Analysis
-
max time kernel
93s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 05:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
94f66be8020914698960e384c22f639ad2537fcddbcbdb85c390d800c61120b7N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
94f66be8020914698960e384c22f639ad2537fcddbcbdb85c390d800c61120b7N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
94f66be8020914698960e384c22f639ad2537fcddbcbdb85c390d800c61120b7N.exe
-
Size
128KB
-
MD5
a5770b2c029d1f9c0cfa923f4c847090
-
SHA1
87142308c1142a47a836660721e9dbfa92eb56e4
-
SHA256
94f66be8020914698960e384c22f639ad2537fcddbcbdb85c390d800c61120b7
-
SHA512
12a19e3626843d05e847f752cb0bac24718eb24a826e39d28cc39e26d1aa30895e8f5e3939ce4beee50d073599761d1d2b136d68ccd9e3a0044974e11c3ad2b6
-
SSDEEP
3072:zT3YIF2YhogWPJ9IDlRxyhTbhgu+tAcrbFAJc+i:zTIRYygWPsDshsrtMk
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmggfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbnjdfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glbjggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhknodl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llnnmhfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micoed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bobabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnqjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkfnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnjdpaki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbphglbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbalopbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgnoki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahjgjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipkdek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Falcae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbiado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iolhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmioc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pekbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlmfeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglmio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldopb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gidnkkpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqaiecjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdajb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdinljnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcndbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibaeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejflhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbiado32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanfen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnqfcbnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feqeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aanbhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpenfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khbiello.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbgmjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkdcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkkmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpdnjple.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnnljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injmcmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgcmjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iplkpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jocnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpiqfima.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1040 Bjfjka32.exe 4680 Cqpbglno.exe 3084 Cflkpblf.exe 3896 Cmfclm32.exe 3232 Ccqkigkp.exe 3300 Cjjcfabm.exe 2308 Cadlbk32.exe 3644 Cgndoeag.exe 3828 Cmklglpn.exe 2944 Cceddf32.exe 4820 Cjomap32.exe 3476 Caienjfd.exe 1464 Ccgajfeh.exe 4704 Cgcmjd32.exe 3200 Cidjbmcp.exe 1452 Dakacjdb.exe 2764 Dgejpd32.exe 4140 Diffglam.exe 1884 Dpqodfij.exe 2148 Dhhfedil.exe 3100 Diicml32.exe 4672 Dpckjfgg.exe 2340 Dfmcfp32.exe 5004 Dmglcj32.exe 4280 Dpehof32.exe 3092 Dhlpqc32.exe 4768 Djklmo32.exe 4144 Ddcqedkk.exe 2584 Dfamapjo.exe 4360 Eagaoh32.exe 1644 Edemkd32.exe 3380 Ejpfhnpe.exe 3680 Emnbdioi.exe 4044 Eplnpeol.exe 3936 Ehcfaboo.exe 4980 Ejbbmnnb.exe 2756 Empoiimf.exe 4792 Epokedmj.exe 1824 Ehfcfb32.exe 4716 Ejdocm32.exe 2444 Embkoi32.exe 4068 Epagkd32.exe 2704 Ejflhm32.exe 3224 Eaqdegaj.exe 3056 Ehjlaaig.exe 4604 Fkihnmhj.exe 1480 Facqkg32.exe 2524 Fdamgb32.exe 3012 Fkkeclfh.exe 4696 Faenpf32.exe 4592 Fdcjlb32.exe 768 Fgbfhmll.exe 1676 Fipbdikp.exe 3032 Fpjjac32.exe 1812 Fkpool32.exe 3692 Fajgkfio.exe 1708 Fdhcgaic.exe 2780 Fkbkdkpp.exe 3516 Falcae32.exe 5052 Fdkpma32.exe 116 Gkdhjknm.exe 3144 Gaopfe32.exe 4736 Ggkiol32.exe 3484 Gaamlecg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dfnbgc32.exe Dodjjimm.exe File created C:\Windows\SysWOW64\Pplobcpp.exe Paiogf32.exe File created C:\Windows\SysWOW64\Gbpedjnb.exe Gpaihooo.exe File created C:\Windows\SysWOW64\Plmell32.dll Gaebef32.exe File opened for modification C:\Windows\SysWOW64\Emdajb32.exe Eiieicml.exe File created C:\Windows\SysWOW64\Lafnnj32.dll Knhakh32.exe File opened for modification C:\Windows\SysWOW64\Lqndhcdc.exe Lnohlgep.exe File created C:\Windows\SysWOW64\Ipflihfq.exe Ingpmmgm.exe File opened for modification C:\Windows\SysWOW64\Feqeog32.exe Fbbicl32.exe File opened for modification C:\Windows\SysWOW64\Nmhijd32.exe Njjmni32.exe File created C:\Windows\SysWOW64\Cqnnno32.dll Kiggbhda.exe File opened for modification C:\Windows\SysWOW64\Oadfkdgd.exe Ooejohhq.exe File created C:\Windows\SysWOW64\Ocmcjb32.dll Ffaong32.exe File opened for modification C:\Windows\SysWOW64\Bkphhgfc.exe Bhblllfo.exe File created C:\Windows\SysWOW64\Dognaofl.dll Kamjda32.exe File created C:\Windows\SysWOW64\Kamonn32.dll Process not Found File created C:\Windows\SysWOW64\Hdmoohbo.exe Hlegnjbm.exe File created C:\Windows\SysWOW64\Hkpmpo32.dll Odmbaj32.exe File opened for modification C:\Windows\SysWOW64\Nagiji32.exe Nnhmnn32.exe File opened for modification C:\Windows\SysWOW64\Cbbnpg32.exe Cocacl32.exe File created C:\Windows\SysWOW64\Lhnhajba.exe Likhem32.exe File created C:\Windows\SysWOW64\Mablfnne.exe Modpib32.exe File created C:\Windows\SysWOW64\Fllhjc32.dll Ocnabm32.exe File created C:\Windows\SysWOW64\Nijeec32.exe Nbqmiinl.exe File created C:\Windows\SysWOW64\Ggmgbckd.dll Nojjcj32.exe File opened for modification C:\Windows\SysWOW64\Pekbga32.exe Pcmeke32.exe File created C:\Windows\SysWOW64\Eiohdo32.dll Hlambk32.exe File opened for modification C:\Windows\SysWOW64\Knhakh32.exe Kjmfjj32.exe File created C:\Windows\SysWOW64\Abklmb32.dll Cljobphg.exe File created C:\Windows\SysWOW64\Nhhdnf32.exe Nfihbk32.exe File created C:\Windows\SysWOW64\Dhlpqc32.exe Dpehof32.exe File opened for modification C:\Windows\SysWOW64\Faenpf32.exe Fkkeclfh.exe File created C:\Windows\SysWOW64\Aomifecf.exe Ahcajk32.exe File created C:\Windows\SysWOW64\Ecbfdd32.dll Lnpofnhk.exe File opened for modification C:\Windows\SysWOW64\Jedccfqg.exe Jcfggkac.exe File opened for modification C:\Windows\SysWOW64\Monjjgkb.exe Mqkiok32.exe File opened for modification C:\Windows\SysWOW64\Ebkbbmqj.exe Eomffaag.exe File opened for modification C:\Windows\SysWOW64\Nckkfp32.exe Nqmojd32.exe File created C:\Windows\SysWOW64\Bjbalpnl.dll Dhlpqc32.exe File created C:\Windows\SysWOW64\Fdamgb32.exe Facqkg32.exe File created C:\Windows\SysWOW64\Gdfoio32.exe Gahcmd32.exe File created C:\Windows\SysWOW64\Gipdap32.exe Gbfldf32.exe File created C:\Windows\SysWOW64\Oddfcg32.dll Aahbbkaq.exe File created C:\Windows\SysWOW64\Lblldc32.dll Ibfnqmpf.exe File opened for modification C:\Windows\SysWOW64\Babcil32.exe Biklho32.exe File created C:\Windows\SysWOW64\Kqjkhbpd.dll Dgejpd32.exe File created C:\Windows\SysWOW64\Gaeaha32.dll Lkofdbkj.exe File created C:\Windows\SysWOW64\Iglhgnlj.dll Oklkdi32.exe File opened for modification C:\Windows\SysWOW64\Hmnmgnoh.exe Hkpqkcpd.exe File created C:\Windows\SysWOW64\Bgnpek32.dll Lpgmhg32.exe File created C:\Windows\SysWOW64\Ehcfaboo.exe Eplnpeol.exe File opened for modification C:\Windows\SysWOW64\Aleckinj.exe Ahjgjj32.exe File created C:\Windows\SysWOW64\Mlmgnn32.dll Bjnmpl32.exe File created C:\Windows\SysWOW64\Ekhobd32.dll Aoalgn32.exe File opened for modification C:\Windows\SysWOW64\Fbbpmb32.exe Fpdcag32.exe File created C:\Windows\SysWOW64\Hlpfhe32.exe Hefnkkkj.exe File created C:\Windows\SysWOW64\Jjpdeo32.dll Gicgpelg.exe File created C:\Windows\SysWOW64\Kadcjkfm.dll Ccpdoqgd.exe File created C:\Windows\SysWOW64\Gbabigfj.exe Gpcfmkff.exe File created C:\Windows\SysWOW64\Anaomkdb.exe Akccap32.exe File created C:\Windows\SysWOW64\Cplbfcmi.dll Ejalcgkg.exe File created C:\Windows\SysWOW64\Hejqldci.exe Hnphoj32.exe File created C:\Windows\SysWOW64\Dagdgfkf.dll Ipgkjlmg.exe File created C:\Windows\SysWOW64\Pqlhmf32.dll Hbohpn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7636 6292 Process not Found 1171 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkaobnio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llqjbhdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdnjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eehicoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gemkelcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckclhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnmbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmggfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljobpiql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjdho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilkoim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loacdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inomhbeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlmfeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngkqbgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibhpbea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coegoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diffglam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgibkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnbicff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpenfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjodla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchlpfjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefhlaie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnibokbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcgdhkem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iepaaico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofkbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqhfoebo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgajfeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbfgppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkgbcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogkmgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kakmna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljpaqmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjpnlbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhgiim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopfpgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llnnmhfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhmjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djklmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnoopdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikdcmpnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keimof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnaqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiaoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loighj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjdikqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehfcfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggbook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcniglmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebommi32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfhldel.dll" Qpbnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnneheln.dll" Hhfedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njiekege.dll" Bhldpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaohcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqadgkdb.dll" Cdecgbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkdpbpih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknmplfo.dll" Ojqcnhkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklaah32.dll" Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhafeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgpbnj32.dll" Bfgjjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeichoo.dll" Ckkiccep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lknojl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqmbmdf.dll" Fmcjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgm32.dll" Nceefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loofnccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gklnjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkohaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohkkhhmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgmdnki.dll" Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llqjbhdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mecjif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbnnbmfj.dll" Oaompd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfefkkqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkkgpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgnlkfal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbmingjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgninn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpbflg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddcqedkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epokedmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpmgll32.dll" Igchfiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgpnkdm.dll" Nemmoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kapfiqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjfbb32.dll" Lakfeodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nofefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdmkhgho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eejeiocj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgpnm32.dll" Okedcjcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geibhp32.dll" Dflmlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkchelci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekcgkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfenglqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oacoqnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galdglpd.dll" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocoick32.dll" Gnblnlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfmcfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbalpnl.dll" Dhlpqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiofld32.dll" Empoiimf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodlnfco.dll" Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohkkhhmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpecpo32.dll" Klbnajqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qohpkf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1588 wrote to memory of 1040 1588 94f66be8020914698960e384c22f639ad2537fcddbcbdb85c390d800c61120b7N.exe 82 PID 1588 wrote to memory of 1040 1588 94f66be8020914698960e384c22f639ad2537fcddbcbdb85c390d800c61120b7N.exe 82 PID 1588 wrote to memory of 1040 1588 94f66be8020914698960e384c22f639ad2537fcddbcbdb85c390d800c61120b7N.exe 82 PID 1040 wrote to memory of 4680 1040 Bjfjka32.exe 83 PID 1040 wrote to memory of 4680 1040 Bjfjka32.exe 83 PID 1040 wrote to memory of 4680 1040 Bjfjka32.exe 83 PID 4680 wrote to memory of 3084 4680 Cqpbglno.exe 84 PID 4680 wrote to memory of 3084 4680 Cqpbglno.exe 84 PID 4680 wrote to memory of 3084 4680 Cqpbglno.exe 84 PID 3084 wrote to memory of 3896 3084 Cflkpblf.exe 86 PID 3084 wrote to memory of 3896 3084 Cflkpblf.exe 86 PID 3084 wrote to memory of 3896 3084 Cflkpblf.exe 86 PID 3896 wrote to memory of 3232 3896 Cmfclm32.exe 87 PID 3896 wrote to memory of 3232 3896 Cmfclm32.exe 87 PID 3896 wrote to memory of 3232 3896 Cmfclm32.exe 87 PID 3232 wrote to memory of 3300 3232 Ccqkigkp.exe 88 PID 3232 wrote to memory of 3300 3232 Ccqkigkp.exe 88 PID 3232 wrote to memory of 3300 3232 Ccqkigkp.exe 88 PID 3300 wrote to memory of 2308 3300 Cjjcfabm.exe 90 PID 3300 wrote to memory of 2308 3300 Cjjcfabm.exe 90 PID 3300 wrote to memory of 2308 3300 Cjjcfabm.exe 90 PID 2308 wrote to memory of 3644 2308 Cadlbk32.exe 91 PID 2308 wrote to memory of 3644 2308 Cadlbk32.exe 91 PID 2308 wrote to memory of 3644 2308 Cadlbk32.exe 91 PID 3644 wrote to memory of 3828 3644 Cgndoeag.exe 92 PID 3644 wrote to memory of 3828 3644 Cgndoeag.exe 92 PID 3644 wrote to memory of 3828 3644 Cgndoeag.exe 92 PID 3828 wrote to memory of 2944 3828 Cmklglpn.exe 94 PID 3828 wrote to memory of 2944 3828 Cmklglpn.exe 94 PID 3828 wrote to memory of 2944 3828 Cmklglpn.exe 94 PID 2944 wrote to memory of 4820 2944 Cceddf32.exe 95 PID 2944 wrote to memory of 4820 2944 Cceddf32.exe 95 PID 2944 wrote to memory of 4820 2944 Cceddf32.exe 95 PID 4820 wrote to memory of 3476 4820 Cjomap32.exe 96 PID 4820 wrote to memory of 3476 4820 Cjomap32.exe 96 PID 4820 wrote to memory of 3476 4820 Cjomap32.exe 96 PID 3476 wrote to memory of 1464 3476 Caienjfd.exe 97 PID 3476 wrote to memory of 1464 3476 Caienjfd.exe 97 PID 3476 wrote to memory of 1464 3476 Caienjfd.exe 97 PID 1464 wrote to memory of 4704 1464 Ccgajfeh.exe 98 PID 1464 wrote to memory of 4704 1464 Ccgajfeh.exe 98 PID 1464 wrote to memory of 4704 1464 Ccgajfeh.exe 98 PID 4704 wrote to memory of 3200 4704 Cgcmjd32.exe 99 PID 4704 wrote to memory of 3200 4704 Cgcmjd32.exe 99 PID 4704 wrote to memory of 3200 4704 Cgcmjd32.exe 99 PID 3200 wrote to memory of 1452 3200 Cidjbmcp.exe 100 PID 3200 wrote to memory of 1452 3200 Cidjbmcp.exe 100 PID 3200 wrote to memory of 1452 3200 Cidjbmcp.exe 100 PID 1452 wrote to memory of 2764 1452 Dakacjdb.exe 101 PID 1452 wrote to memory of 2764 1452 Dakacjdb.exe 101 PID 1452 wrote to memory of 2764 1452 Dakacjdb.exe 101 PID 2764 wrote to memory of 4140 2764 Dgejpd32.exe 102 PID 2764 wrote to memory of 4140 2764 Dgejpd32.exe 102 PID 2764 wrote to memory of 4140 2764 Dgejpd32.exe 102 PID 4140 wrote to memory of 1884 4140 Diffglam.exe 103 PID 4140 wrote to memory of 1884 4140 Diffglam.exe 103 PID 4140 wrote to memory of 1884 4140 Diffglam.exe 103 PID 1884 wrote to memory of 2148 1884 Dpqodfij.exe 104 PID 1884 wrote to memory of 2148 1884 Dpqodfij.exe 104 PID 1884 wrote to memory of 2148 1884 Dpqodfij.exe 104 PID 2148 wrote to memory of 3100 2148 Dhhfedil.exe 105 PID 2148 wrote to memory of 3100 2148 Dhhfedil.exe 105 PID 2148 wrote to memory of 3100 2148 Dhhfedil.exe 105 PID 3100 wrote to memory of 4672 3100 Diicml32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\94f66be8020914698960e384c22f639ad2537fcddbcbdb85c390d800c61120b7N.exe"C:\Users\Admin\AppData\Local\Temp\94f66be8020914698960e384c22f639ad2537fcddbcbdb85c390d800c61120b7N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe23⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe25⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4280 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3092 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4768 -
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4144 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe30⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe31⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe32⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe33⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe34⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4044 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe36⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe37⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:4792 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe41⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe42⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe43⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe45⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe46⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe47⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe49⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe51⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe52⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe53⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe54⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe55⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe56⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe57⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe58⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe59⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe61⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe62⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe63⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe64⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe65⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe66⤵PID:3640
-
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe67⤵PID:4480
-
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe68⤵PID:4508
-
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe69⤵PID:4816
-
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe70⤵PID:4496
-
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe71⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe72⤵PID:2592
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe73⤵PID:5080
-
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe74⤵
- System Location Discovery: System Language Discovery
PID:3168 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe75⤵PID:2484
-
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe76⤵
- Drops file in System32 directory
PID:4560 -
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe77⤵
- System Location Discovery: System Language Discovery
PID:4880 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe78⤵PID:1980
-
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe79⤵PID:4384
-
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe80⤵
- System Location Discovery: System Language Discovery
PID:3716 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe81⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe82⤵PID:1712
-
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe83⤵PID:3688
-
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4588 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe85⤵
- Modifies registry class
PID:4568 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe86⤵PID:4948
-
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe87⤵PID:3148
-
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe88⤵PID:2276
-
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe89⤵PID:2892
-
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe90⤵
- Modifies registry class
PID:4492 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe91⤵PID:516
-
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe92⤵
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe93⤵PID:4356
-
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe94⤵
- System Location Discovery: System Language Discovery
PID:4740 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe95⤵PID:2328
-
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe96⤵PID:4484
-
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe97⤵PID:2232
-
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe98⤵PID:4700
-
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe99⤵PID:1108
-
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe100⤵PID:3536
-
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe101⤵PID:4348
-
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe102⤵PID:1056
-
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe103⤵PID:4512
-
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe104⤵PID:5024
-
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe105⤵PID:4748
-
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe106⤵PID:4064
-
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3360 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe108⤵
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe109⤵
- Drops file in System32 directory
PID:5172 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe110⤵PID:5220
-
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe111⤵PID:5264
-
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe112⤵PID:5308
-
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe113⤵PID:5352
-
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe114⤵PID:5392
-
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe115⤵PID:5436
-
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe116⤵PID:5468
-
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5520 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe118⤵PID:5564
-
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe119⤵
- Drops file in System32 directory
PID:5604 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe120⤵PID:5636
-
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe121⤵PID:5692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-