Analysis
-
max time kernel
95s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
02-01-2025 22:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
482f2ffa1a0c3a39236d5cff5889e3e65dfac0828e52eeca8966226288200243.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
482f2ffa1a0c3a39236d5cff5889e3e65dfac0828e52eeca8966226288200243.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
482f2ffa1a0c3a39236d5cff5889e3e65dfac0828e52eeca8966226288200243.exe
-
Size
96KB
-
MD5
dd844c8d47bcd986705bbf0c08949a26
-
SHA1
b68d84f0b7c115c6e34f744aaf30e0a7d0669a58
-
SHA256
482f2ffa1a0c3a39236d5cff5889e3e65dfac0828e52eeca8966226288200243
-
SHA512
e75be8fe0d28f96a484193257c04b648e6e0cf1fd0e91e7205ade480753056f6e66f92763ecaab06f49027c4aff3aa514a024b986a05873e1b0a4aa7db17abb5
-
SSDEEP
3072:qvRZ0n9w/W9O1mPb334AO1d0QFcClUUWaeP:qIn9B33c0QFcCWUM
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbalopbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aagkhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohkbbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioopml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmjemflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgcjddh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfjeobf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegdnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maiccajf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fphnlcdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elpkep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenicahg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiglnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppmcdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccbadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hglipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfbkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dclkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmfcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajcdnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bciehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aednci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eicedn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llpmoiof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmpolgoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljgpkonp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oadfkdgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iciaqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fknbil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakebqbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfpdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gemkelcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpjmnjqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokkahlo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leadnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnjjfegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hplicjok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnbfhal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggaah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjokgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgloefco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnjqmpgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfbaonae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaldccip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdojjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maodigil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edfdej32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral2/files/0x000a000000023bc7-207.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2084 Beihma32.exe 1360 Bjfaeh32.exe 4692 Bnbmefbg.exe 3376 Bcoenmao.exe 2128 Cjinkg32.exe 1408 Cenahpha.exe 1124 Chmndlge.exe 584 Cmiflbel.exe 2600 Caebma32.exe 3232 Chokikeb.exe 3152 Cnicfe32.exe 1412 Ceckcp32.exe 4804 Chagok32.exe 4356 Cjpckf32.exe 2888 Ceehho32.exe 3672 Chcddk32.exe 1568 Cnnlaehj.exe 3388 Calhnpgn.exe 4596 Cegdnopg.exe 3316 Dfiafg32.exe 1100 Dopigd32.exe 4116 Danecp32.exe 444 Dhhnpjmh.exe 1040 Dfknkg32.exe 3876 Dobfld32.exe 4120 Ddonekbl.exe 3004 Dfnjafap.exe 3176 Dkifae32.exe 2132 Dmgbnq32.exe 1032 Ddakjkqi.exe 2928 Dkkcge32.exe 4324 Daekdooc.exe 1116 Dgbdlf32.exe 3920 Dknpmdfc.exe 592 Edfdej32.exe 4396 Egdqae32.exe 4592 Emoinpcd.exe 1872 Eggmge32.exe 5108 Ealadnik.exe 1832 Ekefmc32.exe 1088 Emcbio32.exe 4680 Eobocb32.exe 4800 Eemgplno.exe 216 Egnchd32.exe 5012 Fdbdah32.exe 4364 Fgppmd32.exe 2584 Fafdkmap.exe 1376 Fhpmgg32.exe 804 Fahaplon.exe 2040 Fgeihcme.exe 3172 Fefjfked.exe 1920 Fhdfbfdh.exe 4908 Famjkl32.exe 2980 Fgjccb32.exe 3352 Gekcaj32.exe 1172 Gochjpho.exe 4996 Ggnlobej.exe 4252 Gadqlkep.exe 2976 Ggqida32.exe 1096 Gafmaj32.exe 1404 Gfbibikg.exe 4852 Ggcfja32.exe 3008 Gojnko32.exe 1876 Ghbbcd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hbbmmi32.exe Hnfamjqg.exe File created C:\Windows\SysWOW64\Chglab32.exe Cnahdi32.exe File created C:\Windows\SysWOW64\Ojmjcf32.dll Gpnfge32.exe File created C:\Windows\SysWOW64\Kpjgaoqm.exe Jlolpq32.exe File opened for modification C:\Windows\SysWOW64\Bgpcliao.exe Bpfkpp32.exe File created C:\Windows\SysWOW64\Ogclbn32.dll Dknpmdfc.exe File created C:\Windows\SysWOW64\Mldhfpib.exe Maodigil.exe File created C:\Windows\SysWOW64\Inngdb32.dll Jdodkebj.exe File created C:\Windows\SysWOW64\Jjoiil32.exe Jcdala32.exe File opened for modification C:\Windows\SysWOW64\Ebgpad32.exe Ekmhejao.exe File created C:\Windows\SysWOW64\Qlgene32.dll Ceckcp32.exe File created C:\Windows\SysWOW64\Jglklggl.exe Iqbbpm32.exe File created C:\Windows\SysWOW64\Knhebpni.dll Pkogiikb.exe File created C:\Windows\SysWOW64\Jcphab32.exe Jpaleglc.exe File created C:\Windows\SysWOW64\Pdhbmh32.exe Pajeam32.exe File created C:\Windows\SysWOW64\Hbpphi32.exe Hoadkn32.exe File created C:\Windows\SysWOW64\Aodfajaj.exe Amfjeobf.exe File opened for modification C:\Windows\SysWOW64\Fffhifdk.exe Fdglmkeg.exe File created C:\Windows\SysWOW64\Kgninn32.exe Kdpmbc32.exe File opened for modification C:\Windows\SysWOW64\Fnlmhc32.exe Fiodpl32.exe File created C:\Windows\SysWOW64\Bnoddcef.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bnbmefbg.exe Bjfaeh32.exe File opened for modification C:\Windows\SysWOW64\Fealin32.exe Fngcmcfe.exe File created C:\Windows\SysWOW64\Pnjbcghk.dll Jiiicf32.exe File opened for modification C:\Windows\SysWOW64\Jljbeali.exe Jepjhg32.exe File created C:\Windows\SysWOW64\Ggbook32.exe Ghpocngo.exe File opened for modification C:\Windows\SysWOW64\Ggkiol32.exe Gaopfe32.exe File created C:\Windows\SysWOW64\Jkganhnq.dll Kgopidgf.exe File created C:\Windows\SysWOW64\Pjglocmi.dll Lijlof32.exe File created C:\Windows\SysWOW64\Niooqcad.exe Nknobkje.exe File opened for modification C:\Windows\SysWOW64\Ecbjkngo.exe Dlkbjqgm.exe File created C:\Windows\SysWOW64\Hebqnm32.dll Iohejo32.exe File opened for modification C:\Windows\SysWOW64\Jeekkafl.exe Jfbkpd32.exe File created C:\Windows\SysWOW64\Lhkmnj32.dll Ajeadd32.exe File created C:\Windows\SysWOW64\Alkdoago.dll Iqpfjnba.exe File created C:\Windows\SysWOW64\Indfca32.exe Ikejgf32.exe File opened for modification C:\Windows\SysWOW64\Dflfac32.exe Dkfadkgf.exe File created C:\Windows\SysWOW64\Ocffempp.exe Ohqbhdpj.exe File opened for modification C:\Windows\SysWOW64\Lpbopfag.exe Llgcph32.exe File created C:\Windows\SysWOW64\Jnhpoamf.exe Jjmcnbdm.exe File opened for modification C:\Windows\SysWOW64\Gmiclo32.exe Gkkgpc32.exe File opened for modification C:\Windows\SysWOW64\Hpabni32.exe Higjaoci.exe File opened for modification C:\Windows\SysWOW64\Bhkmec32.exe Bemqih32.exe File opened for modification C:\Windows\SysWOW64\Imiehfao.exe Iebngial.exe File created C:\Windows\SysWOW64\Chokikeb.exe Caebma32.exe File created C:\Windows\SysWOW64\Cjmpkqqj.exe Cgndoeag.exe File created C:\Windows\SysWOW64\Empoiimf.exe Ehcfaboo.exe File created C:\Windows\SysWOW64\Iikmbh32.exe Ifmqfm32.exe File opened for modification C:\Windows\SysWOW64\Lqhdbm32.exe Lnjgfb32.exe File opened for modification C:\Windows\SysWOW64\Mfeeabda.exe Mokmdh32.exe File created C:\Windows\SysWOW64\Chcddk32.exe Ceehho32.exe File opened for modification C:\Windows\SysWOW64\Ioambknl.exe Igjeanmj.exe File created C:\Windows\SysWOW64\Nagbfo32.dll Ohnebd32.exe File created C:\Windows\SysWOW64\Icndnfbg.dll Bqdblmhl.exe File created C:\Windows\SysWOW64\Glgjlm32.exe Giinpa32.exe File created C:\Windows\SysWOW64\Ffiipfmi.dll Eppjfgcp.exe File created C:\Windows\SysWOW64\Glgcbf32.exe Gmdcfidg.exe File created C:\Windows\SysWOW64\Jocefm32.exe Jiglnf32.exe File opened for modification C:\Windows\SysWOW64\Cjinkg32.exe Bcoenmao.exe File created C:\Windows\SysWOW64\Hglppijc.dll Iakiia32.exe File created C:\Windows\SysWOW64\Jekeodnf.dll Lqkgbcff.exe File created C:\Windows\SysWOW64\Jekqmhia.exe Jcmdaljn.exe File created C:\Windows\SysWOW64\Jpcapp32.exe Jiiicf32.exe File opened for modification C:\Windows\SysWOW64\Ondljl32.exe Opclldhj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6788 5144 Process not Found 1145 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joiccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keakgpko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffclcgfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knooej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcidmkpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbdlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbokdlk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbbkfoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhakoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmcnbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblcnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciaqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbiofhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpbin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popbpqjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbfklei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijchhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqfpckhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnikdnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpikkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidhlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkpnclp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chglab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgldfio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okedcjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkicaahi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceddf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnblg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mepfiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabfjpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfgcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoalgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipoheakj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokmdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdicienl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooagno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biogppeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhkjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlhljhbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mleoafmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hienlpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflfac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbagk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdfbfdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgfapd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdphngfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefjfked.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjimhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdodkebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnfpcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cippgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajeadd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejgch32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mekgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lijlof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjhloj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdpmbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinnnm32.dll" Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcmfp32.dll" Malgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oifeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeheme32.dll" Pemomqcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmikeaap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdjibj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhmigagd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbdoof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpeafcfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eidlnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mminhceb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klplbbaq.dll" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibingd32.dll" Ffqhcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hehkajig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igajal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baegibae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emcbio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jknfcofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmlbhekk.dll" Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaclkia.dll" Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggeboaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofhmj32.dll" Epcdqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfkbde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll" Ceehho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbbkfoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkiaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll" Mfeeabda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjpckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iflbnkbi.dll" Hgoeep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpbmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fikbocki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnpclpq.dll" Jqknkedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpiopih.dll" Qoelkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhdfi32.dll" Imiehfao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ondljl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cippgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlgckkf.dll" Oafcqcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njiekege.dll" Bhldpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmigpf32.dll" Qkipkani.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll" Pjmjdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbbmmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagbfo32.dll" Ohnebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcqdoab.dll" Fknbil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghpocngo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlpokp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfendmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcgeilmb.dll" Dlkbjqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihejacdm.dll" Mminhceb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggqida32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1696 wrote to memory of 2084 1696 482f2ffa1a0c3a39236d5cff5889e3e65dfac0828e52eeca8966226288200243.exe 83 PID 1696 wrote to memory of 2084 1696 482f2ffa1a0c3a39236d5cff5889e3e65dfac0828e52eeca8966226288200243.exe 83 PID 1696 wrote to memory of 2084 1696 482f2ffa1a0c3a39236d5cff5889e3e65dfac0828e52eeca8966226288200243.exe 83 PID 2084 wrote to memory of 1360 2084 Beihma32.exe 84 PID 2084 wrote to memory of 1360 2084 Beihma32.exe 84 PID 2084 wrote to memory of 1360 2084 Beihma32.exe 84 PID 1360 wrote to memory of 4692 1360 Bjfaeh32.exe 85 PID 1360 wrote to memory of 4692 1360 Bjfaeh32.exe 85 PID 1360 wrote to memory of 4692 1360 Bjfaeh32.exe 85 PID 4692 wrote to memory of 3376 4692 Bnbmefbg.exe 86 PID 4692 wrote to memory of 3376 4692 Bnbmefbg.exe 86 PID 4692 wrote to memory of 3376 4692 Bnbmefbg.exe 86 PID 3376 wrote to memory of 2128 3376 Bcoenmao.exe 87 PID 3376 wrote to memory of 2128 3376 Bcoenmao.exe 87 PID 3376 wrote to memory of 2128 3376 Bcoenmao.exe 87 PID 2128 wrote to memory of 1408 2128 Cjinkg32.exe 88 PID 2128 wrote to memory of 1408 2128 Cjinkg32.exe 88 PID 2128 wrote to memory of 1408 2128 Cjinkg32.exe 88 PID 1408 wrote to memory of 1124 1408 Cenahpha.exe 89 PID 1408 wrote to memory of 1124 1408 Cenahpha.exe 89 PID 1408 wrote to memory of 1124 1408 Cenahpha.exe 89 PID 1124 wrote to memory of 584 1124 Chmndlge.exe 90 PID 1124 wrote to memory of 584 1124 Chmndlge.exe 90 PID 1124 wrote to memory of 584 1124 Chmndlge.exe 90 PID 584 wrote to memory of 2600 584 Cmiflbel.exe 91 PID 584 wrote to memory of 2600 584 Cmiflbel.exe 91 PID 584 wrote to memory of 2600 584 Cmiflbel.exe 91 PID 2600 wrote to memory of 3232 2600 Caebma32.exe 92 PID 2600 wrote to memory of 3232 2600 Caebma32.exe 92 PID 2600 wrote to memory of 3232 2600 Caebma32.exe 92 PID 3232 wrote to memory of 3152 3232 Chokikeb.exe 93 PID 3232 wrote to memory of 3152 3232 Chokikeb.exe 93 PID 3232 wrote to memory of 3152 3232 Chokikeb.exe 93 PID 3152 wrote to memory of 1412 3152 Cnicfe32.exe 94 PID 3152 wrote to memory of 1412 3152 Cnicfe32.exe 94 PID 3152 wrote to memory of 1412 3152 Cnicfe32.exe 94 PID 1412 wrote to memory of 4804 1412 Ceckcp32.exe 95 PID 1412 wrote to memory of 4804 1412 Ceckcp32.exe 95 PID 1412 wrote to memory of 4804 1412 Ceckcp32.exe 95 PID 4804 wrote to memory of 4356 4804 Chagok32.exe 96 PID 4804 wrote to memory of 4356 4804 Chagok32.exe 96 PID 4804 wrote to memory of 4356 4804 Chagok32.exe 96 PID 4356 wrote to memory of 2888 4356 Cjpckf32.exe 97 PID 4356 wrote to memory of 2888 4356 Cjpckf32.exe 97 PID 4356 wrote to memory of 2888 4356 Cjpckf32.exe 97 PID 2888 wrote to memory of 3672 2888 Ceehho32.exe 98 PID 2888 wrote to memory of 3672 2888 Ceehho32.exe 98 PID 2888 wrote to memory of 3672 2888 Ceehho32.exe 98 PID 3672 wrote to memory of 1568 3672 Chcddk32.exe 99 PID 3672 wrote to memory of 1568 3672 Chcddk32.exe 99 PID 3672 wrote to memory of 1568 3672 Chcddk32.exe 99 PID 1568 wrote to memory of 3388 1568 Cnnlaehj.exe 100 PID 1568 wrote to memory of 3388 1568 Cnnlaehj.exe 100 PID 1568 wrote to memory of 3388 1568 Cnnlaehj.exe 100 PID 3388 wrote to memory of 4596 3388 Calhnpgn.exe 101 PID 3388 wrote to memory of 4596 3388 Calhnpgn.exe 101 PID 3388 wrote to memory of 4596 3388 Calhnpgn.exe 101 PID 4596 wrote to memory of 3316 4596 Cegdnopg.exe 102 PID 4596 wrote to memory of 3316 4596 Cegdnopg.exe 102 PID 4596 wrote to memory of 3316 4596 Cegdnopg.exe 102 PID 3316 wrote to memory of 1100 3316 Dfiafg32.exe 103 PID 3316 wrote to memory of 1100 3316 Dfiafg32.exe 103 PID 3316 wrote to memory of 1100 3316 Dfiafg32.exe 103 PID 1100 wrote to memory of 4116 1100 Dopigd32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\482f2ffa1a0c3a39236d5cff5889e3e65dfac0828e52eeca8966226288200243.exe"C:\Users\Admin\AppData\Local\Temp\482f2ffa1a0c3a39236d5cff5889e3e65dfac0828e52eeca8966226288200243.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe23⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe24⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe25⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe26⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe27⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe28⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe29⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe30⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe31⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe32⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe33⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3920 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe37⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe38⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe39⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe40⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe41⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe43⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe44⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe45⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe46⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe47⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe48⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe49⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe50⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe51⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3172 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe55⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe56⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe57⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe58⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe59⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe60⤵PID:3492
-
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe62⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe63⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe64⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe65⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe66⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe67⤵
- Modifies registry class
PID:4520 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe68⤵PID:2988
-
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe69⤵
- System Location Discovery: System Language Discovery
PID:4724 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe70⤵PID:3416
-
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe71⤵PID:1428
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe72⤵PID:1524
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe73⤵
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe74⤵PID:3772
-
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4188 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe76⤵
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe77⤵
- Modifies registry class
PID:3504 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe78⤵
- Modifies registry class
PID:3092 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe79⤵PID:3324
-
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe80⤵PID:1636
-
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe81⤵PID:3496
-
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe82⤵PID:1232
-
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe83⤵PID:1888
-
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe84⤵PID:3704
-
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe85⤵PID:1340
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe86⤵PID:736
-
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe87⤵PID:800
-
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe88⤵
- System Location Discovery: System Language Discovery
PID:4616 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe89⤵PID:4928
-
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2696 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe91⤵PID:1544
-
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe92⤵
- Drops file in System32 directory
PID:3748 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe93⤵PID:5116
-
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe94⤵PID:4860
-
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe95⤵PID:3288
-
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe96⤵PID:3636
-
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe97⤵PID:4304
-
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe98⤵PID:5052
-
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe99⤵PID:4576
-
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe100⤵PID:4092
-
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe101⤵PID:3168
-
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe102⤵PID:4768
-
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe103⤵
- System Location Discovery: System Language Discovery
PID:3568 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe105⤵PID:2232
-
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe106⤵PID:4504
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe107⤵PID:3740
-
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe108⤵PID:4560
-
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe109⤵PID:4220
-
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe110⤵PID:2428
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe111⤵PID:2712
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe112⤵PID:2916
-
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe113⤵
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe114⤵PID:3440
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe115⤵PID:5072
-
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe116⤵PID:3696
-
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe117⤵PID:4024
-
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe118⤵PID:3464
-
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe119⤵PID:4632
-
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe120⤵
- System Location Discovery: System Language Discovery
PID:5148 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe121⤵
- System Location Discovery: System Language Discovery
PID:5192
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-