Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-11-2024 19:22
Behavioral task
behavioral1
Sample
066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
General
-
Target
066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348.exe
-
Size
337KB
-
MD5
f333a219131b9e7e0e15d0edb1c87608
-
SHA1
57642d2c2bfbaecd2dd6169d4dbdfb40793fef11
-
SHA256
066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348
-
SHA512
d0726b192828ef05a02aaf745efdf995137c7c7ceae8f191dab693c8e1f9ed33792a9caf2be912e452bbbade3f688f2ae63f4a18b0f4f2929ad129dc540cdb36
-
SSDEEP
3072:rQP0lIgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc0V:zlI1+fIyG5jZkCwi8z
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Dmkcil32.exeJampjian.exeBnlgbnbp.exeEpnhpglg.exeLhpglecl.exeLfoojj32.exeBmlael32.exeFakdcnhh.exeIhglhp32.exeKaglcgdc.exeMkqqnq32.exeBdhleh32.exeNmabjfek.exeIjehdl32.exePaknelgk.exePleofj32.exeAobpfb32.exeEdlafebn.exeNapbjjom.exeIpjdameg.exePbemboof.exeQpbglhjq.exeKajiigba.exeIpomlm32.exeLgngbmjp.exeGghmmilh.exeLjigih32.exeQoeamo32.exeBfcodkcb.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmkcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnlgbnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epnhpglg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhpglecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmlael32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fakdcnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihglhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaglcgdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhleh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmabjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijehdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pleofj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobpfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edlafebn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Napbjjom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjdameg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbemboof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kajiigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipomlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgngbmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghmmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljigih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeamo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
Fcphnm32.exeFjjpjgjj.exeFnflke32.exeFlhmfbim.exeGfcnegnk.exeGhajacmo.exeGmmfaa32.exeGbjojh32.exeGdkgkcpq.exeGkephn32.exeGoplilpf.exeGqahqd32.exeGiipab32.exeGjjmijme.exeGqdefddb.exeGgnmbn32.exeHcdnhoac.exeHfcjdkpg.exeHnjbeh32.exeHahnac32.exeHcgjmo32.exeHfegij32.exeHmoofdea.exeHpnkbpdd.exeHjcppidk.exeHmalldcn.exeHpphhp32.exeHfjpdjjo.exeHemqpf32.exeHlgimqhf.exeHpbdmo32.exeHbaaik32.exeIliebpfc.exeInhanl32.exeIafnjg32.exeIhpfgalh.exeIllbhp32.exeInjndk32.exeIbejdjln.exeIahkpg32.exeIdgglb32.exeIhbcmaje.exeInlkik32.exeIakgefqe.exeIdicbbpi.exeIhdpbq32.exeImahkg32.exeIamdkfnc.exeIppdgc32.exeIhglhp32.exeIjehdl32.exeIihiphln.exeJmdepg32.exeJaoqqflp.exeJdnmma32.exeJbqmhnbo.exeJfliim32.exeJkhejkcq.exeJikeeh32.exeJliaac32.exeJpdnbbah.exeJdpjba32.exeJbcjnnpl.exeJeafjiop.exepid Process 2536 Fcphnm32.exe 3032 Fjjpjgjj.exe 2304 Fnflke32.exe 2336 Flhmfbim.exe 2500 Gfcnegnk.exe 2828 Ghajacmo.exe 2640 Gmmfaa32.exe 3064 Gbjojh32.exe 1232 Gdkgkcpq.exe 540 Gkephn32.exe 2160 Goplilpf.exe 1940 Gqahqd32.exe 1568 Giipab32.exe 1576 Gjjmijme.exe 2272 Gqdefddb.exe 1072 Ggnmbn32.exe 3008 Hcdnhoac.exe 1284 Hfcjdkpg.exe 1992 Hnjbeh32.exe 1996 Hahnac32.exe 2288 Hcgjmo32.exe 2604 Hfegij32.exe 716 Hmoofdea.exe 2372 Hpnkbpdd.exe 1496 Hjcppidk.exe 2012 Hmalldcn.exe 2788 Hpphhp32.exe 2968 Hfjpdjjo.exe 2740 Hemqpf32.exe 2772 Hlgimqhf.exe 2600 Hpbdmo32.exe 2892 Hbaaik32.exe 2624 Iliebpfc.exe 2180 Inhanl32.exe 1216 Iafnjg32.exe 820 Ihpfgalh.exe 1740 Illbhp32.exe 2932 Injndk32.exe 2620 Ibejdjln.exe 2696 Iahkpg32.exe 2588 Idgglb32.exe 2220 Ihbcmaje.exe 620 Inlkik32.exe 2484 Iakgefqe.exe 1984 Idicbbpi.exe 2084 Ihdpbq32.exe 2908 Imahkg32.exe 1976 Iamdkfnc.exe 2876 Ippdgc32.exe 2692 Ihglhp32.exe 2856 Ijehdl32.exe 2900 Iihiphln.exe 2848 Jmdepg32.exe 564 Jaoqqflp.exe 2492 Jdnmma32.exe 3056 Jbqmhnbo.exe 2676 Jfliim32.exe 1696 Jkhejkcq.exe 2204 Jikeeh32.exe 784 Jliaac32.exe 2680 Jpdnbbah.exe 2928 Jdpjba32.exe 2412 Jbcjnnpl.exe 2184 Jeafjiop.exe -
Loads dropped DLL 64 IoCs
Processes:
066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348.exeFcphnm32.exeFjjpjgjj.exeFnflke32.exeFlhmfbim.exeGfcnegnk.exeGhajacmo.exeGmmfaa32.exeGbjojh32.exeGdkgkcpq.exeGkephn32.exeGoplilpf.exeGqahqd32.exeGiipab32.exeGjjmijme.exeGqdefddb.exeGgnmbn32.exeHcdnhoac.exeHfcjdkpg.exeHnjbeh32.exeHahnac32.exeHcgjmo32.exeHfegij32.exeHmoofdea.exeHpnkbpdd.exeHjcppidk.exeHmalldcn.exeHpphhp32.exeHfjpdjjo.exeHemqpf32.exeHlgimqhf.exeHpbdmo32.exepid Process 1356 066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348.exe 1356 066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348.exe 2536 Fcphnm32.exe 2536 Fcphnm32.exe 3032 Fjjpjgjj.exe 3032 Fjjpjgjj.exe 2304 Fnflke32.exe 2304 Fnflke32.exe 2336 Flhmfbim.exe 2336 Flhmfbim.exe 2500 Gfcnegnk.exe 2500 Gfcnegnk.exe 2828 Ghajacmo.exe 2828 Ghajacmo.exe 2640 Gmmfaa32.exe 2640 Gmmfaa32.exe 3064 Gbjojh32.exe 3064 Gbjojh32.exe 1232 Gdkgkcpq.exe 1232 Gdkgkcpq.exe 540 Gkephn32.exe 540 Gkephn32.exe 2160 Goplilpf.exe 2160 Goplilpf.exe 1940 Gqahqd32.exe 1940 Gqahqd32.exe 1568 Giipab32.exe 1568 Giipab32.exe 1576 Gjjmijme.exe 1576 Gjjmijme.exe 2272 Gqdefddb.exe 2272 Gqdefddb.exe 1072 Ggnmbn32.exe 1072 Ggnmbn32.exe 3008 Hcdnhoac.exe 3008 Hcdnhoac.exe 1284 Hfcjdkpg.exe 1284 Hfcjdkpg.exe 1992 Hnjbeh32.exe 1992 Hnjbeh32.exe 1996 Hahnac32.exe 1996 Hahnac32.exe 2288 Hcgjmo32.exe 2288 Hcgjmo32.exe 2604 Hfegij32.exe 2604 Hfegij32.exe 716 Hmoofdea.exe 716 Hmoofdea.exe 2372 Hpnkbpdd.exe 2372 Hpnkbpdd.exe 1496 Hjcppidk.exe 1496 Hjcppidk.exe 2012 Hmalldcn.exe 2012 Hmalldcn.exe 2788 Hpphhp32.exe 2788 Hpphhp32.exe 2968 Hfjpdjjo.exe 2968 Hfjpdjjo.exe 2740 Hemqpf32.exe 2740 Hemqpf32.exe 2772 Hlgimqhf.exe 2772 Hlgimqhf.exe 2600 Hpbdmo32.exe 2600 Hpbdmo32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Hjgehgnh.exeEoebgcol.exePfnmmn32.exeHjlbdc32.exePjihmmbk.exeBqeqqk32.exeKlfjpa32.exeCmmcpi32.exeFdpgph32.exeBoogmgkl.exeOlbfagca.exeEakooqih.exeOflpgnld.exeNqokpd32.exeAfdiondb.exeDiidjpbe.exeDhhhbg32.exeJjkkbjln.exeIakgefqe.exeBacihmoo.exePifbjn32.exeLonibk32.exeOnnnml32.exeLgchgb32.exedescription ioc Process File created C:\Windows\SysWOW64\Hbnmienj.exe Hjgehgnh.exe File opened for modification C:\Windows\SysWOW64\Ebqngb32.exe Eoebgcol.exe File opened for modification C:\Windows\SysWOW64\Dhdfmbjc.exe File created C:\Windows\SysWOW64\Hhjjcdeh.dll File opened for modification C:\Windows\SysWOW64\Jgnchplb.exe File opened for modification C:\Windows\SysWOW64\Bmohjooe.exe File opened for modification C:\Windows\SysWOW64\Lkfdfo32.exe File created C:\Windows\SysWOW64\Adiijqhm.dll Pfnmmn32.exe File created C:\Windows\SysWOW64\Dkmbap32.dll File created C:\Windows\SysWOW64\Hahjkl32.dll File opened for modification C:\Windows\SysWOW64\Pjjmonac.exe File opened for modification C:\Windows\SysWOW64\Cdcjgnbc.exe File created C:\Windows\SysWOW64\Fcoolj32.exe File created C:\Windows\SysWOW64\Mjpkbk32.exe File opened for modification C:\Windows\SysWOW64\Hinbppna.exe Hjlbdc32.exe File created C:\Windows\SysWOW64\Mecbjd32.exe File opened for modification C:\Windows\SysWOW64\Pmhejhao.exe Pjihmmbk.exe File created C:\Windows\SysWOW64\Komlabbb.dll File opened for modification C:\Windows\SysWOW64\Bccmmf32.exe Bqeqqk32.exe File created C:\Windows\SysWOW64\Fmikim32.dll Klfjpa32.exe File created C:\Windows\SysWOW64\Ckpckece.exe Cmmcpi32.exe File opened for modification C:\Windows\SysWOW64\Fccglehn.exe Fdpgph32.exe File created C:\Windows\SysWOW64\Hnnikfij.dll File created C:\Windows\SysWOW64\Jjqiok32.exe File created C:\Windows\SysWOW64\Gjkcod32.exe File created C:\Windows\SysWOW64\Khglkqfj.exe File created C:\Windows\SysWOW64\Hiablm32.dll Boogmgkl.exe File created C:\Windows\SysWOW64\Khpbbn32.dll File created C:\Windows\SysWOW64\Alqqip32.dll File created C:\Windows\SysWOW64\Kjkehhjf.exe File created C:\Windows\SysWOW64\Gmlmpo32.exe File opened for modification C:\Windows\SysWOW64\Opnbbe32.exe Olbfagca.exe File created C:\Windows\SysWOW64\Jmndgq32.dll Eakooqih.exe File created C:\Windows\SysWOW64\Epaqjmil.dll Oflpgnld.exe File created C:\Windows\SysWOW64\Lcpnpp32.dll File opened for modification C:\Windows\SysWOW64\Npbklabl.exe Nqokpd32.exe File created C:\Windows\SysWOW64\Iifmcp32.dll File created C:\Windows\SysWOW64\Ogmnad32.dll File opened for modification C:\Windows\SysWOW64\Bphaglgo.exe File created C:\Windows\SysWOW64\Pcqebd32.exe File created C:\Windows\SysWOW64\Ajpepm32.exe Afdiondb.exe File created C:\Windows\SysWOW64\Hnppof32.dll Diidjpbe.exe File opened for modification C:\Windows\SysWOW64\Hgciff32.exe File opened for modification C:\Windows\SysWOW64\Aeiecfga.exe File opened for modification C:\Windows\SysWOW64\Lekcffem.exe File created C:\Windows\SysWOW64\Ejidgg32.dll File created C:\Windows\SysWOW64\Elpqemll.exe File created C:\Windows\SysWOW64\Dfkhndca.exe Dhhhbg32.exe File opened for modification C:\Windows\SysWOW64\Joggci32.exe Jjkkbjln.exe File opened for modification C:\Windows\SysWOW64\Fbipdi32.exe File created C:\Windows\SysWOW64\Idbgbahq.exe File opened for modification C:\Windows\SysWOW64\Lmqgec32.exe File created C:\Windows\SysWOW64\Idicbbpi.exe Iakgefqe.exe File opened for modification C:\Windows\SysWOW64\Bfoeil32.exe Bacihmoo.exe File created C:\Windows\SysWOW64\Ndafcmci.exe File created C:\Windows\SysWOW64\Obdngaom.dll File created C:\Windows\SysWOW64\Pnbojmmp.exe Pifbjn32.exe File created C:\Windows\SysWOW64\Qojagi32.dll File opened for modification C:\Windows\SysWOW64\Lnqjnhge.exe Lonibk32.exe File created C:\Windows\SysWOW64\Knbnol32.dll Onnnml32.exe File created C:\Windows\SysWOW64\Gfdaid32.exe File created C:\Windows\SysWOW64\Afbpnlcd.exe File created C:\Windows\SysWOW64\Mjaddn32.exe Lgchgb32.exe File created C:\Windows\SysWOW64\Nfjildbp.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process 9536 10128 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Nnoiio32.exeMkipao32.exeNpjlhcmd.exeEdlafebn.exeKpdcfoph.exeBfoeil32.exeDgknkf32.exeFakdcnhh.exeLhiakf32.exeFofbhgde.exeEdidqf32.exeHbdjcffd.exeMqehjecl.exeMqjefamk.exeOejcpf32.exeQobdgo32.exeLcofio32.exeObhdcanc.exePeefcjlg.exeOjeobm32.exeAaimopli.exeKfibhjlj.exeLlmmpcfe.exeDaaenlng.exeMqnifg32.exePdjjag32.exeFmfocnjg.exeKjmnjkjd.exeMfeaiime.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoiio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkipao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjlhcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlafebn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdcfoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfoeil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgknkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakdcnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiakf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofbhgde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edidqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdjcffd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqehjecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjefamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejcpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobdgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcofio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhdcanc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peefcjlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojeobm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaimopli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfibhjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmmpcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daaenlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqnifg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjjag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfocnjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfeaiime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Jbjpom32.exeJagpdd32.exeIjehdl32.exeFhljkm32.exeCgcnghpl.exeBpbmqe32.exeDmijfmfi.exeEbnabb32.exeCoacbfii.exeGgnmbn32.exeIamdkfnc.exeMhcmedli.exeKcecbq32.exeFhgifgnb.exeLcofio32.exeKgnkci32.exeLopfhk32.exeJmdepg32.exeIejiodbl.exePbgjgomc.exePleofj32.exeAobpfb32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbjpom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jagpdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemapqnd.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijehdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllchm32.dll" Fhljkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfabpac.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfpmb32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnih32.dll" Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmijfmfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebnabb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll" Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abldll32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nliqma32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iamdkfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdpcbceo.dll" Mhcmedli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcecbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhgifgnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeaokpb.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcofio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgnkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lopfhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biklma32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmdhkkn.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhnmcb32.dll" Jmdepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfeflj32.dll" Iejiodbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbgjgomc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbdjfk32.dll" Pleofj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moeodd32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeackjhh.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hloncd32.dll" Aobpfb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348.exeFcphnm32.exeFjjpjgjj.exeFnflke32.exeFlhmfbim.exeGfcnegnk.exeGhajacmo.exeGmmfaa32.exeGbjojh32.exeGdkgkcpq.exeGkephn32.exeGoplilpf.exeGqahqd32.exeGiipab32.exeGjjmijme.exeGqdefddb.exedescription pid Process procid_target PID 1356 wrote to memory of 2536 1356 066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348.exe 30 PID 1356 wrote to memory of 2536 1356 066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348.exe 30 PID 1356 wrote to memory of 2536 1356 066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348.exe 30 PID 1356 wrote to memory of 2536 1356 066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348.exe 30 PID 2536 wrote to memory of 3032 2536 Fcphnm32.exe 31 PID 2536 wrote to memory of 3032 2536 Fcphnm32.exe 31 PID 2536 wrote to memory of 3032 2536 Fcphnm32.exe 31 PID 2536 wrote to memory of 3032 2536 Fcphnm32.exe 31 PID 3032 wrote to memory of 2304 3032 Fjjpjgjj.exe 32 PID 3032 wrote to memory of 2304 3032 Fjjpjgjj.exe 32 PID 3032 wrote to memory of 2304 3032 Fjjpjgjj.exe 32 PID 3032 wrote to memory of 2304 3032 Fjjpjgjj.exe 32 PID 2304 wrote to memory of 2336 2304 Fnflke32.exe 33 PID 2304 wrote to memory of 2336 2304 Fnflke32.exe 33 PID 2304 wrote to memory of 2336 2304 Fnflke32.exe 33 PID 2304 wrote to memory of 2336 2304 Fnflke32.exe 33 PID 2336 wrote to memory of 2500 2336 Flhmfbim.exe 34 PID 2336 wrote to memory of 2500 2336 Flhmfbim.exe 34 PID 2336 wrote to memory of 2500 2336 Flhmfbim.exe 34 PID 2336 wrote to memory of 2500 2336 Flhmfbim.exe 34 PID 2500 wrote to memory of 2828 2500 Gfcnegnk.exe 35 PID 2500 wrote to memory of 2828 2500 Gfcnegnk.exe 35 PID 2500 wrote to memory of 2828 2500 Gfcnegnk.exe 35 PID 2500 wrote to memory of 2828 2500 Gfcnegnk.exe 35 PID 2828 wrote to memory of 2640 2828 Ghajacmo.exe 36 PID 2828 wrote to memory of 2640 2828 Ghajacmo.exe 36 PID 2828 wrote to memory of 2640 2828 Ghajacmo.exe 36 PID 2828 wrote to memory of 2640 2828 Ghajacmo.exe 36 PID 2640 wrote to memory of 3064 2640 Gmmfaa32.exe 37 PID 2640 wrote to memory of 3064 2640 Gmmfaa32.exe 37 PID 2640 wrote to memory of 3064 2640 Gmmfaa32.exe 37 PID 2640 wrote to memory of 3064 2640 Gmmfaa32.exe 37 PID 3064 wrote to memory of 1232 3064 Gbjojh32.exe 38 PID 3064 wrote to memory of 1232 3064 Gbjojh32.exe 38 PID 3064 wrote to memory of 1232 3064 Gbjojh32.exe 38 PID 3064 wrote to memory of 1232 3064 Gbjojh32.exe 38 PID 1232 wrote to memory of 540 1232 Gdkgkcpq.exe 39 PID 1232 wrote to memory of 540 1232 Gdkgkcpq.exe 39 PID 1232 wrote to memory of 540 1232 Gdkgkcpq.exe 39 PID 1232 wrote to memory of 540 1232 Gdkgkcpq.exe 39 PID 540 wrote to memory of 2160 540 Gkephn32.exe 40 PID 540 wrote to memory of 2160 540 Gkephn32.exe 40 PID 540 wrote to memory of 2160 540 Gkephn32.exe 40 PID 540 wrote to memory of 2160 540 Gkephn32.exe 40 PID 2160 wrote to memory of 1940 2160 Goplilpf.exe 41 PID 2160 wrote to memory of 1940 2160 Goplilpf.exe 41 PID 2160 wrote to memory of 1940 2160 Goplilpf.exe 41 PID 2160 wrote to memory of 1940 2160 Goplilpf.exe 41 PID 1940 wrote to memory of 1568 1940 Gqahqd32.exe 42 PID 1940 wrote to memory of 1568 1940 Gqahqd32.exe 42 PID 1940 wrote to memory of 1568 1940 Gqahqd32.exe 42 PID 1940 wrote to memory of 1568 1940 Gqahqd32.exe 42 PID 1568 wrote to memory of 1576 1568 Giipab32.exe 43 PID 1568 wrote to memory of 1576 1568 Giipab32.exe 43 PID 1568 wrote to memory of 1576 1568 Giipab32.exe 43 PID 1568 wrote to memory of 1576 1568 Giipab32.exe 43 PID 1576 wrote to memory of 2272 1576 Gjjmijme.exe 44 PID 1576 wrote to memory of 2272 1576 Gjjmijme.exe 44 PID 1576 wrote to memory of 2272 1576 Gjjmijme.exe 44 PID 1576 wrote to memory of 2272 1576 Gjjmijme.exe 44 PID 2272 wrote to memory of 1072 2272 Gqdefddb.exe 45 PID 2272 wrote to memory of 1072 2272 Gqdefddb.exe 45 PID 2272 wrote to memory of 1072 2272 Gqdefddb.exe 45 PID 2272 wrote to memory of 1072 2272 Gqdefddb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348.exe"C:\Users\Admin\AppData\Local\Temp\066cf530a0eeb81643ab2339ff6d65de16f818577d0b36ebb40bb1ee0c46a348.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:716 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe33⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe34⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe35⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe36⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe37⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe38⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe39⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe40⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe41⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe42⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe43⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe44⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe46⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe47⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe48⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe50⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe53⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe55⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe56⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe57⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe58⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe59⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe60⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe61⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe62⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe63⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe64⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe65⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe66⤵PID:2744
-
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe67⤵PID:2096
-
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe68⤵PID:2532
-
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe69⤵PID:1548
-
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe70⤵PID:1712
-
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe71⤵PID:1884
-
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe72⤵PID:1540
-
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe73⤵PID:1172
-
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe74⤵PID:812
-
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe75⤵PID:1044
-
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe76⤵PID:2264
-
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe77⤵PID:2916
-
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe78⤵PID:1848
-
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe79⤵PID:2888
-
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe80⤵PID:2764
-
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe81⤵PID:2836
-
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe82⤵PID:2980
-
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe83⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1416 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe85⤵PID:1124
-
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe86⤵PID:1928
-
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe87⤵PID:2736
-
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe88⤵PID:1648
-
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe89⤵PID:972
-
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe90⤵PID:2080
-
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe91⤵PID:2972
-
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe92⤵PID:2448
-
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe93⤵PID:1732
-
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe94⤵PID:1792
-
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe95⤵PID:1240
-
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe96⤵PID:1352
-
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe97⤵
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe98⤵PID:2760
-
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe99⤵PID:1684
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe100⤵PID:920
-
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe101⤵
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe102⤵PID:2784
-
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe103⤵PID:2232
-
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe104⤵PID:1140
-
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe105⤵PID:1728
-
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe106⤵PID:2648
-
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe107⤵PID:2468
-
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe108⤵PID:1464
-
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe109⤵PID:1912
-
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe110⤵PID:2128
-
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe111⤵PID:1536
-
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe112⤵PID:1744
-
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe113⤵PID:2720
-
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe114⤵PID:1688
-
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe115⤵PID:2652
-
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe116⤵PID:2840
-
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe117⤵PID:2804
-
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe118⤵PID:1920
-
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe119⤵PID:2860
-
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe120⤵PID:2540
-
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe121⤵PID:2944
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-