Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-01-2025 02:09
Behavioral task
behavioral1
Sample
a59a148cd0f5622e7e33b3ac80d6c49838a1d1f60ac9c5096bff0d8d73301e25.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
General
-
Target
a59a148cd0f5622e7e33b3ac80d6c49838a1d1f60ac9c5096bff0d8d73301e25.exe
-
Size
93KB
-
MD5
4807c63e567665a041dc8d28141ab439
-
SHA1
fe2824455bd16bcdc9e6a29b2f2636a7c69c0e50
-
SHA256
a59a148cd0f5622e7e33b3ac80d6c49838a1d1f60ac9c5096bff0d8d73301e25
-
SHA512
0dbec9601d1534f4d95a6dcfc891c620e4bf406131c3424e65cf5700fe68c434a71b1787bedf2de1b134c5807d4162c63a64c317c3991b1ad53a907aa0213e9f
-
SSDEEP
1536:hQjDdIzqbLCzIq+FoepVcvHVHGDggM1DaYfMZRWuLsV+1J:yjD0DMq+FoepVs1HuggMgYfc0DV+1J
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpmjhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmfdhojb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohfehdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbajkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiecgjba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obgkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkifhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddliip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Depbfhpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjeefofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapgkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkigoimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfqpecma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pghfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgjednf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajinjff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmpjagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qododfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifampo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldjpbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioilkblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inafbooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olbchn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgfhjcgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nameek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmifhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgjccb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigmnqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aboaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkakicam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imahkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapccndn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejmhkiig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlccdboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiljam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gepafc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iflmjihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpamde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npolmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgabdlfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hflkaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chcloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfpdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioooiack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Femeig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohiffh32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2808 Enlglnci.exe 2736 Edfpih32.exe 2740 Fbjpblip.exe 2648 Fgfhjcgg.exe 3008 Fjeefofk.exe 1560 Fqomci32.exe 2460 Fkdaqa32.exe 2164 Fncmmmma.exe 1748 Femeig32.exe 1244 Fjjnan32.exe 1272 Fqcfnhjb.exe 112 Fcbbjcif.exe 2664 Fjlkgn32.exe 2248 Fafcdh32.exe 2448 Fbgpkpnn.exe 2036 Giahhj32.exe 3040 Gpkpedmh.exe 1860 Gbjlaplk.exe 1620 Gehhmkko.exe 1484 Gicdnj32.exe 1644 Gpnmjd32.exe 608 Gnpmfqap.exe 1604 Gifaciae.exe 2304 Gldmoepi.exe 2056 Gaafhloq.exe 2704 Ghkndf32.exe 2596 Glgjednf.exe 2800 Gnefapmj.exe 3012 Ghmkjedk.exe 480 Gjlgfaco.exe 1216 Hafock32.exe 2208 Heakcjcd.exe 1768 Hddlof32.exe 1580 Hmmphlpp.exe 1612 Hfedqagp.exe 2992 Hicqmmfc.exe 2064 Hajinjff.exe 3068 Hifmbmda.exe 2260 Hldjnhce.exe 2268 Hdkape32.exe 1508 Hfjnla32.exe 2168 Hlffdh32.exe 1684 Hflkaq32.exe 1292 Hijgml32.exe 2416 Ipdojfgh.exe 2976 Ibckfa32.exe 1448 Iaelanmg.exe 2384 Iimcclni.exe 2320 Ilkpogmm.exe 2852 Ioilkblq.exe 2828 Ibehla32.exe 2256 Iecdhm32.exe 264 Idfdcijh.exe 2432 Ilnmdgkj.exe 2176 Ioliqbjn.exe 2560 Iajemnia.exe 2876 Idiaii32.exe 1372 Iggned32.exe 2552 Inafbooe.exe 2112 Ippbnjni.exe 1056 Idknoi32.exe 2096 Igijkd32.exe 1040 Iihfgp32.exe 1592 Incbgnmc.exe -
Loads dropped DLL 64 IoCs
pid Process 2936 a59a148cd0f5622e7e33b3ac80d6c49838a1d1f60ac9c5096bff0d8d73301e25.exe 2936 a59a148cd0f5622e7e33b3ac80d6c49838a1d1f60ac9c5096bff0d8d73301e25.exe 2808 Enlglnci.exe 2808 Enlglnci.exe 2736 Edfpih32.exe 2736 Edfpih32.exe 2740 Fbjpblip.exe 2740 Fbjpblip.exe 2648 Fgfhjcgg.exe 2648 Fgfhjcgg.exe 3008 Fjeefofk.exe 3008 Fjeefofk.exe 1560 Fqomci32.exe 1560 Fqomci32.exe 2460 Fkdaqa32.exe 2460 Fkdaqa32.exe 2164 Fncmmmma.exe 2164 Fncmmmma.exe 1748 Femeig32.exe 1748 Femeig32.exe 1244 Fjjnan32.exe 1244 Fjjnan32.exe 1272 Fqcfnhjb.exe 1272 Fqcfnhjb.exe 112 Fcbbjcif.exe 112 Fcbbjcif.exe 2664 Fjlkgn32.exe 2664 Fjlkgn32.exe 2248 Fafcdh32.exe 2248 Fafcdh32.exe 2448 Fbgpkpnn.exe 2448 Fbgpkpnn.exe 2036 Giahhj32.exe 2036 Giahhj32.exe 3040 Gpkpedmh.exe 3040 Gpkpedmh.exe 1860 Gbjlaplk.exe 1860 Gbjlaplk.exe 1620 Gehhmkko.exe 1620 Gehhmkko.exe 1484 Gicdnj32.exe 1484 Gicdnj32.exe 1644 Gpnmjd32.exe 1644 Gpnmjd32.exe 608 Gnpmfqap.exe 608 Gnpmfqap.exe 1604 Gifaciae.exe 1604 Gifaciae.exe 2304 Gldmoepi.exe 2304 Gldmoepi.exe 2056 Gaafhloq.exe 2056 Gaafhloq.exe 2704 Ghkndf32.exe 2704 Ghkndf32.exe 2596 Glgjednf.exe 2596 Glgjednf.exe 2800 Gnefapmj.exe 2800 Gnefapmj.exe 3012 Ghmkjedk.exe 3012 Ghmkjedk.exe 480 Gjlgfaco.exe 480 Gjlgfaco.exe 1216 Hafock32.exe 1216 Hafock32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ejpdai32.exe Efdhpjok.exe File created C:\Windows\SysWOW64\Imcpdkff.dll Djgkii32.exe File created C:\Windows\SysWOW64\Eogmcjef.exe Eklqcl32.exe File created C:\Windows\SysWOW64\Hjofdi32.exe Hgpjhn32.exe File opened for modification C:\Windows\SysWOW64\Nibqqh32.exe Nbhhdnlh.exe File created C:\Windows\SysWOW64\Oplelf32.exe Olpilg32.exe File created C:\Windows\SysWOW64\Dahapj32.dll Pojecajj.exe File created C:\Windows\SysWOW64\Ejmhkiig.exe Epecbd32.exe File opened for modification C:\Windows\SysWOW64\Gqiimfam.exe Gnkmqkbi.exe File created C:\Windows\SysWOW64\Kjlqgcoc.dll Ggcaiqhj.exe File created C:\Windows\SysWOW64\Ibfmbhnd.dll Jagnlkjd.exe File created C:\Windows\SysWOW64\Nncdpa32.dll Macilmnk.exe File created C:\Windows\SysWOW64\Qffhlolm.dll Eoiiijcc.exe File created C:\Windows\SysWOW64\Lhfefgkg.exe Lfhhjklc.exe File created C:\Windows\SysWOW64\Diphbfdi.exe Daipqhdg.exe File opened for modification C:\Windows\SysWOW64\Gqlebf32.exe Gmpjagfa.exe File created C:\Windows\SysWOW64\Apqcdckf.dll Pmkhjncg.exe File opened for modification C:\Windows\SysWOW64\Lneaqn32.exe Ljieppcb.exe File created C:\Windows\SysWOW64\Agjobffl.exe Process not Found File created C:\Windows\SysWOW64\Jcojqm32.dll Process not Found File created C:\Windows\SysWOW64\Fqglggcp.exe Fbdlkj32.exe File created C:\Windows\SysWOW64\Fllmhajo.dll Okdmjdol.exe File opened for modification C:\Windows\SysWOW64\Fncpef32.exe Fkecij32.exe File created C:\Windows\SysWOW64\Ongkdd32.dll Hcldhnkk.exe File created C:\Windows\SysWOW64\Knpkmqgb.dll Cpcnonob.exe File created C:\Windows\SysWOW64\Ciajik32.dll Hlccdboi.exe File created C:\Windows\SysWOW64\Kjglkm32.exe Kfkpknkq.exe File opened for modification C:\Windows\SysWOW64\Ppfomk32.exe Pmgbao32.exe File created C:\Windows\SysWOW64\Bajqfq32.exe Bnldjekl.exe File opened for modification C:\Windows\SysWOW64\Eijdkcgn.exe Eacljf32.exe File created C:\Windows\SysWOW64\Mdeobp32.dll Fjjpjgjj.exe File created C:\Windows\SysWOW64\Henjfpgi.dll Mnaiol32.exe File created C:\Windows\SysWOW64\Cmbfdl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Aojojl32.exe Akncimmh.exe File created C:\Windows\SysWOW64\Abhkfg32.exe Aojojl32.exe File opened for modification C:\Windows\SysWOW64\Ipjahd32.exe Ilofhffj.exe File created C:\Windows\SysWOW64\Idkhmgco.dll Pphkbj32.exe File opened for modification C:\Windows\SysWOW64\Gdkgkcpq.exe Gblkoham.exe File created C:\Windows\SysWOW64\Aplpbjee.dll Iimfld32.exe File created C:\Windows\SysWOW64\Bbnnnbbh.dll Opihgfop.exe File opened for modification C:\Windows\SysWOW64\Kfjggo32.exe Kbokgpgg.exe File created C:\Windows\SysWOW64\Qdojgmfe.exe Qaqnkafa.exe File created C:\Windows\SysWOW64\Pclmghko.dll Ippdgc32.exe File opened for modification C:\Windows\SysWOW64\Mkqqnq32.exe Mcjhmcok.exe File opened for modification C:\Windows\SysWOW64\Mqbbagjo.exe Mikjpiim.exe File created C:\Windows\SysWOW64\Khpjqgjc.dll Agolnbok.exe File created C:\Windows\SysWOW64\Ahbekjcf.exe Afdiondb.exe File opened for modification C:\Windows\SysWOW64\Meffhnal.exe Makjho32.exe File opened for modification C:\Windows\SysWOW64\Hfpdkl32.exe Gcahoqhf.exe File created C:\Windows\SysWOW64\Ffbafegj.dll Aopahjll.exe File created C:\Windows\SysWOW64\Injcbk32.dll Bgibnj32.exe File created C:\Windows\SysWOW64\Effeckcj.dll Hcgjmo32.exe File created C:\Windows\SysWOW64\Jmdepg32.exe Iihiphln.exe File opened for modification C:\Windows\SysWOW64\Lokgcf32.exe Lmljgj32.exe File created C:\Windows\SysWOW64\Baojapfj.exe Bnqned32.exe File created C:\Windows\SysWOW64\Eddeladm.exe Ecbhdi32.exe File created C:\Windows\SysWOW64\Opkccm32.exe Ommfga32.exe File created C:\Windows\SysWOW64\Hmglajcd.exe Hndlem32.exe File created C:\Windows\SysWOW64\Ampjoj32.dll Mmogmjmn.exe File created C:\Windows\SysWOW64\Ikmnfdoq.dll Mgjebg32.exe File opened for modification C:\Windows\SysWOW64\Dkigoimd.exe Dlfgcl32.exe File created C:\Windows\SysWOW64\Ehkhaqpk.exe Eelkeeah.exe File created C:\Windows\SysWOW64\Elfcbo32.exe Ehkhaqpk.exe File created C:\Windows\SysWOW64\Jnfomn32.exe Jjjclobg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11144 11112 Process not Found 1111 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjcckf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiomn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlioj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihiphln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqbbagjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpedeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncldi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkoncdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokgcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjlcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinklffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hflkaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halbai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbbpmgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldllgiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddimn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlglnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjcomcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpcgace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgncfcaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behilopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmcoblm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aidphq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbnkigh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iibfajdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdojgmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafbadcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpjagfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpdeogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolnbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Endjaief.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpamde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdghaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olophhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbdodnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhjhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eijdkcgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfcja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifbmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjcfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplkmgol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgchgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbboiip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akiobk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdecha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noemqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakmfh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pegqpacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knkgpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpiedieo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioooiack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poeofkoh.dll" Jkmeoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epnhci32.dll" Ldjpbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aidphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkfcag32.dll" Ejkkfjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nckljk32.dll" Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleajenp.dll" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijngkeln.dll" Enlglnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnjafd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oklnff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akncimmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpdjaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpceaipi.dll" Lhiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" Qgmpibam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gicdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkllaj32.dll" Bcjqdmla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbpipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkbaii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdoghdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeehln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldebkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhdlad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioliqbjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inaqlm32.dll" Cmmhaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacpijip.dll" Ejmhkiig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlccdboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifampo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clakmm32.dll" Jnpkflne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khcomhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaehhqjh.dll" Pmdmmalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqbecp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aennba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikcljcke.dll" Foccjood.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmfdhojb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdedjl32.dll" Opplolac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glegaime.dll" Efdhpjok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mijamjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhdhif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkjaa32.dll" Aqonbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpmcjc32.dll" Dlfgcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkchmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjlkgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbemfbdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhgkil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Padeldeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiqcmnn.dll" Njjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmpcgace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefdbdjo.dll" Obmnna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Medeaaej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naalga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnpflj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iplnnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqnfackh.dll" Nmnclmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llbqfe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2936 wrote to memory of 2808 2936 a59a148cd0f5622e7e33b3ac80d6c49838a1d1f60ac9c5096bff0d8d73301e25.exe 30 PID 2936 wrote to memory of 2808 2936 a59a148cd0f5622e7e33b3ac80d6c49838a1d1f60ac9c5096bff0d8d73301e25.exe 30 PID 2936 wrote to memory of 2808 2936 a59a148cd0f5622e7e33b3ac80d6c49838a1d1f60ac9c5096bff0d8d73301e25.exe 30 PID 2936 wrote to memory of 2808 2936 a59a148cd0f5622e7e33b3ac80d6c49838a1d1f60ac9c5096bff0d8d73301e25.exe 30 PID 2808 wrote to memory of 2736 2808 Enlglnci.exe 31 PID 2808 wrote to memory of 2736 2808 Enlglnci.exe 31 PID 2808 wrote to memory of 2736 2808 Enlglnci.exe 31 PID 2808 wrote to memory of 2736 2808 Enlglnci.exe 31 PID 2736 wrote to memory of 2740 2736 Edfpih32.exe 32 PID 2736 wrote to memory of 2740 2736 Edfpih32.exe 32 PID 2736 wrote to memory of 2740 2736 Edfpih32.exe 32 PID 2736 wrote to memory of 2740 2736 Edfpih32.exe 32 PID 2740 wrote to memory of 2648 2740 Fbjpblip.exe 33 PID 2740 wrote to memory of 2648 2740 Fbjpblip.exe 33 PID 2740 wrote to memory of 2648 2740 Fbjpblip.exe 33 PID 2740 wrote to memory of 2648 2740 Fbjpblip.exe 33 PID 2648 wrote to memory of 3008 2648 Fgfhjcgg.exe 34 PID 2648 wrote to memory of 3008 2648 Fgfhjcgg.exe 34 PID 2648 wrote to memory of 3008 2648 Fgfhjcgg.exe 34 PID 2648 wrote to memory of 3008 2648 Fgfhjcgg.exe 34 PID 3008 wrote to memory of 1560 3008 Fjeefofk.exe 35 PID 3008 wrote to memory of 1560 3008 Fjeefofk.exe 35 PID 3008 wrote to memory of 1560 3008 Fjeefofk.exe 35 PID 3008 wrote to memory of 1560 3008 Fjeefofk.exe 35 PID 1560 wrote to memory of 2460 1560 Fqomci32.exe 36 PID 1560 wrote to memory of 2460 1560 Fqomci32.exe 36 PID 1560 wrote to memory of 2460 1560 Fqomci32.exe 36 PID 1560 wrote to memory of 2460 1560 Fqomci32.exe 36 PID 2460 wrote to memory of 2164 2460 Fkdaqa32.exe 37 PID 2460 wrote to memory of 2164 2460 Fkdaqa32.exe 37 PID 2460 wrote to memory of 2164 2460 Fkdaqa32.exe 37 PID 2460 wrote to memory of 2164 2460 Fkdaqa32.exe 37 PID 2164 wrote to memory of 1748 2164 Fncmmmma.exe 38 PID 2164 wrote to memory of 1748 2164 Fncmmmma.exe 38 PID 2164 wrote to memory of 1748 2164 Fncmmmma.exe 38 PID 2164 wrote to memory of 1748 2164 Fncmmmma.exe 38 PID 1748 wrote to memory of 1244 1748 Femeig32.exe 39 PID 1748 wrote to memory of 1244 1748 Femeig32.exe 39 PID 1748 wrote to memory of 1244 1748 Femeig32.exe 39 PID 1748 wrote to memory of 1244 1748 Femeig32.exe 39 PID 1244 wrote to memory of 1272 1244 Fjjnan32.exe 40 PID 1244 wrote to memory of 1272 1244 Fjjnan32.exe 40 PID 1244 wrote to memory of 1272 1244 Fjjnan32.exe 40 PID 1244 wrote to memory of 1272 1244 Fjjnan32.exe 40 PID 1272 wrote to memory of 112 1272 Fqcfnhjb.exe 41 PID 1272 wrote to memory of 112 1272 Fqcfnhjb.exe 41 PID 1272 wrote to memory of 112 1272 Fqcfnhjb.exe 41 PID 1272 wrote to memory of 112 1272 Fqcfnhjb.exe 41 PID 112 wrote to memory of 2664 112 Fcbbjcif.exe 42 PID 112 wrote to memory of 2664 112 Fcbbjcif.exe 42 PID 112 wrote to memory of 2664 112 Fcbbjcif.exe 42 PID 112 wrote to memory of 2664 112 Fcbbjcif.exe 42 PID 2664 wrote to memory of 2248 2664 Fjlkgn32.exe 43 PID 2664 wrote to memory of 2248 2664 Fjlkgn32.exe 43 PID 2664 wrote to memory of 2248 2664 Fjlkgn32.exe 43 PID 2664 wrote to memory of 2248 2664 Fjlkgn32.exe 43 PID 2248 wrote to memory of 2448 2248 Fafcdh32.exe 44 PID 2248 wrote to memory of 2448 2248 Fafcdh32.exe 44 PID 2248 wrote to memory of 2448 2248 Fafcdh32.exe 44 PID 2248 wrote to memory of 2448 2248 Fafcdh32.exe 44 PID 2448 wrote to memory of 2036 2448 Fbgpkpnn.exe 45 PID 2448 wrote to memory of 2036 2448 Fbgpkpnn.exe 45 PID 2448 wrote to memory of 2036 2448 Fbgpkpnn.exe 45 PID 2448 wrote to memory of 2036 2448 Fbgpkpnn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a59a148cd0f5622e7e33b3ac80d6c49838a1d1f60ac9c5096bff0d8d73301e25.exe"C:\Users\Admin\AppData\Local\Temp\a59a148cd0f5622e7e33b3ac80d6c49838a1d1f60ac9c5096bff0d8d73301e25.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Fkdaqa32.exeC:\Windows\system32\Fkdaqa32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Fjjnan32.exeC:\Windows\system32\Fjjnan32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Fqcfnhjb.exeC:\Windows\system32\Fqcfnhjb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Fjlkgn32.exeC:\Windows\system32\Fjlkgn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Fbgpkpnn.exeC:\Windows\system32\Fbgpkpnn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Gpkpedmh.exeC:\Windows\system32\Gpkpedmh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608 -
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Gldmoepi.exeC:\Windows\system32\Gldmoepi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Gaafhloq.exeC:\Windows\system32\Gaafhloq.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:480 -
C:\Windows\SysWOW64\Hafock32.exeC:\Windows\system32\Hafock32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1216 -
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe33⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe34⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe35⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe36⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe37⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe39⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe40⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Hdkape32.exeC:\Windows\system32\Hdkape32.exe41⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Hfjnla32.exeC:\Windows\system32\Hfjnla32.exe42⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe43⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe45⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe46⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe47⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe48⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe49⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe50⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe52⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe53⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe54⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe55⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe57⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe58⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe59⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe61⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe62⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe63⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe64⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe65⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe66⤵PID:2972
-
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe67⤵PID:2356
-
C:\Windows\SysWOW64\Jjjclobg.exeC:\Windows\system32\Jjjclobg.exe68⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe69⤵PID:2692
-
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe70⤵PID:2640
-
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe71⤵PID:2748
-
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe72⤵
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Jjmpbopd.exeC:\Windows\system32\Jjmpbopd.exe73⤵PID:336
-
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe74⤵PID:2012
-
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe75⤵PID:1880
-
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe76⤵PID:1756
-
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe77⤵PID:1724
-
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe78⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe79⤵PID:2200
-
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe80⤵PID:2184
-
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe81⤵PID:688
-
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe82⤵PID:2140
-
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe83⤵PID:2492
-
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe85⤵PID:2932
-
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe86⤵
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe87⤵PID:988
-
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe88⤵
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe89⤵PID:836
-
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe90⤵PID:2812
-
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe91⤵PID:1740
-
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe92⤵PID:2280
-
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe93⤵PID:2440
-
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe94⤵PID:1596
-
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe95⤵PID:1500
-
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe96⤵PID:1936
-
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe97⤵PID:464
-
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe98⤵PID:2772
-
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe99⤵PID:2576
-
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe100⤵PID:532
-
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe101⤵PID:2160
-
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe102⤵PID:2864
-
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe103⤵PID:2132
-
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe104⤵PID:2912
-
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe105⤵PID:2408
-
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe106⤵PID:2352
-
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe107⤵PID:2412
-
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe108⤵PID:1848
-
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe109⤵
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe110⤵PID:2780
-
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe111⤵PID:2600
-
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe112⤵PID:2468
-
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe115⤵PID:2752
-
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe116⤵PID:2948
-
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe117⤵PID:1804
-
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe118⤵PID:2516
-
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe119⤵PID:2348
-
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe120⤵
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe121⤵PID:1716
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-