Analysis

max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-10-2024 02:39

Static task: static1
Behavioral task: behavioral1
  Sample: c45c2caf446cff65346c5190403c5a8ff5d80dfaf527f52f5bc133c4cfbcbda3.exe
  Resource: win7-20240903-en
General

Target: c45c2caf446cff65346c5190403c5a8ff5d80dfaf527f52f5bc133c4cfbcbda3.exe
Size: 163KB
MD5: ffc1ca8946e6cb2ac55445859f37d964
SHA1: 35955a6fed4404e80dce0a8ab9dfb1e339d64e44
SHA256: c45c2caf446cff65346c5190403c5a8ff5d80dfaf527f52f5bc133c4cfbcbda3
SHA512: ed66f9870a46b3ad7930b9d55e3ebf2af46ccc0367723283389f50377ca4978cf1d29ea23f71670431173c92a954c72dbd317a9f70e11c664772f40f40f70a28
SSDEEP: 3072:JVQ2wq4BEMXSEj3lsp7hgltOrWKDBr+yJb:JVDr4/XSEz4tgLOf
Malware Config

Extracted: berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Extracted: gozi
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Key: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value written by every "Set value (str)" row: Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

description | Process
Set value (str) | Fnodob32.exe
Key created | Nihedodm.exe
Set value (str) | Onjianec.exe
Set value (str) | Ojffjg32.exe
Key created | Ainhln32.exe
Key created | Cekkaanh.exe
Set value (str) | Kkfoobkc.exe
Set value (str) | Dppiddie.exe
Set value (str) | Mfbcheka.exe
Set value (str) | Bklpglom.exe
Set value (str) | Ocdnio32.exe
Set value (str) | Fjefnckj.exe
Set value (str) | Process not Found
Key created | Ikfokb32.exe
Set value (str) | Ilfeidmk.exe
Set value (str) | Edenlp32.exe
Key created | Ilohnopg.exe
Set value (str) | Hamnee32.exe
Key created | Mkodfeem.exe
Key created | Ahnmno32.exe
Key created | Bcnmdend.exe
Key created | Fbgacebm.exe
Key created | Ekqqea32.exe
Set value (str) | Mlogojjp.exe
Set value (str) | Cgogbano.exe
Key created | Fppcjcfn.exe
Set value (str) | Immcnikq.exe
Set value (str) | Process not Found
Set value (str) | Mikjmi32.exe
Set value (str) | Elahkl32.exe
Set value (str) | Gmoghklh.exe
Key created | Lgaoqdmk.exe
Set value (str) | Process not Found
Set value (str) | Process not Found
Key created | Jcmjfiab.exe
Key created | Kgienc32.exe
Key created | Dfdbkj32.exe
Key created | Gmgfli32.exe
Set value (str) | Process not Found
Set value (str) | Gniqhpgi.exe
Key created | Dhpkgoja.exe
Set value (str) | Process not Found
Set value (str) | Mjialchg.exe
Set value (str) | Kolcdahb.exe
Set value (str) | Mghjcq32.exe
Set value (str) | Gfclic32.exe
Key created | Jkegigal.exe
Set value (str) | Process not Found
Set value (str) | Imbakfcc.exe
Key created | Efmchp32.exe
Key created | Bhkeml32.exe
Key created | Hamnee32.exe
Set value (str) | Efnlko32.exe
Key created | Jnhblp32.exe
Key created | Bmohgoao.exe
Key created | Fqbeapqb.exe
Set value (str) | Bokfaflj.exe
Set value (str) | Ibaonfll.exe
Set value (str) | Qdeokd32.exe
Key created | Fmidimen.exe
Set value (str) | Ilkhabeg.exe
Key created | Nmpppijb.exe
Key created | Process not Found
Key created | Efkhkifo.exe
Executes dropped EXE (64 IoCs)

pid | Process
2096 | Gokpgd32.exe
2380 | Ghcdpjqj.exe
2720 | Hegdinpd.exe
2740 | Hkifld32.exe
2748 | Hddgkj32.exe
2628 | Hnllcoed.exe
948 | Iopeagip.exe
1920 | Icnngeof.exe
1304 | Ihmcelkk.exe
2072 | Jgbpfhpc.exe
592 | Jmaedolh.exe
1816 | Jcmjfiab.exe
2328 | Jcpglhpo.exe
1516 | Jofhqiec.exe
2392 | Knnagehi.exe
2164 | Kkbbqjgb.exe
1612 | Kcpcjl32.exe
3016 | Lmjdia32.exe
276 | Licbca32.exe
2408 | Lopjlh32.exe
1284 | Macpcccp.exe
928 | Ncnoaj32.exe
1260 | Neaehelb.exe
2664 | Noiiaj32.exe
1496 | Oggkklnk.exe
296 | Odkkdqmd.exe
2116 | Oqaliabh.exe
1604 | Ognakk32.exe
2772 | Oceaql32.exe
1844 | Pfekbg32.exe
2800 | Pdkgcd32.exe
2692 | Piipibff.exe
3048 | Pneiaidn.exe
2700 | Peandcih.exe
2464 | Qjofljho.exe
3044 | Qedjib32.exe
2432 | Aamhdckg.exe
616 | Afjplj32.exe
1756 | Aeommfnf.exe
2436 | Afojgiei.exe
1520 | Anjnllbd.exe
2488 | Anlkakqa.exe
1740 | Blplkp32.exe
1392 | Bmdehgcf.exe
1100 | Bfliqmjg.exe
3020 | Bkjbgk32.exe
2112 | Bgablmfa.exe
964 | Cialng32.exe
1528 | Cidhcg32.exe
2100 | Cgnbepjp.exe
1724 | Dgqokp32.exe
1652 | Djokgk32.exe
1464 | Dddodd32.exe
1580 | Dcjleq32.exe
2828 | Dlbanfbo.exe
2760 | Dclikp32.exe
2604 | Dppiddie.exe
2260 | Djhnmj32.exe
2196 | Ecabfpff.exe
2480 | Eklgjbca.exe
2928 | Efakhk32.exe
2612 | Eojpqpih.exe
1532 | Edghighp.exe
1820 | Ekqqea32.exe
Loads dropped DLL (64 IoCs)

Each process below appears twice in the report (64 entries for 32 processes); it is listed once here.

pid | Process
2068 | c45c2caf446cff65346c5190403c5a8ff5d80dfaf527f52f5bc133c4cfbcbda3.exe
2096 | Gokpgd32.exe
2380 | Ghcdpjqj.exe
2720 | Hegdinpd.exe
2740 | Hkifld32.exe
2748 | Hddgkj32.exe
2628 | Hnllcoed.exe
948 | Iopeagip.exe
1920 | Icnngeof.exe
1304 | Ihmcelkk.exe
2072 | Jgbpfhpc.exe
592 | Jmaedolh.exe
1816 | Jcmjfiab.exe
2328 | Jcpglhpo.exe
1516 | Jofhqiec.exe
2392 | Knnagehi.exe
2164 | Kkbbqjgb.exe
1612 | Kcpcjl32.exe
3016 | Lmjdia32.exe
276 | Licbca32.exe
2408 | Lopjlh32.exe
1284 | Macpcccp.exe
928 | Ncnoaj32.exe
1260 | Neaehelb.exe
2664 | Noiiaj32.exe
1496 | Oggkklnk.exe
296 | Odkkdqmd.exe
2116 | Oqaliabh.exe
1604 | Ognakk32.exe
2772 | Oceaql32.exe
1844 | Pfekbg32.exe
2800 | Pdkgcd32.exe
Drops file in System32 directory (64 IoCs)

All paths are under C:\Windows\SysWOW64 (the 32-bit view of System32 on this x64 image).

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Hjqdankl.exe | Process not Found
File created | C:\Windows\SysWOW64\Dqmefm32.dll | Ojijha32.exe
File opened for modification | C:\Windows\SysWOW64\Gjpama32.exe | Gniqhpgi.exe
File opened for modification | C:\Windows\SysWOW64\Bboomn32.exe | Process not Found
File created | C:\Windows\SysWOW64\Nmqbib32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Cbbcmdfa.exe | Biindo32.exe
File opened for modification | C:\Windows\SysWOW64\Fglkeaqk.exe | Fqbbig32.exe
File created | C:\Windows\SysWOW64\Nodikecl.exe | Napibq32.exe
File created | C:\Windows\SysWOW64\Cenjoi32.exe | Ckeffdmi.exe
File created | C:\Windows\SysWOW64\Cipahi32.dll | Process not Found
File created | C:\Windows\SysWOW64\Kcliqaid.dll | Foencfda.exe
File created | C:\Windows\SysWOW64\Jaqhiq32.exe | Jlcpqj32.exe
File opened for modification | C:\Windows\SysWOW64\Ngpokkgb.exe | Nngjbfpa.exe
File created | C:\Windows\SysWOW64\Lqcnikge.dll | Process not Found
File created | C:\Windows\SysWOW64\Knmlgdfb.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Dgqokp32.exe | Cgnbepjp.exe
File created | C:\Windows\SysWOW64\Ohakgaim.dll | Cbfidfem.exe
File opened for modification | C:\Windows\SysWOW64\Ahlphpmk.exe | Aocloj32.exe
File created | C:\Windows\SysWOW64\Qohbmm32.dll | Process not Found
File created | C:\Windows\SysWOW64\Ppffcjlb.dll | Gflfidpl.exe
File created | C:\Windows\SysWOW64\Ooljkbfj.dll | Dalaeicf.exe
File created | C:\Windows\SysWOW64\Ocegln32.exe | Nmhodg32.exe
File created | C:\Windows\SysWOW64\Ikgdpa32.dll | Process not Found
File created | C:\Windows\SysWOW64\Hlqolb32.dll | Ookonp32.exe
File opened for modification | C:\Windows\SysWOW64\Agioab32.exe | Process not Found
File created | C:\Windows\SysWOW64\Ggmgccil.dll | Bdidegec.exe
File created | C:\Windows\SysWOW64\Jgolhoik.exe | Jnfhoi32.exe
File opened for modification | C:\Windows\SysWOW64\Inllflpf.exe | Ifqgaibk.exe
File created | C:\Windows\SysWOW64\Moaafhdg.dll | Process not Found
File created | C:\Windows\SysWOW64\Mngemf32.dll | Donlcdgn.exe
File opened for modification | C:\Windows\SysWOW64\Ifeenfjm.exe | Ilpaqmkg.exe
File opened for modification | C:\Windows\SysWOW64\Emeoojfg.exe | Dpanffhn.exe
File opened for modification | C:\Windows\SysWOW64\Ifckaodd.exe | Imkfhj32.exe
File created | C:\Windows\SysWOW64\Kibcnb32.exe | Kdfjekmd.exe
File created | C:\Windows\SysWOW64\Fhjajm32.dll | Process not Found
File created | C:\Windows\SysWOW64\Cjimgj32.exe | Process not Found
File created | C:\Windows\SysWOW64\Qddmbkoi.exe | Qnkdeagl.exe
File created | C:\Windows\SysWOW64\Adkaib32.exe | Aonial32.exe
File opened for modification | C:\Windows\SysWOW64\Pehggk32.exe | Pgdgngml.exe
File created | C:\Windows\SysWOW64\Npbbcgga.exe | Namebk32.exe
File created | C:\Windows\SysWOW64\Iekecpmd.exe | Process not Found
File created | C:\Windows\SysWOW64\Iimqnd32.dll | Edieng32.exe
File created | C:\Windows\SysWOW64\Iocehf32.dll | Adkaib32.exe
File opened for modification | C:\Windows\SysWOW64\Gdlncn32.exe | Gifjeeip.exe
File created | C:\Windows\SysWOW64\Kgnall32.exe | Kbaidejd.exe
File created | C:\Windows\SysWOW64\Gkfmjndo.exe | Ganiah32.exe
File opened for modification | C:\Windows\SysWOW64\Biindo32.exe | Bpajliip.exe
File created | C:\Windows\SysWOW64\Heoeipbc.dll | Hmakkqqi.exe
File created | C:\Windows\SysWOW64\Mpdfgeke.dll | Process not Found
File created | C:\Windows\SysWOW64\Lmefnqih.exe | Process not Found
File created | C:\Windows\SysWOW64\Hjdqphho.dll | Cmggkmfg.exe
File created | C:\Windows\SysWOW64\Aqjfoblc.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Piejbpgk.exe | Pbkbff32.exe
File opened for modification | C:\Windows\SysWOW64\Jnpapn32.exe | Jgficdgo.exe
File created | C:\Windows\SysWOW64\Iqqogaii.dll | Onjianec.exe
File created | C:\Windows\SysWOW64\Bccpob32.dll | Okimnfkm.exe
File created | C:\Windows\SysWOW64\Boknmnja.dll | Gndedhdj.exe
File created | C:\Windows\SysWOW64\Fmimdhkm.dll | Bebmgc32.exe
File opened for modification | C:\Windows\SysWOW64\Ecnaaofc.exe | Process not Found
File created | C:\Windows\SysWOW64\Kaoelf32.dll | Hkkcdq32.exe
File opened for modification | C:\Windows\SysWOW64\Kbdmdk32.exe | Kikhkeel.exe
File opened for modification | C:\Windows\SysWOW64\Hppjpd32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Giiibqdp.exe | Gndedhdj.exe
File opened for modification | C:\Windows\SysWOW64\Ahkgeq32.exe | Aaaohfjo.exe
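The "Executes dropped EXE" and "Drops file in System32 directory" sections above describe one repeating step: a process running from SysWOW64 writes a new, randomly named .exe into SysWOW64 and then executes it, and the child repeats the step. The script below is an added example, not part of the sandbox report or the malware, that reconstructs such chains from process-create and file-create telemetry in a Sysmon-like shape (Event ID 1 and Event ID 11). The events are constructed for the example; only the PIDs and image names are taken from the report's lists. A single drop-and-run is ordinary installer behaviour, so the detector reports only chains of at least MIN_CHAIN executed drops.

```python
"""Detect a drop-and-execute worm chain from process/file-create telemetry.

A drop-and-run edge is a ProcessCreate (Sysmon Event ID 1) whose Image was
written into SysWOW64 earlier by its parent (Sysmon Event ID 11, FileCreate).
Following those edges from their roots reconstructs the chain the sandbox
observed (sample -> Gokpgd32.exe -> Ghcdpjqj.exe -> Hegdinpd.exe -> ...).
"""
from collections import defaultdict
from typing import Dict, List

SYSWOW64 = "c:\\windows\\syswow64\\"
MIN_CHAIN = 3  # one drop-and-run is common; a chain of them is the worm pattern

# Constructed events in a Sysmon-like shape (not the sandbox's raw telemetry).
# PIDs and image names come from the report's "Executes dropped EXE" list;
# the benign entries are invented noise to show what is *not* flagged.
EVENTS: List[Dict] = [
    {"id": 1,  "t": 0, "pid": 2068, "ppid": 1400, "image": r"C:\Users\Admin\c45c2caf446cff65346c5190403c5a8ff5d80dfaf527f52f5bc133c4cfbcbda3.exe"},
    {"id": 11, "t": 1, "pid": 2068, "target": r"C:\Windows\SysWOW64\Gokpgd32.exe"},
    {"id": 1,  "t": 2, "pid": 2096, "ppid": 2068, "image": r"C:\Windows\SysWOW64\Gokpgd32.exe"},
    {"id": 11, "t": 3, "pid": 2096, "target": r"C:\Windows\SysWOW64\Ghcdpjqj.exe"},
    {"id": 1,  "t": 4, "pid": 2380, "ppid": 2096, "image": r"C:\Windows\SysWOW64\Ghcdpjqj.exe"},
    {"id": 11, "t": 5, "pid": 2380, "target": r"C:\Windows\SysWOW64\Hegdinpd.exe"},
    {"id": 1,  "t": 6, "pid": 2720, "ppid": 2380, "image": r"C:\Windows\SysWOW64\Hegdinpd.exe"},
    # Benign noise: an installer drops one helper and runs it once (constructed).
    {"id": 11, "t": 7, "pid": 3300, "target": r"C:\Windows\SysWOW64\helper.exe"},
    {"id": 1,  "t": 8, "pid": 3301, "ppid": 3300, "image": r"C:\Windows\SysWOW64\helper.exe"},
    # Benign noise: explorer launches notepad; no preceding FileCreate (constructed).
    {"id": 1,  "t": 9, "pid": 3400, "ppid": 1400, "image": r"C:\Windows\System32\notepad.exe"},
]


def drop_and_run_edges(events: List[Dict]) -> Dict[int, List[int]]:
    """Return {parent_pid: [child_pid, ...]} for every ProcessCreate whose
    image was written into SysWOW64 by that parent earlier in the stream."""
    written = {}  # (writer_pid, path_lower) -> time of the FileCreate
    edges: Dict[int, List[int]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["id"] == 11:
            path = ev["target"].lower()
            if path.startswith(SYSWOW64):
                written[(ev["pid"], path)] = ev["t"]
        elif ev["id"] == 1:
            key = (ev["ppid"], ev["image"].lower())
            if key in written and written[key] < ev["t"]:
                edges[ev["ppid"]].append(ev["pid"])
    return edges


def find_chains(events: List[Dict], min_len: int = MIN_CHAIN) -> List[List[str]]:
    """Walk drop-and-run edges from their roots; return every chain with at
    least `min_len` executed drops, as lists of image basenames (root first).
    A PID with no ProcessCreate event in the stream is shown by number."""
    edges = drop_and_run_edges(events)
    image_of = {e["pid"]: e["image"].rsplit("\\", 1)[-1]
                for e in events if e["id"] == 1}
    children = {c for kids in edges.values() for c in kids}
    roots = [p for p in edges if p not in children]
    chains: List[List[str]] = []

    def walk(pid: int, path: List[str]) -> None:
        kids = edges.get(pid, [])
        if not kids:
            if len(path) - 1 >= min_len:  # path includes the root
                chains.append(path)
            return
        for kid in kids:
            walk(kid, path + [image_of.get(kid, str(kid))])

    for root in roots:
        walk(root, [image_of.get(root, str(root))])
    return chains


if __name__ == "__main__":
    for chain in find_chains(EVENTS):
        print(" -> ".join(chain))
```

The detector keys on writer PID plus exact path rather than on the random-looking file names, so it also catches a variant that picks a different naming scheme; lowering MIN_CHAIN to 1 shows the benign installer chain as well, which is why the threshold exists.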
Program crash (1 IoC)

pid | pid_target | Process | procid_target
3192 | 3852 | Process not Found | 1245
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Processes (in report order):
Ancfbhdh.exe, Kmfbckfa.exe, Process not Found, Process not Found, Kknkncbl.exe, Clcghk32.exe, Kpjlldmg.exe, Pdpoeo32.exe,
Dhjkai32.exe, Jokccnci.exe, Bkdokjdd.exe, Kahqbh32.exe, Ilnegb32.exe, c45c2caf446cff65346c5190403c5a8ff5d80dfaf527f52f5bc133c4cfbcbda3.exe, Odhhdk32.exe, Hhmioa32.exe,
Gggihhkd.exe, Hgnnpc32.exe, Dqgjbcoo.exe, Kibnld32.exe, Nenajk32.exe, Process not Found, Edkbdf32.exe, Madcgpao.exe,
Hpmhhcjk.exe, Ihapcdol.exe, Ojfmdnba.exe, Aocloj32.exe, Hlffcdnm.exe, Mdplcfoi.exe, Pgpmcg32.exe, Ihdflchi.exe,
Ifeenfjm.exe, Ogbkakeo.exe, Gifgml32.exe, Ondcacad.exe, Jlogao32.exe, Process not Found, Process not Found, Piipibff.exe,
Cidhcg32.exe, Hjeojnep.exe, Ongfai32.exe, Jioplhdj.exe, Gifjeeip.exe, Igopilfp.exe, Abmmca32.exe, Pgjbbopk.exe,
Fklohgie.exe, Nkddkk32.exe, Fhcgbc32.exe, Ichmclja.exe, Copjcd32.exe, Process not Found, Process not Found, Eojpqpih.exe,
Haiagm32.exe, Gbeakllj.exe, Nmfblk32.exe, Lcooinfc.exe, Immcnikq.exe, Nocima32.exe, Cbdpcd32.exe, Process not Found
Modifies registry class (64 IoCs)

Key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
"(Default)" below is the key's unnamed default value, which the report renders as "InProcServer32\ =". DLL paths are shown with single backslashes; the report escapes them as "\\".

description | ioc | Process
Set value (str) | ThreadingModel = "Apartment" | Cgnbepjp.exe
Key created | InProcServer32 | Pbmoke32.exe
Set value (str) | ThreadingModel = "Apartment" | Igfmdadd.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Poglgb32.dll" | Ojpedn32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Leenhbbd.dll" | Process not Found
Key created | InProcServer32 | Eafmng32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Gjaaqa32.dll" | Bjillfhl.exe
Key created | InProcServer32 | Pednllpk.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Mndhde32.dll" | Kibnld32.exe
Key created | InProcServer32 | Leoaod32.exe
Set value (str) | ThreadingModel = "Apartment" | Process not Found
Set value (str) | ThreadingModel = "Apartment" | Gndedhdj.exe
Key created | InProcServer32 | Ckeffdmi.exe
Key created | InProcServer32 | Mkeapgng.exe
Key created | InProcServer32 | Lfibeoog.exe
Set value (str) | ThreadingModel = "Apartment" | Kqffeaol.exe
Set value (str) | ThreadingModel = "Apartment" | Kgienc32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Njocpl32.dll" | Bnagecdp.exe
Set value (str) | ThreadingModel = "Apartment" | Lofono32.exe
Key created | InProcServer32 | Oogdiqki.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ijndni32.dll" | Fmidimen.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ogmkla32.dll" | Ediggoma.exe
Key created | InProcServer32 | Ilohnopg.exe
Key created | InProcServer32 | Hjjknfin.exe
Key created | InProcServer32 | Process not Found
Set value (str) | ThreadingModel = "Apartment" | Gbgnpl32.exe
Key created | InProcServer32 | Dpifln32.exe
Key created | InProcServer32 | Kehjpd32.exe
Key created | InProcServer32 | Qohilfpj.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Jmafdaaj.dll" | Ndaehi32.exe
Set value (str) | ThreadingModel = "Apartment" | Mlgjce32.exe
Set value (str) | ThreadingModel = "Apartment" | Bakjfp32.exe
Key created | InProcServer32 | Apinihbm.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Knfejb32.dll" | Process not Found
Set value (str) | (Default) = "C:\Windows\SysWow64\Akdadd32.dll" | Cialng32.exe
Set value (str) | ThreadingModel = "Apartment" | Ncobeg32.exe
Key created | InProcServer32 | Lgpkobnb.exe
Set value (str) | ThreadingModel = "Apartment" | Jokccnci.exe
Key created | InProcServer32 | Okapcanj.exe
Key created | InProcServer32 | Majlod32.exe
Set value (str) | ThreadingModel = "Apartment" | Macpcccp.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ppffcjlb.dll" | Gflfidpl.exe
Key created | InProcServer32 | Mgnfgh32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Jbfdpfep.dll" | Diekle32.exe
Key created | InProcServer32 | Fbgacebm.exe
Set value (str) | ThreadingModel = "Apartment" | Ckkjmf32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Beehfe32.dll" | Kahqbh32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Bhhjljgp.dll" | Ceablp32.exe
Key created | InProcServer32 | Process not Found
Set value (str) | ThreadingModel = "Apartment" | Jhgonj32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Njmnmahk.dll" | Hfnjlj32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Bbccmikf.dll" | Pfdcjnbn.exe
Key created | InProcServer32 | Alhnag32.exe
Set value (str) | ThreadingModel = "Apartment" | Donlcdgn.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Bepjce32.dll" | Ffihelkm.exe
Set value (str) | ThreadingModel = "Apartment" | Biindo32.exe
Set value (str) | ThreadingModel = "Apartment" | Process not Found
Set value (str) | (Default) = "C:\Windows\SysWow64\Nglcbafp.dll" | Eklgjbca.exe
Key created | InProcServer32 | Bklpglom.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Icmlak32.dll" | Jbegpn32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Jaiiio32.dll" | Process not Found
Key created | InProcServer32 | Iadabljk.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Bdbcadhb.dll" | Process not Found
Set value (str) | ThreadingModel = "Apartment" | Jhengldk.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2068 wrote to memory of 2096 2068 c45c2caf446cff65346c5190403c5a8ff5d80dfaf527f52f5bc133c4cfbcbda3.exe 29 PID 2068 wrote to memory of 2096 2068 c45c2caf446cff65346c5190403c5a8ff5d80dfaf527f52f5bc133c4cfbcbda3.exe 29 PID 2068 wrote to memory of 2096 2068 c45c2caf446cff65346c5190403c5a8ff5d80dfaf527f52f5bc133c4cfbcbda3.exe 29 PID 2068 wrote to memory of 2096 2068 c45c2caf446cff65346c5190403c5a8ff5d80dfaf527f52f5bc133c4cfbcbda3.exe 29 PID 2096 wrote to memory of 2380 2096 Gokpgd32.exe 30 PID 2096 wrote to memory of 2380 2096 Gokpgd32.exe 30 PID 2096 wrote to memory of 2380 2096 Gokpgd32.exe 30 PID 2096 wrote to memory of 2380 2096 Gokpgd32.exe 30 PID 2380 wrote to memory of 2720 2380 Ghcdpjqj.exe 31 PID 2380 wrote to memory of 2720 2380 Ghcdpjqj.exe 31 PID 2380 wrote to memory of 2720 2380 Ghcdpjqj.exe 31 PID 2380 wrote to memory of 2720 2380 Ghcdpjqj.exe 31 PID 2720 wrote to memory of 2740 2720 Hegdinpd.exe 32 PID 2720 wrote to memory of 2740 2720 Hegdinpd.exe 32 PID 2720 wrote to memory of 2740 2720 Hegdinpd.exe 32 PID 2720 wrote to memory of 2740 2720 Hegdinpd.exe 32 PID 2740 wrote to memory of 2748 2740 Hkifld32.exe 33 PID 2740 wrote to memory of 2748 2740 Hkifld32.exe 33 PID 2740 wrote to memory of 2748 2740 Hkifld32.exe 33 PID 2740 wrote to memory of 2748 2740 Hkifld32.exe 33 PID 2748 wrote to memory of 2628 2748 Hddgkj32.exe 34 PID 2748 wrote to memory of 2628 2748 Hddgkj32.exe 34 PID 2748 wrote to memory of 2628 2748 Hddgkj32.exe 34 PID 2748 wrote to memory of 2628 2748 Hddgkj32.exe 34 PID 2628 wrote to memory of 948 2628 Hnllcoed.exe 35 PID 2628 wrote to memory of 948 2628 Hnllcoed.exe 35 PID 2628 wrote to memory of 948 2628 Hnllcoed.exe 35 PID 2628 wrote to memory of 948 2628 Hnllcoed.exe 35 PID 948 wrote to memory of 1920 948 Iopeagip.exe 36 PID 948 wrote to memory of 1920 948 Iopeagip.exe 36 PID 948 wrote to memory of 1920 948 Iopeagip.exe 36 PID 948 wrote to memory of 1920 948 Iopeagip.exe 36 PID 1920 wrote to 
memory of 1304 1920 Icnngeof.exe 37 PID 1920 wrote to memory of 1304 1920 Icnngeof.exe 37 PID 1920 wrote to memory of 1304 1920 Icnngeof.exe 37 PID 1920 wrote to memory of 1304 1920 Icnngeof.exe 37 PID 1304 wrote to memory of 2072 1304 Ihmcelkk.exe 38 PID 1304 wrote to memory of 2072 1304 Ihmcelkk.exe 38 PID 1304 wrote to memory of 2072 1304 Ihmcelkk.exe 38 PID 1304 wrote to memory of 2072 1304 Ihmcelkk.exe 38 PID 2072 wrote to memory of 592 2072 Jgbpfhpc.exe 39 PID 2072 wrote to memory of 592 2072 Jgbpfhpc.exe 39 PID 2072 wrote to memory of 592 2072 Jgbpfhpc.exe 39 PID 2072 wrote to memory of 592 2072 Jgbpfhpc.exe 39 PID 592 wrote to memory of 1816 592 Jmaedolh.exe 40 PID 592 wrote to memory of 1816 592 Jmaedolh.exe 40 PID 592 wrote to memory of 1816 592 Jmaedolh.exe 40 PID 592 wrote to memory of 1816 592 Jmaedolh.exe 40 PID 1816 wrote to memory of 2328 1816 Jcmjfiab.exe 41 PID 1816 wrote to memory of 2328 1816 Jcmjfiab.exe 41 PID 1816 wrote to memory of 2328 1816 Jcmjfiab.exe 41 PID 1816 wrote to memory of 2328 1816 Jcmjfiab.exe 41 PID 2328 wrote to memory of 1516 2328 Jcpglhpo.exe 42 PID 2328 wrote to memory of 1516 2328 Jcpglhpo.exe 42 PID 2328 wrote to memory of 1516 2328 Jcpglhpo.exe 42 PID 2328 wrote to memory of 1516 2328 Jcpglhpo.exe 42 PID 1516 wrote to memory of 2392 1516 Jofhqiec.exe 43 PID 1516 wrote to memory of 2392 1516 Jofhqiec.exe 43 PID 1516 wrote to memory of 2392 1516 Jofhqiec.exe 43 PID 1516 wrote to memory of 2392 1516 Jofhqiec.exe 43 PID 2392 wrote to memory of 2164 2392 Knnagehi.exe 44 PID 2392 wrote to memory of 2164 2392 Knnagehi.exe 44 PID 2392 wrote to memory of 2164 2392 Knnagehi.exe 44 PID 2392 wrote to memory of 2164 2392 Knnagehi.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\c45c2caf446cff65346c5190403c5a8ff5d80dfaf527f52f5bc133c4cfbcbda3.exe"C:\Users\Admin\AppData\Local\Temp\c45c2caf446cff65346c5190403c5a8ff5d80dfaf527f52f5bc133c4cfbcbda3.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Gokpgd32.exeC:\Windows\system32\Gokpgd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Ghcdpjqj.exeC:\Windows\system32\Ghcdpjqj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Hegdinpd.exeC:\Windows\system32\Hegdinpd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Hkifld32.exeC:\Windows\system32\Hkifld32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Hddgkj32.exeC:\Windows\system32\Hddgkj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Hnllcoed.exeC:\Windows\system32\Hnllcoed.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Iopeagip.exeC:\Windows\system32\Iopeagip.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Icnngeof.exeC:\Windows\system32\Icnngeof.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Ihmcelkk.exeC:\Windows\system32\Ihmcelkk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Jgbpfhpc.exeC:\Windows\system32\Jgbpfhpc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Jmaedolh.exeC:\Windows\system32\Jmaedolh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Jcmjfiab.exeC:\Windows\system32\Jcmjfiab.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Jcpglhpo.exeC:\Windows\system32\Jcpglhpo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Jofhqiec.exeC:\Windows\system32\Jofhqiec.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Knnagehi.exeC:\Windows\system32\Knnagehi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Kkbbqjgb.exeC:\Windows\system32\Kkbbqjgb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Kcpcjl32.exeC:\Windows\system32\Kcpcjl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Lmjdia32.exeC:\Windows\system32\Lmjdia32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Licbca32.exeC:\Windows\system32\Licbca32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Lopjlh32.exeC:\Windows\system32\Lopjlh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Macpcccp.exeC:\Windows\system32\Macpcccp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1284 -
C:\Windows\SysWOW64\Ncnoaj32.exeC:\Windows\system32\Ncnoaj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Neaehelb.exeC:\Windows\system32\Neaehelb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Noiiaj32.exeC:\Windows\system32\Noiiaj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Oggkklnk.exeC:\Windows\system32\Oggkklnk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Odkkdqmd.exeC:\Windows\system32\Odkkdqmd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:296 -
C:\Windows\SysWOW64\Oqaliabh.exeC:\Windows\system32\Oqaliabh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Ognakk32.exeC:\Windows\system32\Ognakk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Oceaql32.exeC:\Windows\system32\Oceaql32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Pfekbg32.exeC:\Windows\system32\Pfekbg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Pdkgcd32.exeC:\Windows\system32\Pdkgcd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Piipibff.exeC:\Windows\system32\Piipibff.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Pneiaidn.exeC:\Windows\system32\Pneiaidn.exe34⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe35⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Qjofljho.exeC:\Windows\system32\Qjofljho.exe36⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Qedjib32.exeC:\Windows\system32\Qedjib32.exe37⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Aamhdckg.exeC:\Windows\system32\Aamhdckg.exe38⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Afjplj32.exeC:\Windows\system32\Afjplj32.exe39⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Aeommfnf.exeC:\Windows\system32\Aeommfnf.exe40⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Afojgiei.exeC:\Windows\system32\Afojgiei.exe41⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Anjnllbd.exeC:\Windows\system32\Anjnllbd.exe42⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Anlkakqa.exeC:\Windows\system32\Anlkakqa.exe43⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Blplkp32.exeC:\Windows\system32\Blplkp32.exe44⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Bmdehgcf.exeC:\Windows\system32\Bmdehgcf.exe45⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Bfliqmjg.exeC:\Windows\system32\Bfliqmjg.exe46⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Bkjbgk32.exeC:\Windows\system32\Bkjbgk32.exe47⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Bgablmfa.exeC:\Windows\system32\Bgablmfa.exe48⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Cialng32.exeC:\Windows\system32\Cialng32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Cidhcg32.exeC:\Windows\system32\Cidhcg32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Cgnbepjp.exeC:\Windows\system32\Cgnbepjp.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Dgqokp32.exeC:\Windows\system32\Dgqokp32.exe52⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Djokgk32.exeC:\Windows\system32\Djokgk32.exe53⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Dddodd32.exeC:\Windows\system32\Dddodd32.exe54⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Dcjleq32.exeC:\Windows\system32\Dcjleq32.exe55⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Dlbanfbo.exeC:\Windows\system32\Dlbanfbo.exe56⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Dclikp32.exeC:\Windows\system32\Dclikp32.exe57⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Dppiddie.exeC:\Windows\system32\Dppiddie.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Djhnmj32.exeC:\Windows\system32\Djhnmj32.exe59⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Ecabfpff.exeC:\Windows\system32\Ecabfpff.exe60⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Eklgjbca.exeC:\Windows\system32\Eklgjbca.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Efakhk32.exeC:\Windows\system32\Efakhk32.exe62⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Eojpqpih.exeC:\Windows\system32\Eojpqpih.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Edghighp.exeC:\Windows\system32\Edghighp.exe64⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Ekqqea32.exeC:\Windows\system32\Ekqqea32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Edieng32.exeC:\Windows\system32\Edieng32.exe66⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Eggajb32.exeC:\Windows\system32\Eggajb32.exe67⤵PID:696
-
C:\Windows\SysWOW64\Ejfnfn32.exeC:\Windows\system32\Ejfnfn32.exe68⤵PID:2076
-
C:\Windows\SysWOW64\Edkbdf32.exeC:\Windows\system32\Edkbdf32.exe69⤵
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Fjhjlm32.exeC:\Windows\system32\Fjhjlm32.exe70⤵PID:2016
-
C:\Windows\SysWOW64\Fqbbig32.exeC:\Windows\system32\Fqbbig32.exe71⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Fglkeaqk.exeC:\Windows\system32\Fglkeaqk.exe72⤵PID:1644
-
C:\Windows\SysWOW64\Hepdml32.exeC:\Windows\system32\Hepdml32.exe73⤵PID:836
-
C:\Windows\SysWOW64\Haiagm32.exeC:\Windows\system32\Haiagm32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Ippkni32.exeC:\Windows\system32\Ippkni32.exe75⤵PID:2836
-
C:\Windows\SysWOW64\Ikfokb32.exeC:\Windows\system32\Ikfokb32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2804 -
C:\Windows\SysWOW64\Ipbgci32.exeC:\Windows\system32\Ipbgci32.exe77⤵PID:2584
-
C:\Windows\SysWOW64\Iebmaoed.exeC:\Windows\system32\Iebmaoed.exe78⤵PID:2556
-
C:\Windows\SysWOW64\Jlleni32.exeC:\Windows\system32\Jlleni32.exe79⤵PID:2420
-
C:\Windows\SysWOW64\Jgaikb32.exeC:\Windows\system32\Jgaikb32.exe80⤵PID:2416
-
C:\Windows\SysWOW64\Jomnpdjb.exeC:\Windows\system32\Jomnpdjb.exe81⤵PID:2040
-
C:\Windows\SysWOW64\Jfffmo32.exeC:\Windows\system32\Jfffmo32.exe82⤵PID:2460
-
C:\Windows\SysWOW64\Jookedhp.exeC:\Windows\system32\Jookedhp.exe83⤵PID:1912
-
C:\Windows\SysWOW64\Jhgonj32.exeC:\Windows\system32\Jhgonj32.exe84⤵
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Jndgfqlh.exeC:\Windows\system32\Jndgfqlh.exe85⤵PID:2172
-
C:\Windows\SysWOW64\Jgllof32.exeC:\Windows\system32\Jgllof32.exe86⤵PID:1288
-
C:\Windows\SysWOW64\Jdpmij32.exeC:\Windows\system32\Jdpmij32.exe87⤵PID:772
-
C:\Windows\SysWOW64\Kjmeaa32.exeC:\Windows\system32\Kjmeaa32.exe88⤵PID:1008
-
C:\Windows\SysWOW64\Kgaejeoc.exeC:\Windows\system32\Kgaejeoc.exe89⤵PID:2036
-
C:\Windows\SysWOW64\Kqijck32.exeC:\Windows\system32\Kqijck32.exe90⤵PID:2992
-
C:\Windows\SysWOW64\Knmjmodm.exeC:\Windows\system32\Knmjmodm.exe91⤵PID:880
-
C:\Windows\SysWOW64\Koogdg32.exeC:\Windows\system32\Koogdg32.exe92⤵PID:2256
-
C:\Windows\SysWOW64\Kmbgnl32.exeC:\Windows\system32\Kmbgnl32.exe93⤵PID:2816
-
C:\Windows\SysWOW64\Kbppfb32.exeC:\Windows\system32\Kbppfb32.exe94⤵PID:1992
-
C:\Windows\SysWOW64\Kkhdohnm.exeC:\Windows\system32\Kkhdohnm.exe95⤵PID:3068
-
C:\Windows\SysWOW64\Lfmhla32.exeC:\Windows\system32\Lfmhla32.exe96⤵PID:2952
-
C:\Windows\SysWOW64\Lnhmqc32.exeC:\Windows\system32\Lnhmqc32.exe97⤵PID:2644
-
C:\Windows\SysWOW64\Lebemmbk.exeC:\Windows\system32\Lebemmbk.exe98⤵PID:2892
-
C:\Windows\SysWOW64\Laifbnho.exeC:\Windows\system32\Laifbnho.exe99⤵PID:2132
-
C:\Windows\SysWOW64\Lgcooh32.exeC:\Windows\system32\Lgcooh32.exe100⤵PID:1960
-
C:\Windows\SysWOW64\Lnmglbgh.exeC:\Windows\system32\Lnmglbgh.exe101⤵PID:776
-
C:\Windows\SysWOW64\Llagegfb.exeC:\Windows\system32\Llagegfb.exe102⤵PID:2964
-
C:\Windows\SysWOW64\Leilnllb.exeC:\Windows\system32\Leilnllb.exe103⤵PID:2300
-
C:\Windows\SysWOW64\Mnbpgb32.exeC:\Windows\system32\Mnbpgb32.exe104⤵PID:628
-
C:\Windows\SysWOW64\Maplcm32.exeC:\Windows\system32\Maplcm32.exe105⤵PID:2000
-
C:\Windows\SysWOW64\Mjialchg.exeC:\Windows\system32\Mjialchg.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Mdaedhoh.exeC:\Windows\system32\Mdaedhoh.exe107⤵PID:2880
-
C:\Windows\SysWOW64\Mbfbfe32.exeC:\Windows\system32\Mbfbfe32.exe108⤵PID:2588
-
C:\Windows\SysWOW64\Mlogojjp.exeC:\Windows\system32\Mlogojjp.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1672 -
C:\Windows\SysWOW64\Mlacdj32.exeC:\Windows\system32\Mlacdj32.exe110⤵PID:2104
-
C:\Windows\SysWOW64\Nhhdiknb.exeC:\Windows\system32\Nhhdiknb.exe111⤵PID:1236
-
C:\Windows\SysWOW64\Napibq32.exeC:\Windows\system32\Napibq32.exe112⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Nodikecl.exeC:\Windows\system32\Nodikecl.exe113⤵PID:1780
-
C:\Windows\SysWOW64\Nkkjpf32.exeC:\Windows\system32\Nkkjpf32.exe114⤵PID:1964
-
C:\Windows\SysWOW64\Ndcnik32.exeC:\Windows\system32\Ndcnik32.exe115⤵PID:2120
-
C:\Windows\SysWOW64\Nipgab32.exeC:\Windows\system32\Nipgab32.exe116⤵PID:1052
-
C:\Windows\SysWOW64\Nchkjhdh.exeC:\Windows\system32\Nchkjhdh.exe117⤵PID:2240
-
C:\Windows\SysWOW64\Nibcgb32.exeC:\Windows\system32\Nibcgb32.exe118⤵PID:872
-
C:\Windows\SysWOW64\Odhhdk32.exeC:\Windows\system32\Odhhdk32.exe119⤵
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Ooaiehhj.exeC:\Windows\system32\Ooaiehhj.exe120⤵PID:236
-
C:\Windows\SysWOW64\Ohjmnn32.exeC:\Windows\system32\Ohjmnn32.exe121⤵PID:1300
-
C:\Windows\SysWOW64\Ojijha32.exeC:\Windows\system32\Ojijha32.exe122⤵
- Drops file in System32 directory
PID:1440