Analysis
-
max time kernel
124s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2025, 15:31
Behavioral task
behavioral1
Sample
fd5c77ef2c8ecb6e932b4ad231a7a12dee8c09cac7928417c1619aa22281f1d7.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
fd5c77ef2c8ecb6e932b4ad231a7a12dee8c09cac7928417c1619aa22281f1d7.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
fd5c77ef2c8ecb6e932b4ad231a7a12dee8c09cac7928417c1619aa22281f1d7.exe
-
Size
346KB
-
MD5
0d66986d9079d8022184d392dfc69ae6
-
SHA1
d6d12fbc81d2a69f13b5f8a2470f3cce811c83e2
-
SHA256
fd5c77ef2c8ecb6e932b4ad231a7a12dee8c09cac7928417c1619aa22281f1d7
-
SHA512
c04c0098c70389176130b89ddb664b0d0023fcd2aed054c48e8152f29058d9bba8a47b6339f30c2b61a6b4454b560290cf831c75888c4144c3375e6a646952e5
-
SSDEEP
3072:jVMZpwrwoDR1PgU5QdDrFDHZtObmOm3AIpwbjshrmP24ho1mtye3lFDrFDHZtOkF:RMMPDRlho5t13LJhrmMsFj5tzOvfFOM6
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdkifmjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kolabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmhpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iojbpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkqgaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oejbfmpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmennnni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilnlom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niojoeel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haodle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adkgje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmeede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbjkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egaejeej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmonl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbgkei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlblcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokfja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gflhoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iialhaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iehmmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcegclgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jebfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egened32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkkik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oophlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plkpcfal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjbcakl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oacoqnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bedgjgkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpiecd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baannc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdlangb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhifomdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bddjpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chglab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmmqheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnlmhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joahqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioolkncg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnomg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacngdgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojiqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofckhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdgged32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3580 Nmnqjp32.exe 436 Oloahhki.exe 4792 Onnmdcjm.exe 1396 Oalipoiq.exe 3208 Ojdnid32.exe 2760 Oejbfmpg.exe 4188 Ohhnbhok.exe 2520 Omegjomb.exe 1696 Odoogi32.exe 2928 Ojigdcll.exe 3484 Oacoqnci.exe 1996 Okkdic32.exe 2316 Paelfmaf.exe 4908 Plkpcfal.exe 2108 Pmlmkn32.exe 2912 Pahilmoc.exe 1204 Plmmif32.exe 1332 Pkpmdbfd.exe 2604 Ponfka32.exe 4884 Phfjcf32.exe 4448 Pkegpb32.exe 1732 Pmcclm32.exe 2964 Paoollik.exe 3228 Pdmkhgho.exe 700 Phigif32.exe 1752 Qemhbj32.exe 3460 Qmhlgmmm.exe 2100 Qhmqdemc.exe 4336 Amjillkj.exe 3036 Aafemk32.exe 4356 Aojefobm.exe 1556 Ahbjoe32.exe 5048 Anobgl32.exe 1728 Anaomkdb.exe 2944 Adkgje32.exe 4500 Aoalgn32.exe 2784 Ahippdbe.exe 2900 Bochmn32.exe 2792 Baadiiif.exe 3288 Bdpaeehj.exe 2728 Bkjiao32.exe 4556 Boeebnhp.exe 4828 Badanigc.exe 644 Bepmoh32.exe 1892 Bhnikc32.exe 4224 Bohbhmfm.exe 3900 Bnkbcj32.exe 3416 Bddjpd32.exe 3872 Bkobmnka.exe 2716 Bnmoijje.exe 3300 Bedgjgkg.exe 2636 Bdgged32.exe 3964 Bkaobnio.exe 4780 Bomkcm32.exe 4208 Bakgoh32.exe 712 Bheplb32.exe 2684 Ckclhn32.exe 2948 Cnahdi32.exe 1828 Cfipef32.exe 1952 Chglab32.exe 1688 Cndeii32.exe 4332 Cbpajgmf.exe 3436 Cfkmkf32.exe 4008 Cleegp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Okhbek32.dll Cdkifmjq.exe File opened for modification C:\Windows\SysWOW64\Kpiqfima.exe Kiphjo32.exe File created C:\Windows\SysWOW64\Naagioah.dll Nckkfp32.exe File created C:\Windows\SysWOW64\Hopnfa32.dll Ponfka32.exe File created C:\Windows\SysWOW64\Bepmoh32.exe Badanigc.exe File opened for modification C:\Windows\SysWOW64\Ckmonl32.exe Cljobphg.exe File created C:\Windows\SysWOW64\Ehcplf32.dll Dbkqfe32.exe File created C:\Windows\SysWOW64\Mogcihaj.exe Mqdcnl32.exe File opened for modification C:\Windows\SysWOW64\Fofilp32.exe Fgoakc32.exe File opened for modification C:\Windows\SysWOW64\Jekjcaef.exe Jaonbc32.exe File created C:\Windows\SysWOW64\Kdohflaf.dll Lhenai32.exe File created C:\Windows\SysWOW64\Fkmjaa32.exe Finnef32.exe File created C:\Windows\SysWOW64\Fallih32.dll Hbgkei32.exe File opened for modification C:\Windows\SysWOW64\Njgqhicg.exe Nbphglbe.exe File opened for modification C:\Windows\SysWOW64\Oihmedma.exe Ofjqihnn.exe File created C:\Windows\SysWOW64\Onnnbnbp.dll Pmkofa32.exe File created C:\Windows\SysWOW64\Kmeddp32.dll Bochmn32.exe File created C:\Windows\SysWOW64\Iahici32.dll Bdpaeehj.exe File opened for modification C:\Windows\SysWOW64\Eejeiocj.exe Eblimcdf.exe File opened for modification C:\Windows\SysWOW64\Fmfgek32.exe Fflohaij.exe File created C:\Windows\SysWOW64\Goglcahb.exe Gpelhd32.exe File created C:\Windows\SysWOW64\Cikamapb.dll Hmbphg32.exe File opened for modification C:\Windows\SysWOW64\Klfaapbl.exe Kgiiiidd.exe File created C:\Windows\SysWOW64\Edqnimdf.dll Kgiiiidd.exe File created C:\Windows\SysWOW64\Hojpmg32.dll Paelfmaf.exe File opened for modification C:\Windows\SysWOW64\Jebfng32.exe Johnamkm.exe File created C:\Windows\SysWOW64\Dkodcb32.dll Mnhdgpii.exe File created C:\Windows\SysWOW64\Pmiikh32.exe Pfoann32.exe File opened for modification C:\Windows\SysWOW64\Mnmmboed.exe Mcgiefen.exe File created C:\Windows\SysWOW64\Apmhiq32.exe Amnlme32.exe File opened for modification C:\Windows\SysWOW64\Bgbpaipl.exe Bddcenpi.exe File created C:\Windows\SysWOW64\Ekellcop.dll Egaejeej.exe File created C:\Windows\SysWOW64\Jfniqp32.dll Ojigdcll.exe File opened for modification C:\Windows\SysWOW64\Boeebnhp.exe Bkjiao32.exe File created C:\Windows\SysWOW64\Efeihb32.exe Ennqfenp.exe File opened for modification C:\Windows\SysWOW64\Hlbcnd32.exe Hidgai32.exe File created C:\Windows\SysWOW64\Jilfifme.exe Jofalmmp.exe File created C:\Windows\SysWOW64\Mnhdgpii.exe Mfqlfb32.exe File created C:\Windows\SysWOW64\Ocaebc32.exe Oabhfg32.exe File created C:\Windows\SysWOW64\Nqgnfcmm.dll Eojiqb32.exe File created C:\Windows\SysWOW64\Ojdnid32.exe Oalipoiq.exe File opened for modification C:\Windows\SysWOW64\Cbpajgmf.exe Cndeii32.exe File created C:\Windows\SysWOW64\Chlflabp.exe Cfnjpfcl.exe File opened for modification C:\Windows\SysWOW64\Dooaoj32.exe Dmadco32.exe File created C:\Windows\SysWOW64\Ilmjim32.dll Gbnoiqdq.exe File opened for modification C:\Windows\SysWOW64\Johnamkm.exe Jilfifme.exe File created C:\Windows\SysWOW64\Cfiedd32.dll Knenkbio.exe File opened for modification C:\Windows\SysWOW64\Loighj32.exe Kjlopc32.exe File opened for modification C:\Windows\SysWOW64\Plkpcfal.exe Paelfmaf.exe File created C:\Windows\SysWOW64\Emoadlfo.exe Eicedn32.exe File created C:\Windows\SysWOW64\Bdmmeo32.exe Aaoaic32.exe File created C:\Windows\SysWOW64\Pghien32.dll Ckgohf32.exe File opened for modification C:\Windows\SysWOW64\Hihibbjo.exe Haaaaeim.exe File created C:\Windows\SysWOW64\Jahqiaeb.exe Jojdlfeo.exe File created C:\Windows\SysWOW64\Lchfib32.exe Llnnmhfe.exe File opened for modification C:\Windows\SysWOW64\Mpclce32.exe Mlhqcgnk.exe File opened for modification C:\Windows\SysWOW64\Okkdic32.exe Oacoqnci.exe File created C:\Windows\SysWOW64\Jomnmjjb.dll Boeebnhp.exe File created C:\Windows\SysWOW64\Micgbemj.dll Clgbmp32.exe File opened for modification C:\Windows\SysWOW64\Goglcahb.exe Gpelhd32.exe File created C:\Windows\SysWOW64\Jghpbk32.exe Joahqn32.exe File opened for modification C:\Windows\SysWOW64\Jocefm32.exe Jpaekqhh.exe File created C:\Windows\SysWOW64\Ciipkkdj.dll Bhblllfo.exe File created C:\Windows\SysWOW64\Ghfedh32.dll Fgoakc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13512 13432 WerFault.exe 683 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjillkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojefobm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gidnkkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoaojp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgeakekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbiockdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoadlfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikdkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oophlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaekqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agimkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofdhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifkpknp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqegecm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modpib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efeihb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaclqkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpiqfima.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emanjldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbicl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilfennic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdpaeehj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnfbcbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhndpol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfodeohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfglfdkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dngjff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnepna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fecadghc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmjaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kifojnol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paoollik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baadiiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkigh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbpojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgibkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdecgbfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmjjoig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llnnmhfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofegni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chlflabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmhpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoclopne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekqmhia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahaceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkfmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcjfbed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kplmliko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmmlamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhenai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfgek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndgfpbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lindkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcgdhkem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdlmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqnjgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdehlip.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebdlangb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglfjicq.dll" Fkmjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqmiic32.dll" Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qodeajbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feqeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhmnagf.dll" Johggfha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhegig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjaleemj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 fd5c77ef2c8ecb6e932b4ad231a7a12dee8c09cac7928417c1619aa22281f1d7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mimcmnpn.dll" Ahbjoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bochmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iophfi32.dll" Hfaajnfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpoihnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpfcfmlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddgibkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofdmmgd.dll" Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhcmcm32.dll" Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gifkpknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iohejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfohgqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdcakkc.dll" Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilnlom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jocefm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeegfibg.dll" Dkhgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaqhjggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdaih32.dll" Kabcopmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbblcj32.dll" Epmmqheb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfcnpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iebngial.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcgiefen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfoann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjjgd32.dll" Dolmodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haclqq32.dll" Ggkqgaol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglmfnhm.dll" Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgffoo32.dll" Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekaacddn.dll" Ocaebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll" Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbhgp32.dll" Edgbii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqbliicp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll" Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjalckog.dll" Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhaoj32.dll" Fqbliicp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgcjfbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmapoggk.dll" Gnblnlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaqhjggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goniok32.dll" Iialhaad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iamamcop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfeaopqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmojkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaqbf32.dll" Hpkknmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jppnpjel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qemhbj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2884 wrote to memory of 3580 2884 fd5c77ef2c8ecb6e932b4ad231a7a12dee8c09cac7928417c1619aa22281f1d7.exe 88 PID 2884 wrote to memory of 3580 2884 fd5c77ef2c8ecb6e932b4ad231a7a12dee8c09cac7928417c1619aa22281f1d7.exe 88 PID 2884 wrote to memory of 3580 2884 fd5c77ef2c8ecb6e932b4ad231a7a12dee8c09cac7928417c1619aa22281f1d7.exe 88 PID 3580 wrote to memory of 436 3580 Nmnqjp32.exe 89 PID 3580 wrote to memory of 436 3580 Nmnqjp32.exe 89 PID 3580 wrote to memory of 436 3580 Nmnqjp32.exe 89 PID 436 wrote to memory of 4792 436 Oloahhki.exe 90 PID 436 wrote to memory of 4792 436 Oloahhki.exe 90 PID 436 wrote to memory of 4792 436 Oloahhki.exe 90 PID 4792 wrote to memory of 1396 4792 Onnmdcjm.exe 92 PID 4792 wrote to memory of 1396 4792 Onnmdcjm.exe 92 PID 4792 wrote to memory of 1396 4792 Onnmdcjm.exe 92 PID 1396 wrote to memory of 3208 1396 Oalipoiq.exe 93 PID 1396 wrote to memory of 3208 1396 Oalipoiq.exe 93 PID 1396 wrote to memory of 3208 1396 Oalipoiq.exe 93 PID 3208 wrote to memory of 2760 3208 Ojdnid32.exe 94 PID 3208 wrote to memory of 2760 3208 Ojdnid32.exe 94 PID 3208 wrote to memory of 2760 3208 Ojdnid32.exe 94 PID 2760 wrote to memory of 4188 2760 Oejbfmpg.exe 95 PID 2760 wrote to memory of 4188 2760 Oejbfmpg.exe 95 PID 2760 wrote to memory of 4188 2760 Oejbfmpg.exe 95 PID 4188 wrote to memory of 2520 4188 Ohhnbhok.exe 96 PID 4188 wrote to memory of 2520 4188 Ohhnbhok.exe 96 PID 4188 wrote to memory of 2520 4188 Ohhnbhok.exe 96 PID 2520 wrote to memory of 1696 2520 Omegjomb.exe 97 PID 2520 wrote to memory of 1696 2520 Omegjomb.exe 97 PID 2520 wrote to memory of 1696 2520 Omegjomb.exe 97 PID 1696 wrote to memory of 2928 1696 Odoogi32.exe 98 PID 1696 wrote to memory of 2928 1696 Odoogi32.exe 98 PID 1696 wrote to memory of 2928 1696 Odoogi32.exe 98 PID 2928 wrote to memory of 3484 2928 Ojigdcll.exe 99 PID 2928 wrote to memory of 3484 2928 Ojigdcll.exe 99 PID 2928 wrote to memory of 3484 2928 Ojigdcll.exe 99 PID 3484 wrote to memory of 1996 3484 Oacoqnci.exe 101 PID 3484 wrote to memory of 1996 3484 Oacoqnci.exe 101 PID 3484 wrote to memory of 1996 3484 Oacoqnci.exe 101 PID 1996 wrote to memory of 2316 1996 Okkdic32.exe 102 PID 1996 wrote to memory of 2316 1996 Okkdic32.exe 102 PID 1996 wrote to memory of 2316 1996 Okkdic32.exe 102 PID 2316 wrote to memory of 4908 2316 Paelfmaf.exe 103 PID 2316 wrote to memory of 4908 2316 Paelfmaf.exe 103 PID 2316 wrote to memory of 4908 2316 Paelfmaf.exe 103 PID 4908 wrote to memory of 2108 4908 Plkpcfal.exe 104 PID 4908 wrote to memory of 2108 4908 Plkpcfal.exe 104 PID 4908 wrote to memory of 2108 4908 Plkpcfal.exe 104 PID 2108 wrote to memory of 2912 2108 Pmlmkn32.exe 105 PID 2108 wrote to memory of 2912 2108 Pmlmkn32.exe 105 PID 2108 wrote to memory of 2912 2108 Pmlmkn32.exe 105 PID 2912 wrote to memory of 1204 2912 Pahilmoc.exe 106 PID 2912 wrote to memory of 1204 2912 Pahilmoc.exe 106 PID 2912 wrote to memory of 1204 2912 Pahilmoc.exe 106 PID 1204 wrote to memory of 1332 1204 Plmmif32.exe 107 PID 1204 wrote to memory of 1332 1204 Plmmif32.exe 107 PID 1204 wrote to memory of 1332 1204 Plmmif32.exe 107 PID 1332 wrote to memory of 2604 1332 Pkpmdbfd.exe 108 PID 1332 wrote to memory of 2604 1332 Pkpmdbfd.exe 108 PID 1332 wrote to memory of 2604 1332 Pkpmdbfd.exe 108 PID 2604 wrote to memory of 4884 2604 Ponfka32.exe 109 PID 2604 wrote to memory of 4884 2604 Ponfka32.exe 109 PID 2604 wrote to memory of 4884 2604 Ponfka32.exe 109 PID 4884 wrote to memory of 4448 4884 Phfjcf32.exe 110 PID 4884 wrote to memory of 4448 4884 Phfjcf32.exe 110 PID 4884 wrote to memory of 4448 4884 Phfjcf32.exe 110 PID 4448 wrote to memory of 1732 4448 Pkegpb32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd5c77ef2c8ecb6e932b4ad231a7a12dee8c09cac7928417c1619aa22281f1d7.exe"C:\Users\Admin\AppData\Local\Temp\fd5c77ef2c8ecb6e932b4ad231a7a12dee8c09cac7928417c1619aa22281f1d7.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Oalipoiq.exeC:\Windows\system32\Oalipoiq.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Odoogi32.exeC:\Windows\system32\Odoogi32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Ojigdcll.exeC:\Windows\system32\Ojigdcll.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Paelfmaf.exeC:\Windows\system32\Paelfmaf.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Plkpcfal.exeC:\Windows\system32\Plkpcfal.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Pmlmkn32.exeC:\Windows\system32\Pmlmkn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Pahilmoc.exeC:\Windows\system32\Pahilmoc.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Pkpmdbfd.exeC:\Windows\system32\Pkpmdbfd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Pkegpb32.exeC:\Windows\system32\Pkegpb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe23⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe25⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe26⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Qmhlgmmm.exeC:\Windows\system32\Qmhlgmmm.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3460 -
C:\Windows\SysWOW64\Qhmqdemc.exeC:\Windows\system32\Qhmqdemc.exe29⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4336 -
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe31⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Aojefobm.exeC:\Windows\system32\Aojefobm.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Windows\SysWOW64\Ahbjoe32.exeC:\Windows\system32\Ahbjoe32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Anobgl32.exeC:\Windows\system32\Anobgl32.exe34⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe35⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Adkgje32.exeC:\Windows\system32\Adkgje32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe37⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe38⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Baadiiif.exeC:\Windows\system32\Baadiiif.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3288 -
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4556 -
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4828 -
C:\Windows\SysWOW64\Bepmoh32.exeC:\Windows\system32\Bepmoh32.exe45⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe46⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Bohbhmfm.exeC:\Windows\system32\Bohbhmfm.exe47⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe48⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Bddjpd32.exeC:\Windows\system32\Bddjpd32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe50⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Bnmoijje.exeC:\Windows\system32\Bnmoijje.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Bdgged32.exeC:\Windows\system32\Bdgged32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Bkaobnio.exeC:\Windows\system32\Bkaobnio.exe54⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Bomkcm32.exeC:\Windows\system32\Bomkcm32.exe55⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Bakgoh32.exeC:\Windows\system32\Bakgoh32.exe56⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe57⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Ckclhn32.exeC:\Windows\system32\Ckclhn32.exe58⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Cnahdi32.exeC:\Windows\system32\Cnahdi32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Cfipef32.exeC:\Windows\system32\Cfipef32.exe60⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Cndeii32.exeC:\Windows\system32\Cndeii32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Cbpajgmf.exeC:\Windows\system32\Cbpajgmf.exe63⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe64⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Cleegp32.exeC:\Windows\system32\Cleegp32.exe65⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe66⤵PID:4384
-
C:\Windows\SysWOW64\Cbbnpg32.exeC:\Windows\system32\Cbbnpg32.exe67⤵PID:116
-
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe68⤵
- Drops file in System32 directory
PID:216 -
C:\Windows\SysWOW64\Chlflabp.exeC:\Windows\system32\Chlflabp.exe69⤵
- System Location Discovery: System Language Discovery
PID:4576 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe70⤵
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Cofnik32.exeC:\Windows\system32\Cofnik32.exe71⤵PID:4080
-
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe72⤵PID:2388
-
C:\Windows\SysWOW64\Cfpffeaj.exeC:\Windows\system32\Cfpffeaj.exe73⤵PID:4684
-
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe74⤵
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Cljobphg.exeC:\Windows\system32\Cljobphg.exe75⤵
- Drops file in System32 directory
PID:4536 -
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2000 -
C:\Windows\SysWOW64\Cnkkjh32.exeC:\Windows\system32\Cnkkjh32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4732 -
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe78⤵PID:4524
-
C:\Windows\SysWOW64\Cdecgbfa.exeC:\Windows\system32\Cdecgbfa.exe79⤵
- System Location Discovery: System Language Discovery
PID:3624 -
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe80⤵PID:4172
-
C:\Windows\SysWOW64\Dkokcl32.exeC:\Windows\system32\Dkokcl32.exe81⤵PID:4688
-
C:\Windows\SysWOW64\Dnmhpg32.exeC:\Windows\system32\Dnmhpg32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4880 -
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe83⤵PID:1972
-
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5084 -
C:\Windows\SysWOW64\Dmohno32.exeC:\Windows\system32\Dmohno32.exe85⤵PID:4388
-
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe86⤵PID:400
-
C:\Windows\SysWOW64\Dnpdegjp.exeC:\Windows\system32\Dnpdegjp.exe87⤵PID:5132
-
C:\Windows\SysWOW64\Dbkqfe32.exeC:\Windows\system32\Dbkqfe32.exe88⤵
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Dfglfdkb.exeC:\Windows\system32\Dfglfdkb.exe89⤵
- System Location Discovery: System Language Discovery
PID:5220 -
C:\Windows\SysWOW64\Dheibpje.exeC:\Windows\system32\Dheibpje.exe90⤵
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Dmadco32.exeC:\Windows\system32\Dmadco32.exe91⤵
- Drops file in System32 directory
PID:5316 -
C:\Windows\SysWOW64\Dooaoj32.exeC:\Windows\system32\Dooaoj32.exe92⤵PID:5360
-
C:\Windows\SysWOW64\Dbnmke32.exeC:\Windows\system32\Dbnmke32.exe93⤵PID:5404
-
C:\Windows\SysWOW64\Dndnpf32.exeC:\Windows\system32\Dndnpf32.exe94⤵PID:5452
-
C:\Windows\SysWOW64\Dflfac32.exeC:\Windows\system32\Dflfac32.exe95⤵PID:5496
-
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe96⤵PID:5540
-
C:\Windows\SysWOW64\Dmennnni.exeC:\Windows\system32\Dmennnni.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5584 -
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe98⤵PID:5632
-
C:\Windows\SysWOW64\Dngjff32.exeC:\Windows\system32\Dngjff32.exe99⤵
- System Location Discovery: System Language Discovery
PID:5676 -
C:\Windows\SysWOW64\Dfnbgc32.exeC:\Windows\system32\Dfnbgc32.exe100⤵PID:5720
-
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe101⤵PID:5764
-
C:\Windows\SysWOW64\Eofgpikj.exeC:\Windows\system32\Eofgpikj.exe102⤵PID:5812
-
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe103⤵PID:5856
-
C:\Windows\SysWOW64\Efpomccg.exeC:\Windows\system32\Efpomccg.exe104⤵PID:5900
-
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe105⤵PID:5944
-
C:\Windows\SysWOW64\Emjgim32.exeC:\Windows\system32\Emjgim32.exe106⤵PID:5988
-
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe107⤵PID:6032
-
C:\Windows\SysWOW64\Enkdaepb.exeC:\Windows\system32\Enkdaepb.exe108⤵PID:6076
-
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe109⤵PID:6128
-
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe110⤵PID:5144
-
C:\Windows\SysWOW64\Ekodjiol.exeC:\Windows\system32\Ekodjiol.exe111⤵PID:5236
-
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe112⤵
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Efeihb32.exeC:\Windows\system32\Efeihb32.exe113⤵
- System Location Discovery: System Language Discovery
PID:5376 -
C:\Windows\SysWOW64\Eicedn32.exeC:\Windows\system32\Eicedn32.exe114⤵
- Drops file in System32 directory
PID:5444 -
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe115⤵
- System Location Discovery: System Language Discovery
PID:5536 -
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5596 -
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe117⤵
- Drops file in System32 directory
PID:5668 -
C:\Windows\SysWOW64\Eejeiocj.exeC:\Windows\system32\Eejeiocj.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5748 -
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5828 -
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe120⤵PID:5888
-
C:\Windows\SysWOW64\Ebnfbcbc.exeC:\Windows\system32\Ebnfbcbc.exe121⤵
- System Location Discovery: System Language Discovery
PID:5956
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-