\SysWOW64\Pmlfqh32.exe (tree depth 85), command line: C:\Windows\system32\Pmlfqh32.exe
  - Modifies registry class
  PID: 640
- C:\Windows\SysWOW64\Pmnbfhal.exe (tree depth 86), command line: C:\Windows\system32\Pmnbfhal.exe
  PID: 1856
- C:\Windows\SysWOW64\Paiogf32.exe (tree depth 87), command line: C:\Windows\system32\Paiogf32.exe
  PID: 1428
- C:\Windows\SysWOW64\Pjbcplpe.exe (tree depth 88), command line: C:\Windows\system32\Pjbcplpe.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 1540
- C:\Windows\SysWOW64\Pmpolgoi.exe (tree depth 89), command line: C:\Windows\system32\Pmpolgoi.exe
  PID: 4140
- C:\Windows\SysWOW64\Pfiddm32.exe (tree depth 90), command line: C:\Windows\system32\Pfiddm32.exe
  PID: 4340
- C:\Windows\SysWOW64\Pnplfj32.exe (tree depth 91), command line: C:\Windows\system32\Pnplfj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 3148
- C:\Windows\SysWOW64\Pdmdnadc.exe (tree depth 92), command line: C:\Windows\system32\Pdmdnadc.exe
  - Modifies registry class
  PID: 4980
- C:\Windows\SysWOW64\Qobhkjdi.exe (tree depth 93), command line: C:\Windows\system32\Qobhkjdi.exe
  PID: 1316
- C:\Windows\SysWOW64\Qpcecb32.exe (tree depth 94), command line: C:\Windows\system32\Qpcecb32.exe
  PID: 2668
- C:\Windows\SysWOW64\Qmgelf32.exe (tree depth 95), command line: C:\Windows\system32\Qmgelf32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 4024
- C:\Windows\SysWOW64\Qdaniq32.exe (tree depth 96), command line: C:\Windows\system32\Qdaniq32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID: 4840
- C:\Windows\SysWOW64\Aaenbd32.exe (tree depth 97), command line: C:\Windows\system32\Aaenbd32.exe
  PID: 5168
- C:\Windows\SysWOW64\Afbgkl32.exe (tree depth 98), command line: C:\Windows\system32\Afbgkl32.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 5216
- C:\Windows\SysWOW64\Aagkhd32.exe (tree depth 99), command line: C:\Windows\system32\Aagkhd32.exe
  - System Location Discovery: System Language Discovery
  PID: 5260
- C:\Windows\SysWOW64\Agdcpkll.exe (tree depth 100), command line: C:\Windows\system32\Agdcpkll.exe
  PID: 5304
- C:\Windows\SysWOW64\Aokkahlo.exe (tree depth 101), command line: C:\Windows\system32\Aokkahlo.exe
  PID: 5348
- C:\Windows\SysWOW64\Apmhiq32.exe (tree depth 102), command line: C:\Windows\system32\Apmhiq32.exe
  PID: 5396
- C:\Windows\SysWOW64\Ahdpjn32.exe (tree depth 103), command line: C:\Windows\system32\Ahdpjn32.exe
  PID: 5444
- C:\Windows\SysWOW64\Aonhghjl.exe (tree depth 104), command line: C:\Windows\system32\Aonhghjl.exe
  PID: 5484
- C:\Windows\SysWOW64\Aaldccip.exe (tree depth 105), command line: C:\Windows\system32\Aaldccip.exe
  - Modifies registry class
  PID: 5528
- C:\Windows\SysWOW64\Adkqoohc.exe (tree depth 106), command line: C:\Windows\system32\Adkqoohc.exe
  PID: 5572
- C:\Windows\SysWOW64\Ahfmpnql.exe (tree depth 107), command line: C:\Windows\system32\Ahfmpnql.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID: 5616
- C:\Windows\SysWOW64\Amcehdod.exe (tree depth 108), command line: C:\Windows\system32\Amcehdod.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 5692
- C:\Windows\SysWOW64\Apaadpng.exe (tree depth 109), command line: C:\Windows\system32\Apaadpng.exe
  PID: 5736
- C:\Windows\SysWOW64\Bhhiemoj.exe (tree depth 110), command line: C:\Windows\system32\Bhhiemoj.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 5788
- C:\Windows\SysWOW64\Bkgeainn.exe (tree depth 111), command line: C:\Windows\system32\Bkgeainn.exe
  - Modifies registry class
  PID: 5832
- C:\Windows\SysWOW64\Bobabg32.exe (tree depth 112), command line: C:\Windows\system32\Bobabg32.exe
  - System Location Discovery: System Language Discovery
  PID: 5876
- C:\Windows\SysWOW64\Baannc32.exe (tree depth 113), command line: C:\Windows\system32\Baannc32.exe
  - System Location Discovery: System Language Discovery
  PID: 5920
- C:\Windows\SysWOW64\Bdojjo32.exe (tree depth 114), command line: C:\Windows\system32\Bdojjo32.exe
  PID: 5964
- C:\Windows\SysWOW64\Bhkfkmmg.exe (tree depth 115), command line: C:\Windows\system32\Bhkfkmmg.exe
  PID: 6008
- C:\Windows\SysWOW64\Bkibgh32.exe (tree depth 116), command line: C:\Windows\system32\Bkibgh32.exe
  - Modifies registry class
  PID: 6056
- C:\Windows\SysWOW64\Bmhocd32.exe (tree depth 117), command line: C:\Windows\system32\Bmhocd32.exe
  PID: 6100
- C:\Windows\SysWOW64\Bacjdbch.exe (tree depth 118), command line: C:\Windows\system32\Bacjdbch.exe
  - System Location Discovery: System Language Discovery
  PID: 4724
- C:\Windows\SysWOW64\Bdagpnbk.exe (tree depth 119), command line: C:\Windows\system32\Bdagpnbk.exe
  PID: 5208
- C:\Windows\SysWOW64\Bgpcliao.exe (tree depth 120), command line: C:\Windows\system32\Bgpcliao.exe
  - System Location Discovery: System Language Discovery
  PID: 5268
- C:\Windows\SysWOW64\Bklomh32.exe (tree depth 121), command line: C:\Windows\system32\Bklomh32.exe
  - Drops file in System32 directory
  PID: 5332
- C:\Windows\SysWOW64\Bmjkic32.exe (tree depth 122), command line: C:\Windows\system32\Bmjkic32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 5404