Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
139s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
05/03/2025, 12:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e708e2c3517e02b20cfc51e5d41e6e5bdd20d1aaf6ce1f35d05cea001a40c0bf.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
e708e2c3517e02b20cfc51e5d41e6e5bdd20d1aaf6ce1f35d05cea001a40c0bf.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
e708e2c3517e02b20cfc51e5d41e6e5bdd20d1aaf6ce1f35d05cea001a40c0bf.exe
-
Size
45KB
-
MD5
304e64cdd0306ec924ab1aaf333e3445
-
SHA1
5f11573de0f91d336ce6e5ddf6778dfd361f9871
-
SHA256
e708e2c3517e02b20cfc51e5d41e6e5bdd20d1aaf6ce1f35d05cea001a40c0bf
-
SHA512
ceb082bbeb38a23b75791334765fab4f345f0869e746a8a45d242895adef897f5397a9a8badd31420ba4444a5039f7df916bf44ce34aea77a9fb88a6b1574829
-
SSDEEP
768:aUgp5tpqK8dA5KglhgEUN6ug/gXVl+8ABmQaw0Rc5Xs0VObv8PAm/1H56+:yp5tUW71UN6ug/gFl+8ABvX0R8sKWvK/
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilphdlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cleegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lggejg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feqeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacepg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfbaalbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anclbkbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpjlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lggejg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebaplnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmhbqbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihibbjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbojlfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlgoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mofmobmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfpell32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banjnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpgind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jphkkpbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbpgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggmmlamj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofdhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimqajgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmhqapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kedlip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anclbkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlbcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojemig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphiaffa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coqncejg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbicl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amnebo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqbpojnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkqoohc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogopi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkbfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccdihbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdkoch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgflcifg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonhghjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fecadghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jldbpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfiildio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfodeohd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obqanjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdphngfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhgkgijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biiobo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omjpeo32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4616 Ohmhmh32.exe 4504 Okkdic32.exe 1360 Omjpeo32.exe 4168 Peahgl32.exe 3356 Phodcg32.exe 2584 Poimpapp.exe 4864 Pahilmoc.exe 2696 Pdfehh32.exe 2216 Plmmif32.exe 4344 Poliea32.exe 3832 Pefabkej.exe 1920 Phdnngdn.exe 1568 Pkbjjbda.exe 4564 Palbgl32.exe 4008 Pdkoch32.exe 1912 Plbfdekd.exe 1576 Paoollik.exe 4296 Pdmkhgho.exe 4068 Pldcjeia.exe 3384 Pocpfphe.exe 1680 Qaalblgi.exe 3660 Qdphngfl.exe 4032 Qkipkani.exe 3452 Qmhlgmmm.exe 536 Qeodhjmo.exe 2960 Qlimed32.exe 2592 Aogiap32.exe 4456 Aafemk32.exe 2268 Ahpmjejp.exe 1268 Aknifq32.exe 3928 Aahbbkaq.exe 400 Ahbjoe32.exe 4288 Akqfkp32.exe 5000 Aajohjon.exe 3200 Adikdfna.exe 2096 Alpbecod.exe 3064 Aonoao32.exe 3224 Aehgnied.exe 3340 Adkgje32.exe 4152 Albpkc32.exe 3820 Anclbkbp.exe 2052 Aekddhcb.exe 3684 Ahippdbe.exe 1128 Baadiiif.exe 644 Bdpaeehj.exe 3700 Blgifbil.exe 2316 Boeebnhp.exe 3560 Badanigc.exe 3360 Cdnmfclj.exe 2132 Cleegp32.exe 464 Cbbnpg32.exe 556 Cdpjlb32.exe 1120 Clgbmp32.exe 2860 Cnindhpg.exe 2456 Cbdjeg32.exe 844 Cfpffeaj.exe 4832 Cljobphg.exe 3244 Ckmonl32.exe 3024 Cnkkjh32.exe 820 Dmlkhofd.exe 4816 Dokgdkeh.exe 3936 Dbicpfdk.exe 2572 Ddgplado.exe 3940 Dmohno32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dnbdlf32.dll Lcimdh32.exe File opened for modification C:\Windows\SysWOW64\Qjfmkk32.exe Qhhpop32.exe File created C:\Windows\SysWOW64\Paoinm32.dll Fbbicl32.exe File created C:\Windows\SysWOW64\Ckcdlpbd.dll Fecadghc.exe File created C:\Windows\SysWOW64\Cleegp32.exe Cdnmfclj.exe File created C:\Windows\SysWOW64\Jilfifme.exe Jepjhg32.exe File created C:\Windows\SysWOW64\Jgpfbjlo.exe Johnamkm.exe File created C:\Windows\SysWOW64\Ghndhd32.dll Mfhbga32.exe File created C:\Windows\SysWOW64\Ncchae32.exe Nmipdk32.exe File opened for modification C:\Windows\SysWOW64\Amcehdod.exe Adkqoohc.exe File opened for modification C:\Windows\SysWOW64\Feqeog32.exe Fbbicl32.exe File created C:\Windows\SysWOW64\Mnknop32.dll Joekag32.exe File opened for modification C:\Windows\SysWOW64\Pahilmoc.exe Poimpapp.exe File created C:\Windows\SysWOW64\Fqibbo32.dll Jedccfqg.exe File opened for modification C:\Windows\SysWOW64\Kpanan32.exe Kncaec32.exe File created C:\Windows\SysWOW64\Ncpgam32.dll Lnjgfb32.exe File opened for modification C:\Windows\SysWOW64\Bdfpkm32.exe Boihcf32.exe File opened for modification C:\Windows\SysWOW64\Ekajec32.exe Egened32.exe File created C:\Windows\SysWOW64\Iamamcop.exe Ibjqaf32.exe File created C:\Windows\SysWOW64\Mcoljagj.exe Mpapnfhg.exe File created C:\Windows\SysWOW64\Gengje32.dll Pdkoch32.exe File opened for modification C:\Windows\SysWOW64\Lnoaaaad.exe Lcimdh32.exe File created C:\Windows\SysWOW64\Ocohmc32.exe Oaplqh32.exe File created C:\Windows\SysWOW64\Cncnob32.exe Coqncejg.exe File created C:\Windows\SysWOW64\Jekjcaef.exe Jaonbc32.exe File opened for modification C:\Windows\SysWOW64\Lfiokmkc.exe Lckboblp.exe File created C:\Windows\SysWOW64\Bkfmmb32.dll Nmaciefp.exe File created C:\Windows\SysWOW64\Nfldgk32.exe Noblkqca.exe File created C:\Windows\SysWOW64\Clgbmp32.exe Cdpjlb32.exe File created C:\Windows\SysWOW64\Ifmqfm32.exe Hoeieolb.exe File created C:\Windows\SysWOW64\Lblldc32.dll Ibfnqmpf.exe File created C:\Windows\SysWOW64\Iefgbh32.exe Ibhkfm32.exe File created C:\Windows\SysWOW64\Ogjembbd.dll Lqkqhm32.exe File created C:\Windows\SysWOW64\Fbjieo32.dll Bpdnjple.exe File created C:\Windows\SysWOW64\Ipgkjlmg.exe Ihpcinld.exe File created C:\Windows\SysWOW64\Damlpgkc.dll Njbgmjgl.exe File created C:\Windows\SysWOW64\Almoijfo.dll Kjjbjd32.exe File created C:\Windows\SysWOW64\Kmfpdfnd.dll Fqbliicp.exe File created C:\Windows\SysWOW64\Hlmchoan.exe Hecjke32.exe File opened for modification C:\Windows\SysWOW64\Jbojlfdp.exe Jocnlg32.exe File created C:\Windows\SysWOW64\Njjmni32.exe Ncpeaoih.exe File created C:\Windows\SysWOW64\Ajjokd32.exe Abcgjg32.exe File opened for modification C:\Windows\SysWOW64\Bapgdm32.exe Biiobo32.exe File opened for modification C:\Windows\SysWOW64\Ccppmc32.exe Cpacqg32.exe File opened for modification C:\Windows\SysWOW64\Gemkelcd.exe Gbnoiqdq.exe File created C:\Windows\SysWOW64\Ocdnln32.exe Nmjfodne.exe File opened for modification C:\Windows\SysWOW64\Pmmlla32.exe Pjoppf32.exe File created C:\Windows\SysWOW64\Qclmck32.exe Pjcikejg.exe File created C:\Windows\SysWOW64\Abjmkf32.exe Aplaoj32.exe File created C:\Windows\SysWOW64\Fimgpahk.dll Ddgplado.exe File opened for modification C:\Windows\SysWOW64\Gimqajgh.exe Gfodeohd.exe File opened for modification C:\Windows\SysWOW64\Gmimai32.exe Gimqajgh.exe File created C:\Windows\SysWOW64\Jghpbk32.exe Joahqn32.exe File opened for modification C:\Windows\SysWOW64\Edbiniff.exe Enhpao32.exe File opened for modification C:\Windows\SysWOW64\Egcaod32.exe Eqiibjlj.exe File created C:\Windows\SysWOW64\Kekbjo32.exe Koajmepf.exe File opened for modification C:\Windows\SysWOW64\Njgqhicg.exe Nfldgk32.exe File created C:\Windows\SysWOW64\Pkbjjbda.exe Phdnngdn.exe File created C:\Windows\SysWOW64\Lqmmmmph.exe Lnoaaaad.exe File opened for modification C:\Windows\SysWOW64\Agdcpkll.exe Apjkcadp.exe File created C:\Windows\SysWOW64\Kihgqfld.dll Ggkqgaol.exe File opened for modification C:\Windows\SysWOW64\Iahgad32.exe Ipgkjlmg.exe File created C:\Windows\SysWOW64\Niojoeel.exe Nbebbk32.exe File created C:\Windows\SysWOW64\Ojemig32.exe Oqmhqapg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14276 14192 WerFault.exe 693 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjqmpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjmjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddkbmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmjqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmbgdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieidhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfidb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nofefp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbebbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckidcpjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqiibjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhdnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjfodne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfjjpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofegni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmqnobn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Banjnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkqhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooclapd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpnakk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflfac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmopk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmonl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljqhkckn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgloefco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oonlfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apeknk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iliinc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgflcifg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkqoohc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmfllhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeodhjmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omopjcjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdocph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpjoloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahippdbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpimlfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfdjinjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebaplnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcjfbed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmipdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offnhpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlkfbocp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaonbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johggfha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noblkqca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baadiiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncqlkemc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbhmbdle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfihbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppikbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigbmpco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjhkmbho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebimgcfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhqefjpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhgkgijg.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dphiaffa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomnmjjb.dll" Boeebnhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmjcf32.dll" Gblbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iedjmioj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jngbjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpdnjple.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlppno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njjdho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apmhiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jocnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhoahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfccogfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfjjpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbajeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmadco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiipmhmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kofdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhego32.dll" Nimmifgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojcpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccopc32.dll" Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhafck32.dll" Kcbfcigf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akblfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdmfllhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebaplnie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egcaod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqbliicp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilfennic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fecadghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhjhmhhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nblolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjokd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alpbecod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbnoiqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdcghbo.dll" Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihbponja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odibfg32.dll" Pjjfdfbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpmjejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enpmld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fealin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcncmnn.dll" Iipfmggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keimof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edbiniff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjfbb32.dll" Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poliea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll" Bpdnjple.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhdbhifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kemooo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfldgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncpeaoih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oblhcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmcgolla.dll" Gmafajfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjcgjio.dll" Jenmcggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjja32.dll" Jldbpl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4764 wrote to memory of 4616 4764 e708e2c3517e02b20cfc51e5d41e6e5bdd20d1aaf6ce1f35d05cea001a40c0bf.exe 89 PID 4764 wrote to memory of 4616 4764 e708e2c3517e02b20cfc51e5d41e6e5bdd20d1aaf6ce1f35d05cea001a40c0bf.exe 89 PID 4764 wrote to memory of 4616 4764 e708e2c3517e02b20cfc51e5d41e6e5bdd20d1aaf6ce1f35d05cea001a40c0bf.exe 89 PID 4616 wrote to memory of 4504 4616 Ohmhmh32.exe 90 PID 4616 wrote to memory of 4504 4616 Ohmhmh32.exe 90 PID 4616 wrote to memory of 4504 4616 Ohmhmh32.exe 90 PID 4504 wrote to memory of 1360 4504 Okkdic32.exe 91 PID 4504 wrote to memory of 1360 4504 Okkdic32.exe 91 PID 4504 wrote to memory of 1360 4504 Okkdic32.exe 91 PID 1360 wrote to memory of 4168 1360 Omjpeo32.exe 92 PID 1360 wrote to memory of 4168 1360 Omjpeo32.exe 92 PID 1360 wrote to memory of 4168 1360 Omjpeo32.exe 92 PID 4168 wrote to memory of 3356 4168 Peahgl32.exe 93 PID 4168 wrote to memory of 3356 4168 Peahgl32.exe 93 PID 4168 wrote to memory of 3356 4168 Peahgl32.exe 93 PID 3356 wrote to memory of 2584 3356 Phodcg32.exe 94 PID 3356 wrote to memory of 2584 3356 Phodcg32.exe 94 PID 3356 wrote to memory of 2584 3356 Phodcg32.exe 94 PID 2584 wrote to memory of 4864 2584 Poimpapp.exe 95 PID 2584 wrote to memory of 4864 2584 Poimpapp.exe 95 PID 2584 wrote to memory of 4864 2584 Poimpapp.exe 95 PID 4864 wrote to memory of 2696 4864 Pahilmoc.exe 96 PID 4864 wrote to memory of 2696 4864 Pahilmoc.exe 96 PID 4864 wrote to memory of 2696 4864 Pahilmoc.exe 96 PID 2696 wrote to memory of 2216 2696 Pdfehh32.exe 97 PID 2696 wrote to memory of 2216 2696 Pdfehh32.exe 97 PID 2696 wrote to memory of 2216 2696 Pdfehh32.exe 97 PID 2216 wrote to memory of 4344 2216 Plmmif32.exe 98 PID 2216 wrote to memory of 4344 2216 Plmmif32.exe 98 PID 2216 wrote to memory of 4344 2216 Plmmif32.exe 98 PID 4344 wrote to memory of 3832 4344 Poliea32.exe 99 PID 4344 wrote to memory of 3832 4344 Poliea32.exe 99 PID 4344 wrote to memory of 3832 4344 Poliea32.exe 99 PID 3832 wrote to memory of 1920 3832 Pefabkej.exe 100 PID 3832 wrote to memory of 1920 3832 Pefabkej.exe 100 PID 3832 wrote to memory of 1920 3832 Pefabkej.exe 100 PID 1920 wrote to memory of 1568 1920 Phdnngdn.exe 101 PID 1920 wrote to memory of 1568 1920 Phdnngdn.exe 101 PID 1920 wrote to memory of 1568 1920 Phdnngdn.exe 101 PID 1568 wrote to memory of 4564 1568 Pkbjjbda.exe 102 PID 1568 wrote to memory of 4564 1568 Pkbjjbda.exe 102 PID 1568 wrote to memory of 4564 1568 Pkbjjbda.exe 102 PID 4564 wrote to memory of 4008 4564 Palbgl32.exe 103 PID 4564 wrote to memory of 4008 4564 Palbgl32.exe 103 PID 4564 wrote to memory of 4008 4564 Palbgl32.exe 103 PID 4008 wrote to memory of 1912 4008 Pdkoch32.exe 104 PID 4008 wrote to memory of 1912 4008 Pdkoch32.exe 104 PID 4008 wrote to memory of 1912 4008 Pdkoch32.exe 104 PID 1912 wrote to memory of 1576 1912 Plbfdekd.exe 105 PID 1912 wrote to memory of 1576 1912 Plbfdekd.exe 105 PID 1912 wrote to memory of 1576 1912 Plbfdekd.exe 105 PID 1576 wrote to memory of 4296 1576 Paoollik.exe 106 PID 1576 wrote to memory of 4296 1576 Paoollik.exe 106 PID 1576 wrote to memory of 4296 1576 Paoollik.exe 106 PID 4296 wrote to memory of 4068 4296 Pdmkhgho.exe 107 PID 4296 wrote to memory of 4068 4296 Pdmkhgho.exe 107 PID 4296 wrote to memory of 4068 4296 Pdmkhgho.exe 107 PID 4068 wrote to memory of 3384 4068 Pldcjeia.exe 108 PID 4068 wrote to memory of 3384 4068 Pldcjeia.exe 108 PID 4068 wrote to memory of 3384 4068 Pldcjeia.exe 108 PID 3384 wrote to memory of 1680 3384 Pocpfphe.exe 109 PID 3384 wrote to memory of 1680 3384 Pocpfphe.exe 109 PID 3384 wrote to memory of 1680 3384 Pocpfphe.exe 109 PID 1680 wrote to memory of 3660 1680 Qaalblgi.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\e708e2c3517e02b20cfc51e5d41e6e5bdd20d1aaf6ce1f35d05cea001a40c0bf.exe"C:\Users\Admin\AppData\Local\Temp\e708e2c3517e02b20cfc51e5d41e6e5bdd20d1aaf6ce1f35d05cea001a40c0bf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Omjpeo32.exeC:\Windows\system32\Omjpeo32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Phodcg32.exeC:\Windows\system32\Phodcg32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Pahilmoc.exeC:\Windows\system32\Pahilmoc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Pdfehh32.exeC:\Windows\system32\Pdfehh32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Phdnngdn.exeC:\Windows\system32\Phdnngdn.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Palbgl32.exeC:\Windows\system32\Palbgl32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Pocpfphe.exeC:\Windows\system32\Pocpfphe.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\Qaalblgi.exeC:\Windows\system32\Qaalblgi.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe24⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Qmhlgmmm.exeC:\Windows\system32\Qmhlgmmm.exe25⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe27⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe28⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe29⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe31⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe32⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Ahbjoe32.exeC:\Windows\system32\Ahbjoe32.exe33⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Akqfkp32.exeC:\Windows\system32\Akqfkp32.exe34⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe35⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe36⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe38⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe39⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Adkgje32.exeC:\Windows\system32\Adkgje32.exe40⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe41⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Anclbkbp.exeC:\Windows\system32\Anclbkbp.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3820 -
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3684 -
C:\Windows\SysWOW64\Baadiiif.exeC:\Windows\system32\Baadiiif.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1128 -
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe46⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe49⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3360 -
C:\Windows\SysWOW64\Cleegp32.exeC:\Windows\system32\Cleegp32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Cbbnpg32.exeC:\Windows\system32\Cbbnpg32.exe52⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe54⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe55⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Cbdjeg32.exeC:\Windows\system32\Cbdjeg32.exe56⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Cfpffeaj.exeC:\Windows\system32\Cfpffeaj.exe57⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Cljobphg.exeC:\Windows\system32\Cljobphg.exe58⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3244 -
C:\Windows\SysWOW64\Cnkkjh32.exeC:\Windows\system32\Cnkkjh32.exe60⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe61⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Dokgdkeh.exeC:\Windows\system32\Dokgdkeh.exe62⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe63⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Dmohno32.exeC:\Windows\system32\Dmohno32.exe65⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Domdjj32.exeC:\Windows\system32\Domdjj32.exe66⤵PID:1520
-
C:\Windows\SysWOW64\Dbkqfe32.exeC:\Windows\system32\Dbkqfe32.exe67⤵PID:628
-
C:\Windows\SysWOW64\Dfglfdkb.exeC:\Windows\system32\Dfglfdkb.exe68⤵PID:3592
-
C:\Windows\SysWOW64\Dmadco32.exeC:\Windows\system32\Dmadco32.exe69⤵
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Dkceokii.exeC:\Windows\system32\Dkceokii.exe70⤵PID:552
-
C:\Windows\SysWOW64\Dfiildio.exeC:\Windows\system32\Dfiildio.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5108 -
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe72⤵PID:3588
-
C:\Windows\SysWOW64\Doaneiop.exeC:\Windows\system32\Doaneiop.exe73⤵PID:1060
-
C:\Windows\SysWOW64\Dflfac32.exeC:\Windows\system32\Dflfac32.exe74⤵
- System Location Discovery: System Language Discovery
PID:3804 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe75⤵PID:1144
-
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe76⤵
- System Location Discovery: System Language Discovery
PID:4556 -
C:\Windows\SysWOW64\Dngjff32.exeC:\Windows\system32\Dngjff32.exe77⤵PID:2100
-
C:\Windows\SysWOW64\Deqcbpld.exeC:\Windows\system32\Deqcbpld.exe78⤵PID:3980
-
C:\Windows\SysWOW64\Eofgpikj.exeC:\Windows\system32\Eofgpikj.exe79⤵PID:672
-
C:\Windows\SysWOW64\Eiokinbk.exeC:\Windows\system32\Eiokinbk.exe80⤵PID:5152
-
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe81⤵PID:5192
-
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe82⤵PID:5240
-
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe83⤵PID:5284
-
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe84⤵
- System Location Discovery: System Language Discovery
PID:5328 -
C:\Windows\SysWOW64\Enpmld32.exeC:\Windows\system32\Enpmld32.exe85⤵
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Eifaim32.exeC:\Windows\system32\Eifaim32.exe86⤵PID:5416
-
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe87⤵PID:5460
-
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe88⤵PID:5504
-
C:\Windows\SysWOW64\Feoodn32.exeC:\Windows\system32\Feoodn32.exe89⤵PID:5548
-
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe90⤵PID:5592
-
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe91⤵
- Modifies registry class
PID:5636 -
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe92⤵
- Modifies registry class
PID:5680 -
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe93⤵PID:5724
-
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe94⤵
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Windows\SysWOW64\Ffceip32.exeC:\Windows\system32\Ffceip32.exe95⤵
- Modifies registry class
PID:5816 -
C:\Windows\SysWOW64\Fefedmil.exeC:\Windows\system32\Fefedmil.exe96⤵PID:5860
-
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe97⤵PID:5912
-
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe98⤵PID:5956
-
C:\Windows\SysWOW64\Gidnkkpc.exeC:\Windows\system32\Gidnkkpc.exe99⤵PID:6000
-
C:\Windows\SysWOW64\Gpnfge32.exeC:\Windows\system32\Gpnfge32.exe100⤵PID:6044
-
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe101⤵
- Modifies registry class
PID:6088 -
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe102⤵PID:6136
-
C:\Windows\SysWOW64\Gmafajfi.exeC:\Windows\system32\Gmafajfi.exe103⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Gldglf32.exeC:\Windows\system32\Gldglf32.exe104⤵PID:5252
-
C:\Windows\SysWOW64\Gncchb32.exeC:\Windows\system32\Gncchb32.exe105⤵PID:5300
-
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe107⤵PID:5432
-
C:\Windows\SysWOW64\Gihgfk32.exeC:\Windows\system32\Gihgfk32.exe108⤵PID:5500
-
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe109⤵PID:5564
-
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe110⤵PID:5652
-
C:\Windows\SysWOW64\Gbalopbn.exeC:\Windows\system32\Gbalopbn.exe111⤵PID:1412
-
C:\Windows\SysWOW64\Geohklaa.exeC:\Windows\system32\Geohklaa.exe112⤵PID:5780
-
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe113⤵PID:5844
-
C:\Windows\SysWOW64\Glipgf32.exeC:\Windows\system32\Glipgf32.exe114⤵PID:5924
-
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe116⤵PID:6036
-
C:\Windows\SysWOW64\Gfodeohd.exeC:\Windows\system32\Gfodeohd.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6116 -
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5200 -
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe119⤵PID:5280
-
C:\Windows\SysWOW64\Gpgind32.exeC:\Windows\system32\Gpgind32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5380 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe121⤵PID:5496
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-