Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-01-2025 03:36
Behavioral task
behavioral1
Sample
5354a4d3844fc5239964693afb84816ddb1492a82959d0d36845c1fad9ad466f.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
5354a4d3844fc5239964693afb84816ddb1492a82959d0d36845c1fad9ad466f.exe
-
Size
93KB
-
MD5
f2800a9da1e32715fb40ef72c94c6a52
-
SHA1
62816d097e6cc819b2bd8360653ee2aa587c017c
-
SHA256
5354a4d3844fc5239964693afb84816ddb1492a82959d0d36845c1fad9ad466f
-
SHA512
24b327cc26a6a82d942f2375ad0ddc769784e9082c5f65bec76600f6d701485a25a6cb0a27933678408db96c7a6c20924521b550b64f884d876059e1fda99344
-
SSDEEP
1536:H6xt6iKUESmwIRv6mSJ678tESZzUTt6sQ1DaYfMZRWuLsV+1T:wt6itmLSJxUTRQgYfc0DV+1T
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikbfgppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmnhcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbcfbjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgcihgaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noeahkfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oondnini.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lobjni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdepgkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqhafffk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgninn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fideeaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Camddhoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaekqhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palklf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjiipk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpnoncim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pekbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfgcakon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhglj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jncoikmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjahlgpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnepna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 5354a4d3844fc5239964693afb84816ddb1492a82959d0d36845c1fad9ad466f.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnkpnclp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckqbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlkngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqphfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gppcmeem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Johnamkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjbcplpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfkpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkgkapm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epmmqheb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lljklo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlpokp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmobchj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaobnio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfchlbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkenjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkhkjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblkjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqdcnl32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 3996 Lelchgne.exe 3888 Ljilqnlm.exe 2712 Lbpdblmo.exe 4252 Llhikacp.exe 1724 Maeachag.exe 3368 Mhoipb32.exe 2672 Mbenmk32.exe 4120 Miofjepg.exe 1812 Mnlnbl32.exe 1712 Meefofek.exe 948 Mlpokp32.exe 5032 Mbighjdd.exe 4840 Micoed32.exe 3596 Mjellmbp.exe 1932 Maodigil.exe 3024 Mhilfa32.exe 4052 Nbnpcj32.exe 628 Nihipdhl.exe 1268 Noeahkfc.exe 2164 Nijeec32.exe 2748 Nklbmllg.exe 688 Nlkngo32.exe 2056 Nbefdijg.exe 5076 Niooqcad.exe 1592 Nkqkhk32.exe 3468 Nbgcih32.exe 460 Nefped32.exe 1472 Nlphbnoe.exe 2392 Oondnini.exe 4424 Oampjeml.exe 3308 Olbdhn32.exe 4792 Ooqqdi32.exe 1260 Oaompd32.exe 520 Oldamm32.exe 3092 Oaajed32.exe 3672 Obafpg32.exe 1212 Oeoblb32.exe 4332 Oklkdi32.exe 2132 Oimkbaed.exe 4116 Pcepkfld.exe 1732 Pedlgbkh.exe 1204 Polppg32.exe 3692 Pefhlaie.exe 1084 Poomegpf.exe 1240 Pidabppl.exe 5000 Pkenjh32.exe 4280 Pekbga32.exe 2688 Plejdkmm.exe 2524 Pocfpf32.exe 2812 Pemomqcn.exe 472 Qkjgegae.exe 3288 Qepkbpak.exe 3480 Qcclld32.exe 2848 Qebhhp32.exe 3896 Ajpqnneo.exe 3868 Akamff32.exe 4584 Ahenokjf.exe 2780 Alqjpi32.exe 2548 Aoofle32.exe 4744 Ajdjin32.exe 4880 Alcfei32.exe 3440 Acmobchj.exe 1392 Afkknogn.exe 1640 Acokhc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mgehfkop.exe Mcjmel32.exe File created C:\Windows\SysWOW64\Pmaffnce.exe Ponfka32.exe File opened for modification C:\Windows\SysWOW64\Cacckp32.exe Ckjknfnh.exe File created C:\Windows\SysWOW64\Cmncbodd.dll Oaajed32.exe File opened for modification C:\Windows\SysWOW64\Djhimica.exe Dcnqpo32.exe File created C:\Windows\SysWOW64\Ghdief32.dll Lcnmin32.exe File opened for modification C:\Windows\SysWOW64\Omcjep32.exe Ojdnid32.exe File created C:\Windows\SysWOW64\Oqadgkdb.dll Dmlkhofd.exe File opened for modification C:\Windows\SysWOW64\Eeelnp32.exe Efblbbqd.exe File created C:\Windows\SysWOW64\Opclldhj.exe Oaplqh32.exe File opened for modification C:\Windows\SysWOW64\Ondljl32.exe Ofmdio32.exe File created C:\Windows\SysWOW64\Poomegpf.exe Pefhlaie.exe File created C:\Windows\SysWOW64\Pkenjh32.exe Pidabppl.exe File opened for modification C:\Windows\SysWOW64\Gfokoelp.exe Gikkfqmf.exe File created C:\Windows\SysWOW64\Bmjkic32.exe Bhmbqm32.exe File created C:\Windows\SysWOW64\Ljobpiql.exe Lgqfdnah.exe File created C:\Windows\SysWOW64\Ahiiai32.dll Lcggio32.exe File opened for modification C:\Windows\SysWOW64\Lcnmin32.exe Lmdemd32.exe File opened for modification C:\Windows\SysWOW64\Napjdpcn.exe Njfagf32.exe File opened for modification C:\Windows\SysWOW64\Neqopnhb.exe Nnfgcd32.exe File opened for modification C:\Windows\SysWOW64\Niooqcad.exe Nbefdijg.exe File opened for modification C:\Windows\SysWOW64\Idhnkf32.exe Innfnl32.exe File created C:\Windows\SysWOW64\Jdodkebj.exe Jnelok32.exe File opened for modification C:\Windows\SysWOW64\Phodcg32.exe Peahgl32.exe File opened for modification C:\Windows\SysWOW64\Dijbno32.exe Dflfac32.exe File opened for modification C:\Windows\SysWOW64\Lcdciiec.exe Lpfgmnfp.exe File created C:\Windows\SysWOW64\Lmbhgd32.exe Ljclki32.exe File created C:\Windows\SysWOW64\Mmnhcb32.exe Mjokgg32.exe File opened for modification C:\Windows\SysWOW64\Bllbaa32.exe Bddjpd32.exe File created C:\Windows\SysWOW64\Jefjbddd.dll Jcoaglhk.exe File created C:\Windows\SysWOW64\Flcmfp32.dll Mbighjdd.exe File created C:\Windows\SysWOW64\Oimkbaed.exe Oklkdi32.exe File created C:\Windows\SysWOW64\Eleepoob.exe Ejchhgid.exe File created C:\Windows\SysWOW64\Bhmbqm32.exe Bpfkpp32.exe File created C:\Windows\SysWOW64\Jhghaf32.dll Ohkkhhmh.exe File created C:\Windows\SysWOW64\Plpjoe32.exe Pdhbmh32.exe File opened for modification C:\Windows\SysWOW64\Hmbphg32.exe Hekgfj32.exe File opened for modification C:\Windows\SysWOW64\Glcaambb.exe Fideeaco.exe File created C:\Windows\SysWOW64\Obgbikfp.dll Bedgjgkg.exe File created C:\Windows\SysWOW64\Hojncj32.dll Eppjfgcp.exe File created C:\Windows\SysWOW64\Eemnff32.dll Jgpfbjlo.exe File opened for modification C:\Windows\SysWOW64\Kckqbj32.exe Koodbl32.exe File created C:\Windows\SysWOW64\Gnlkgflm.dll Mlpokp32.exe File created C:\Windows\SysWOW64\Ajjjof32.dll Oldamm32.exe File created C:\Windows\SysWOW64\Dmoohe32.exe Ckpbnb32.exe File opened for modification C:\Windows\SysWOW64\Ncchae32.exe Nadleilm.exe File created C:\Windows\SysWOW64\Cgdgna32.dll Ipgbdbqb.exe File opened for modification C:\Windows\SysWOW64\Mfchlbfd.exe Mqdcnl32.exe File created C:\Windows\SysWOW64\Olbdhn32.exe Oampjeml.exe File created C:\Windows\SysWOW64\Kbpnnj32.dll Ecbjkngo.exe File created C:\Windows\SysWOW64\Adndoe32.exe Albpkc32.exe File opened for modification C:\Windows\SysWOW64\Jghpbk32.exe Jcmdaljn.exe File opened for modification C:\Windows\SysWOW64\Ompfej32.exe Ojajin32.exe File created C:\Windows\SysWOW64\Pnclimck.dll Qepkbpak.exe File opened for modification C:\Windows\SysWOW64\Mkmkkjko.exe Mmkkmc32.exe File created C:\Windows\SysWOW64\Nbdfqocb.dll Hbjoeojc.exe File created C:\Windows\SysWOW64\Dfookdli.dll Nccokk32.exe File opened for modification C:\Windows\SysWOW64\Qdbdcg32.exe Qoelkp32.exe File opened for modification C:\Windows\SysWOW64\Cfbcke32.exe Cnkkjh32.exe File opened for modification C:\Windows\SysWOW64\Jmbhoeid.exe Jiglnf32.exe File opened for modification C:\Windows\SysWOW64\Ogekbb32.exe Ocjoadei.exe File opened for modification C:\Windows\SysWOW64\Hdokdg32.exe Hmechmip.exe File created C:\Windows\SysWOW64\Mchppmij.exe Meepdp32.exe File created C:\Windows\SysWOW64\Oanjomjp.dll Neqopnhb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11864 11372 WerFault.exe 618 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miofjepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igfclkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojajin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gppcmeem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdgnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acmobchj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgifbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impliekg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlnbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbeapmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhnkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kggcnoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfnlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohbhmfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dimenegi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knooej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnoncim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpabni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgninn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcclld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoofle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkkmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inqbclob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhkfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neclenfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnlme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbndfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkdic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonoao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbohpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhnfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onapdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbajbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkimho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnoopdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffobhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmmni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepjkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnfge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmhejao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgbld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqdlnde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqopnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngqagcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogbfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjkic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjellmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdodkebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccokk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehbjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boflmdkk.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abakhdbk.dll" Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdlfi32.dll" Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll" Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnojho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdccbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiffheej.dll" Bllbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqqpck32.dll" Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kodnmkap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqpcjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnifekmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghka32.dll" Fmkgkapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcnmin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pehngkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hedafk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppcbba32.dll" Paiogf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogacbllg.dll" Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilchfdgp.dll" Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiglnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okkdic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bedgjgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefeek32.dll" Iibccgep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlpokp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knchpiom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajihlijd.dll" Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njfagf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqhafffk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmdemd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqichhmn.dll" Pajeam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofcmimpk.dll" Fpbmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddooacnk.dll" Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlofpg32.dll" Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckbemgcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchdqkfl.dll" Nmkmjjaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdenmbkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aokkahlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oampjeml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckpbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geibhp32.dll" Dcnqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npefkf32.dll" Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlfnaicd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmaffnce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bllbaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeoblb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pemomqcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfejnf32.dll" Iciaqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcnmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfmcmai.dll" Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gepgfb32.dll" Fealin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmqlg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 560 wrote to memory of 3996 560 5354a4d3844fc5239964693afb84816ddb1492a82959d0d36845c1fad9ad466f.exe 83 PID 560 wrote to memory of 3996 560 5354a4d3844fc5239964693afb84816ddb1492a82959d0d36845c1fad9ad466f.exe 83 PID 560 wrote to memory of 3996 560 5354a4d3844fc5239964693afb84816ddb1492a82959d0d36845c1fad9ad466f.exe 83 PID 3996 wrote to memory of 3888 3996 Lelchgne.exe 84 PID 3996 wrote to memory of 3888 3996 Lelchgne.exe 84 PID 3996 wrote to memory of 3888 3996 Lelchgne.exe 84 PID 3888 wrote to memory of 2712 3888 Ljilqnlm.exe 85 PID 3888 wrote to memory of 2712 3888 Ljilqnlm.exe 85 PID 3888 wrote to memory of 2712 3888 Ljilqnlm.exe 85 PID 2712 wrote to memory of 4252 2712 Lbpdblmo.exe 86 PID 2712 wrote to memory of 4252 2712 Lbpdblmo.exe 86 PID 2712 wrote to memory of 4252 2712 Lbpdblmo.exe 86 PID 4252 wrote to memory of 1724 4252 Llhikacp.exe 87 PID 4252 wrote to memory of 1724 4252 Llhikacp.exe 87 PID 4252 wrote to memory of 1724 4252 Llhikacp.exe 87 PID 1724 wrote to memory of 3368 1724 Maeachag.exe 88 PID 1724 wrote to memory of 3368 1724 Maeachag.exe 88 PID 1724 wrote to memory of 3368 1724 Maeachag.exe 88 PID 3368 wrote to memory of 2672 3368 Mhoipb32.exe 89 PID 3368 wrote to memory of 2672 3368 Mhoipb32.exe 89 PID 3368 wrote to memory of 2672 3368 Mhoipb32.exe 89 PID 2672 wrote to memory of 4120 2672 Mbenmk32.exe 90 PID 2672 wrote to memory of 4120 2672 Mbenmk32.exe 90 PID 2672 wrote to memory of 4120 2672 Mbenmk32.exe 90 PID 4120 wrote to memory of 1812 4120 Miofjepg.exe 91 PID 4120 wrote to memory of 1812 4120 Miofjepg.exe 91 PID 4120 wrote to memory of 1812 4120 Miofjepg.exe 91 PID 1812 wrote to memory of 1712 1812 Mnlnbl32.exe 92 PID 1812 wrote to memory of 1712 1812 Mnlnbl32.exe 92 PID 1812 wrote to memory of 1712 1812 Mnlnbl32.exe 92 PID 1712 wrote to memory of 948 1712 Meefofek.exe 93 PID 1712 wrote to memory of 948 1712 Meefofek.exe 93 PID 1712 wrote to memory of 948 1712 Meefofek.exe 93 PID 948 wrote to memory of 5032 948 Mlpokp32.exe 94 PID 948 wrote to memory of 5032 948 Mlpokp32.exe 94 PID 948 wrote to memory of 5032 948 Mlpokp32.exe 94 PID 5032 wrote to memory of 4840 5032 Mbighjdd.exe 95 PID 5032 wrote to memory of 4840 5032 Mbighjdd.exe 95 PID 5032 wrote to memory of 4840 5032 Mbighjdd.exe 95 PID 4840 wrote to memory of 3596 4840 Micoed32.exe 96 PID 4840 wrote to memory of 3596 4840 Micoed32.exe 96 PID 4840 wrote to memory of 3596 4840 Micoed32.exe 96 PID 3596 wrote to memory of 1932 3596 Mjellmbp.exe 97 PID 3596 wrote to memory of 1932 3596 Mjellmbp.exe 97 PID 3596 wrote to memory of 1932 3596 Mjellmbp.exe 97 PID 1932 wrote to memory of 3024 1932 Maodigil.exe 98 PID 1932 wrote to memory of 3024 1932 Maodigil.exe 98 PID 1932 wrote to memory of 3024 1932 Maodigil.exe 98 PID 3024 wrote to memory of 4052 3024 Mhilfa32.exe 99 PID 3024 wrote to memory of 4052 3024 Mhilfa32.exe 99 PID 3024 wrote to memory of 4052 3024 Mhilfa32.exe 99 PID 4052 wrote to memory of 628 4052 Nbnpcj32.exe 100 PID 4052 wrote to memory of 628 4052 Nbnpcj32.exe 100 PID 4052 wrote to memory of 628 4052 Nbnpcj32.exe 100 PID 628 wrote to memory of 1268 628 Nihipdhl.exe 101 PID 628 wrote to memory of 1268 628 Nihipdhl.exe 101 PID 628 wrote to memory of 1268 628 Nihipdhl.exe 101 PID 1268 wrote to memory of 2164 1268 Noeahkfc.exe 102 PID 1268 wrote to memory of 2164 1268 Noeahkfc.exe 102 PID 1268 wrote to memory of 2164 1268 Noeahkfc.exe 102 PID 2164 wrote to memory of 2748 2164 Nijeec32.exe 103 PID 2164 wrote to memory of 2748 2164 Nijeec32.exe 103 PID 2164 wrote to memory of 2748 2164 Nijeec32.exe 103 PID 2748 wrote to memory of 688 2748 Nklbmllg.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5354a4d3844fc5239964693afb84816ddb1492a82959d0d36845c1fad9ad466f.exe"C:\Users\Admin\AppData\Local\Temp\5354a4d3844fc5239964693afb84816ddb1492a82959d0d36845c1fad9ad466f.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe25⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe26⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe27⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe28⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe29⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4424 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe32⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe33⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe34⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:520 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3092 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe37⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4332 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe40⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe41⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe42⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe43⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3692 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe45⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe50⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe52⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3288 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3480 -
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe55⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe56⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe57⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe58⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe59⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe61⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe62⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3440 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe64⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe65⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe66⤵PID:4216
-
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe67⤵
- System Location Discovery: System Language Discovery
PID:1860 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe69⤵PID:3948
-
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe70⤵PID:216
-
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe71⤵PID:1116
-
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe72⤵PID:4732
-
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe73⤵
- System Location Discovery: System Language Discovery
PID:544 -
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe74⤵PID:4944
-
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe75⤵
- System Location Discovery: System Language Discovery
PID:4996 -
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe76⤵PID:3140
-
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe78⤵PID:2592
-
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe79⤵PID:4836
-
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3916 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe81⤵
- System Location Discovery: System Language Discovery
PID:4512 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe82⤵PID:2776
-
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe84⤵PID:2584
-
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe85⤵PID:2228
-
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe86⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe87⤵
- Drops file in System32 directory
PID:4940 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe88⤵PID:2452
-
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3624 -
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe91⤵PID:4576
-
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe92⤵PID:848
-
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe93⤵PID:3836
-
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe94⤵PID:1772
-
C:\Windows\SysWOW64\Eciplm32.exeC:\Windows\system32\Eciplm32.exe95⤵PID:4936
-
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe96⤵
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe97⤵PID:2296
-
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe98⤵PID:4208
-
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe99⤵PID:2344
-
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe100⤵
- Modifies registry class
PID:3552 -
C:\Windows\SysWOW64\Fbajbi32.exeC:\Windows\system32\Fbajbi32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe102⤵PID:2652
-
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe103⤵PID:5112
-
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe105⤵PID:4136
-
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe106⤵
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe107⤵PID:2872
-
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:64 -
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4928 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe111⤵
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe112⤵
- Modifies registry class
PID:3540 -
C:\Windows\SysWOW64\Fideeaco.exeC:\Windows\system32\Fideeaco.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4816 -
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe114⤵PID:1560
-
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe115⤵PID:3696
-
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe116⤵PID:2412
-
C:\Windows\SysWOW64\Gdlfhj32.exeC:\Windows\system32\Gdlfhj32.exe117⤵PID:5152
-
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe118⤵PID:5196
-
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe119⤵PID:5240
-
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe120⤵PID:5284
-
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5328
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-