Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 04:20
Static task
static1
Behavioral task
behavioral1
Sample
c8dfd78990cabf6099fa4f437ceff19bbdf32abe5b796d2fe8aa8bca82356503.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
c8dfd78990cabf6099fa4f437ceff19bbdf32abe5b796d2fe8aa8bca82356503.exe
Resource
win10v2004-20241007-en
General
-
Target
c8dfd78990cabf6099fa4f437ceff19bbdf32abe5b796d2fe8aa8bca82356503.exe
-
Size
63KB
-
MD5
8347449bd79eff581297b7a92316f315
-
SHA1
8b6e5a580aa0793ab2570147510fc95da883962b
-
SHA256
c8dfd78990cabf6099fa4f437ceff19bbdf32abe5b796d2fe8aa8bca82356503
-
SHA512
f4133f7000c5e79411d10a440067f4322019ca7d8fc18e03f89262a26f4c9a3af6f9d1248f0bc76ae3f5aec15aad4a2b8b39872201ff569c34ad0922e246f6c4
-
SSDEEP
1536:W8jWmyQ0Hw6TekFwhDTYKjLYkXB/fSC3CowH1juIZo:W/X5WFTYKHYkXZfSC3wH1juIZo
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajfcgoec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neemgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibebeqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgjpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdklnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlnghj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfhghgie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgmah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcdnpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalaoipc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehaaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjbpoeoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhppo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndqokc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjihk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdqfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eidchjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njgeel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbgefa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ailboh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noplmlok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadbfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kahciaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojakdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pobgjhgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bodhjdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifhgcgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqemeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faljqcmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmecdgbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kelqff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahoodqi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkioho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddinn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foqadnpq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhndcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noojfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iokahhac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjddnjdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjppmlhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dadehh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfiofefm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjqdjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgalnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikibkhla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhmpbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkdda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lchclmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bonenbgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpajmkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnelmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbpmbndm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eahkag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijkjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cniajdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfcjiodd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgijbede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hilghaqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeicenni.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2456 Mgkbjb32.exe 2924 Mpcgbhig.exe 2836 Nepokogo.exe 1752 Nhcebj32.exe 2692 Nlanhh32.exe 1120 Nhhominh.exe 432 Ogmkne32.exe 1412 Oabplobe.exe 2972 Ollqllod.exe 2212 Ojpaeq32.exe 1960 Ojbnkp32.exe 588 Obnbpb32.exe 2380 Pdnkanfg.exe 2276 Podpoffm.exe 2116 Pecelm32.exe 976 Pjpmdd32.exe 988 Pbgefa32.exe 824 Qcjoci32.exe 1288 Qghgigkn.exe 2240 Apclnj32.exe 2052 Apfici32.exe 1692 Almihjlj.exe 2260 Abinjdad.exe 2568 Alaccj32.exe 1580 Bldpiifb.exe 2560 Beldao32.exe 2880 Bodhjdcc.exe 2928 Bphaglgo.exe 2764 Biqfpb32.exe 2932 Blaobmkq.exe 2752 Cggcofkf.exe 2660 Ciglaa32.exe 2616 Codeih32.exe 3032 Chmibmlo.exe 836 Cniajdkg.exe 2372 Ckmbdh32.exe 1280 Cagjqbam.exe 688 Chabmm32.exe 1680 Dnqhkcdo.exe 2384 Dfniee32.exe 2512 Dcdfdi32.exe 2392 Ebicee32.exe 2516 Enpdjfgj.exe 2136 Egihcl32.exe 1736 Ebnmpemq.exe 304 Egkehllh.exe 1608 Edofbpja.exe 2468 Engjkeab.exe 2304 Fcdbcloi.exe 1440 Ffboohnm.exe 1524 Fbipdi32.exe 2168 Fmodaadg.exe 1076 Fejifdab.exe 1676 Fldabn32.exe 2672 Felekcop.exe 396 Flfnhnfm.exe 2628 Feobac32.exe 2096 Ghmnmo32.exe 368 Gbbbjg32.exe 780 Gjngoj32.exe 2440 Gdflgo32.exe 980 Gjpddigo.exe 1328 Gajlac32.exe 2632 Ghddnnfi.exe -
Loads dropped DLL 64 IoCs
pid Process 2900 c8dfd78990cabf6099fa4f437ceff19bbdf32abe5b796d2fe8aa8bca82356503.exe 2900 c8dfd78990cabf6099fa4f437ceff19bbdf32abe5b796d2fe8aa8bca82356503.exe 2456 Mgkbjb32.exe 2456 Mgkbjb32.exe 2924 Mpcgbhig.exe 2924 Mpcgbhig.exe 2836 Nepokogo.exe 2836 Nepokogo.exe 1752 Nhcebj32.exe 1752 Nhcebj32.exe 2692 Nlanhh32.exe 2692 Nlanhh32.exe 1120 Nhhominh.exe 1120 Nhhominh.exe 432 Ogmkne32.exe 432 Ogmkne32.exe 1412 Oabplobe.exe 1412 Oabplobe.exe 2972 Ollqllod.exe 2972 Ollqllod.exe 2212 Ojpaeq32.exe 2212 Ojpaeq32.exe 1960 Ojbnkp32.exe 1960 Ojbnkp32.exe 588 Obnbpb32.exe 588 Obnbpb32.exe 2380 Pdnkanfg.exe 2380 Pdnkanfg.exe 2276 Podpoffm.exe 2276 Podpoffm.exe 2116 Pecelm32.exe 2116 Pecelm32.exe 976 Pjpmdd32.exe 976 Pjpmdd32.exe 988 Pbgefa32.exe 988 Pbgefa32.exe 824 Qcjoci32.exe 824 Qcjoci32.exe 1288 Qghgigkn.exe 1288 Qghgigkn.exe 2240 Apclnj32.exe 2240 Apclnj32.exe 2052 Apfici32.exe 2052 Apfici32.exe 1692 Almihjlj.exe 1692 Almihjlj.exe 2260 Abinjdad.exe 2260 Abinjdad.exe 2568 Alaccj32.exe 2568 Alaccj32.exe 1580 Bldpiifb.exe 1580 Bldpiifb.exe 1536 Bfmqigba.exe 1536 Bfmqigba.exe 2880 Bodhjdcc.exe 2880 Bodhjdcc.exe 2928 Bphaglgo.exe 2928 Bphaglgo.exe 2764 Biqfpb32.exe 2764 Biqfpb32.exe 2932 Blaobmkq.exe 2932 Blaobmkq.exe 2752 Cggcofkf.exe 2752 Cggcofkf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Afngoand.exe Abpohb32.exe File created C:\Windows\SysWOW64\Kghbmiik.dll Hnikmnho.exe File opened for modification C:\Windows\SysWOW64\Nenaho32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hhfcnb32.exe Process not Found File created C:\Windows\SysWOW64\Pjibmbqj.dll Pdnkanfg.exe File opened for modification C:\Windows\SysWOW64\Mffkgl32.exe Meeopdhb.exe File created C:\Windows\SysWOW64\Opbkcp32.dll Process not Found File created C:\Windows\SysWOW64\Egikle32.exe Ealbcngg.exe File created C:\Windows\SysWOW64\Dadehh32.exe Dgoakpjn.exe File created C:\Windows\SysWOW64\Klilah32.dll Mfamko32.exe File created C:\Windows\SysWOW64\Nkbdbbop.exe Nfeljlqh.exe File created C:\Windows\SysWOW64\Hhgceh32.dll Bboahbio.exe File created C:\Windows\SysWOW64\Jallbb32.dll Fipdqmje.exe File created C:\Windows\SysWOW64\Ibofgebi.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fcdbcloi.exe Engjkeab.exe File opened for modification C:\Windows\SysWOW64\Jjcigcmd.exe Jqjdon32.exe File created C:\Windows\SysWOW64\Ocndli32.dll Cdqfgh32.exe File created C:\Windows\SysWOW64\Ioopon32.dll Process not Found File created C:\Windows\SysWOW64\Ghcmedmo.exe Gaiehjfb.exe File opened for modification C:\Windows\SysWOW64\Oodejhfg.exe Process not Found File created C:\Windows\SysWOW64\Leeeoale.dll Heonpf32.exe File created C:\Windows\SysWOW64\Iopeoknn.exe Hhfmbq32.exe File created C:\Windows\SysWOW64\Lnofaf32.dll Ajdego32.exe File created C:\Windows\SysWOW64\Anfggicl.exe Aoakfl32.exe File created C:\Windows\SysWOW64\Nlngdfab.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fniikj32.exe Process not Found File created C:\Windows\SysWOW64\Aqanke32.exe Qgiibp32.exe File created C:\Windows\SysWOW64\Kkqqck32.dll Aanonj32.exe File opened for modification C:\Windows\SysWOW64\Colgpo32.exe Beccgi32.exe File created C:\Windows\SysWOW64\Coblakbp.dll Edofbpja.exe File created C:\Windows\SysWOW64\Mogene32.exe Lcqdidim.exe File created C:\Windows\SysWOW64\Bgijbede.exe Behnkm32.exe File created C:\Windows\SysWOW64\Kplhfo32.exe Kfccmini.exe File created C:\Windows\SysWOW64\Eiheok32.exe Emadjj32.exe File opened for modification C:\Windows\SysWOW64\Iopeoknn.exe Hhfmbq32.exe File created C:\Windows\SysWOW64\Nbdbml32.exe Ndoelpid.exe File created C:\Windows\SysWOW64\Lldkem32.exe Lblflgqk.exe File created C:\Windows\SysWOW64\Jjellg32.dll Lflklaoc.exe File created C:\Windows\SysWOW64\Miekhd32.exe Mhbakmgg.exe File created C:\Windows\SysWOW64\Nmhqokcq.exe Miaaki32.exe File opened for modification C:\Windows\SysWOW64\Jojnglco.exe Johaalea.exe File created C:\Windows\SysWOW64\Dqffpd32.dll Haohel32.exe File created C:\Windows\SysWOW64\Pmgpjgph.exe Pfmgmm32.exe File created C:\Windows\SysWOW64\Iigcomkk.dll Meolcb32.exe File created C:\Windows\SysWOW64\Bnhjae32.exe Bqciha32.exe File created C:\Windows\SysWOW64\Bngnoa32.dll Mbkkepio.exe File created C:\Windows\SysWOW64\Fjjeid32.exe Fdpmljan.exe File opened for modification C:\Windows\SysWOW64\Poddphee.exe Phklcn32.exe File opened for modification C:\Windows\SysWOW64\Lhbjmg32.exe Lddagi32.exe File created C:\Windows\SysWOW64\Nqalkike.dll Ehjbaooe.exe File created C:\Windows\SysWOW64\Pecelm32.exe Podpoffm.exe File opened for modification C:\Windows\SysWOW64\Hbghdj32.exe Hiockd32.exe File created C:\Windows\SysWOW64\Fbaoil32.dll Oohmmojn.exe File opened for modification C:\Windows\SysWOW64\Ndclpb32.exe Ngolgn32.exe File created C:\Windows\SysWOW64\Ohikeegf.exe Obpbhk32.exe File opened for modification C:\Windows\SysWOW64\Ddbbod32.exe Caajmilh.exe File created C:\Windows\SysWOW64\Fnnbfjmp.exe Process not Found File created C:\Windows\SysWOW64\Kkilgb32.exe Kcngcp32.exe File created C:\Windows\SysWOW64\Jbhkngcd.exe Iipgeb32.exe File opened for modification C:\Windows\SysWOW64\Mhkkjnmo.exe Lldkem32.exe File created C:\Windows\SysWOW64\Miglkjli.dll Jmejmm32.exe File created C:\Windows\SysWOW64\Hogddpld.exe Hfookk32.exe File created C:\Windows\SysWOW64\Ednoomga.dll Kgghgg32.exe File created C:\Windows\SysWOW64\Ghndjd32.exe Gjjcqpbj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4612 928 Process not Found 1167 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbjoaibo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qghgigkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbhpddbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbdbbop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhbakmgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onelbfab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjcdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cghpgbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hilghaqq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meojkide.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdbibjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bljeke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncljmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcdcmai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogene32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhkngcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opebpdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdklnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfeljlqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabicikf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdjddf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidhcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kblooa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjlaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhkbmco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goemhfco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdnkanfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ambhpljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenmkngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffboohnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijadk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmejmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijdcdgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajcpgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnlpaln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgdbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjjmeie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alncgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmkne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bodhjdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biikne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcojbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljdlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmjmenh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaffca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhabe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkbfpah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdqfgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmphdjpq.dll" Hkkaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbpegdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdjgfomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkholjam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poddphee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahjahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdlppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdgefn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpflqfeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdcdcmai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoomga.dll" Kgghgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjkbfpah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpaood32.dll" Llainlje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glhjpjok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egihcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehlkfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amglij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmodmbk.dll" Kecmfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhqjkjh.dll" Lllkaobc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohbjgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdpmljan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmecdgbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egmeadbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffkkeiee.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bejiehfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofphdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapchl32.dll" Jofdll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciglaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhkclc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlokefce.dll" Cahmik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebpnp32.dll" Cjfjjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiogbn32.dll" Fpncbjqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcqqajef.dll" Mlidplcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfiinip.dll" Mnkfcjqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkgbcofn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hidjml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adcidm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmobin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkbopl32.dll" Gkancm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibeeeijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicogkal.dll" Pjbnmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikkjocf.dll" Geehcoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfhghgie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghddnnfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbpmbndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgeahmik.dll" Gdophn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkcehkeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnfbmgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccjehkek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiafff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hilghaqq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okbgkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nknnnoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjnanhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baajji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkcdigpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofhdidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igpdnlgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndehjnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnknqpgi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2900 wrote to memory of 2456 2900 c8dfd78990cabf6099fa4f437ceff19bbdf32abe5b796d2fe8aa8bca82356503.exe 30 PID 2900 wrote to memory of 2456 2900 c8dfd78990cabf6099fa4f437ceff19bbdf32abe5b796d2fe8aa8bca82356503.exe 30 PID 2900 wrote to memory of 2456 2900 c8dfd78990cabf6099fa4f437ceff19bbdf32abe5b796d2fe8aa8bca82356503.exe 30 PID 2900 wrote to memory of 2456 2900 c8dfd78990cabf6099fa4f437ceff19bbdf32abe5b796d2fe8aa8bca82356503.exe 30 PID 2456 wrote to memory of 2924 2456 Mgkbjb32.exe 31 PID 2456 wrote to memory of 2924 2456 Mgkbjb32.exe 31 PID 2456 wrote to memory of 2924 2456 Mgkbjb32.exe 31 PID 2456 wrote to memory of 2924 2456 Mgkbjb32.exe 31 PID 2924 wrote to memory of 2836 2924 Mpcgbhig.exe 32 PID 2924 wrote to memory of 2836 2924 Mpcgbhig.exe 32 PID 2924 wrote to memory of 2836 2924 Mpcgbhig.exe 32 PID 2924 wrote to memory of 2836 2924 Mpcgbhig.exe 32 PID 2836 wrote to memory of 1752 2836 Nepokogo.exe 33 PID 2836 wrote to memory of 1752 2836 Nepokogo.exe 33 PID 2836 wrote to memory of 1752 2836 Nepokogo.exe 33 PID 2836 wrote to memory of 1752 2836 Nepokogo.exe 33 PID 1752 wrote to memory of 2692 1752 Nhcebj32.exe 34 PID 1752 wrote to memory of 2692 1752 Nhcebj32.exe 34 PID 1752 wrote to memory of 2692 1752 Nhcebj32.exe 34 PID 1752 wrote to memory of 2692 1752 Nhcebj32.exe 34 PID 2692 wrote to memory of 1120 2692 Nlanhh32.exe 35 PID 2692 wrote to memory of 1120 2692 Nlanhh32.exe 35 PID 2692 wrote to memory of 1120 2692 Nlanhh32.exe 35 PID 2692 wrote to memory of 1120 2692 Nlanhh32.exe 35 PID 1120 wrote to memory of 432 1120 Nhhominh.exe 36 PID 1120 wrote to memory of 432 1120 Nhhominh.exe 36 PID 1120 wrote to memory of 432 1120 Nhhominh.exe 36 PID 1120 wrote to memory of 432 1120 Nhhominh.exe 36 PID 432 wrote to memory of 1412 432 Ogmkne32.exe 37 PID 432 wrote to memory of 1412 432 Ogmkne32.exe 37 PID 432 wrote to memory of 1412 432 Ogmkne32.exe 37 PID 432 wrote to memory of 1412 432 Ogmkne32.exe 37 PID 1412 wrote to memory of 2972 1412 Oabplobe.exe 38 PID 1412 wrote to memory of 2972 1412 Oabplobe.exe 38 PID 1412 wrote to memory of 2972 1412 Oabplobe.exe 38 PID 1412 wrote to memory of 2972 1412 Oabplobe.exe 38 PID 2972 wrote to memory of 2212 2972 Ollqllod.exe 39 PID 2972 wrote to memory of 2212 2972 Ollqllod.exe 39 PID 2972 wrote to memory of 2212 2972 Ollqllod.exe 39 PID 2972 wrote to memory of 2212 2972 Ollqllod.exe 39 PID 2212 wrote to memory of 1960 2212 Ojpaeq32.exe 40 PID 2212 wrote to memory of 1960 2212 Ojpaeq32.exe 40 PID 2212 wrote to memory of 1960 2212 Ojpaeq32.exe 40 PID 2212 wrote to memory of 1960 2212 Ojpaeq32.exe 40 PID 1960 wrote to memory of 588 1960 Ojbnkp32.exe 41 PID 1960 wrote to memory of 588 1960 Ojbnkp32.exe 41 PID 1960 wrote to memory of 588 1960 Ojbnkp32.exe 41 PID 1960 wrote to memory of 588 1960 Ojbnkp32.exe 41 PID 588 wrote to memory of 2380 588 Obnbpb32.exe 42 PID 588 wrote to memory of 2380 588 Obnbpb32.exe 42 PID 588 wrote to memory of 2380 588 Obnbpb32.exe 42 PID 588 wrote to memory of 2380 588 Obnbpb32.exe 42 PID 2380 wrote to memory of 2276 2380 Pdnkanfg.exe 43 PID 2380 wrote to memory of 2276 2380 Pdnkanfg.exe 43 PID 2380 wrote to memory of 2276 2380 Pdnkanfg.exe 43 PID 2380 wrote to memory of 2276 2380 Pdnkanfg.exe 43 PID 2276 wrote to memory of 2116 2276 Podpoffm.exe 44 PID 2276 wrote to memory of 2116 2276 Podpoffm.exe 44 PID 2276 wrote to memory of 2116 2276 Podpoffm.exe 44 PID 2276 wrote to memory of 2116 2276 Podpoffm.exe 44 PID 2116 wrote to memory of 976 2116 Pecelm32.exe 45 PID 2116 wrote to memory of 976 2116 Pecelm32.exe 45 PID 2116 wrote to memory of 976 2116 Pecelm32.exe 45 PID 2116 wrote to memory of 976 2116 Pecelm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8dfd78990cabf6099fa4f437ceff19bbdf32abe5b796d2fe8aa8bca82356503.exe"C:\Users\Admin\AppData\Local\Temp\c8dfd78990cabf6099fa4f437ceff19bbdf32abe5b796d2fe8aa8bca82356503.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Mgkbjb32.exeC:\Windows\system32\Mgkbjb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Mpcgbhig.exeC:\Windows\system32\Mpcgbhig.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Nepokogo.exeC:\Windows\system32\Nepokogo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Nhcebj32.exeC:\Windows\system32\Nhcebj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Nlanhh32.exeC:\Windows\system32\Nlanhh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Nhhominh.exeC:\Windows\system32\Nhhominh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Ogmkne32.exeC:\Windows\system32\Ogmkne32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Oabplobe.exeC:\Windows\system32\Oabplobe.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Ollqllod.exeC:\Windows\system32\Ollqllod.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ojpaeq32.exeC:\Windows\system32\Ojpaeq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Ojbnkp32.exeC:\Windows\system32\Ojbnkp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Obnbpb32.exeC:\Windows\system32\Obnbpb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Pdnkanfg.exeC:\Windows\system32\Pdnkanfg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Podpoffm.exeC:\Windows\system32\Podpoffm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Pecelm32.exeC:\Windows\system32\Pecelm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Pjpmdd32.exeC:\Windows\system32\Pjpmdd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Pbgefa32.exeC:\Windows\system32\Pbgefa32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Qcjoci32.exeC:\Windows\system32\Qcjoci32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Qghgigkn.exeC:\Windows\system32\Qghgigkn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Apclnj32.exeC:\Windows\system32\Apclnj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Apfici32.exeC:\Windows\system32\Apfici32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Almihjlj.exeC:\Windows\system32\Almihjlj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Abinjdad.exeC:\Windows\system32\Abinjdad.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Alaccj32.exeC:\Windows\system32\Alaccj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Bldpiifb.exeC:\Windows\system32\Bldpiifb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Beldao32.exeC:\Windows\system32\Beldao32.exe27⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Bfmqigba.exeC:\Windows\system32\Bfmqigba.exe28⤵
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Bodhjdcc.exeC:\Windows\system32\Bodhjdcc.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Bphaglgo.exeC:\Windows\system32\Bphaglgo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Biqfpb32.exeC:\Windows\system32\Biqfpb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Blaobmkq.exeC:\Windows\system32\Blaobmkq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Cggcofkf.exeC:\Windows\system32\Cggcofkf.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Ciglaa32.exeC:\Windows\system32\Ciglaa32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Codeih32.exeC:\Windows\system32\Codeih32.exe35⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Chmibmlo.exeC:\Windows\system32\Chmibmlo.exe36⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Cniajdkg.exeC:\Windows\system32\Cniajdkg.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Ckmbdh32.exeC:\Windows\system32\Ckmbdh32.exe38⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Cagjqbam.exeC:\Windows\system32\Cagjqbam.exe39⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Chabmm32.exeC:\Windows\system32\Chabmm32.exe40⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Dnqhkcdo.exeC:\Windows\system32\Dnqhkcdo.exe41⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Dfniee32.exeC:\Windows\system32\Dfniee32.exe42⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Dcdfdi32.exeC:\Windows\system32\Dcdfdi32.exe43⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Ebicee32.exeC:\Windows\system32\Ebicee32.exe44⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Enpdjfgj.exeC:\Windows\system32\Enpdjfgj.exe45⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Egihcl32.exeC:\Windows\system32\Egihcl32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Ebnmpemq.exeC:\Windows\system32\Ebnmpemq.exe47⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Egkehllh.exeC:\Windows\system32\Egkehllh.exe48⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Edofbpja.exeC:\Windows\system32\Edofbpja.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Engjkeab.exeC:\Windows\system32\Engjkeab.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Fcdbcloi.exeC:\Windows\system32\Fcdbcloi.exe51⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Ffboohnm.exeC:\Windows\system32\Ffboohnm.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\SysWOW64\Fbipdi32.exeC:\Windows\system32\Fbipdi32.exe53⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Fmodaadg.exeC:\Windows\system32\Fmodaadg.exe54⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Fejifdab.exeC:\Windows\system32\Fejifdab.exe55⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Fldabn32.exeC:\Windows\system32\Fldabn32.exe56⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Felekcop.exeC:\Windows\system32\Felekcop.exe57⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Flfnhnfm.exeC:\Windows\system32\Flfnhnfm.exe58⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Feobac32.exeC:\Windows\system32\Feobac32.exe59⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Ghmnmo32.exeC:\Windows\system32\Ghmnmo32.exe60⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Gbbbjg32.exeC:\Windows\system32\Gbbbjg32.exe61⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Gjngoj32.exeC:\Windows\system32\Gjngoj32.exe62⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Gdflgo32.exeC:\Windows\system32\Gdflgo32.exe63⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Gjpddigo.exeC:\Windows\system32\Gjpddigo.exe64⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Gajlac32.exeC:\Windows\system32\Gajlac32.exe65⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Ghddnnfi.exeC:\Windows\system32\Ghddnnfi.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Gmamfddp.exeC:\Windows\system32\Gmamfddp.exe67⤵PID:2084
-
C:\Windows\SysWOW64\Gihnkejd.exeC:\Windows\system32\Gihnkejd.exe68⤵PID:2072
-
C:\Windows\SysWOW64\Gpafgp32.exeC:\Windows\system32\Gpafgp32.exe69⤵PID:2112
-
C:\Windows\SysWOW64\Heonpf32.exeC:\Windows\system32\Heonpf32.exe70⤵
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Hpdbmooo.exeC:\Windows\system32\Hpdbmooo.exe71⤵PID:2352
-
C:\Windows\SysWOW64\Hlkcbp32.exeC:\Windows\system32\Hlkcbp32.exe72⤵PID:2152
-
C:\Windows\SysWOW64\Hbekojlp.exeC:\Windows\system32\Hbekojlp.exe73⤵PID:3052
-
C:\Windows\SysWOW64\Hiockd32.exeC:\Windows\system32\Hiockd32.exe74⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Hbghdj32.exeC:\Windows\system32\Hbghdj32.exe75⤵PID:2720
-
C:\Windows\SysWOW64\Hhdqma32.exeC:\Windows\system32\Hhdqma32.exe76⤵PID:2508
-
C:\Windows\SysWOW64\Haleefoe.exeC:\Windows\system32\Haleefoe.exe77⤵PID:2388
-
C:\Windows\SysWOW64\Hhfmbq32.exeC:\Windows\system32\Hhfmbq32.exe78⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Iopeoknn.exeC:\Windows\system32\Iopeoknn.exe79⤵PID:2320
-
C:\Windows\SysWOW64\Ikgfdlcb.exeC:\Windows\system32\Ikgfdlcb.exe80⤵PID:332
-
C:\Windows\SysWOW64\Idokma32.exeC:\Windows\system32\Idokma32.exe81⤵PID:2368
-
C:\Windows\SysWOW64\Iilceh32.exeC:\Windows\system32\Iilceh32.exe82⤵PID:1576
-
C:\Windows\SysWOW64\Igpdnlgd.exeC:\Windows\system32\Igpdnlgd.exe83⤵
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Ijopjhfh.exeC:\Windows\system32\Ijopjhfh.exe84⤵PID:1796
-
C:\Windows\SysWOW64\Iokhcodo.exeC:\Windows\system32\Iokhcodo.exe85⤵PID:1252
-
C:\Windows\SysWOW64\Igbqdlea.exeC:\Windows\system32\Igbqdlea.exe86⤵PID:1480
-
C:\Windows\SysWOW64\Iloilcci.exeC:\Windows\system32\Iloilcci.exe87⤵PID:2252
-
C:\Windows\SysWOW64\Ionehnbm.exeC:\Windows\system32\Ionehnbm.exe88⤵PID:1908
-
C:\Windows\SysWOW64\Jlaeab32.exeC:\Windows\system32\Jlaeab32.exe89⤵PID:1612
-
C:\Windows\SysWOW64\Jaonji32.exeC:\Windows\system32\Jaonji32.exe90⤵PID:2808
-
C:\Windows\SysWOW64\Jkgbcofn.exeC:\Windows\system32\Jkgbcofn.exe91⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Jneoojeb.exeC:\Windows\system32\Jneoojeb.exe92⤵PID:1652
-
C:\Windows\SysWOW64\Jhkclc32.exeC:\Windows\system32\Jhkclc32.exe93⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Jkioho32.exeC:\Windows\system32\Jkioho32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3004 -
C:\Windows\SysWOW64\Jbcgeilh.exeC:\Windows\system32\Jbcgeilh.exe95⤵PID:1148
-
C:\Windows\SysWOW64\Jhmpbc32.exeC:\Windows\system32\Jhmpbc32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Jnjhjj32.exeC:\Windows\system32\Jnjhjj32.exe97⤵PID:1544
-
C:\Windows\SysWOW64\Jcgqbq32.exeC:\Windows\system32\Jcgqbq32.exe98⤵PID:960
-
C:\Windows\SysWOW64\Jnlepioj.exeC:\Windows\system32\Jnlepioj.exe99⤵PID:1712
-
C:\Windows\SysWOW64\Kqkalenn.exeC:\Windows\system32\Kqkalenn.exe100⤵PID:2644
-
C:\Windows\SysWOW64\Kfgjdlme.exeC:\Windows\system32\Kfgjdlme.exe101⤵PID:1776
-
C:\Windows\SysWOW64\Kmabqf32.exeC:\Windows\system32\Kmabqf32.exe102⤵PID:2576
-
C:\Windows\SysWOW64\Kggfnoch.exeC:\Windows\system32\Kggfnoch.exe103⤵PID:2472
-
C:\Windows\SysWOW64\Kihbfg32.exeC:\Windows\system32\Kihbfg32.exe104⤵PID:2328
-
C:\Windows\SysWOW64\Kcngcp32.exeC:\Windows\system32\Kcngcp32.exe105⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Kkilgb32.exeC:\Windows\system32\Kkilgb32.exe106⤵PID:2908
-
C:\Windows\SysWOW64\Kfopdk32.exeC:\Windows\system32\Kfopdk32.exe107⤵PID:1468
-
C:\Windows\SysWOW64\Kpgdnp32.exeC:\Windows\system32\Kpgdnp32.exe108⤵PID:2776
-
C:\Windows\SysWOW64\Kecmfg32.exeC:\Windows\system32\Kecmfg32.exe109⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Lpiacp32.exeC:\Windows\system32\Lpiacp32.exe110⤵PID:1476
-
C:\Windows\SysWOW64\Lefikg32.exeC:\Windows\system32\Lefikg32.exe111⤵PID:1920
-
C:\Windows\SysWOW64\Llpaha32.exeC:\Windows\system32\Llpaha32.exe112⤵PID:1376
-
C:\Windows\SysWOW64\Lggbmbfc.exeC:\Windows\system32\Lggbmbfc.exe113⤵PID:1304
-
C:\Windows\SysWOW64\Lnqkjl32.exeC:\Windows\system32\Lnqkjl32.exe114⤵PID:2248
-
C:\Windows\SysWOW64\Lcncbc32.exeC:\Windows\system32\Lcncbc32.exe115⤵PID:2592
-
C:\Windows\SysWOW64\Lmfgkh32.exeC:\Windows\system32\Lmfgkh32.exe116⤵PID:2684
-
C:\Windows\SysWOW64\Lfnlcnih.exeC:\Windows\system32\Lfnlcnih.exe117⤵PID:2676
-
C:\Windows\SysWOW64\Limhpihl.exeC:\Windows\system32\Limhpihl.exe118⤵PID:2200
-
C:\Windows\SysWOW64\Mcbmmbhb.exeC:\Windows\system32\Mcbmmbhb.exe119⤵PID:2968
-
C:\Windows\SysWOW64\Mfqiingf.exeC:\Windows\system32\Mfqiingf.exe120⤵PID:2416
-
C:\Windows\SysWOW64\Mmkafhnb.exeC:\Windows\system32\Mmkafhnb.exe121⤵PID:2600
-
C:\Windows\SysWOW64\Mbginomj.exeC:\Windows\system32\Mbginomj.exe122⤵PID:2520
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-