Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 12:03

Static task: static1
Behavioral task: behavioral1
  Sample: e3a02935513ca184f7842507fd6cf0f4d5e7f6d6bded2ad4e8c9f52ae5bb6f8bN.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: e3a02935513ca184f7842507fd6cf0f4d5e7f6d6bded2ad4e8c9f52ae5bb6f8bN.exe
  Resource: win10v2004-20241007-en
General
Target: e3a02935513ca184f7842507fd6cf0f4d5e7f6d6bded2ad4e8c9f52ae5bb6f8bN.exe
Size: 136KB
MD5: e24c03d05f19680c91b130fd05b949e0
SHA1: 0d935e55aec02afb788bc653b3aa5e39d47b8288
SHA256: e3a02935513ca184f7842507fd6cf0f4d5e7f6d6bded2ad4e8c9f52ae5bb6f8b
SHA512: 05c54b762d073d8d0d379fe02a1c465c5fbb162ffd563e64d7c18097df7440d37adc321e06b6c92de82ca4cd5d44c4d6af48a4879d23cd64b407bf46a82ae026
SSDEEP: 3072:2hmcFxjoJx4HpdSyPmpQysohLwdNbw+Y92xQuohLwdNbw5bxH0zVWccA:k7joJxapcAG3sohxd2Quohdbd0zscj
Malware Config
Extracted: berbew
URLs:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (30 IoCs), by process:
  Ggppcjgp.exe, Gnbjhkpp.exe, Pkdnokff.exe, Caohipan.exe, Process not Found, Ciogff32.exe, Cpklhpag.exe, Gpcdfjoj.exe, Bllpkq32.exe, Kfmmin32.exe, Lemqbjlo.exe, Process not Found, Ikdafofp.exe, Mfbpkk32.exe, Ejcfbfqg.exe, Jjpmnd32.exe, Nleeqbhl.exe, Akdgehhd.exe, Affgedna.exe, Dpdhdheq.exe, Process not Found, Fhqiai32.exe, Gfnkdh32.exe, Npdklmej.exe, Giokpimi.exe, Hgmopldh.exe, Kqooen32.exe, Dbmdjn32.exe, Nlpelmgi.exe, Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (34 IoCs), by process:
  Oakida32.exe, Process not Found, Ilpfnlil.exe, Hclidnpd.exe, Djilaaef.exe, Dmhimmdj.exe, Jcenfd32.exe, Mhmcjpdg.exe, Pocdjfcd.exe, Jqhpoeno.exe, Njkile32.exe, Hiddkh32.exe, Jglqlc32.exe, Kqooen32.exe, Biedpg32.exe, Mhhcejea.exe, Jfdodm32.exe, Jqkleell.exe, Efopbf32.exe, Ebpqab32.exe, Process not Found, Iqmpcg32.exe, Olcabpkl.exe, Lomhbbmm.exe, Ehlpfjkl.exe, Dfpmfbkk.exe, Process not Found, Hicnqb32.exe, Oihhfj32.exe, Mapqci32.exe, Chkmkjfh.exe, Njgnahkk.exe, Process not Found, Dmcobm32.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid   Process
1492  Cfhhepjm.exe
3820  Cnopfnko.exe
2508  Canlbi32.exe
2576  Cfjejp32.exe
1764  Doamlm32.exe
1668  Ddnedd32.exe
2808  Dfmapp32.exe
3604  Dmgjmjnd.exe
1664  Ddqbicea.exe
4332  Dkkjfn32.exe
4480  Dadbchdk.exe
3076  Dfakkobb.exe
4156  Dmkchi32.exe
1688  Ddekdc32.exe
2344  Dkocamhi.exe
4956  Dailng32.exe
3752  Ddhhjb32.exe
2112  Eomlgk32.exe
4992  Ealhcg32.exe
1636  Edjepb32.exe
2960  Eopimkml.exe
460   Embihh32.exe
4140  Edlaebkd.exe
1480  Egknanjg.exe
3032  Emefng32.exe
3552  Edonkaia.exe
4232  Ekifglpn.exe
2952  Emgbcgoa.exe
1848  Eenkedpd.exe
2660  Ekkcmknk.exe
1876  Eaekje32.exe
4072  Fhocfpme.exe
1368  Fnllof32.exe
2684  Fecdpd32.exe
3168  Fhaplo32.exe
1228  Fkpmhk32.exe
1816  Fnnidf32.exe
4868  Fdhaapqf.exe
4920  Fgfmmlpj.exe
3156  Falajd32.exe
648   Fhfjgogm.exe
4416  Fkdfcjfq.exe
472   Fncboeed.exe
1996  Fejjqcff.exe
2608  Fgkfhk32.exe
4292  Fneoeeca.exe
116   Ghkcbn32.exe
4656  Goekohjd.exe
4180  Geoclb32.exe
1160  Ggppcjgp.exe
2928  Gaedqc32.exe
1156  Geapabpo.exe
1132  Gnleedmj.exe
3112  Gecmganl.exe
5040  Ggdinj32.exe
1128  Golapg32.exe
636   Gajnlb32.exe
4440  Ghdfhm32.exe
5116  Gkbbdh32.exe
1164  Gnanqc32.exe
3492  Hfhfba32.exe
1280  Hhfbnl32.exe
2828  Hoqkkfpg.exe
1448  Hboggbok.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Ncjnhg32.exe | Nlpelmgi.exe
File created | C:\Windows\SysWOW64\Pgmham32.dll | Bgpomp32.exe
File created | C:\Windows\SysWOW64\Dpgldn32.exe | Dimcgdpm.exe
File created | C:\Windows\SysWOW64\Nkonpjkn.dll | Inejhj32.exe
File created | C:\Windows\SysWOW64\Aefhbh32.exe | Acglfm32.exe
File opened for modification | C:\Windows\SysWOW64\Dbmdjn32.exe | Doohnc32.exe
File created | C:\Windows\SysWOW64\Eehpok32.dll | Eopimkml.exe
File opened for modification | C:\Windows\SysWOW64\Ciogff32.exe | Cjlgjieb.exe
File created | C:\Windows\SysWOW64\Epnaikkk.dll | Pihamhpo.exe
File opened for modification | C:\Windows\SysWOW64\Kfmmin32.exe | Kcoamb32.exe
File created | C:\Windows\SysWOW64\Elplcpbi.dll | Hnjagb32.exe
File opened for modification | C:\Windows\SysWOW64\Gbhpiodj.exe | Gpicmc32.exe
File created | C:\Windows\SysWOW64\Egingkde.dll | Aokikhdb.exe
File created | C:\Windows\SysWOW64\Affgedna.exe | Ahcgig32.exe
File created | C:\Windows\SysWOW64\Jbmloneh.exe | Jnapno32.exe
File created | C:\Windows\SysWOW64\Jgdccckd.dll | Jiminnok.exe
File created | C:\Windows\SysWOW64\Mfielj32.exe | Mckioo32.exe
File opened for modification | C:\Windows\SysWOW64\Ghdfhm32.exe | Gajnlb32.exe
File created | C:\Windows\SysWOW64\Cjqqei32.exe | Cgbdim32.exe
File created | C:\Windows\SysWOW64\Okngmo32.dll | Diopmdnj.exe
File opened for modification | C:\Windows\SysWOW64\Ligfho32.exe | Lnabkfkq.exe
File opened for modification | C:\Windows\SysWOW64\Poejeo32.exe | Plfnicob.exe
File created | C:\Windows\SysWOW64\Jdahpneo.exe | Jngpcd32.exe
File opened for modification | C:\Windows\SysWOW64\Jcenfd32.exe | Jpgbjh32.exe
File opened for modification | C:\Windows\SysWOW64\Lfnfpl32.exe | Lcojcppn.exe
File created | C:\Windows\SysWOW64\Ddmfac32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Fjakin32.exe | Fbjcgq32.exe
File opened for modification | C:\Windows\SysWOW64\Efopbf32.exe | Ehlpfjkl.exe
File created | C:\Windows\SysWOW64\Qpandk32.dll | Oecbfk32.exe
File created | C:\Windows\SysWOW64\Bpbcph32.dll | Jlafop32.exe
File created | C:\Windows\SysWOW64\Icdhdn32.dll | Pegefdho.exe
File created | C:\Windows\SysWOW64\Hepanb32.dll | Efiibk32.exe
File created | C:\Windows\SysWOW64\Bafnnbje.dll | Lqangeqj.exe
File opened for modification | C:\Windows\SysWOW64\Nqojic32.exe | Mnqnmg32.exe
File created | C:\Windows\SysWOW64\Mggipdnk.dll | Efmclgdi.exe
File created | C:\Windows\SysWOW64\Bahaha32.exe | Bknilg32.exe
File created | C:\Windows\SysWOW64\Cjdjhd32.dll | Lfkijlqd.exe
File created | C:\Windows\SysWOW64\Ocieqmiq.exe | Oakida32.exe
File created | C:\Windows\SysWOW64\Ihbbjk32.exe | Ifdfno32.exe
File opened for modification | C:\Windows\SysWOW64\Afcjpd32.exe | Ahqjdgij.exe
File created | C:\Windows\SysWOW64\Algfpjja.dll | Opinnjcb.exe
File opened for modification | C:\Windows\SysWOW64\Gfibihab.exe | Gnbjhkpp.exe
File opened for modification | C:\Windows\SysWOW64\Cnbenk32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Lnabkfkq.exe | Lkcfoklm.exe
File opened for modification | C:\Windows\SysWOW64\Nbigna32.exe | Nhcbqh32.exe
File opened for modification | C:\Windows\SysWOW64\Cilcfpjd.exe | Cfmgjekp.exe
File opened for modification | C:\Windows\SysWOW64\Lfdcjm32.exe | Lcfgma32.exe
File created | C:\Windows\SysWOW64\Lomhbbmm.exe | Lnkkkj32.exe
File created | C:\Windows\SysWOW64\Oaemkkba.dll | Bqmlae32.exe
File opened for modification | C:\Windows\SysWOW64\Qahpljid.exe | Qojcpnjq.exe
File created | C:\Windows\SysWOW64\Lckqha32.exe | Loodhbkj.exe
File created | C:\Windows\SysWOW64\Enhfnn32.dll | Pmdpfp32.exe
File created | C:\Windows\SysWOW64\Bfeknmgf.exe | Bcfobahc.exe
File created | C:\Windows\SysWOW64\Bldojnhi.dll | Bijnkgpb.exe
File opened for modification | C:\Windows\SysWOW64\Gkbkjbfe.exe | Ggfoic32.exe
File created | C:\Windows\SysWOW64\Oandonoa.exe | Nopgcbpn.exe
File opened for modification | C:\Windows\SysWOW64\Paomfkao.exe | Pclmjn32.exe
File created | C:\Windows\SysWOW64\Ecdioi32.dll | Aldjja32.exe
File created | C:\Windows\SysWOW64\Koceldeg.exe | Knbhdl32.exe
File created | C:\Windows\SysWOW64\Iekplf32.dll | Icohfelc.exe
File opened for modification | C:\Windows\SysWOW64\Hboggbok.exe | Hoqkkfpg.exe
File created | C:\Windows\SysWOW64\Ifgbpd32.dll | Gmgepo32.exe
File created | C:\Windows\SysWOW64\Cbdhof32.exe | Ccahcijj.exe
File opened for modification | C:\Windows\SysWOW64\Ddhhjb32.exe | Dailng32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
7816 | 7172 | Process not Found | 1210
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 IoCs), by process:
  Bompgbmg.exe, Nagnno32.exe, Doamlm32.exe, Afilbnad.exe, Kjhjijog.exe, Kmjien32.exe, Njjban32.exe, Epbdef32.exe, Klgeehda.exe, Oppffn32.exe, Hnpgfm32.exe, Mebqhp32.exe, Mnpold32.exe, Cfmgjekp.exe, Dbnked32.exe, Jfpeinel.exe, Jnapno32.exe, Khchmc32.exe, Jolole32.exe, Obnpiqfd.exe, Process not Found, Bjfgedel.exe, Emchik32.exe, Dmeemgba.exe, Edjepb32.exe, Jffljm32.exe, Nbchhhdm.exe, Ejailfbj.exe, Kiijgaff.exe, Ohndgjio.exe, Process not Found, Djlpag32.exe, Pclmjn32.exe, Lepmhijl.exe, Hblbihli.exe, Process not Found, Iilepi32.exe, Pajckl32.exe, Epmkjgmf.exe, Jcdhkk32.exe, Gdefhh32.exe, Llhpjj32.exe, Fjakin32.exe, Ioiioh32.exe, Aagbgm32.exe, Gnanqc32.exe, Pocdjfcd.exe, Acoiab32.exe, Qmlmaemp.exe, Mqhchdjb.exe, Process not Found, Fkpmhk32.exe, Dcpkom32.exe, Inbfhdag.exe, Dboapn32.exe, Hobcoibm.exe, Process not Found, Mhjpjj32.exe, Giheoj32.exe, Ondjck32.exe, Ekcedb32.exe, Process not Found, Fnllof32.exe, Kgqdmmil.exe
Modifies registry class (64 IoCs)
All 64 entries are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32.
Key created (18 IoCs), by process:
  Loodhbkj.exe, Fpqgakql.exe, Process not Found, Process not Found, Dfmapp32.exe, Oeafpk32.exe, Hdnbcqed.exe, Gldnkpal.exe, Jlgcia32.exe, Bkcjam32.exe, Aplohj32.exe, Mlofji32.exe, Dmgacfqo.exe, Ddqbicea.exe, Dcmgog32.exe, Oandonoa.exe, Gmhcqb32.exe, Ocplal32.exe
Set value (str) ThreadingModel = "Apartment" (20 IoCs), by process:
  Hboggbok.exe, Ggdbdc32.exe, Mmodme32.exe, Hoqkkfpg.exe, Ijigme32.exe, Fgkpne32.exe, Keneqi32.exe, Oogdngna.exe, Process not Found, Fhcfgi32.exe, Qkkdojpo.exe, Eiffmc32.exe, Iibalfmd.exe, Ifklnn32.exe, Onafcegd.exe, Kjamohfm.exe, Fkdfcjfq.exe, Mgbcod32.exe, Acobgljo.exe, Edlaebkd.exe
Set value (str) (Default) = DLL path (26 IoCs):
  DLL path | Process
  C:\Windows\SysWow64\Ndebdlnb.dll | Qojcpnjq.exe
  C:\Windows\SysWow64\Inhaeo32.dll | Ggafndba.exe
  C:\Windows\SysWow64\Pkhodo32.dll | Niqbeldi.exe
  C:\Windows\SysWow64\Onpafg32.dll | Ponddp32.exe
  C:\Windows\SysWow64\Apbcei32.dll | Efbcalel.exe
  C:\Windows\SysWow64\Pfakjkqa.dll | Infabq32.exe
  C:\Windows\SysWow64\Pfiaonkh.dll | Bfinoe32.exe
  C:\Windows\SysWow64\Enhfnn32.dll | Pmdpfp32.exe
  C:\Windows\SysWow64\Ijajfhpm.dll | Ifmidn32.exe
  C:\Windows\SysWow64\Epgmccnp.dll | Nhafkimf.exe
  C:\Windows\SysWow64\Qpandk32.dll | Oecbfk32.exe
  C:\Windows\SysWow64\Pihdnokh.dll | Feelcfnd.exe
  C:\Windows\SysWow64\Njjfda32.dll | Ljjikqkf.exe
  C:\Windows\SysWow64\Fndinnim.dll | Process not Found
  C:\Windows\SysWow64\Hjefhj32.dll | Process not Found
  C:\Windows\SysWow64\Gjicia32.dll | Doohnc32.exe
  C:\Windows\SysWow64\Pgopdb32.dll | Imhmgpff.exe
  C:\Windows\SysWow64\Iefifd32.dll | Nobjdpke.exe
  C:\Windows\SysWow64\Qlpopdnc.dll | Pcnipn32.exe
  C:\Windows\SysWow64\Adeanbbp.dll | Kcdabhmg.exe
  C:\Windows\SysWow64\Jepboe32.dll | Process not Found
  C:\Windows\SysWow64\Ahcbjc32.dll | Mnnagh32.exe
  C:\Windows\SysWow64\Lncgbkpp.dll | Mhjpjj32.exe
  C:\Windows\SysWow64\Hpabdhgp.dll | Cmnfgnle.exe
  C:\Windows\SysWow64\Phciljjf.dll | Cfgjpcce.exe
  C:\Windows\SysWow64\Qkaaeoop.dll | Ljeppa32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3272 wrote to memory of 1492 3272 e3a02935513ca184f7842507fd6cf0f4d5e7f6d6bded2ad4e8c9f52ae5bb6f8bN.exe 83
PID 3272 wrote to memory of 1492 3272 e3a02935513ca184f7842507fd6cf0f4d5e7f6d6bded2ad4e8c9f52ae5bb6f8bN.exe 83
PID 3272 wrote to memory of 1492 3272 e3a02935513ca184f7842507fd6cf0f4d5e7f6d6bded2ad4e8c9f52ae5bb6f8bN.exe 83
PID 1492 wrote to memory of 3820 1492 Cfhhepjm.exe 84
PID 1492 wrote to memory of 3820 1492 Cfhhepjm.exe 84
PID 1492 wrote to memory of 3820 1492 Cfhhepjm.exe 84
PID 3820 wrote to memory of 2508 3820 Cnopfnko.exe 86
PID 3820 wrote to memory of 2508 3820 Cnopfnko.exe 86
PID 3820 wrote to memory of 2508 3820 Cnopfnko.exe 86
PID 2508 wrote to memory of 2576 2508 Canlbi32.exe 87
PID 2508 wrote to memory of 2576 2508 Canlbi32.exe 87
PID 2508 wrote to memory of 2576 2508 Canlbi32.exe 87
PID 2576 wrote to memory of 1764 2576 Cfjejp32.exe 88
PID 2576 wrote to memory of 1764 2576 Cfjejp32.exe 88
PID 2576 wrote to memory of 1764 2576 Cfjejp32.exe 88
PID 1764 wrote to memory of 1668 1764 Doamlm32.exe 89
PID 1764 wrote to memory of 1668 1764 Doamlm32.exe 89
PID 1764 wrote to memory of 1668 1764 Doamlm32.exe 89
PID 1668 wrote to memory of 2808 1668 Ddnedd32.exe 91
PID 1668 wrote to memory of 2808 1668 Ddnedd32.exe 91
PID 1668 wrote to memory of 2808 1668 Ddnedd32.exe 91
PID 2808 wrote to memory of 3604 2808 Dfmapp32.exe 92
PID 2808 wrote to memory of 3604 2808 Dfmapp32.exe 92
PID 2808 wrote to memory of 3604 2808 Dfmapp32.exe 92
PID 3604 wrote to memory of 1664 3604 Dmgjmjnd.exe 93
PID 3604 wrote to memory of 1664 3604 Dmgjmjnd.exe 93
PID 3604 wrote to memory of 1664 3604 Dmgjmjnd.exe 93
PID 1664 wrote to memory of 4332 1664 Ddqbicea.exe 94
PID 1664 wrote to memory of 4332 1664 Ddqbicea.exe 94
PID 1664 wrote to memory of 4332 1664 Ddqbicea.exe 94
PID 4332 wrote to memory of 4480 4332 Dkkjfn32.exe 96
PID 4332 wrote to memory of 4480 4332 Dkkjfn32.exe 96
PID 4332 wrote to memory of 4480 4332 Dkkjfn32.exe 96
PID 4480 wrote to memory of 3076 4480 Dadbchdk.exe 97
PID 4480 wrote to memory of 3076 4480 Dadbchdk.exe 97
PID 4480 wrote to memory of 3076 4480 Dadbchdk.exe 97
PID 3076 wrote to memory of 4156 3076 Dfakkobb.exe 98
PID 3076 wrote to memory of 4156 3076 Dfakkobb.exe 98
PID 3076 wrote to memory of 4156 3076 Dfakkobb.exe 98
PID 4156 wrote to memory of 1688 4156 Dmkchi32.exe 99
PID 4156 wrote to memory of 1688 4156 Dmkchi32.exe 99
PID 4156 wrote to memory of 1688 4156 Dmkchi32.exe 99
PID 1688 wrote to memory of 2344 1688 Ddekdc32.exe 100
PID 1688 wrote to memory of 2344 1688 Ddekdc32.exe 100
PID 1688 wrote to memory of 2344 1688 Ddekdc32.exe 100
PID 2344 wrote to memory of 4956 2344 Dkocamhi.exe 101
PID 2344 wrote to memory of 4956 2344 Dkocamhi.exe 101
PID 2344 wrote to memory of 4956 2344 Dkocamhi.exe 101
PID 4956 wrote to memory of 3752 4956 Dailng32.exe 102
PID 4956 wrote to memory of 3752 4956 Dailng32.exe 102
PID 4956 wrote to memory of 3752 4956 Dailng32.exe 102
PID 3752 wrote to memory of 2112 3752 Ddhhjb32.exe 103
PID 3752 wrote to memory of 2112 3752 Ddhhjb32.exe 103
PID 3752 wrote to memory of 2112 3752 Ddhhjb32.exe 103
PID 2112 wrote to memory of 4992 2112 Eomlgk32.exe 104
PID 2112 wrote to memory of 4992 2112 Eomlgk32.exe 104
PID 2112 wrote to memory of 4992 2112 Eomlgk32.exe 104
PID 4992 wrote to memory of 1636 4992 Ealhcg32.exe 105
PID 4992 wrote to memory of 1636 4992 Ealhcg32.exe 105
PID 4992 wrote to memory of 1636 4992 Ealhcg32.exe 105
PID 1636 wrote to memory of 2960 1636 Edjepb32.exe 106
PID 1636 wrote to memory of 2960 1636 Edjepb32.exe 106
PID 1636 wrote to memory of 2960 1636 Edjepb32.exe 106
PID 2960 wrote to memory of 460 2960 Eopimkml.exe 107
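Added example (Python, not part of this sandbox report): a script that rebuilds the parent-to-child spawn chain from rows in the format of the WriteProcessMemory table above and reports whether it looks like a dropper relay, in which each dropped binary launches exactly one successor and then hands over. The 21 embedded rows are copied from the first seven hops of the table; the DROPPER_NAME heuristic and the min_hops threshold are assumptions based on the names seen in this report, not a published rule.

```python
"""Rebuild the spawn chain from a flattened 'wrote to memory of' table.

Added example: parses rows in the format the sandbox prints and reports
whether the chain looks like a dropper relay (each dropped binary launches
exactly one successor). Not part of the original report.
"""
import re
from collections import defaultdict

# Constructed input: the first seven hops of the report's table, verbatim
# (three writes per spawn, as the sandbox recorded them).
SAMPLE_ROWS = """\
PID 3272 wrote to memory of 1492 3272 e3a02935513ca184f7842507fd6cf0f4d5e7f6d6bded2ad4e8c9f52ae5bb6f8bN.exe 83
PID 3272 wrote to memory of 1492 3272 e3a02935513ca184f7842507fd6cf0f4d5e7f6d6bded2ad4e8c9f52ae5bb6f8bN.exe 83
PID 3272 wrote to memory of 1492 3272 e3a02935513ca184f7842507fd6cf0f4d5e7f6d6bded2ad4e8c9f52ae5bb6f8bN.exe 83
PID 1492 wrote to memory of 3820 1492 Cfhhepjm.exe 84
PID 1492 wrote to memory of 3820 1492 Cfhhepjm.exe 84
PID 1492 wrote to memory of 3820 1492 Cfhhepjm.exe 84
PID 3820 wrote to memory of 2508 3820 Cnopfnko.exe 86
PID 3820 wrote to memory of 2508 3820 Cnopfnko.exe 86
PID 3820 wrote to memory of 2508 3820 Cnopfnko.exe 86
PID 2508 wrote to memory of 2576 2508 Canlbi32.exe 87
PID 2508 wrote to memory of 2576 2508 Canlbi32.exe 87
PID 2508 wrote to memory of 2576 2508 Canlbi32.exe 87
PID 2576 wrote to memory of 1764 2576 Cfjejp32.exe 88
PID 2576 wrote to memory of 1764 2576 Cfjejp32.exe 88
PID 2576 wrote to memory of 1764 2576 Cfjejp32.exe 88
PID 1764 wrote to memory of 1668 1764 Doamlm32.exe 89
PID 1764 wrote to memory of 1668 1764 Doamlm32.exe 89
PID 1764 wrote to memory of 1668 1764 Doamlm32.exe 89
PID 1668 wrote to memory of 2808 1668 Ddnedd32.exe 91
PID 1668 wrote to memory of 2808 1668 Ddnedd32.exe 91
PID 1668 wrote to memory of 2808 1668 Ddnedd32.exe 91
"""

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target row id>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# Heuristic (assumption, derived from the names in this report): eight
# characters, capitalised, lower-case letters or a trailing "32", then .exe.
DROPPER_NAME = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$")


def parse_rows(text):
    """Map (writer_pid, target_pid) -> {'image': writer image, 'writes': count}."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, pid, image, _row_id = m.groups()
        if src != pid:            # the pid column repeats the writer; skip garbled rows
            continue
        rec = edges.setdefault((int(src), int(dst)), {"image": image, "writes": 0})
        rec["writes"] += 1
    return edges


def spawn_chain(edges):
    """Walk from the single root (a writer that is never a target) down the chain.

    Stops at the first process with more than one target, so the result is
    the longest strictly linear prefix of the tree.
    """
    writers = {w for w, _ in edges}
    targets = {t for _, t in edges}
    roots = writers - targets
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, got {sorted(roots)}")
    children = defaultdict(list)
    for w, t in edges:
        children[w].append(t)
    chain = [roots.pop()]
    while len(children.get(chain[-1], [])) == 1:
        chain.append(children[chain[-1]][0])
    return chain


def relay_verdict(edges, min_hops=5):
    """Long, linear, every dropped image random-looking and distinct -> relay."""
    chain = spawn_chain(edges)
    hops = [edges[(chain[i], chain[i + 1])] for i in range(len(chain) - 1)]
    images = [h["image"] for h in hops]
    dropped = images[1:]          # everything after the submitted sample itself
    return {
        "chain": chain,
        "images": images,
        "writes_per_hop": [h["writes"] for h in hops],
        "suspicious": (
            len(hops) >= min_hops
            and all(DROPPER_NAME.match(name) for name in dropped)
            and len(set(dropped)) == len(dropped)
        ),
    }


if __name__ == "__main__":
    v = relay_verdict(parse_rows(SAMPLE_ROWS))
    print(" -> ".join(str(pid) for pid in v["chain"]))
    print("suspicious relay:", v["suspicious"])
```

Fed the full 64-row table, the chain has 22 hops and ends at PID 460 (Embihh32.exe in the process tree below); the tree keeps going past that point only because the table stops at the sandbox's 64-IoC cap, so the tree, not this table, is the complete record of the chain.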
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3a02935513ca184f7842507fd6cf0f4d5e7f6d6bded2ad4e8c9f52ae5bb6f8bN.exe"C:\Users\Admin\AppData\Local\Temp\e3a02935513ca184f7842507fd6cf0f4d5e7f6d6bded2ad4e8c9f52ae5bb6f8bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Cfhhepjm.exeC:\Windows\system32\Cfhhepjm.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Cnopfnko.exeC:\Windows\system32\Cnopfnko.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Canlbi32.exeC:\Windows\system32\Canlbi32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Cfjejp32.exeC:\Windows\system32\Cfjejp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Doamlm32.exeC:\Windows\system32\Doamlm32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Ddnedd32.exeC:\Windows\system32\Ddnedd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Dfmapp32.exeC:\Windows\system32\Dfmapp32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Dmgjmjnd.exeC:\Windows\system32\Dmgjmjnd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Ddqbicea.exeC:\Windows\system32\Ddqbicea.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Dkkjfn32.exeC:\Windows\system32\Dkkjfn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Dadbchdk.exeC:\Windows\system32\Dadbchdk.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Dfakkobb.exeC:\Windows\system32\Dfakkobb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Dmkchi32.exeC:\Windows\system32\Dmkchi32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Ddekdc32.exeC:\Windows\system32\Ddekdc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Dkocamhi.exeC:\Windows\system32\Dkocamhi.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Dailng32.exeC:\Windows\system32\Dailng32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Ddhhjb32.exeC:\Windows\system32\Ddhhjb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Eomlgk32.exeC:\Windows\system32\Eomlgk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Ealhcg32.exeC:\Windows\system32\Ealhcg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Edjepb32.exeC:\Windows\system32\Edjepb32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Eopimkml.exeC:\Windows\system32\Eopimkml.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Embihh32.exeC:\Windows\system32\Embihh32.exe23⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Edlaebkd.exeC:\Windows\system32\Edlaebkd.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4140 -
C:\Windows\SysWOW64\Egknanjg.exeC:\Windows\system32\Egknanjg.exe25⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Emefng32.exeC:\Windows\system32\Emefng32.exe26⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Edonkaia.exeC:\Windows\system32\Edonkaia.exe27⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Ekifglpn.exeC:\Windows\system32\Ekifglpn.exe28⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Emgbcgoa.exeC:\Windows\system32\Emgbcgoa.exe29⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Eenkedpd.exeC:\Windows\system32\Eenkedpd.exe30⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Ekkcmknk.exeC:\Windows\system32\Ekkcmknk.exe31⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Eaekje32.exeC:\Windows\system32\Eaekje32.exe32⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Fhocfpme.exeC:\Windows\system32\Fhocfpme.exe33⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Fnllof32.exeC:\Windows\system32\Fnllof32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\Fecdpd32.exeC:\Windows\system32\Fecdpd32.exe35⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Fhaplo32.exeC:\Windows\system32\Fhaplo32.exe36⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Fkpmhk32.exeC:\Windows\system32\Fkpmhk32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1228 -
C:\Windows\SysWOW64\Fnnidf32.exeC:\Windows\system32\Fnnidf32.exe38⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Fdhaapqf.exeC:\Windows\system32\Fdhaapqf.exe39⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Fgfmmlpj.exeC:\Windows\system32\Fgfmmlpj.exe40⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Falajd32.exeC:\Windows\system32\Falajd32.exe41⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Fhfjgogm.exeC:\Windows\system32\Fhfjgogm.exe42⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Fkdfcjfq.exeC:\Windows\system32\Fkdfcjfq.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4416 -
C:\Windows\SysWOW64\Fncboeed.exeC:\Windows\system32\Fncboeed.exe44⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Fejjqcff.exeC:\Windows\system32\Fejjqcff.exe45⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Fgkfhk32.exeC:\Windows\system32\Fgkfhk32.exe46⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Fneoeeca.exeC:\Windows\system32\Fneoeeca.exe47⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Ghkcbn32.exeC:\Windows\system32\Ghkcbn32.exe48⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Goekohjd.exeC:\Windows\system32\Goekohjd.exe49⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Geoclb32.exeC:\Windows\system32\Geoclb32.exe50⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Ggppcjgp.exeC:\Windows\system32\Ggppcjgp.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Gaedqc32.exeC:\Windows\system32\Gaedqc32.exe52⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Geapabpo.exeC:\Windows\system32\Geapabpo.exe53⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Gnleedmj.exeC:\Windows\system32\Gnleedmj.exe54⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Gecmganl.exeC:\Windows\system32\Gecmganl.exe55⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Ggdinj32.exeC:\Windows\system32\Ggdinj32.exe56⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Golapg32.exeC:\Windows\system32\Golapg32.exe57⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Gajnlb32.exeC:\Windows\system32\Gajnlb32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\Ghdfhm32.exeC:\Windows\system32\Ghdfhm32.exe59⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Gkbbdh32.exeC:\Windows\system32\Gkbbdh32.exe60⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Gnanqc32.exeC:\Windows\system32\Gnanqc32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Hfhfba32.exeC:\Windows\system32\Hfhfba32.exe62⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Hhfbnl32.exeC:\Windows\system32\Hhfbnl32.exe63⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Hoqkkfpg.exeC:\Windows\system32\Hoqkkfpg.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Hboggbok.exeC:\Windows\system32\Hboggbok.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Hdmccmno.exeC:\Windows\system32\Hdmccmno.exe66⤵PID:4308
-
C:\Windows\SysWOW64\Hkglpgfk.exeC:\Windows\system32\Hkglpgfk.exe67⤵PID:1556
-
C:\Windows\SysWOW64\Hbadla32.exeC:\Windows\system32\Hbadla32.exe68⤵PID:1392
-
C:\Windows\SysWOW64\Hhklilde.exeC:\Windows\system32\Hhklilde.exe69⤵PID:1080
-
C:\Windows\SysWOW64\Hgnldh32.exeC:\Windows\system32\Hgnldh32.exe70⤵PID:3992
-
C:\Windows\SysWOW64\Hnhdabcl.exeC:\Windows\system32\Hnhdabcl.exe71⤵PID:3532
-
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe72⤵PID:2100
-
C:\Windows\SysWOW64\Hnjagb32.exeC:\Windows\system32\Hnjagb32.exe73⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Hhpedk32.exeC:\Windows\system32\Hhpedk32.exe74⤵PID:1124
-
C:\Windows\SysWOW64\Hbhjmqgp.exeC:\Windows\system32\Hbhjmqgp.exe75⤵PID:2012
-
C:\Windows\SysWOW64\Ifdfno32.exeC:\Windows\system32\Ifdfno32.exe76⤵
- Drops file in System32 directory
PID:3100 -
C:\Windows\SysWOW64\Ihbbjk32.exeC:\Windows\system32\Ihbbjk32.exe77⤵PID:4568
-
C:\Windows\SysWOW64\Ioljfe32.exeC:\Windows\system32\Ioljfe32.exe78⤵PID:3056
-
C:\Windows\SysWOW64\Iffbcomf.exeC:\Windows\system32\Iffbcomf.exe79⤵PID:1504
-
C:\Windows\SysWOW64\Iidoojlj.exeC:\Windows\system32\Iidoojlj.exe80⤵PID:3616
-
C:\Windows\SysWOW64\Iggokg32.exeC:\Windows\system32\Iggokg32.exe81⤵PID:3884
-
C:\Windows\SysWOW64\Inaggaka.exeC:\Windows\system32\Inaggaka.exe82⤵PID:456
-
C:\Windows\SysWOW64\Ifhoiokd.exeC:\Windows\system32\Ifhoiokd.exe83⤵PID:4744
-
C:\Windows\SysWOW64\Iiglejjg.exeC:\Windows\system32\Iiglejjg.exe84⤵PID:3740
-
C:\Windows\SysWOW64\Ioadadbd.exeC:\Windows\system32\Ioadadbd.exe85⤵PID:4316
-
C:\Windows\SysWOW64\Ibopnpah.exeC:\Windows\system32\Ibopnpah.exe86⤵PID:2476
-
C:\Windows\SysWOW64\Ifklnn32.exeC:\Windows\system32\Ifklnn32.exe87⤵
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Infabq32.exeC:\Windows\system32\Infabq32.exe88⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Ifmidn32.exeC:\Windows\system32\Ifmidn32.exe89⤵
- Modifies registry class
PID:4616 -
C:\Windows\SysWOW64\Iilepi32.exeC:\Windows\system32\Iilepi32.exe90⤵
- System Location Discovery: System Language Discovery
PID:5180 -
C:\Windows\SysWOW64\Inhnhp32.exeC:\Windows\system32\Inhnhp32.exe91⤵PID:5224
-
C:\Windows\SysWOW64\Jfpeinel.exeC:\Windows\system32\Jfpeinel.exe92⤵
- System Location Discovery: System Language Discovery
PID:5264 -
C:\Windows\SysWOW64\Jklnadcc.exeC:\Windows\system32\Jklnadcc.exe93⤵PID:5312
-
C:\Windows\SysWOW64\Jfbbomci.exeC:\Windows\system32\Jfbbomci.exe94⤵PID:5356
-
C:\Windows\SysWOW64\Jkokgdaq.exeC:\Windows\system32\Jkokgdaq.exe95⤵PID:5404
-
C:\Windows\SysWOW64\Jfdodm32.exeC:\Windows\system32\Jfdodm32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5448 -
C:\Windows\SysWOW64\Jgeklege.exeC:\Windows\system32\Jgeklege.exe97⤵PID:5492
-
C:\Windows\SysWOW64\Jffljm32.exeC:\Windows\system32\Jffljm32.exe98⤵
- System Location Discovery: System Language Discovery
PID:5536 -
C:\Windows\SysWOW64\Jiehfh32.exeC:\Windows\system32\Jiehfh32.exe99⤵PID:5580
-
C:\Windows\SysWOW64\Jkcdbc32.exeC:\Windows\system32\Jkcdbc32.exe100⤵PID:5624
-
C:\Windows\SysWOW64\Jnapno32.exeC:\Windows\system32\Jnapno32.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5664 -
C:\Windows\SysWOW64\Jbmloneh.exeC:\Windows\system32\Jbmloneh.exe102⤵PID:5708
-
C:\Windows\SysWOW64\Jgjegd32.exeC:\Windows\system32\Jgjegd32.exe103⤵PID:5748
-
C:\Windows\SysWOW64\Jpamhb32.exeC:\Windows\system32\Jpamhb32.exe104⤵PID:5792
-
C:\Windows\SysWOW64\Keneqi32.exeC:\Windows\system32\Keneqi32.exe105⤵
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Knfjinhj.exeC:\Windows\system32\Knfjinhj.exe106⤵PID:5884
-
C:\Windows\SysWOW64\Kepbfh32.exeC:\Windows\system32\Kepbfh32.exe107⤵PID:5928
-
C:\Windows\SysWOW64\Khonbdoj.exeC:\Windows\system32\Khonbdoj.exe108⤵PID:5972
-
C:\Windows\SysWOW64\Kpffcapl.exeC:\Windows\system32\Kpffcapl.exe109⤵PID:6004
-
C:\Windows\SysWOW64\Kbdbpmop.exeC:\Windows\system32\Kbdbpmop.exe110⤵PID:6060
-
C:\Windows\SysWOW64\Kfpnpk32.exeC:\Windows\system32\Kfpnpk32.exe111⤵PID:6100
-
C:\Windows\SysWOW64\Kebolhnd.exeC:\Windows\system32\Kebolhnd.exe112⤵PID:2940
-
C:\Windows\SysWOW64\Kphcianj.exeC:\Windows\system32\Kphcianj.exe113⤵PID:5236
-
C:\Windows\SysWOW64\Knkcdn32.exeC:\Windows\system32\Knkcdn32.exe114⤵PID:5300
-
C:\Windows\SysWOW64\Kfbkfk32.exeC:\Windows\system32\Kfbkfk32.exe115⤵PID:5372
-
C:\Windows\SysWOW64\Khchmc32.exeC:\Windows\system32\Khchmc32.exe116⤵
- System Location Discovery: System Language Discovery
PID:5440 -
C:\Windows\SysWOW64\Lpmldp32.exeC:\Windows\system32\Lpmldp32.exe117⤵PID:5520
-
C:\Windows\SysWOW64\Lhmjcbcj.exeC:\Windows\system32\Lhmjcbcj.exe118⤵PID:5592
-
C:\Windows\SysWOW64\Lpdbeo32.exeC:\Windows\system32\Lpdbeo32.exe119⤵PID:5672
-
C:\Windows\SysWOW64\Lhogia32.exeC:\Windows\system32\Lhogia32.exe120⤵PID:5740
-
C:\Windows\SysWOW64\Lfpggiif.exeC:\Windows\system32\Lfpggiif.exe121⤵PID:5808
-
C:\Windows\SysWOW64\Mpilpo32.exeC:\Windows\system32\Mpilpo32.exe122⤵PID:5876