Analysis
-
max time kernel
93s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 03:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ee3606405a5dee67bb6b0128e1d008ac5667fe71e5cd8004d667783aae2bab43N.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
ee3606405a5dee67bb6b0128e1d008ac5667fe71e5cd8004d667783aae2bab43N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
ee3606405a5dee67bb6b0128e1d008ac5667fe71e5cd8004d667783aae2bab43N.exe
-
Size
96KB
-
MD5
66cfb69b6a69e6248193da24584cfe40
-
SHA1
6c873f48c9ec6bcd072c2901209d1475ffb29f5c
-
SHA256
ee3606405a5dee67bb6b0128e1d008ac5667fe71e5cd8004d667783aae2bab43
-
SHA512
9ebdf843371ae972fc95cb474ca7d1aa23869ffb852c5ea2e8dd7dd5a12c9c04e65243d60c85f1eda1a48c5a66db204c7395c8690fbd0c5afc82eff84b781449
-
SSDEEP
1536:GdxX5ttiGgbRcl4wlUpxQhzvi+2LFsBMu/HCmiDcg3MZRP3cEW3AE:mttiZ6tlwKhzYFa6miEo
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjgpfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkgpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phdnngdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fealin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdlmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oanokhdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohnohn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhlkilba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhimica.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfapd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boenhgdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iijfhbhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oophlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmkofa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaiimadl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekonpckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phajna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfkqjmdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcehdod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diccgfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdnabjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odhifjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amjillkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhdgpii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnlaldg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjlic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcphab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkalplel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbjhbbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nclikl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlddqem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hldiinke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcclncbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlmfeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efpomccg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebimgcfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhilfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbdoof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnjejjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omdieb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpnoncim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nagiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apodoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnnljj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipihpkkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjemflb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnlkfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaebef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahpfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahqddk32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3724 Knflpoqf.exe 636 Kaehljpj.exe 2848 Kkjlic32.exe 1992 Kageaj32.exe 908 Kgamnded.exe 2680 Knkekn32.exe 3536 Liqihglg.exe 532 Ljbfpo32.exe 1128 Lalnmiia.exe 992 Licfngjd.exe 952 Ljdceo32.exe 100 Lankbigo.exe 1896 Lldopb32.exe 4680 Lnbklm32.exe 212 Lbngllob.exe 3492 Ljilqnlm.exe 4880 Lijlof32.exe 4000 Mbenmk32.exe 3300 Mecjif32.exe 3220 Mlmbfqoj.exe 3232 Mnlnbl32.exe 5028 Meefofek.exe 3476 Mhdckaeo.exe 4344 Mnnkgl32.exe 3228 Mehcdfch.exe 4820 Mhfppabl.exe 756 Mblcnj32.exe 1624 Mhilfa32.exe 1976 Nbnpcj32.exe 1492 Nlfelogp.exe 4652 Nijeec32.exe 3084 Nliaao32.exe 2284 Nhpbfpka.exe 3804 Nojjcj32.exe 4516 Nlnkmnah.exe 4380 Nbgcih32.exe 3056 Niakfbpa.exe 3288 Okchnk32.exe 1936 Oampjeml.exe 916 Okedcjcm.exe 2300 Oekiqccc.exe 2340 Oldamm32.exe 620 Oboijgbl.exe 3676 Ohkbbn32.exe 4420 Okjnnj32.exe 1956 Oadfkdgd.exe 408 Ohnohn32.exe 388 Oohgdhfn.exe 3144 Oimkbaed.exe 2856 Pkogiikb.exe 4992 Pahpfc32.exe 4964 Pedlgbkh.exe 2732 Plndcl32.exe 1840 Polppg32.exe 1784 Phedhmhi.exe 3000 Poomegpf.exe 4780 Pidabppl.exe 4872 Pkenjh32.exe 5112 Pcmeke32.exe 5000 Pifnhpmi.exe 3032 Pkhjph32.exe 1392 Pabblb32.exe 4364 Qhlkilba.exe 3180 Qkjgegae.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kageaj32.exe Kkjlic32.exe File created C:\Windows\SysWOW64\Gedapeof.dll Kmaopfjm.exe File created C:\Windows\SysWOW64\Lkchelci.exe Ldipha32.exe File created C:\Windows\SysWOW64\Jobfelii.dll Jljbeali.exe File opened for modification C:\Windows\SysWOW64\Hpioin32.exe Hlmchoan.exe File created C:\Windows\SysWOW64\Ipbaol32.exe Ihkjno32.exe File created C:\Windows\SysWOW64\Bcddcbab.exe Bohibc32.exe File created C:\Windows\SysWOW64\Ejlbhh32.exe Efafgifc.exe File opened for modification C:\Windows\SysWOW64\Ekkkoj32.exe Eiloco32.exe File created C:\Windows\SysWOW64\Fnihkq32.dll Mnjqmpgg.exe File created C:\Windows\SysWOW64\Fmjhedep.dll Lqbncb32.exe File opened for modification C:\Windows\SysWOW64\Dbicpfdk.exe Dmlkhofd.exe File created C:\Windows\SysWOW64\Hffken32.exe Hoobdp32.exe File opened for modification C:\Windows\SysWOW64\Hnbeeiji.exe Hldiinke.exe File created C:\Windows\SysWOW64\Cdecba32.dll Dmohno32.exe File created C:\Windows\SysWOW64\Gbeejp32.exe Glkmmefl.exe File created C:\Windows\SysWOW64\Akmcfjdp.dll Nhhdnf32.exe File created C:\Windows\SysWOW64\Fgbdja32.dll Innfnl32.exe File created C:\Windows\SysWOW64\Ngjbaj32.exe Nelfeo32.exe File opened for modification C:\Windows\SysWOW64\Adfnofpd.exe Anmfbl32.exe File opened for modification C:\Windows\SysWOW64\Dmohno32.exe Dbicpfdk.exe File created C:\Windows\SysWOW64\Nbkdke32.dll Knalji32.exe File created C:\Windows\SysWOW64\Fmhdkknd.exe Fealin32.exe File opened for modification C:\Windows\SysWOW64\Mcdeeq32.exe Mohidbkl.exe File opened for modification C:\Windows\SysWOW64\Oophlo32.exe Ojcpdg32.exe File created C:\Windows\SysWOW64\Bfllfd32.dll Kjjiej32.exe File created C:\Windows\SysWOW64\Pdnjmc32.dll Lqikmc32.exe File created C:\Windows\SysWOW64\Efjbcakl.exe Eppjfgcp.exe File created C:\Windows\SysWOW64\Hockka32.dll Qodeajbg.exe File opened for modification C:\Windows\SysWOW64\Bnlhncgi.exe Bhpofl32.exe File created C:\Windows\SysWOW64\Mbkkam32.dll Caageq32.exe File created C:\Windows\SysWOW64\Jicchk32.dll Llnnmhfe.exe File created C:\Windows\SysWOW64\Bpldbefn.dll Ofckhj32.exe File created C:\Windows\SysWOW64\Qaflgago.exe Qohpkf32.exe File created C:\Windows\SysWOW64\Gbdoof32.exe Gljgbllj.exe File created C:\Windows\SysWOW64\Pioelhgj.dll Idfaefkd.exe File opened for modification C:\Windows\SysWOW64\Qhkdof32.exe Qaalblgi.exe File created C:\Windows\SysWOW64\Bhkfkmmg.exe Bpdnjple.exe File created C:\Windows\SysWOW64\Glfmgp32.exe Geldkfpi.exe File created C:\Windows\SysWOW64\Ledepn32.exe Lcfidb32.exe File opened for modification C:\Windows\SysWOW64\Jkimho32.exe Jdodkebj.exe File created C:\Windows\SysWOW64\Jgbjbp32.exe Jlmfeg32.exe File created C:\Windows\SysWOW64\Gabmaqlh.dll Olfghg32.exe File opened for modification C:\Windows\SysWOW64\Aonhghjl.exe Aggpfkjj.exe File opened for modification C:\Windows\SysWOW64\Jniood32.exe Jinboekc.exe File opened for modification C:\Windows\SysWOW64\Ocaebc32.exe Omgmeigd.exe File created C:\Windows\SysWOW64\Nkphhg32.dll Ggmmlamj.exe File opened for modification C:\Windows\SysWOW64\Jbccge32.exe Jpegkj32.exe File created C:\Windows\SysWOW64\Hiiggoaf.exe Hgkkkcbc.exe File opened for modification C:\Windows\SysWOW64\Ipoopgnf.exe Inqbclob.exe File created C:\Windows\SysWOW64\Phdnngdn.exe Pajeam32.exe File created C:\Windows\SysWOW64\Fhhfif32.dll Johnamkm.exe File opened for modification C:\Windows\SysWOW64\Hhfpbpdo.exe Hehdfdek.exe File opened for modification C:\Windows\SysWOW64\Oikjkc32.exe Oflmnh32.exe File created C:\Windows\SysWOW64\Emkndc32.exe Ejlbhh32.exe File created C:\Windows\SysWOW64\Gehcdm32.dll Nlhkgi32.exe File created C:\Windows\SysWOW64\Bdcebook.dll Aoalgn32.exe File created C:\Windows\SysWOW64\Edgbii32.exe Enmjlojd.exe File opened for modification C:\Windows\SysWOW64\Bgnffj32.exe Bhkfkmmg.exe File created C:\Windows\SysWOW64\Jldbpl32.exe Jifecp32.exe File created C:\Windows\SysWOW64\Khiofk32.exe Kapfiqoj.exe File opened for modification C:\Windows\SysWOW64\Hildmn32.exe Hkicaahi.exe File created C:\Windows\SysWOW64\Gfqnichl.dll Ckclhn32.exe File opened for modification C:\Windows\SysWOW64\Fefedmil.exe Fnlmhc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 812 2700 WerFault.exe 908 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbponja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbnpcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcblpdgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahgad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdilipp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmeandma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofilp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efepbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppjfgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipfmggc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnpphljo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpnakk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpepbgbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkmmefl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdciiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiiicf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhpimhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdagpnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabcopmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhngolpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hildmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ennqfenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcapicdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lakfeodm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdehni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjiipk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebaplnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqhdbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdbpgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfbaalbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjbddpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadfkdgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcahmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecefqnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekaapi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfldgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocihgnam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padnaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpjmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eehicoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdialdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnjejjgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglmio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakebqbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoalgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnlkfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffken32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonhghjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gokbgpeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikoopij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdgglfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkobkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehcdfch.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hobipl32.dll" Oidhlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jifecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhnhajba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmpdfhi.dll" Licfngjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajdjin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgiiiidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqafhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aonhghjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hldiinke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Capqggce.dll" Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkopekaa.dll" Ennqfenp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gflhoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqpfmlce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqncnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmmco32.dll" Iijfhbhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabmaqlh.dll" Olfghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhenai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gipdap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgbloglj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djcoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijqmhnko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll" Cdmfllhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpahkbdh.dll" Enkmfolf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhaljido.dll" Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcomn32.dll" Lpochfji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncmhko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epndknin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peaggfjj.dll" Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlgcp32.dll" Ocaebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiikpnmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbdho32.dll" Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faikapbo.dll" Ackbmcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbdlk32.dll" Acokhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmjaa32.dll" Eclmamod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimgpahk.dll" Dbicpfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjiipk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aknifq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiikpnmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iinqbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inqbclob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbfgkffn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Filapfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbdehlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkhkjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blielbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkdcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll" Nfnamjhk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3512 wrote to memory of 3724 3512 ee3606405a5dee67bb6b0128e1d008ac5667fe71e5cd8004d667783aae2bab43N.exe 82 PID 3512 wrote to memory of 3724 3512 ee3606405a5dee67bb6b0128e1d008ac5667fe71e5cd8004d667783aae2bab43N.exe 82 PID 3512 wrote to memory of 3724 3512 ee3606405a5dee67bb6b0128e1d008ac5667fe71e5cd8004d667783aae2bab43N.exe 82 PID 3724 wrote to memory of 636 3724 Knflpoqf.exe 83 PID 3724 wrote to memory of 636 3724 Knflpoqf.exe 83 PID 3724 wrote to memory of 636 3724 Knflpoqf.exe 83 PID 636 wrote to memory of 2848 636 Kaehljpj.exe 84 PID 636 wrote to memory of 2848 636 Kaehljpj.exe 84 PID 636 wrote to memory of 2848 636 Kaehljpj.exe 84 PID 2848 wrote to memory of 1992 2848 Kkjlic32.exe 85 PID 2848 wrote to memory of 1992 2848 Kkjlic32.exe 85 PID 2848 wrote to memory of 1992 2848 Kkjlic32.exe 85 PID 1992 wrote to memory of 908 1992 Kageaj32.exe 86 PID 1992 wrote to memory of 908 1992 Kageaj32.exe 86 PID 1992 wrote to memory of 908 1992 Kageaj32.exe 86 PID 908 wrote to memory of 2680 908 Kgamnded.exe 87 PID 908 wrote to memory of 2680 908 Kgamnded.exe 87 PID 908 wrote to memory of 2680 908 Kgamnded.exe 87 PID 2680 wrote to memory of 3536 2680 Knkekn32.exe 88 PID 2680 wrote to memory of 3536 2680 Knkekn32.exe 88 PID 2680 wrote to memory of 3536 2680 Knkekn32.exe 88 PID 3536 wrote to memory of 532 3536 Liqihglg.exe 89 PID 3536 wrote to memory of 532 3536 Liqihglg.exe 89 PID 3536 wrote to memory of 532 3536 Liqihglg.exe 89 PID 532 wrote to memory of 1128 532 Ljbfpo32.exe 90 PID 532 wrote to memory of 1128 532 Ljbfpo32.exe 90 PID 532 wrote to memory of 1128 532 Ljbfpo32.exe 90 PID 1128 wrote to memory of 992 1128 Lalnmiia.exe 91 PID 1128 wrote to memory of 992 1128 Lalnmiia.exe 91 PID 1128 wrote to memory of 992 1128 Lalnmiia.exe 91 PID 992 wrote to memory of 952 992 Licfngjd.exe 92 PID 992 wrote to memory of 952 992 Licfngjd.exe 92 PID 992 wrote to memory of 952 992 Licfngjd.exe 92 PID 952 wrote to memory of 100 952 Ljdceo32.exe 93 PID 952 wrote to memory of 100 952 Ljdceo32.exe 93 PID 952 wrote to memory of 100 952 Ljdceo32.exe 93 PID 100 wrote to memory of 1896 100 Lankbigo.exe 94 PID 100 wrote to memory of 1896 100 Lankbigo.exe 94 PID 100 wrote to memory of 1896 100 Lankbigo.exe 94 PID 1896 wrote to memory of 4680 1896 Lldopb32.exe 95 PID 1896 wrote to memory of 4680 1896 Lldopb32.exe 95 PID 1896 wrote to memory of 4680 1896 Lldopb32.exe 95 PID 4680 wrote to memory of 212 4680 Lnbklm32.exe 96 PID 4680 wrote to memory of 212 4680 Lnbklm32.exe 96 PID 4680 wrote to memory of 212 4680 Lnbklm32.exe 96 PID 212 wrote to memory of 3492 212 Lbngllob.exe 97 PID 212 wrote to memory of 3492 212 Lbngllob.exe 97 PID 212 wrote to memory of 3492 212 Lbngllob.exe 97 PID 3492 wrote to memory of 4880 3492 Ljilqnlm.exe 98 PID 3492 wrote to memory of 4880 3492 Ljilqnlm.exe 98 PID 3492 wrote to memory of 4880 3492 Ljilqnlm.exe 98 PID 4880 wrote to memory of 4000 4880 Lijlof32.exe 99 PID 4880 wrote to memory of 4000 4880 Lijlof32.exe 99 PID 4880 wrote to memory of 4000 4880 Lijlof32.exe 99 PID 4000 wrote to memory of 3300 4000 Mbenmk32.exe 100 PID 4000 wrote to memory of 3300 4000 Mbenmk32.exe 100 PID 4000 wrote to memory of 3300 4000 Mbenmk32.exe 100 PID 3300 wrote to memory of 3220 3300 Mecjif32.exe 101 PID 3300 wrote to memory of 3220 3300 Mecjif32.exe 101 PID 3300 wrote to memory of 3220 3300 Mecjif32.exe 101 PID 3220 wrote to memory of 3232 3220 Mlmbfqoj.exe 102 PID 3220 wrote to memory of 3232 3220 Mlmbfqoj.exe 102 PID 3220 wrote to memory of 3232 3220 Mlmbfqoj.exe 102 PID 3232 wrote to memory of 5028 3232 Mnlnbl32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee3606405a5dee67bb6b0128e1d008ac5667fe71e5cd8004d667783aae2bab43N.exe"C:\Users\Admin\AppData\Local\Temp\ee3606405a5dee67bb6b0128e1d008ac5667fe71e5cd8004d667783aae2bab43N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe23⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe24⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe25⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3228 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe27⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe28⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe31⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4652 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe33⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe34⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3804 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe36⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe37⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe38⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe39⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe40⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe41⤵
- Modifies registry class
PID:4392 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe42⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe43⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe44⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe45⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe46⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4420 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe50⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe51⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe52⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe54⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe55⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe56⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe57⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe58⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe59⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe60⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Pcmeke32.exeC:\Windows\system32\Pcmeke32.exe61⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe62⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe63⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe64⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe66⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe67⤵PID:2360
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe68⤵
- System Location Discovery: System Language Discovery
PID:3992 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe69⤵
- Drops file in System32 directory
PID:3124 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe70⤵PID:4884
-
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:768 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1192 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe73⤵PID:4316
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe74⤵
- System Location Discovery: System Language Discovery
PID:4572 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe75⤵PID:3872
-
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe76⤵PID:3608
-
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe77⤵
- Modifies registry class
PID:3648 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe78⤵
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe79⤵PID:3208
-
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4048 -
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe81⤵PID:384
-
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe82⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe83⤵PID:4736
-
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe84⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe85⤵
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe86⤵
- Drops file in System32 directory
PID:4400 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe87⤵PID:4556
-
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe89⤵PID:3968
-
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe90⤵PID:3904
-
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe91⤵PID:4184
-
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe92⤵PID:4360
-
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe93⤵PID:4008
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe94⤵
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe95⤵PID:4076
-
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe96⤵PID:3260
-
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe97⤵PID:4944
-
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe98⤵PID:1748
-
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:372 -
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe100⤵PID:2432
-
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe101⤵PID:2224
-
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe102⤵PID:4304
-
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe103⤵PID:2380
-
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe104⤵PID:4784
-
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe105⤵PID:996
-
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4192 -
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe107⤵PID:3564
-
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe108⤵PID:2352
-
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe109⤵PID:1564
-
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe110⤵PID:4752
-
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe111⤵PID:2900
-
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4280 -
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe113⤵PID:2924
-
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe114⤵PID:3196
-
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe115⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe116⤵PID:4976
-
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe117⤵PID:4136
-
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe118⤵PID:4876
-
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe119⤵PID:5128
-
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe120⤵PID:5176
-
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5220
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-