Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 06:10
Static task: static1
Behavioral task: behavioral1
  Sample: aa446d2be1aa36cf8a0bd729df41000a3db65284c1bb4a944eddf042f9400dcbN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: aa446d2be1aa36cf8a0bd729df41000a3db65284c1bb4a944eddf042f9400dcbN.exe
  Resource: win10v2004-20241007-en
General
Target: aa446d2be1aa36cf8a0bd729df41000a3db65284c1bb4a944eddf042f9400dcbN.exe
Size: 115KB
MD5: a4dd4e9d487cdc290c19e9ae8c6c7750
SHA1: e8af1c537e2dffecc0c9e6f232e337211eef3532
SHA256: aa446d2be1aa36cf8a0bd729df41000a3db65284c1bb4a944eddf042f9400dcb
SHA512: e8747ca3dae9cab346548b987307d7faac7953e2d9d19aac7b81098c8a0e274186289fa59fadbe36702e1702282f726e01ac7862af0c3c91b2e1a903cb92b3b9
SSDEEP: 3072:sm6gHWg2uBVG4xIu9mF7KqZdbrIR/SoQUP5u30KqTKr4:92puj79Y7KqZhrIooQUPoDqTKE
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 14456, pid_target: 15072, Process: WerFault.exe, procid_target: 813
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2580 wrote to memory of 4072 2580 aa446d2be1aa36cf8a0bd729df41000a3db65284c1bb4a944eddf042f9400dcbN.exe 83
PID 2580 wrote to memory of 4072 2580 aa446d2be1aa36cf8a0bd729df41000a3db65284c1bb4a944eddf042f9400dcbN.exe 83
PID 2580 wrote to memory of 4072 2580 aa446d2be1aa36cf8a0bd729df41000a3db65284c1bb4a944eddf042f9400dcbN.exe 83
PID 4072 wrote to memory of 3236 4072 Chehic32.exe 85
PID 4072 wrote to memory of 3236 4072 Chehic32.exe 85
PID 4072 wrote to memory of 3236 4072 Chehic32.exe 85
PID 3236 wrote to memory of 2040 3236 Cnopfnko.exe 87
PID 3236 wrote to memory of 2040 3236 Cnopfnko.exe 87
PID 3236 wrote to memory of 2040 3236 Cnopfnko.exe 87
PID 2040 wrote to memory of 1292 2040 Cdlhnd32.exe 88
PID 2040 wrote to memory of 1292 2040 Cdlhnd32.exe 88
PID 2040 wrote to memory of 1292 2040 Cdlhnd32.exe 88
PID 1292 wrote to memory of 2036 1292 Djfqkoqc.exe 89
PID 1292 wrote to memory of 2036 1292 Djfqkoqc.exe 89
PID 1292 wrote to memory of 2036 1292 Djfqkoqc.exe 89
PID 2036 wrote to memory of 4248 2036 Dapihi32.exe 90
PID 2036 wrote to memory of 4248 2036 Dapihi32.exe 90
PID 2036 wrote to memory of 4248 2036 Dapihi32.exe 90
PID 4248 wrote to memory of 1816 4248 Ddnedd32.exe 91
PID 4248 wrote to memory of 1816 4248 Ddnedd32.exe 91
PID 4248 wrote to memory of 1816 4248 Ddnedd32.exe 91
PID 1816 wrote to memory of 4036 1816 Dfmapp32.exe 92
PID 1816 wrote to memory of 4036 1816 Dfmapp32.exe 92
PID 1816 wrote to memory of 4036 1816 Dfmapp32.exe 92
PID 4036 wrote to memory of 4828 4036 Dmgjmjnd.exe 94
PID 4036 wrote to memory of 4828 4036 Dmgjmjnd.exe 94
PID 4036 wrote to memory of 4828 4036 Dmgjmjnd.exe 94
PID 4828 wrote to memory of 1680 4828 Ddqbicea.exe 95
PID 4828 wrote to memory of 1680 4828 Ddqbicea.exe 95
PID 4828 wrote to memory of 1680 4828 Ddqbicea.exe 95
PID 1680 wrote to memory of 4644 1680 Dkkjfn32.exe 96
PID 1680 wrote to memory of 4644 1680 Dkkjfn32.exe 96
PID 1680 wrote to memory of 4644 1680 Dkkjfn32.exe 96
PID 4644 wrote to memory of 3308 4644 Dadbchdk.exe 97
PID 4644 wrote to memory of 3308 4644 Dadbchdk.exe 97
PID 4644 wrote to memory of 3308 4644 Dadbchdk.exe 97
PID 3308 wrote to memory of 3496 3308 Ddcoocco.exe 98
PID 3308 wrote to memory of 3496 3308 Ddcoocco.exe 98
PID 3308 wrote to memory of 3496 3308 Ddcoocco.exe 98
PID 3496 wrote to memory of 1688 3496 Dkmgln32.exe 99
PID 3496 wrote to memory of 1688 3496 Dkmgln32.exe 99
PID 3496 wrote to memory of 1688 3496 Dkmgln32.exe 99
PID 1688 wrote to memory of 2344 1688 Dmkchi32.exe 100
PID 1688 wrote to memory of 2344 1688 Dmkchi32.exe 100
PID 1688 wrote to memory of 2344 1688 Dmkchi32.exe 100
PID 2344 wrote to memory of 4748 2344 Dgdgqo32.exe 101
PID 2344 wrote to memory of 4748 2344 Dgdgqo32.exe 101
PID 2344 wrote to memory of 4748 2344 Dgdgqo32.exe 101
PID 4748 wrote to memory of 3752 4748 Dailng32.exe 102
PID 4748 wrote to memory of 3752 4748 Dailng32.exe 102
PID 4748 wrote to memory of 3752 4748 Dailng32.exe 102
PID 3752 wrote to memory of 4524 3752 Ddhhjb32.exe 103
PID 3752 wrote to memory of 4524 3752 Ddhhjb32.exe 103
PID 3752 wrote to memory of 4524 3752 Ddhhjb32.exe 103
PID 4524 wrote to memory of 4672 4524 Egfdfn32.exe 104
PID 4524 wrote to memory of 4672 4524 Egfdfn32.exe 104
PID 4524 wrote to memory of 4672 4524 Egfdfn32.exe 104
PID 4672 wrote to memory of 4032 4672 Eomlgk32.exe 105
PID 4672 wrote to memory of 4032 4672 Eomlgk32.exe 105
PID 4672 wrote to memory of 4032 4672 Eomlgk32.exe 105
PID 4032 wrote to memory of 2280 4032 Ealhcg32.exe 106
PID 4032 wrote to memory of 2280 4032 Ealhcg32.exe 106
PID 4032 wrote to memory of 2280 4032 Ealhcg32.exe 106
PID 2280 wrote to memory of 912 2280 Eheqpa32.exe 107
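The two tables above flatten what an analyst actually wants from this report: the parent-to-child chain of dropped executables (the WriteProcessMemory rows are logged three times per spawn, so they have to be collapsed into one edge each), and the COM registration that the registry rows describe (one CLSID, an InProcServer32 default value pointing at a dropped DLL under SysWOW64, and a ThreadingModel of Apartment). The Python below is an added example, not part of the sandbox report and not tooling from the report's producer. Its input rows are copied from the tables above into inline strings; the function names are the example's own; and the "Berbew-style name" check it applies (an eight-character capitalised pseudo-word, optionally ending in 32, with an .exe or .dll extension) is an assumption drawn only from the names seen on this page, not a documented signature.

```python
import ntpath
import re

# Constructed sample input: rows copied from the report's
# "Suspicious use of WriteProcessMemory" table. Each row reads
# "PID <parent> wrote to memory of <child> <parent> <parent image> <target index>";
# the sandbox logs three writes per spawned child, hence the repeats.
WPM_ROWS = """\
PID 2580 wrote to memory of 4072 2580 aa446d2be1aa36cf8a0bd729df41000a3db65284c1bb4a944eddf042f9400dcbN.exe 83
PID 2580 wrote to memory of 4072 2580 aa446d2be1aa36cf8a0bd729df41000a3db65284c1bb4a944eddf042f9400dcbN.exe 83
PID 2580 wrote to memory of 4072 2580 aa446d2be1aa36cf8a0bd729df41000a3db65284c1bb4a944eddf042f9400dcbN.exe 83
PID 4072 wrote to memory of 3236 4072 Chehic32.exe 85
PID 4072 wrote to memory of 3236 4072 Chehic32.exe 85
PID 3236 wrote to memory of 2040 3236 Cnopfnko.exe 87
PID 2040 wrote to memory of 1292 2040 Cdlhnd32.exe 88
"""

# Constructed sample input: rows copied from the registry IoC table, in the
# report's "<description> <ioc> <process>" shape. Backslashes inside the
# quoted value are doubled exactly as the report prints them.
REG_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgipie32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjajid32.dll" Mklbjcpf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bckimq32.exe
"""

# The backreference \1 insists that the repeated parent pid matches the first one.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
REG_RE = re.compile(r'^(Key created|Set value \(str\)) (\\REGISTRY\\\S*?)(?: = "([^"]*)")? (\S+)$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumption drawn from this page's names only (Chehic32.exe, Cnopfnko.exe, Jjajid32.dll ...).
BERBEW_NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.(?:exe|dll)$")


def parse_wpm_rows(text):
    """Return (pid -> image name, ordered unique (parent, child) edges)."""
    images, edges = {}, []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        parent, child, image, _target = m.groups()
        parent, child = int(parent), int(child)
        images[parent] = image
        if (parent, child) not in edges:  # three writes per spawn collapse to one edge
            edges.append((parent, child))
    return images, edges


def infection_chain(images, edges):
    """Walk the spawn chain from the root (a parent that is never a child).
    Returns [(pid, image or None)]; image is None when the pid never shows up
    as a writer, i.e. it is the last process inside the captured window."""
    if not edges:
        return []
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    spawned = {child for _, child in edges}
    root = next(parent for parent, _ in edges if parent not in spawned)
    chain, pid = [], root
    while pid is not None:
        chain.append((pid, images.get(pid)))
        pid = children.get(pid, [None])[0]
    return chain


def parse_registry_rows(text):
    """Split each row into action, key path, value (None for 'Key created') and process."""
    iocs = []
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if not m:
            continue
        action, key, value, process = m.groups()
        if value is not None:
            value = value.replace("\\\\", "\\")  # undo the report's doubled backslashes
        iocs.append({"action": action, "key": key, "value": value, "process": process})
    return iocs


def com_persistence_summary(iocs):
    """Collect the CLSID(s), in-process server DLL path(s) and threading model(s)."""
    clsids, dlls, models = set(), [], set()
    for ioc in iocs:
        m = CLSID_RE.search(ioc["key"])
        if m:
            clsids.add(m.group(0))
        if ioc["value"] and ioc["value"].lower().endswith(".dll") and ioc["value"] not in dlls:
            dlls.append(ioc["value"])
        if ioc["value"] and ioc["key"].endswith("ThreadingModel"):
            models.add(ioc["value"])
    return {"clsids": sorted(clsids), "dlls": dlls, "threading_models": sorted(models)}


def looks_like_berbew_name(name):
    """Assumed naming pattern for the dropped files; the original sample name does not match."""
    return bool(BERBEW_NAME_RE.match(name))


def analyse(wpm_text=WPM_ROWS, reg_text=REG_ROWS):
    """Tie both tables together into one hunt-ready summary."""
    images, edges = parse_wpm_rows(wpm_text)
    chain = infection_chain(images, edges)
    summary = com_persistence_summary(parse_registry_rows(reg_text))
    names = [img for _, img in chain if img] + [ntpath.basename(d) for d in summary["dlls"]]
    summary["chain"] = chain
    summary["suspicious_names"] = [n for n in names if looks_like_berbew_name(n)]
    return summary


if __name__ == "__main__":
    result = analyse()
    print("spawn chain:", " -> ".join(f"{pid}:{img or '?'}" for pid, img in result["chain"]))
    print("CLSID(s):", result["clsids"])
    print("in-process server DLL(s):", result["dlls"])
    print("threading model(s):", result["threading_models"])
    print("Berbew-style names:", result["suspicious_names"])
```

Two caveats when turning this into a hunt. First, the key sits under WOW6432Node and the DLLs under SysWOW64 because the sample is 32-bit running on an x64 guest; a 64-bit host check must query the 32-bit registry view, or a lookup under HKLM\SOFTWARE\Classes\CLSID will come back empty. The same WOW64 file system redirection is why the process tree shows command lines of C:\Windows\system32\... resolving to files that actually live in C:\Windows\SysWOW64. Second, the name pattern is a heuristic fitted to this one run and will produce false positives on legitimately named binaries; the fixed CLSID and the InProcServer32 path are the stronger pivots.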
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa446d2be1aa36cf8a0bd729df41000a3db65284c1bb4a944eddf042f9400dcbN.exe"C:\Users\Admin\AppData\Local\Temp\aa446d2be1aa36cf8a0bd729df41000a3db65284c1bb4a944eddf042f9400dcbN.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Chehic32.exeC:\Windows\system32\Chehic32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Cnopfnko.exeC:\Windows\system32\Cnopfnko.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Cdlhnd32.exeC:\Windows\system32\Cdlhnd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Djfqkoqc.exeC:\Windows\system32\Djfqkoqc.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Dapihi32.exeC:\Windows\system32\Dapihi32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Ddnedd32.exeC:\Windows\system32\Ddnedd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Dfmapp32.exeC:\Windows\system32\Dfmapp32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Dmgjmjnd.exeC:\Windows\system32\Dmgjmjnd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Ddqbicea.exeC:\Windows\system32\Ddqbicea.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Dkkjfn32.exeC:\Windows\system32\Dkkjfn32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Dadbchdk.exeC:\Windows\system32\Dadbchdk.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Ddcoocco.exeC:\Windows\system32\Ddcoocco.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Dkmgln32.exeC:\Windows\system32\Dkmgln32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Dmkchi32.exeC:\Windows\system32\Dmkchi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Dgdgqo32.exeC:\Windows\system32\Dgdgqo32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Dailng32.exeC:\Windows\system32\Dailng32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Ddhhjb32.exeC:\Windows\system32\Ddhhjb32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Egfdfn32.exeC:\Windows\system32\Egfdfn32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Eomlgk32.exeC:\Windows\system32\Eomlgk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Ealhcg32.exeC:\Windows\system32\Ealhcg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Eheqpa32.exeC:\Windows\system32\Eheqpa32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Eopimkml.exeC:\Windows\system32\Eopimkml.exe23⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Edlaebkd.exeC:\Windows\system32\Edlaebkd.exe24⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Egknanjg.exeC:\Windows\system32\Egknanjg.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4880 -
C:\Windows\SysWOW64\Emefng32.exeC:\Windows\system32\Emefng32.exe26⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Edonkaia.exeC:\Windows\system32\Edonkaia.exe27⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Ehjjkp32.exeC:\Windows\system32\Ehjjkp32.exe28⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Eodbhj32.exeC:\Windows\system32\Eodbhj32.exe29⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Eabodf32.exeC:\Windows\system32\Eabodf32.exe30⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Ehmgapog.exeC:\Windows\system32\Ehmgapog.exe31⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Edcgfa32.exeC:\Windows\system32\Edcgfa32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Fkmpbk32.exeC:\Windows\system32\Fkmpbk32.exe33⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Fecdpd32.exeC:\Windows\system32\Fecdpd32.exe34⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Fhaplo32.exeC:\Windows\system32\Fhaplo32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Fgdqglbm.exeC:\Windows\system32\Fgdqglbm.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4568 -
C:\Windows\SysWOW64\Fokhiibo.exeC:\Windows\system32\Fokhiibo.exe37⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Fajeeeac.exeC:\Windows\system32\Fajeeeac.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Fdhaapqf.exeC:\Windows\system32\Fdhaapqf.exe39⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Fgfmmlpj.exeC:\Windows\system32\Fgfmmlpj.exe40⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Foneni32.exeC:\Windows\system32\Foneni32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4616 -
C:\Windows\SysWOW64\Fnqejfgg.exeC:\Windows\system32\Fnqejfgg.exe42⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Falajd32.exeC:\Windows\system32\Falajd32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3780 -
C:\Windows\SysWOW64\Fdjnfp32.exeC:\Windows\system32\Fdjnfp32.exe44⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Fgijbk32.exeC:\Windows\system32\Fgijbk32.exe45⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Fannpd32.exeC:\Windows\system32\Fannpd32.exe46⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Fkgbijdn.exeC:\Windows\system32\Fkgbijdn.exe47⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Fneoeeca.exeC:\Windows\system32\Fneoeeca.exe48⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Ggncnkjb.exeC:\Windows\system32\Ggncnkjb.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Gacgkcih.exeC:\Windows\system32\Gacgkcih.exe50⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Gdadgohl.exeC:\Windows\system32\Gdadgohl.exe51⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Goghdhhb.exeC:\Windows\system32\Goghdhhb.exe52⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Gaedqc32.exeC:\Windows\system32\Gaedqc32.exe53⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Gddqmo32.exeC:\Windows\system32\Gddqmo32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4988 -
C:\Windows\SysWOW64\Goiejg32.exeC:\Windows\system32\Goiejg32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Gahafc32.exeC:\Windows\system32\Gahafc32.exe56⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Ggdinj32.exeC:\Windows\system32\Ggdinj32.exe57⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Golapg32.exeC:\Windows\system32\Golapg32.exe58⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Gdhjhnbd.exeC:\Windows\system32\Gdhjhnbd.exe59⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Gonnegbj.exeC:\Windows\system32\Gonnegbj.exe60⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Hhfbnl32.exeC:\Windows\system32\Hhfbnl32.exe61⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Hoqkkfpg.exeC:\Windows\system32\Hoqkkfpg.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3168 -
C:\Windows\SysWOW64\Hnckfc32.exeC:\Windows\system32\Hnckfc32.exe63⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Hdmccmno.exeC:\Windows\system32\Hdmccmno.exe64⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Hglpoi32.exeC:\Windows\system32\Hglpoi32.exe65⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Hkglpgfk.exeC:\Windows\system32\Hkglpgfk.exe66⤵PID:3636
-
C:\Windows\SysWOW64\Hfmpmpea.exeC:\Windows\system32\Hfmpmpea.exe67⤵PID:4024
-
C:\Windows\SysWOW64\Hgnldh32.exeC:\Windows\system32\Hgnldh32.exe68⤵PID:3856
-
C:\Windows\SysWOW64\Hbcqba32.exeC:\Windows\system32\Hbcqba32.exe69⤵PID:4668
-
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe70⤵PID:2372
-
C:\Windows\SysWOW64\Hklekg32.exeC:\Windows\system32\Hklekg32.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Hfaihp32.exeC:\Windows\system32\Hfaihp32.exe72⤵PID:4508
-
C:\Windows\SysWOW64\Hojnaehl.exeC:\Windows\system32\Hojnaehl.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4700 -
C:\Windows\SysWOW64\Hbhjmqgp.exeC:\Windows\system32\Hbhjmqgp.exe74⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Ioljfe32.exeC:\Windows\system32\Ioljfe32.exe75⤵PID:1064
-
C:\Windows\SysWOW64\Idicol32.exeC:\Windows\system32\Idicol32.exe76⤵PID:4840
-
C:\Windows\SysWOW64\Iggokg32.exeC:\Windows\system32\Iggokg32.exe77⤵PID:3684
-
C:\Windows\SysWOW64\Ifhoiokd.exeC:\Windows\system32\Ifhoiokd.exe78⤵
- Modifies registry class
PID:3732 -
C:\Windows\SysWOW64\Idkpdk32.exeC:\Windows\system32\Idkpdk32.exe79⤵PID:3076
-
C:\Windows\SysWOW64\Igjlpg32.exeC:\Windows\system32\Igjlpg32.exe80⤵PID:2064
-
C:\Windows\SysWOW64\Idnljkpl.exeC:\Windows\system32\Idnljkpl.exe81⤵PID:1740
-
C:\Windows\SysWOW64\Infabq32.exeC:\Windows\system32\Infabq32.exe82⤵PID:3680
-
C:\Windows\SysWOW64\Ifmidn32.exeC:\Windows\system32\Ifmidn32.exe83⤵PID:5000
-
C:\Windows\SysWOW64\Ignekfmm.exeC:\Windows\system32\Ignekfmm.exe84⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Jebfej32.exeC:\Windows\system32\Jebfej32.exe85⤵PID:4040
-
C:\Windows\SysWOW64\Jklnadcc.exeC:\Windows\system32\Jklnadcc.exe86⤵PID:1228
-
C:\Windows\SysWOW64\Jedbjj32.exeC:\Windows\system32\Jedbjj32.exe87⤵PID:1416
-
C:\Windows\SysWOW64\Jipnkibm.exeC:\Windows\system32\Jipnkibm.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3652 -
C:\Windows\SysWOW64\Jojghc32.exeC:\Windows\system32\Jojghc32.exe89⤵PID:3840
-
C:\Windows\SysWOW64\Jbhcdnim.exeC:\Windows\system32\Jbhcdnim.exe90⤵
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Jfdodm32.exeC:\Windows\system32\Jfdodm32.exe91⤵PID:3820
-
C:\Windows\SysWOW64\Jegopjha.exeC:\Windows\system32\Jegopjha.exe92⤵
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Jgeklege.exeC:\Windows\system32\Jgeklege.exe93⤵PID:4980
-
C:\Windows\SysWOW64\Jpmcmbhg.exeC:\Windows\system32\Jpmcmbhg.exe94⤵PID:180
-
C:\Windows\SysWOW64\Jnocio32.exeC:\Windows\system32\Jnocio32.exe95⤵PID:3528
-
C:\Windows\SysWOW64\Jffljm32.exeC:\Windows\system32\Jffljm32.exe96⤵
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Jeileifo.exeC:\Windows\system32\Jeileifo.exe97⤵PID:5204
-
C:\Windows\SysWOW64\Jiehfh32.exeC:\Windows\system32\Jiehfh32.exe98⤵PID:5264
-
C:\Windows\SysWOW64\Jkcdbc32.exeC:\Windows\system32\Jkcdbc32.exe99⤵PID:5312
-
C:\Windows\SysWOW64\Jpopcbfd.exeC:\Windows\system32\Jpopcbfd.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Jbmloneh.exeC:\Windows\system32\Jbmloneh.exe101⤵PID:5408
-
C:\Windows\SysWOW64\Jelhki32.exeC:\Windows\system32\Jelhki32.exe102⤵PID:5460
-
C:\Windows\SysWOW64\Jigdlhle.exeC:\Windows\system32\Jigdlhle.exe103⤵
- Drops file in System32 directory
PID:5512 -
C:\Windows\SysWOW64\Jpamhb32.exeC:\Windows\system32\Jpamhb32.exe104⤵
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Kfkeelko.exeC:\Windows\system32\Kfkeelko.exe105⤵PID:5616
-
C:\Windows\SysWOW64\Kpcina32.exeC:\Windows\system32\Kpcina32.exe106⤵PID:5664
-
C:\Windows\SysWOW64\Kfnaklil.exeC:\Windows\system32\Kfnaklil.exe107⤵PID:5712
-
C:\Windows\SysWOW64\Khonbdoj.exeC:\Windows\system32\Khonbdoj.exe108⤵PID:5756
-
C:\Windows\SysWOW64\Kljjcb32.exeC:\Windows\system32\Kljjcb32.exe109⤵PID:5800
-
C:\Windows\SysWOW64\Kfpnpk32.exeC:\Windows\system32\Kfpnpk32.exe110⤵PID:5848
-
C:\Windows\SysWOW64\Kphcianj.exeC:\Windows\system32\Kphcianj.exe111⤵PID:5892
-
C:\Windows\SysWOW64\Keekahla.exeC:\Windows\system32\Keekahla.exe112⤵
- System Location Discovery: System Language Discovery
PID:5936 -
C:\Windows\SysWOW64\Knmpjmba.exeC:\Windows\system32\Knmpjmba.exe113⤵PID:5976
-
C:\Windows\SysWOW64\Kfdhkkcd.exeC:\Windows\system32\Kfdhkkcd.exe114⤵PID:6020
-
C:\Windows\SysWOW64\Khfdcc32.exeC:\Windows\system32\Khfdcc32.exe115⤵PID:6064
-
C:\Windows\SysWOW64\Lbkhpl32.exeC:\Windows\system32\Lbkhpl32.exe116⤵PID:6108
-
C:\Windows\SysWOW64\Llcmia32.exeC:\Windows\system32\Llcmia32.exe117⤵PID:672
-
C:\Windows\SysWOW64\Lfiafj32.exeC:\Windows\system32\Lfiafj32.exe118⤵PID:5248
-
C:\Windows\SysWOW64\Lhjnnbem.exeC:\Windows\system32\Lhjnnbem.exe119⤵PID:5332
-
C:\Windows\SysWOW64\Lhmjcbcj.exeC:\Windows\system32\Lhmjcbcj.exe120⤵PID:5396
-
C:\Windows\SysWOW64\Lpdbeo32.exeC:\Windows\system32\Lpdbeo32.exe121⤵PID:5480
-
C:\Windows\SysWOW64\Logbpljg.exeC:\Windows\system32\Logbpljg.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5552