Analysis
-
max time kernel
95s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-01-2025 04:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8f0fc2b8b5f8a71e77ee26ed5ef7000e0a37fb6a923e6ee6783ea97ff25436f9.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
8f0fc2b8b5f8a71e77ee26ed5ef7000e0a37fb6a923e6ee6783ea97ff25436f9.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
8f0fc2b8b5f8a71e77ee26ed5ef7000e0a37fb6a923e6ee6783ea97ff25436f9.exe
-
Size
96KB
-
MD5
abd69a6477ac10c807dcaad26ea7fdf3
-
SHA1
5fb29bc14d19a6cfa5324bb515927fe61ad28b60
-
SHA256
8f0fc2b8b5f8a71e77ee26ed5ef7000e0a37fb6a923e6ee6783ea97ff25436f9
-
SHA512
9fbc4ca921cdb061f1eb7df5664b893d19163c2ad20082a0084c9738a5af6625e0c7d593425b16af0ab5fd39ce31beacacb7624e766207913d6775e86952c3fa
-
SSDEEP
1536:dlplAEyQ8kF0N5YVZtzxEMnq2Lz7RZObZUUWaegPYAy:JikuNOVjFF3zClUUWaeP
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgmpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglkoeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckmehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oejbfmpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iedjmioj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiglnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqimikfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eomffaag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogcnmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbcplpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjccdkki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajohjon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hipmfjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojbacd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iidphgcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqpcjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nabfjpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkipkani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badanigc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikmbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkdaepb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkndie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaajhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapppn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqbdldnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hehkajig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfgmnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihibbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpeiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljhefhha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfcabp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooclapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemdlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkofga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anclbkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkokcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jihbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olicnfco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlolpq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqppci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oalipoiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblimcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afbgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bheplb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqmmmmph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkmjjaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iolhkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilccoh32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1648 Bhcjqinf.exe 1688 Bombmcec.exe 3584 Bfgjjm32.exe 2420 Bmabggdm.exe 4084 Bopocbcq.exe 3092 Cfigpm32.exe 4160 Cmcolgbj.exe 4368 Cobkhb32.exe 512 Cjgpfk32.exe 2056 Cmflbf32.exe 3156 Codhnb32.exe 2696 Cfnqklgh.exe 3740 Cimmggfl.exe 3548 Cmhigf32.exe 3432 Cbeapmll.exe 4424 Cjliajmo.exe 404 Ckmehb32.exe 4380 Ccdnjp32.exe 1360 Cjnffjkl.exe 2220 Cmmbbejp.exe 820 Coknoaic.exe 2008 Dbjkkl32.exe 4952 Djqblj32.exe 2192 Dkbocbog.exe 3560 Dcigeooj.exe 1784 Djcoai32.exe 2428 Dpphjp32.exe 2376 Dfjpfj32.exe 2888 Dmdhcddh.exe 1084 Dflmlj32.exe 2844 Dpdaepai.exe 3492 Dimenegi.exe 4352 Eiobceef.exe 3628 Ebhglj32.exe 4872 Eplgeokq.exe 1228 Elbhjp32.exe 4184 Ejchhgid.exe 4488 Eleepoob.exe 4440 Ebommi32.exe 3968 Ejfeng32.exe 452 Elgaeolp.exe 4452 Fcniglmb.exe 2900 Fikbocki.exe 2704 Fdqfll32.exe 4508 Ffobhg32.exe 844 Fmikeaap.exe 3756 Fdccbl32.exe 1628 Fjmkoeqi.exe 2280 Flngfn32.exe 1076 Fpjcgm32.exe 4412 Fjohde32.exe 1772 Fibhpbea.exe 4268 Fdglmkeg.exe 1680 Fffhifdk.exe 3732 Fmpqfq32.exe 2824 Gdjibj32.exe 3168 Gfheof32.exe 768 Gmbmkpie.exe 4648 Gpqjglii.exe 3608 Gjfnedho.exe 2540 Glgjlm32.exe 4364 Gdobnj32.exe 3288 Gfmojenc.exe 2180 Gljgbllj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jhglpo32.dll Clchbqoo.exe File created C:\Windows\SysWOW64\Lobjni32.exe Lmdnbn32.exe File created C:\Windows\SysWOW64\Goniok32.dll Ihdldn32.exe File created C:\Windows\SysWOW64\Inmdohhp.dll Kcmfnd32.exe File created C:\Windows\SysWOW64\Fbdehlip.exe Fgoakc32.exe File created C:\Windows\SysWOW64\Benibond.dll Jllhpkfk.exe File created C:\Windows\SysWOW64\Gdaociml.exe Gljgbllj.exe File opened for modification C:\Windows\SysWOW64\Aolblopj.exe Alnfpcag.exe File created C:\Windows\SysWOW64\Cndeii32.exe Clchbqoo.exe File created C:\Windows\SysWOW64\Dfnbgc32.exe Dngjff32.exe File created C:\Windows\SysWOW64\Hohahelb.dll Hfhgkmpj.exe File created C:\Windows\SysWOW64\Foapaa32.exe Fkfcqb32.exe File created C:\Windows\SysWOW64\Ncpeaoih.exe Nodiqp32.exe File opened for modification C:\Windows\SysWOW64\Nijqcf32.exe Nfldgk32.exe File created C:\Windows\SysWOW64\Bhcjqinf.exe 8f0fc2b8b5f8a71e77ee26ed5ef7000e0a37fb6a923e6ee6783ea97ff25436f9.exe File created C:\Windows\SysWOW64\Faeghb32.dll Domdjj32.exe File opened for modification C:\Windows\SysWOW64\Ombcji32.exe Ofhknodl.exe File created C:\Windows\SysWOW64\Pmiikh32.exe Pjkmomfn.exe File created C:\Windows\SysWOW64\Bkibgh32.exe Bhkfkmmg.exe File opened for modification C:\Windows\SysWOW64\Kpiqfima.exe Khbiello.exe File created C:\Windows\SysWOW64\Hlcjhkdp.exe Hkbmqb32.exe File created C:\Windows\SysWOW64\Baadiiif.exe Bochmn32.exe File opened for modification C:\Windows\SysWOW64\Kgdpni32.exe Kcidmkpq.exe File opened for modification C:\Windows\SysWOW64\Ncnofeof.exe Nqpcjj32.exe File opened for modification C:\Windows\SysWOW64\Jlbejloe.exe Iehmmb32.exe File opened for modification C:\Windows\SysWOW64\Ipmbjgpi.exe Ijcjmmil.exe File created C:\Windows\SysWOW64\Lqpamb32.exe Lnadagbm.exe File created C:\Windows\SysWOW64\Nnkpnclp.exe Njpdnedf.exe File opened for modification C:\Windows\SysWOW64\Doaneiop.exe Digehphc.exe File opened for modification C:\Windows\SysWOW64\Ocaebc32.exe Opeiadfg.exe File opened for modification C:\Windows\SysWOW64\Fkfcqb32.exe Figgdg32.exe File created C:\Windows\SysWOW64\Dcdcmh32.dll Fmpqfq32.exe File opened for modification C:\Windows\SysWOW64\Hipmfjee.exe Gbeejp32.exe File created C:\Windows\SysWOW64\Dohjem32.dll Kjlopc32.exe File opened for modification C:\Windows\SysWOW64\Hpioin32.exe Hioflcbj.exe File created C:\Windows\SysWOW64\Mbgeqmjp.exe Mpeiie32.exe File created C:\Windows\SysWOW64\Nhoped32.dll Pimfpc32.exe File created C:\Windows\SysWOW64\Mmihfl32.dll Cnaaib32.exe File created C:\Windows\SysWOW64\Hifmmb32.exe Hbldphde.exe File created C:\Windows\SysWOW64\Ohpfbb32.dll Kqdaadln.exe File created C:\Windows\SysWOW64\Ihejacdm.dll Mnfnlf32.exe File opened for modification C:\Windows\SysWOW64\Dngjff32.exe Dodjjimm.exe File created C:\Windows\SysWOW64\Mcpcdg32.exe Mmfkhmdi.exe File created C:\Windows\SysWOW64\Gdglhf32.dll Njmqnobn.exe File opened for modification C:\Windows\SysWOW64\Pjbcplpe.exe Phcgcqab.exe File created C:\Windows\SysWOW64\Hejeak32.dll Pmkofa32.exe File opened for modification C:\Windows\SysWOW64\Fibhpbea.exe Fjohde32.exe File created C:\Windows\SysWOW64\Blnoga32.exe Bedgjgkg.exe File created C:\Windows\SysWOW64\Qgjamboa.dll Iebngial.exe File opened for modification C:\Windows\SysWOW64\Fikbocki.exe Fcniglmb.exe File created C:\Windows\SysWOW64\Djiiimel.dll Igigla32.exe File created C:\Windows\SysWOW64\Oakbehfe.exe Onmfimga.exe File created C:\Windows\SysWOW64\Hkhcdb32.dll Hiacacpg.exe File opened for modification C:\Windows\SysWOW64\Coohhlpe.exe Ckclhn32.exe File opened for modification C:\Windows\SysWOW64\Dhclmp32.exe Dfdpad32.exe File created C:\Windows\SysWOW64\Aijqqd32.dll Hffken32.exe File created C:\Windows\SysWOW64\Gijmad32.exe Gbpedjnb.exe File created C:\Windows\SysWOW64\Pfigmnlg.dll Nodiqp32.exe File created C:\Windows\SysWOW64\Jhkilook.dll Edplhjhi.exe File created C:\Windows\SysWOW64\Ennqfenp.exe Eokqkh32.exe File opened for modification C:\Windows\SysWOW64\Kgiiiidd.exe Kpoalo32.exe File created C:\Windows\SysWOW64\Bahdob32.exe Bknlbhhe.exe File opened for modification C:\Windows\SysWOW64\Pfhmjf32.exe Pciqnk32.exe File created C:\Windows\SysWOW64\Glgjlm32.exe Gjfnedho.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 16088 15864 WerFault.exe 869 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aafemk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiaael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koodbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdcpkll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajhndkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhiemoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjnffjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkjnfkma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknlbhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmphaaln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pecellgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedgjgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfmqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblimcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqkiok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbnnpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfegk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iajdgcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmdnbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehndnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncabfkqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffcpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmeigg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiblk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggbcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieccbbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhckcgpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddligq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdjbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eohmkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebommi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqmhnko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhboolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppolhcnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpcecb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjknfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edplhjhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmikeaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepjkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjnnbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iolhkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohqnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eomffaag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbihjifh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjlcjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogpjbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcidmkpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gemkelcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnadagbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbnjdfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmqnobn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkqhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjmjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keimof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkidm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnmkfh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjnppabn.dll" Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agdcpkll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chfegk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkfcqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjliajmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcedencn.dll" Qdbdcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alnfpcag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmfhkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahmjjoig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcoaln32.dll" Eohmkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klekfinp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkbocbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bomkcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebdcld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgobjmp.dll" Nndjndbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqecq32.dll" Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdjfee32.dll" Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Filclgic.dll" Geaepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkeml32.dll" Fbbicl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hehdfdek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekdnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnaqk32.dll" Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koonge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olicnfco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqojdee.dll" Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kedlip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll" Llcghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbopqlen.dll" Phigif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlbejloe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffobhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icnklbmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcphab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Malpia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnfaohbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhhiemoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geanfelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfkbfh32.dll" Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cammjakm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljaoeini.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mapppn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfgklkoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hecjke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hckeoeno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maiccajf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjlopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpfgmnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmdnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll" Adcjop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjgdg32.dll" Akepfpcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gihgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgnbdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jifecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdkaadn.dll" Cmmbbejp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3496 wrote to memory of 1648 3496 8f0fc2b8b5f8a71e77ee26ed5ef7000e0a37fb6a923e6ee6783ea97ff25436f9.exe 82 PID 3496 wrote to memory of 1648 3496 8f0fc2b8b5f8a71e77ee26ed5ef7000e0a37fb6a923e6ee6783ea97ff25436f9.exe 82 PID 3496 wrote to memory of 1648 3496 8f0fc2b8b5f8a71e77ee26ed5ef7000e0a37fb6a923e6ee6783ea97ff25436f9.exe 82 PID 1648 wrote to memory of 1688 1648 Bhcjqinf.exe 83 PID 1648 wrote to memory of 1688 1648 Bhcjqinf.exe 83 PID 1648 wrote to memory of 1688 1648 Bhcjqinf.exe 83 PID 1688 wrote to memory of 3584 1688 Bombmcec.exe 84 PID 1688 wrote to memory of 3584 1688 Bombmcec.exe 84 PID 1688 wrote to memory of 3584 1688 Bombmcec.exe 84 PID 3584 wrote to memory of 2420 3584 Bfgjjm32.exe 85 PID 3584 wrote to memory of 2420 3584 Bfgjjm32.exe 85 PID 3584 wrote to memory of 2420 3584 Bfgjjm32.exe 85 PID 2420 wrote to memory of 4084 2420 Bmabggdm.exe 86 PID 2420 wrote to memory of 4084 2420 Bmabggdm.exe 86 PID 2420 wrote to memory of 4084 2420 Bmabggdm.exe 86 PID 4084 wrote to memory of 3092 4084 Bopocbcq.exe 87 PID 4084 wrote to memory of 3092 4084 Bopocbcq.exe 87 PID 4084 wrote to memory of 3092 4084 Bopocbcq.exe 87 PID 3092 wrote to memory of 4160 3092 Cfigpm32.exe 88 PID 3092 wrote to memory of 4160 3092 Cfigpm32.exe 88 PID 3092 wrote to memory of 4160 3092 Cfigpm32.exe 88 PID 4160 wrote to memory of 4368 4160 Cmcolgbj.exe 89 PID 4160 wrote to memory of 4368 4160 Cmcolgbj.exe 89 PID 4160 wrote to memory of 4368 4160 Cmcolgbj.exe 89 PID 4368 wrote to memory of 512 4368 Cobkhb32.exe 90 PID 4368 wrote to memory of 512 4368 Cobkhb32.exe 90 PID 4368 wrote to memory of 512 4368 Cobkhb32.exe 90 PID 512 wrote to memory of 2056 512 Cjgpfk32.exe 91 PID 512 wrote to memory of 2056 512 Cjgpfk32.exe 91 PID 512 wrote to memory of 2056 512 Cjgpfk32.exe 91 PID 2056 wrote to memory of 3156 2056 Cmflbf32.exe 92 PID 2056 wrote to memory of 3156 2056 Cmflbf32.exe 92 PID 2056 wrote to memory of 3156 2056 Cmflbf32.exe 92 PID 3156 wrote to memory of 2696 3156 Codhnb32.exe 93 PID 3156 wrote to memory of 2696 3156 Codhnb32.exe 93 PID 3156 wrote to memory of 2696 3156 Codhnb32.exe 93 PID 2696 wrote to memory of 3740 2696 Cfnqklgh.exe 94 PID 2696 wrote to memory of 3740 2696 Cfnqklgh.exe 94 PID 2696 wrote to memory of 3740 2696 Cfnqklgh.exe 94 PID 3740 wrote to memory of 3548 3740 Cimmggfl.exe 95 PID 3740 wrote to memory of 3548 3740 Cimmggfl.exe 95 PID 3740 wrote to memory of 3548 3740 Cimmggfl.exe 95 PID 3548 wrote to memory of 3432 3548 Cmhigf32.exe 96 PID 3548 wrote to memory of 3432 3548 Cmhigf32.exe 96 PID 3548 wrote to memory of 3432 3548 Cmhigf32.exe 96 PID 3432 wrote to memory of 4424 3432 Cbeapmll.exe 97 PID 3432 wrote to memory of 4424 3432 Cbeapmll.exe 97 PID 3432 wrote to memory of 4424 3432 Cbeapmll.exe 97 PID 4424 wrote to memory of 404 4424 Cjliajmo.exe 98 PID 4424 wrote to memory of 404 4424 Cjliajmo.exe 98 PID 4424 wrote to memory of 404 4424 Cjliajmo.exe 98 PID 404 wrote to memory of 4380 404 Ckmehb32.exe 99 PID 404 wrote to memory of 4380 404 Ckmehb32.exe 99 PID 404 wrote to memory of 4380 404 Ckmehb32.exe 99 PID 4380 wrote to memory of 1360 4380 Ccdnjp32.exe 100 PID 4380 wrote to memory of 1360 4380 Ccdnjp32.exe 100 PID 4380 wrote to memory of 1360 4380 Ccdnjp32.exe 100 PID 1360 wrote to memory of 2220 1360 Cjnffjkl.exe 101 PID 1360 wrote to memory of 2220 1360 Cjnffjkl.exe 101 PID 1360 wrote to memory of 2220 1360 Cjnffjkl.exe 101 PID 2220 wrote to memory of 820 2220 Cmmbbejp.exe 102 PID 2220 wrote to memory of 820 2220 Cmmbbejp.exe 102 PID 2220 wrote to memory of 820 2220 Cmmbbejp.exe 102 PID 820 wrote to memory of 2008 820 Coknoaic.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f0fc2b8b5f8a71e77ee26ed5ef7000e0a37fb6a923e6ee6783ea97ff25436f9.exe"C:\Users\Admin\AppData\Local\Temp\8f0fc2b8b5f8a71e77ee26ed5ef7000e0a37fb6a923e6ee6783ea97ff25436f9.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe23⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe24⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe26⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe27⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe28⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe29⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe30⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe31⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe32⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe33⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe34⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe35⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe36⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe37⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe38⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe39⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4440 -
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe41⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe42⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4452 -
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe44⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe45⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4508 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe48⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe49⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe50⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe51⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4412 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe53⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe54⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe55⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3732 -
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe57⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe58⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe59⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe60⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3608 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe62⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe63⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe64⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe66⤵PID:4244
-
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe67⤵PID:1732
-
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe68⤵PID:4916
-
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe69⤵PID:4336
-
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe70⤵PID:4908
-
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe71⤵PID:3944
-
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe72⤵
- Modifies registry class
PID:4720 -
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe73⤵PID:3816
-
C:\Windows\SysWOW64\Hmnmgnoh.exeC:\Windows\system32\Hmnmgnoh.exe74⤵PID:3760
-
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe75⤵
- Modifies registry class
PID:4536 -
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe76⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe77⤵PID:3916
-
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe78⤵PID:5060
-
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe79⤵PID:2196
-
C:\Windows\SysWOW64\Hlegnjbm.exeC:\Windows\system32\Hlegnjbm.exe80⤵PID:2896
-
C:\Windows\SysWOW64\Hkfglb32.exeC:\Windows\system32\Hkfglb32.exe81⤵PID:3376
-
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe82⤵PID:1864
-
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe83⤵PID:2276
-
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:544 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe85⤵PID:2956
-
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe86⤵PID:3896
-
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe87⤵PID:3192
-
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe88⤵PID:3428
-
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe89⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe90⤵
- Modifies registry class
PID:4332 -
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe91⤵
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe92⤵PID:5068
-
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe93⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe94⤵PID:2776
-
C:\Windows\SysWOW64\Icknfcol.exeC:\Windows\system32\Icknfcol.exe95⤵PID:4320
-
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe96⤵PID:3360
-
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe97⤵PID:1608
-
C:\Windows\SysWOW64\Ilccoh32.exeC:\Windows\system32\Ilccoh32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3296 -
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe99⤵
- Modifies registry class
PID:3188 -
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe100⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe101⤵PID:3544
-
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe104⤵
- Modifies registry class
PID:3996 -
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe105⤵PID:5048
-
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe106⤵PID:1132
-
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe107⤵PID:2464
-
C:\Windows\SysWOW64\Jjlmclqa.exeC:\Windows\system32\Jjlmclqa.exe108⤵PID:3512
-
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe109⤵PID:1528
-
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe110⤵
- System Location Discovery: System Language Discovery
PID:4956 -
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe111⤵PID:3468
-
C:\Windows\SysWOW64\Jnjejjgh.exeC:\Windows\system32\Jnjejjgh.exe112⤵PID:2884
-
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe113⤵PID:1176
-
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe114⤵PID:2904
-
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe115⤵PID:2760
-
C:\Windows\SysWOW64\Jcikgacl.exeC:\Windows\system32\Jcikgacl.exe116⤵PID:3504
-
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe117⤵PID:2988
-
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3112 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe119⤵PID:1252
-
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe120⤵PID:4664
-
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe121⤵
- System Location Discovery: System Language Discovery
PID:2468
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-