Analysis
-
max time kernel
131s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/09/2024, 03:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe
-
Size
80KB
-
MD5
514436bf1d9991f9baeefdade1d49c62
-
SHA1
9ab84f276165dc6170d9000ee10288d0642acfe9
-
SHA256
f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828
-
SHA512
5ad9e18595b8b4db2205f200da9ab6471d97ed76982d23cfb153ef9f05a105b2600c284fdffbe463ff1eacc949f520f0902cf460d032d4cd3ba4f78f6fabd440
-
SSDEEP
1536:5NCpYQ7NX2qB2E9Z1eywLd7000oZMfGtPcZPU2LGCYrum8SPG2:S9N2t4ZIywLd7000oBtPcZ1GVT8SL
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfqjhmhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aooolbep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aihfjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noqofdlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikejbjip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcpqgbkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeoklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkpfjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opdpih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikjmbmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmipdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnplqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfdbpjmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeailhme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbhnga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjknljl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjamhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Almifk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnnoip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khimhefk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikgpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hembndee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmkjeko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbjhelnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijigg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npmjij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhdgfen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjapfjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jckeokan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkinmlnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbbjhini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcglfjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpedckdl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjfjee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkigbfja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncbfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akgcdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekmei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiilblom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfobofl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdnbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacepmik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikdlmmbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhapmphg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciaddaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiokacgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehbihj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aohbbqme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lccdghmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jginej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iameid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mihikgod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ladpcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbpeghpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhiphi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eieplhlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emgnje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehekjk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2512 Kfidgk32.exe 4892 Kanidd32.exe 3252 Kfkamk32.exe 1800 Kjfmminc.exe 1468 Kmeiie32.exe 1656 Lelajb32.exe 4400 Lhjnfn32.exe 3516 Ljijci32.exe 2912 Lennpb32.exe 1432 Lfpkhjae.exe 5788 Lmjcdd32.exe 1852 Ldckan32.exe 2984 Lfbgmj32.exe 1828 Laglkb32.exe 5492 Ldfhgn32.exe 2936 Lokldg32.exe 2332 Lajhpbme.exe 4812 Lkbmih32.exe 3276 Malefbkc.exe 5212 Mehafq32.exe 4588 Mopeofjl.exe 3472 Mmebpbod.exe 2092 Moeoje32.exe 3156 Mklpof32.exe 1340 Mknlef32.exe 4480 Najagp32.exe 4848 Nkbfpeec.exe 5112 Namnmp32.exe 6072 Ngifef32.exe 1968 Noqofdlj.exe 224 Nncoaq32.exe 4436 Ndmgnkja.exe 1068 Nkgoke32.exe 5868 Nnfkgp32.exe 5372 Nhkpdi32.exe 5960 Nkjlqd32.exe 5544 Oacdmo32.exe 4124 Ogqmee32.exe 2372 Ohpiphlb.exe 1608 Oojalb32.exe 2400 Oolnabal.exe 5700 Onakco32.exe 4088 Philfgdh.exe 1896 Pnfdnnbo.exe 4476 Phlikg32.exe 3812 Poeahaib.exe 3656 Phneqf32.exe 5072 Pohnnqgo.exe 2448 Pfbfjk32.exe 2568 Pkonbamc.exe 2684 Pfdbpjmi.exe 3712 Pgeogb32.exe 4456 Qnpgdmjd.exe 1228 Qdipag32.exe 4744 Qoocnpag.exe 1956 Qdllffpo.exe 4112 Agjhbbob.exe 3184 Aoapcood.exe 5780 Abpmpkoh.exe 4584 Adnilfnl.exe 5880 Agmehamp.exe 4352 Adqeaf32.exe 2616 Akjnnpcf.exe 5436 Afpbkicl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jlnbhe32.exe Jdgjgh32.exe File created C:\Windows\SysWOW64\Ljnqoldc.dll Plfipakk.exe File opened for modification C:\Windows\SysWOW64\Cediab32.exe Cojqdhid.exe File created C:\Windows\SysWOW64\Ijiflg32.dll Afpbkicl.exe File created C:\Windows\SysWOW64\Dbghhd32.dll Dcbckk32.exe File created C:\Windows\SysWOW64\Efjbne32.exe Emanepld.exe File created C:\Windows\SysWOW64\Nkjqme32.exe Ndphpk32.exe File opened for modification C:\Windows\SysWOW64\Ocqncp32.exe Process not Found File created C:\Windows\SysWOW64\Ghpblhco.dll Okaabg32.exe File opened for modification C:\Windows\SysWOW64\Kfbfmi32.exe Kklbop32.exe File created C:\Windows\SysWOW64\Cnjkgf32.exe Cohkinob.exe File created C:\Windows\SysWOW64\Qpikao32.exe Qecgcfmf.exe File opened for modification C:\Windows\SysWOW64\Igpkok32.exe Imjgbb32.exe File created C:\Windows\SysWOW64\Fcgemhic.exe Fmmmqnaf.exe File opened for modification C:\Windows\SysWOW64\Ladpcb32.exe Lkjhfh32.exe File created C:\Windows\SysWOW64\Cjgpdg32.dll Ghcbohpp.exe File created C:\Windows\SysWOW64\Afpbkicl.exe Akjnnpcf.exe File opened for modification C:\Windows\SysWOW64\Oeoklp32.exe Onecof32.exe File opened for modification C:\Windows\SysWOW64\Ffhnocfd.exe Fcibchgq.exe File created C:\Windows\SysWOW64\Hgbhfhcl.dll Hpejlc32.exe File created C:\Windows\SysWOW64\Jckeokan.exe Jifabb32.exe File created C:\Windows\SysWOW64\Dgkbfjeg.exe Dodjemee.exe File created C:\Windows\SysWOW64\Ibagmiie.exe Process not Found File created C:\Windows\SysWOW64\Oolnabal.exe Oojalb32.exe File created C:\Windows\SysWOW64\Dfcqod32.exe Dojlhg32.exe File opened for modification C:\Windows\SysWOW64\Igieoleg.exe Iobmmoed.exe File created C:\Windows\SysWOW64\Npognfpo.exe Nkboeobh.exe File opened for modification C:\Windows\SysWOW64\Dgomaf32.exe Daeddlco.exe File created C:\Windows\SysWOW64\Omnqhbap.exe Oibdhd32.exe File created C:\Windows\SysWOW64\Ifckmnbd.dll Aemqdk32.exe File opened for modification C:\Windows\SysWOW64\Fkiapn32.exe Femigg32.exe File created C:\Windows\SysWOW64\Pmlfjj32.dll Kffphhmj.exe File created C:\Windows\SysWOW64\Gmdknbko.dll Docckfai.exe File created C:\Windows\SysWOW64\Ldkfno32.exe Lonnfg32.exe File opened for modification C:\Windows\SysWOW64\Lplaaiqd.exe Lmneemaq.exe File created C:\Windows\SysWOW64\Malnklgg.exe Lplaaiqd.exe File created C:\Windows\SysWOW64\Mfomda32.exe Mdaqhf32.exe File created C:\Windows\SysWOW64\Pllieg32.exe Peaahmcd.exe File created C:\Windows\SysWOW64\Pqkdmc32.exe Process not Found File created C:\Windows\SysWOW64\Peqkdjmm.dll Gcfjfqah.exe File opened for modification C:\Windows\SysWOW64\Qkcackeb.exe Qdihfq32.exe File created C:\Windows\SysWOW64\Pobbadje.dll Anhcpeon.exe File opened for modification C:\Windows\SysWOW64\Cikkga32.exe Ccacjgfb.exe File created C:\Windows\SysWOW64\Ijngkf32.exe Igpkok32.exe File opened for modification C:\Windows\SysWOW64\Ckiipa32.exe Bdpqcg32.exe File opened for modification C:\Windows\SysWOW64\Dadlmanj.exe Dpcpei32.exe File created C:\Windows\SysWOW64\Kaemgn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ogqmee32.exe Oacdmo32.exe File opened for modification C:\Windows\SysWOW64\Gllajf32.exe Gccmaack.exe File created C:\Windows\SysWOW64\Dpbmfghh.dll Mmiealgc.exe File created C:\Windows\SysWOW64\Blmjdmok.dll Bjfjee32.exe File created C:\Windows\SysWOW64\Keppcl32.dll Nfeepdbg.exe File created C:\Windows\SysWOW64\Mhihkjfj.exe Mqbpjmeg.exe File created C:\Windows\SysWOW64\Iofienka.dll Process not Found File created C:\Windows\SysWOW64\Ddhbcl32.dll Bmlofhca.exe File created C:\Windows\SysWOW64\Eielej32.dll Eflocepa.exe File opened for modification C:\Windows\SysWOW64\Ldblon32.exe Ladpcb32.exe File created C:\Windows\SysWOW64\Kclcblfk.dll Process not Found File created C:\Windows\SysWOW64\Cnnllhpa.exe Clpppmqn.exe File created C:\Windows\SysWOW64\Nojgmmgl.dll Oiqomj32.exe File created C:\Windows\SysWOW64\Ajaqjfbp.exe Agcdnjcl.exe File opened for modification C:\Windows\SysWOW64\Eqbcqnph.exe Eflocepa.exe File created C:\Windows\SysWOW64\Pnhgep32.dll Imgbdh32.exe File opened for modification C:\Windows\SysWOW64\Fiajfi32.exe Fbgbione.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10616 11248 Process not Found 1233 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegnol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbamcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdheol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffphhmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqhpjohb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kanbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmpdmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjicl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beippj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biljib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iooimi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhnlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpjii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmhlijpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljcjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmdhnhkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahedoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffhnocfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eieplhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikejbjip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbbimih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oggllnkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnndhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflapl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmkbeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhalcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmhbplf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbklli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjjpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppbejka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcglfjgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jognokdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccendc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kanidd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faqflb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkiephp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djipbbne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgnje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihicah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioeicajh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbihj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkbdllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkgoke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Admkgifd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfjjkgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apnkfelb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjocaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjcdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hohjgpmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkaqgjme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onbpop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpejlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkpipaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elaobdmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eliecc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllppnnm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmgdjbb.dll" Kggjghkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpkppbho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oikngeoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbgbione.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfhapinj.dll" Dojlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glmqjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejgdim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbdoa32.dll" Hcflch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faqflb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfllgl32.dll" Claenb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npppdb32.dll" Abjdbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfpiamoj.dll" Eelpqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emmdjc32.dll" Jjpmfpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjpmfpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhhib32.dll" Igmjhnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edijfd32.dll" Qajhigcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inogbj32.dll" Lkbmih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkfmjnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqhdnc32.dll" Mfhpilbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efgono32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcfocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdijhno.dll" Hcidoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limghpqe.dll" Akbjidbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igioikpj.dll" Ckqoapgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Helkdnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcakilpk.dll" Acaanp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dadlmanj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cihjeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbfppjh.dll" Fgffka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dioiki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfeepdbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnhifonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eikpan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhaop32.dll" Ejglcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnimia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdhmhona.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfljnejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgqiiph.dll" Ipohpdbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhpeelnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbcaemdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpcmfchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjhpqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hklpaeno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phmnfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbhjhfh.dll" Ngcngfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knhbflbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omigmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddajj32.dll" Iehkpmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egleni32.dll" Lmeapbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqpppi32.dll" Ehekjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phhjdncl.dll" Lcdjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Admkgifd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgpodk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhbggd32.dll" Mdibplaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naohpdqd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbpeghpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmpolhlc.dll" Njceqili.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akgjnj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5560 wrote to memory of 2512 5560 f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe 89 PID 5560 wrote to memory of 2512 5560 f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe 89 PID 5560 wrote to memory of 2512 5560 f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe 89 PID 2512 wrote to memory of 4892 2512 Kfidgk32.exe 90 PID 2512 wrote to memory of 4892 2512 Kfidgk32.exe 90 PID 2512 wrote to memory of 4892 2512 Kfidgk32.exe 90 PID 4892 wrote to memory of 3252 4892 Kanidd32.exe 91 PID 4892 wrote to memory of 3252 4892 Kanidd32.exe 91 PID 4892 wrote to memory of 3252 4892 Kanidd32.exe 91 PID 3252 wrote to memory of 1800 3252 Kfkamk32.exe 92 PID 3252 wrote to memory of 1800 3252 Kfkamk32.exe 92 PID 3252 wrote to memory of 1800 3252 Kfkamk32.exe 92 PID 1800 wrote to memory of 1468 1800 Kjfmminc.exe 93 PID 1800 wrote to memory of 1468 1800 Kjfmminc.exe 93 PID 1800 wrote to memory of 1468 1800 Kjfmminc.exe 93 PID 1468 wrote to memory of 1656 1468 Kmeiie32.exe 94 PID 1468 wrote to memory of 1656 1468 Kmeiie32.exe 94 PID 1468 wrote to memory of 1656 1468 Kmeiie32.exe 94 PID 1656 wrote to memory of 4400 1656 Lelajb32.exe 95 PID 1656 wrote to memory of 4400 1656 Lelajb32.exe 95 PID 1656 wrote to memory of 4400 1656 Lelajb32.exe 95 PID 4400 wrote to memory of 3516 4400 Lhjnfn32.exe 96 PID 4400 wrote to memory of 3516 4400 Lhjnfn32.exe 96 PID 4400 wrote to memory of 3516 4400 Lhjnfn32.exe 96 PID 3516 wrote to memory of 2912 3516 Ljijci32.exe 97 PID 3516 wrote to memory of 2912 3516 Ljijci32.exe 97 PID 3516 wrote to memory of 2912 3516 Ljijci32.exe 97 PID 2912 wrote to memory of 1432 2912 Lennpb32.exe 98 PID 2912 wrote to memory of 1432 2912 Lennpb32.exe 98 PID 2912 wrote to memory of 1432 2912 Lennpb32.exe 98 PID 1432 wrote to memory of 5788 1432 Lfpkhjae.exe 99 PID 1432 wrote to memory of 5788 1432 Lfpkhjae.exe 99 PID 1432 wrote to memory of 5788 1432 Lfpkhjae.exe 99 PID 5788 wrote to memory of 1852 5788 Lmjcdd32.exe 100 PID 5788 wrote to memory of 1852 5788 Lmjcdd32.exe 100 PID 5788 wrote to memory of 1852 5788 Lmjcdd32.exe 100 PID 1852 wrote to memory of 2984 1852 Ldckan32.exe 101 PID 1852 wrote to memory of 2984 1852 Ldckan32.exe 101 PID 1852 wrote to memory of 2984 1852 Ldckan32.exe 101 PID 2984 wrote to memory of 1828 2984 Lfbgmj32.exe 102 PID 2984 wrote to memory of 1828 2984 Lfbgmj32.exe 102 PID 2984 wrote to memory of 1828 2984 Lfbgmj32.exe 102 PID 1828 wrote to memory of 5492 1828 Laglkb32.exe 103 PID 1828 wrote to memory of 5492 1828 Laglkb32.exe 103 PID 1828 wrote to memory of 5492 1828 Laglkb32.exe 103 PID 5492 wrote to memory of 2936 5492 Ldfhgn32.exe 104 PID 5492 wrote to memory of 2936 5492 Ldfhgn32.exe 104 PID 5492 wrote to memory of 2936 5492 Ldfhgn32.exe 104 PID 2936 wrote to memory of 2332 2936 Lokldg32.exe 105 PID 2936 wrote to memory of 2332 2936 Lokldg32.exe 105 PID 2936 wrote to memory of 2332 2936 Lokldg32.exe 105 PID 2332 wrote to memory of 4812 2332 Lajhpbme.exe 106 PID 2332 wrote to memory of 4812 2332 Lajhpbme.exe 106 PID 2332 wrote to memory of 4812 2332 Lajhpbme.exe 106 PID 4812 wrote to memory of 3276 4812 Lkbmih32.exe 107 PID 4812 wrote to memory of 3276 4812 Lkbmih32.exe 107 PID 4812 wrote to memory of 3276 4812 Lkbmih32.exe 107 PID 3276 wrote to memory of 5212 3276 Malefbkc.exe 108 PID 3276 wrote to memory of 5212 3276 Malefbkc.exe 108 PID 3276 wrote to memory of 5212 3276 Malefbkc.exe 108 PID 5212 wrote to memory of 4588 5212 Mehafq32.exe 109 PID 5212 wrote to memory of 4588 5212 Mehafq32.exe 109 PID 5212 wrote to memory of 4588 5212 Mehafq32.exe 109 PID 4588 wrote to memory of 3472 4588 Mopeofjl.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe"C:\Users\Admin\AppData\Local\Temp\f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5560 -
C:\Windows\SysWOW64\Kfidgk32.exeC:\Windows\system32\Kfidgk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Kfkamk32.exeC:\Windows\system32\Kfkamk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\SysWOW64\Kjfmminc.exeC:\Windows\system32\Kjfmminc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Kmeiie32.exeC:\Windows\system32\Kmeiie32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Lelajb32.exeC:\Windows\system32\Lelajb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Lhjnfn32.exeC:\Windows\system32\Lhjnfn32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Ljijci32.exeC:\Windows\system32\Ljijci32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Lfpkhjae.exeC:\Windows\system32\Lfpkhjae.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Lmjcdd32.exeC:\Windows\system32\Lmjcdd32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5788 -
C:\Windows\SysWOW64\Ldckan32.exeC:\Windows\system32\Ldckan32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Lfbgmj32.exeC:\Windows\system32\Lfbgmj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Laglkb32.exeC:\Windows\system32\Laglkb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Ldfhgn32.exeC:\Windows\system32\Ldfhgn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5492 -
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Lajhpbme.exeC:\Windows\system32\Lajhpbme.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Lkbmih32.exeC:\Windows\system32\Lkbmih32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Malefbkc.exeC:\Windows\system32\Malefbkc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5212 -
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe23⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe24⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Mklpof32.exeC:\Windows\system32\Mklpof32.exe25⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Mknlef32.exeC:\Windows\system32\Mknlef32.exe26⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Najagp32.exeC:\Windows\system32\Najagp32.exe27⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Nkbfpeec.exeC:\Windows\system32\Nkbfpeec.exe28⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Namnmp32.exeC:\Windows\system32\Namnmp32.exe29⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe30⤵
- Executes dropped EXE
PID:6072 -
C:\Windows\SysWOW64\Noqofdlj.exeC:\Windows\system32\Noqofdlj.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Nncoaq32.exeC:\Windows\system32\Nncoaq32.exe32⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Ndmgnkja.exeC:\Windows\system32\Ndmgnkja.exe33⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Nkgoke32.exeC:\Windows\system32\Nkgoke32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\Nnfkgp32.exeC:\Windows\system32\Nnfkgp32.exe35⤵
- Executes dropped EXE
PID:5868 -
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe36⤵
- Executes dropped EXE
PID:5372 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe37⤵
- Executes dropped EXE
PID:5960 -
C:\Windows\SysWOW64\Oacdmo32.exeC:\Windows\system32\Oacdmo32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5544 -
C:\Windows\SysWOW64\Ogqmee32.exeC:\Windows\system32\Ogqmee32.exe39⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Ohpiphlb.exeC:\Windows\system32\Ohpiphlb.exe40⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Oojalb32.exeC:\Windows\system32\Oojalb32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Oolnabal.exeC:\Windows\system32\Oolnabal.exe42⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Onakco32.exeC:\Windows\system32\Onakco32.exe43⤵
- Executes dropped EXE
PID:5700 -
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe44⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe45⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Phlikg32.exeC:\Windows\system32\Phlikg32.exe46⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Poeahaib.exeC:\Windows\system32\Poeahaib.exe47⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Phneqf32.exeC:\Windows\system32\Phneqf32.exe48⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Pohnnqgo.exeC:\Windows\system32\Pohnnqgo.exe49⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Pfbfjk32.exeC:\Windows\system32\Pfbfjk32.exe50⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Pkonbamc.exeC:\Windows\system32\Pkonbamc.exe51⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Pfdbpjmi.exeC:\Windows\system32\Pfdbpjmi.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Pgeogb32.exeC:\Windows\system32\Pgeogb32.exe53⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Qnpgdmjd.exeC:\Windows\system32\Qnpgdmjd.exe54⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Qdipag32.exeC:\Windows\system32\Qdipag32.exe55⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Qoocnpag.exeC:\Windows\system32\Qoocnpag.exe56⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Qdllffpo.exeC:\Windows\system32\Qdllffpo.exe57⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Agjhbbob.exeC:\Windows\system32\Agjhbbob.exe58⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Aoapcood.exeC:\Windows\system32\Aoapcood.exe59⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Abpmpkoh.exeC:\Windows\system32\Abpmpkoh.exe60⤵
- Executes dropped EXE
PID:5780 -
C:\Windows\SysWOW64\Adnilfnl.exeC:\Windows\system32\Adnilfnl.exe61⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Agmehamp.exeC:\Windows\system32\Agmehamp.exe62⤵
- Executes dropped EXE
PID:5880 -
C:\Windows\SysWOW64\Adqeaf32.exeC:\Windows\system32\Adqeaf32.exe63⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Akjnnpcf.exeC:\Windows\system32\Akjnnpcf.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Afpbkicl.exeC:\Windows\system32\Afpbkicl.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Akmjdpac.exeC:\Windows\system32\Akmjdpac.exe66⤵PID:5192
-
C:\Windows\SysWOW64\Afboah32.exeC:\Windows\system32\Afboah32.exe67⤵PID:3676
-
C:\Windows\SysWOW64\Afdkfh32.exeC:\Windows\system32\Afdkfh32.exe68⤵PID:3120
-
C:\Windows\SysWOW64\Bkadoo32.exeC:\Windows\system32\Bkadoo32.exe69⤵PID:6076
-
C:\Windows\SysWOW64\Bbklli32.exeC:\Windows\system32\Bbklli32.exe70⤵
- System Location Discovery: System Language Discovery
PID:708 -
C:\Windows\SysWOW64\Bbklli32.exeC:\Windows\system32\Bbklli32.exe71⤵PID:4824
-
C:\Windows\SysWOW64\Bejhhd32.exeC:\Windows\system32\Bejhhd32.exe72⤵
- System Location Discovery: System Language Discovery
PID:4452 -
C:\Windows\SysWOW64\Bfieagka.exeC:\Windows\system32\Bfieagka.exe73⤵PID:4416
-
C:\Windows\SysWOW64\Bkfmjnii.exeC:\Windows\system32\Bkfmjnii.exe74⤵
- Modifies registry class
PID:4836 -
C:\Windows\SysWOW64\Bbpeghpe.exeC:\Windows\system32\Bbpeghpe.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Bgmnooom.exeC:\Windows\system32\Bgmnooom.exe76⤵PID:244
-
C:\Windows\SysWOW64\Bngfli32.exeC:\Windows\system32\Bngfli32.exe77⤵PID:316
-
C:\Windows\SysWOW64\Bfnnmg32.exeC:\Windows\system32\Bfnnmg32.exe78⤵PID:4468
-
C:\Windows\SysWOW64\Biljib32.exeC:\Windows\system32\Biljib32.exe79⤵
- System Location Discovery: System Language Discovery
PID:6132 -
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe80⤵PID:5248
-
C:\Windows\SysWOW64\Clmckmcq.exeC:\Windows\system32\Clmckmcq.exe81⤵PID:3220
-
C:\Windows\SysWOW64\Cfbhhfbg.exeC:\Windows\system32\Cfbhhfbg.exe82⤵PID:1524
-
C:\Windows\SysWOW64\Ciaddaaj.exeC:\Windows\system32\Ciaddaaj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4712 -
C:\Windows\SysWOW64\Clpppmqn.exeC:\Windows\system32\Clpppmqn.exe84⤵
- Drops file in System32 directory
PID:4404 -
C:\Windows\SysWOW64\Cnnllhpa.exeC:\Windows\system32\Cnnllhpa.exe85⤵PID:5688
-
C:\Windows\SysWOW64\Clbmfm32.exeC:\Windows\system32\Clbmfm32.exe86⤵PID:4144
-
C:\Windows\SysWOW64\Cblebgfh.exeC:\Windows\system32\Cblebgfh.exe87⤵PID:5368
-
C:\Windows\SysWOW64\Cejaobel.exeC:\Windows\system32\Cejaobel.exe88⤵PID:2896
-
C:\Windows\SysWOW64\Cemndbci.exeC:\Windows\system32\Cemndbci.exe89⤵PID:3352
-
C:\Windows\SysWOW64\Cihjeq32.exeC:\Windows\system32\Cihjeq32.exe90⤵
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Clffalkf.exeC:\Windows\system32\Clffalkf.exe91⤵PID:5424
-
C:\Windows\SysWOW64\Cpbbak32.exeC:\Windows\system32\Cpbbak32.exe92⤵PID:1044
-
C:\Windows\SysWOW64\Cfljnejl.exeC:\Windows\system32\Cfljnejl.exe93⤵
- Modifies registry class
PID:3116 -
C:\Windows\SysWOW64\Cfljnejl.exeC:\Windows\system32\Cfljnejl.exe94⤵PID:4620
-
C:\Windows\SysWOW64\Dijgjpip.exeC:\Windows\system32\Dijgjpip.exe95⤵PID:5224
-
C:\Windows\SysWOW64\Dlicflic.exeC:\Windows\system32\Dlicflic.exe96⤵PID:2392
-
C:\Windows\SysWOW64\Dfngcdhi.exeC:\Windows\system32\Dfngcdhi.exe97⤵PID:5660
-
C:\Windows\SysWOW64\Dojlhg32.exeC:\Windows\system32\Dojlhg32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Dfcqod32.exeC:\Windows\system32\Dfcqod32.exe99⤵PID:768
-
C:\Windows\SysWOW64\Dhdmfljb.exeC:\Windows\system32\Dhdmfljb.exe100⤵PID:1372
-
C:\Windows\SysWOW64\Dehnpp32.exeC:\Windows\system32\Dehnpp32.exe101⤵PID:1932
-
C:\Windows\SysWOW64\Doqbifpl.exeC:\Windows\system32\Doqbifpl.exe102⤵PID:1204
-
C:\Windows\SysWOW64\Eekjep32.exeC:\Windows\system32\Eekjep32.exe103⤵PID:4156
-
C:\Windows\SysWOW64\Eoconenj.exeC:\Windows\system32\Eoconenj.exe104⤵PID:4944
-
C:\Windows\SysWOW64\Elgohj32.exeC:\Windows\system32\Elgohj32.exe105⤵PID:3828
-
C:\Windows\SysWOW64\Eikpan32.exeC:\Windows\system32\Eikpan32.exe106⤵
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Eohhie32.exeC:\Windows\system32\Eohhie32.exe107⤵PID:5884
-
C:\Windows\SysWOW64\Efopjbjg.exeC:\Windows\system32\Efopjbjg.exe108⤵PID:5280
-
C:\Windows\SysWOW64\Ehpmbj32.exeC:\Windows\system32\Ehpmbj32.exe109⤵PID:1532
-
C:\Windows\SysWOW64\Ebeapc32.exeC:\Windows\system32\Ebeapc32.exe110⤵PID:1392
-
C:\Windows\SysWOW64\Ehbihj32.exeC:\Windows\system32\Ehbihj32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5812 -
C:\Windows\SysWOW64\Epiaig32.exeC:\Windows\system32\Epiaig32.exe112⤵PID:1336
-
C:\Windows\SysWOW64\Fgcjea32.exeC:\Windows\system32\Fgcjea32.exe113⤵PID:4804
-
C:\Windows\SysWOW64\Fplnogmb.exeC:\Windows\system32\Fplnogmb.exe114⤵PID:4924
-
C:\Windows\SysWOW64\Fgffka32.exeC:\Windows\system32\Fgffka32.exe115⤵
- Modifies registry class
PID:3176 -
C:\Windows\SysWOW64\Fidbgm32.exeC:\Windows\system32\Fidbgm32.exe116⤵PID:4036
-
C:\Windows\SysWOW64\Fpnkdfko.exeC:\Windows\system32\Fpnkdfko.exe117⤵PID:5096
-
C:\Windows\SysWOW64\Fekclnif.exeC:\Windows\system32\Fekclnif.exe118⤵PID:1140
-
C:\Windows\SysWOW64\Fhiphi32.exeC:\Windows\system32\Fhiphi32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5036 -
C:\Windows\SysWOW64\Fcodfa32.exeC:\Windows\system32\Fcodfa32.exe120⤵PID:5160
-
C:\Windows\SysWOW64\Fiilblom.exeC:\Windows\system32\Fiilblom.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-