Analysis
max time kernel: 111s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 15:20
Static task: static1
Behavioral task: behavioral1
Sample: 68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe
Resource: win10v2004-20241007-en
General
Target: 68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe
Size: 163KB
MD5: cba4061bc2d78ff5978b0c391b9f7080
SHA1: 22aef1d3919d660e9f9ef6de63aa64d98b53f9b4
SHA256: 68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0
SHA512: 5a0b47031f04f1540a0ec3e59aa646e0a6f6d03dcb7164490ca59f88a2d0f2b3c4be4055446b0bb6123afd05eeed67840aff1d9ffbf8f1898bae6982f3ba6fc1
SSDEEP: 1536:wDv1UqPo8510aFcouHQwSSylQtfeX90AtGRhKW+jujAEjh8DTL9GIvg/SylQ7aHI:wD6qL510ae4YgnWAUjWDUIwLyc4F
Malware Config
Extracted family: berbew
C2 URLs:
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 2664, pid_target: 4672, Process: Process not Found, procid_target: 1328
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqkkea32.dll" Qhbdmeoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofphdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmcfeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqknqleg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akpfmnmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcbja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmheai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiamql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkancm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cijkaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekifcd32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfknpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aknnil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhifn32.dll" Nhombc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfhapbkg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjblcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plaoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnepjk32.dll" Bpnibl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcaahofh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcodhl32.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqfiqjgb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaclb32.dll" Bcnomjbg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqqolfik.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdbhcfjd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfkao32.dll" Macpcccp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgopfi32.dll" Dkdhfdnj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgaljk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eopbooqb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaahmd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npgknf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmchhqaf.dll" Qdkpomkb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oolelj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfbljdjk.dll" Aekelo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlikkbga.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofphdi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbkcp32.dll" Koogdg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mloigc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckopch32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielgo32.dll" Nchiao32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifiilp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbnfdpge.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfonie32.dll" Fbbfmqdm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angohn32.dll" Jmaedolh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgladc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jblbpnhk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiiapg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblocaik.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbnaabn.dll" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoqjhiie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmdbl32.dll" Lgadba32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfmhfm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cncmei32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknnie32.dll" Pngcnpkg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjocoedg.exe
-
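The registry events in this report form a single persistence chain: the ShellServiceObjectDelayLoad value "Web Event Logger" names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default value is rewritten by one dropped executable after another to point at the DLL it just dropped under C:\Windows\SysWow64. Explorer instantiates every SSODL CLSID when the shell starts, so the DLL named by the last write is the one that will be loaded. Two caveats when hunting on a real host: the sample is 32-bit, so WOW64 redirection put all of these writes under Wow6432Node, while the 64-bit explorer.exe reads the native view of both keys, so check both views; and some rows carry "Process not Found" as the writer because the sandbox could no longer attribute the write to a live process. The Python below is an added example, not part of the sandbox's tooling or of the sample: it parses a constructed subset of this report's own registry rows and reconstructs the SSODL -> CLSID -> DLL chain. Helper and variable names are the example's own.

```python
"""Reconstruct the SSODL -> CLSID -> InProcServer32 persistence chain from
sandbox registry events.

Added example, not sandbox or sample code. SAMPLE_EVENTS is a constructed
subset of the registry rows printed in this report; helper names are ours.
"""
import re
from collections import OrderedDict

# Constructed sample: a handful of the report's own rows, one per line.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fldeakgp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqqolfik.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqfiqjgb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaclb32.dll" Bcnomjbg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfkao32.dll" Macpcccp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknnie32.dll" Pngcnpkg.exe
"""

# Row shape: Set value (str) <key>\<name> = "<data>" <writing process>
# <name> is empty for a key's default value; the writer may be "Process not Found".
SET_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S*?)\\(?P<name>[^\\]*?) = "(?P<data>[^"]*)" (?P<proc>.+)$'
)
KEY_RE = re.compile(r'^Key created (?P<key>\S+) (?P<proc>.+)$')


def parse_events(text):
    """Return (kind, key, name, data, writer) tuples in report order."""
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            # The report escapes backslashes inside string data ("C:\\Windows").
            data = m["data"].replace("\\\\", "\\")
            events.append(("set", m["key"], m["name"], data, m["proc"]))
            continue
        m = KEY_RE.match(line)
        if m:
            events.append(("key", m["key"], "", "", m["proc"]))
    return events


def ssodl_entries(events):
    """Map each ShellServiceObjectDelayLoad value name to the CLSID it names."""
    out = OrderedDict()
    for kind, key, name, data, _writer in events:
        if kind == "set" and key.split("\\")[-1].lower() == "shellserviceobjectdelayload":
            out[name] = data
    return out


def inprocserver_dlls(events, clsid):
    """Every DLL path assigned to <clsid>\\InProcServer32's default value, in
    write order. The last entry is what COM will load once the rewriting stops."""
    dlls = []
    for kind, key, name, data, _writer in events:
        if kind != "set" or name != "":
            continue
        parts = key.split("\\")
        if len(parts) >= 2 and parts[-1] == "InProcServer32" and parts[-2].upper() == clsid.upper():
            dlls.append(data)
    return dlls


def persistence_chain(text):
    """SSODL name -> {"clsid": ..., "dlls": [...]} for every SSODL entry in the events."""
    events = parse_events(text)
    return {
        name: {"clsid": clsid, "dlls": inprocserver_dlls(events, clsid)}
        for name, clsid in ssodl_entries(events).items()
    }


if __name__ == "__main__":
    for name, info in persistence_chain(SAMPLE_EVENTS).items():
        print(f"SSODL '{name}' -> {info['clsid']}")
        for dll in info["dlls"]:
            print(f"    InProcServer32 -> {dll}")
```

On the full report the same parser yields one SSODL entry and roughly a dozen DLL paths for the one CLSID; the sandbox's own table lists the writes in no particular order, so treat the last-seen DLL as "last" only after sorting the rows by time where your sandbox exposes timestamps.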
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 972 wrote to memory of 3064 972 68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe 30
PID 972 wrote to memory of 3064 972 68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe 30
PID 972 wrote to memory of 3064 972 68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe 30
PID 972 wrote to memory of 3064 972 68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe 30
PID 3064 wrote to memory of 2888 3064 Pniohk32.exe 31
PID 3064 wrote to memory of 2888 3064 Pniohk32.exe 31
PID 3064 wrote to memory of 2888 3064 Pniohk32.exe 31
PID 3064 wrote to memory of 2888 3064 Pniohk32.exe 31
PID 2888 wrote to memory of 2952 2888 Pnllnk32.exe 32
PID 2888 wrote to memory of 2952 2888 Pnllnk32.exe 32
PID 2888 wrote to memory of 2952 2888 Pnllnk32.exe 32
PID 2888 wrote to memory of 2952 2888 Pnllnk32.exe 32
PID 2952 wrote to memory of 3028 2952 Pdfdkehc.exe 33
PID 2952 wrote to memory of 3028 2952 Pdfdkehc.exe 33
PID 2952 wrote to memory of 3028 2952 Pdfdkehc.exe 33
PID 2952 wrote to memory of 3028 2952 Pdfdkehc.exe 33
PID 3028 wrote to memory of 2788 3028 Pjblcl32.exe 34
PID 3028 wrote to memory of 2788 3028 Pjblcl32.exe 34
PID 3028 wrote to memory of 2788 3028 Pjblcl32.exe 34
PID 3028 wrote to memory of 2788 3028 Pjblcl32.exe 34
PID 2788 wrote to memory of 2580 2788 Amjkefmd.exe 35
PID 2788 wrote to memory of 2580 2788 Amjkefmd.exe 35
PID 2788 wrote to memory of 2580 2788 Amjkefmd.exe 35
PID 2788 wrote to memory of 2580 2788 Amjkefmd.exe 35
PID 2580 wrote to memory of 2268 2580 Agdlfd32.exe 36
PID 2580 wrote to memory of 2268 2580 Agdlfd32.exe 36
PID 2580 wrote to memory of 2268 2580 Agdlfd32.exe 36
PID 2580 wrote to memory of 2268 2580 Agdlfd32.exe 36
PID 2268 wrote to memory of 1756 2268 Ablmilgf.exe 37
PID 2268 wrote to memory of 1756 2268 Ablmilgf.exe 37
PID 2268 wrote to memory of 1756 2268 Ablmilgf.exe 37
PID 2268 wrote to memory of 1756 2268 Ablmilgf.exe 37
PID 1756 wrote to memory of 3024 1756 Bnekcm32.exe 38
PID 1756 wrote to memory of 3024 1756 Bnekcm32.exe 38
PID 1756 wrote to memory of 3024 1756 Bnekcm32.exe 38
PID 1756 wrote to memory of 3024 1756 Bnekcm32.exe 38
PID 3024 wrote to memory of 2176 3024 Bgmolb32.exe 39
PID 3024 wrote to memory of 2176 3024 Bgmolb32.exe 39
PID 3024 wrote to memory of 2176 3024 Bgmolb32.exe 39
PID 3024 wrote to memory of 2176 3024 Bgmolb32.exe 39
PID 2176 wrote to memory of 2364 2176 Bfeibo32.exe 40
PID 2176 wrote to memory of 2364 2176 Bfeibo32.exe 40
PID 2176 wrote to memory of 2364 2176 Bfeibo32.exe 40
PID 2176 wrote to memory of 2364 2176 Bfeibo32.exe 40
PID 2364 wrote to memory of 560 2364 Chhbpfhi.exe 41
PID 2364 wrote to memory of 560 2364 Chhbpfhi.exe 41
PID 2364 wrote to memory of 560 2364 Chhbpfhi.exe 41
PID 2364 wrote to memory of 560 2364 Chhbpfhi.exe 41
PID 560 wrote to memory of 1752 560 Caepdk32.exe 42
PID 560 wrote to memory of 1752 560 Caepdk32.exe 42
PID 560 wrote to memory of 1752 560 Caepdk32.exe 42
PID 560 wrote to memory of 1752 560 Caepdk32.exe 42
PID 1752 wrote to memory of 1160 1752 Coiqmp32.exe 43
PID 1752 wrote to memory of 1160 1752 Coiqmp32.exe 43
PID 1752 wrote to memory of 1160 1752 Coiqmp32.exe 43
PID 1752 wrote to memory of 1160 1752 Coiqmp32.exe 43
PID 1160 wrote to memory of 2072 1160 Dgiomabc.exe 44
PID 1160 wrote to memory of 2072 1160 Dgiomabc.exe 44
PID 1160 wrote to memory of 2072 1160 Dgiomabc.exe 44
PID 1160 wrote to memory of 2072 1160 Dgiomabc.exe 44
PID 2072 wrote to memory of 2300 2072 Dglkba32.exe 45
PID 2072 wrote to memory of 2300 2072 Dglkba32.exe 45
PID 2072 wrote to memory of 2300 2072 Dglkba32.exe 45
PID 2072 wrote to memory of 2300 2072 Dglkba32.exe 45
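Every parent/child pair in the table above appears four times, one row per recorded write, and each target PID is exactly the next process in the tree below. That shape points to the parent populating the process it has just created rather than to classic injection into an unrelated process, and it is the signal worth keeping from these 64 rows: a strictly linear chain, one dropped copy per generation. The Python below is an added example, not part of the sandbox's tooling or of the sample. It parses a constructed subset of this report's rows (the first four generations, copied from the table), de-duplicates them and walks the chain from the unique root, refusing input in which any writer targets more than one process. Helper and variable names are the example's own.

```python
"""Collapse the sandbox's WriteProcessMemory rows into the spawn chain they describe.

Added example, not sandbox or sample code. SAMPLE_ROWS is a constructed subset
(the first four generations) of the rows in this report; helper names are ours.
"""
import re
from collections import defaultdict

# Constructed sample: one row per recorded write, exactly as the report prints them.
SAMPLE_ROWS = """
PID 972 wrote to memory of 3064 972 68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe 30
PID 972 wrote to memory of 3064 972 68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe 30
PID 972 wrote to memory of 3064 972 68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe 30
PID 972 wrote to memory of 3064 972 68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe 30
PID 3064 wrote to memory of 2888 3064 Pniohk32.exe 31
PID 3064 wrote to memory of 2888 3064 Pniohk32.exe 31
PID 2888 wrote to memory of 2952 2888 Pnllnk32.exe 32
PID 2952 wrote to memory of 3028 2952 Pdfdkehc.exe 33
"""

# Columns: description ("PID <src> wrote to memory of <dst>"), pid, Process, procid_target.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)$"
)


def parse_rows(text):
    """Return de-duplicated (src_pid, dst_pid, src_name) edges in first-seen order."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        edge = (int(m["src"]), int(m["dst"]), m["proc"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def spawn_chain(edges):
    """Walk the edges from the unique root. Returns ([(pid, name), ...] for every
    writer, last_target_pid). Raises ValueError unless the graph is one linear
    chain, which is what a sample that runs each dropped copy in turn leaves behind."""
    children = defaultdict(list)
    names = {}
    targets = set()
    for src, dst, name in edges:
        children[src].append(dst)
        names[src] = name
        targets.add(dst)
    roots = [pid for pid in children if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain, pid = [], roots[0]
    while pid in children:
        if len(children[pid]) != 1:
            raise ValueError(f"pid {pid} wrote into {len(children[pid])} processes; not a linear chain")
        chain.append((pid, names[pid]))
        pid = children[pid][0]
    return chain, pid


def is_linear_chain(edges):
    """True when the edges form a single parent -> child chain."""
    try:
        spawn_chain(edges)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    chain, leaf = spawn_chain(parse_rows(SAMPLE_ROWS))
    for pid, name in chain:
        print(f"{pid:>5}  {name}")
    print(f"{leaf:>5}  (last target; its image is only named in the process tree)")
```

The last target's image name never appears in these rows, because it wrote into nobody; the process tree is what names it (here 2300 is Eagiho32.exe). A branching result from the same code would be the interesting case on a different sample, since a writer with several targets is the shape that injection into existing processes produces.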
Processes
-
C:\Users\Admin\AppData\Local\Temp\68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe  "C:\Users\Admin\AppData\Local\Temp\68333fb8c3a6bec7e421a520be1d71658ded0c71e9e97c89fee901ea7b5e4fe0N.exe"  1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Pniohk32.exe  C:\Windows\system32\Pniohk32.exe  2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Pnllnk32.exe  C:\Windows\system32\Pnllnk32.exe  3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Pdfdkehc.exe  C:\Windows\system32\Pdfdkehc.exe  4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Pjblcl32.exe  C:\Windows\system32\Pjblcl32.exe  5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Amjkefmd.exe  C:\Windows\system32\Amjkefmd.exe  6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Agdlfd32.exe  C:\Windows\system32\Agdlfd32.exe  7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ablmilgf.exe  C:\Windows\system32\Ablmilgf.exe  8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Bnekcm32.exe  C:\Windows\system32\Bnekcm32.exe  9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Bgmolb32.exe  C:\Windows\system32\Bgmolb32.exe  10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Bfeibo32.exe  C:\Windows\system32\Bfeibo32.exe  11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Chhbpfhi.exe  C:\Windows\system32\Chhbpfhi.exe  12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Caepdk32.exe  C:\Windows\system32\Caepdk32.exe  13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Coiqmp32.exe  C:\Windows\system32\Coiqmp32.exe  14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Dgiomabc.exe  C:\Windows\system32\Dgiomabc.exe  15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Dglkba32.exe  C:\Windows\system32\Dglkba32.exe  16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Eagiho32.exe  C:\Windows\system32\Eagiho32.exe  17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Eokiabjf.exe  C:\Windows\system32\Eokiabjf.exe  18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Eaalom32.exe  C:\Windows\system32\Eaalom32.exe  19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Fcdele32.exe  C:\Windows\system32\Fcdele32.exe  20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Fnjiin32.exe  C:\Windows\system32\Fnjiin32.exe  21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Fhfgokap.exe  C:\Windows\system32\Fhfgokap.exe  22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Gdodjlda.exe  C:\Windows\system32\Gdodjlda.exe  23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Gbcecpck.exe  C:\Windows\system32\Gbcecpck.exe  24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Ggbjag32.exe  C:\Windows\system32\Ggbjag32.exe  25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Gfggbcdg.exe  C:\Windows\system32\Gfggbcdg.exe  26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Hbqdldhi.exe  C:\Windows\system32\Hbqdldhi.exe  27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Hbengc32.exe  C:\Windows\system32\Hbengc32.exe  28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Hbgjmcba.exe  C:\Windows\system32\Hbgjmcba.exe  29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Hbjgbbpn.exe  C:\Windows\system32\Hbjgbbpn.exe  30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Iekpdn32.exe  C:\Windows\system32\Iekpdn32.exe  31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Iaaaiobc.exe  C:\Windows\system32\Iaaaiobc.exe  32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Ipfnjkgk.exe  C:\Windows\system32\Ipfnjkgk.exe  33⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Ibgglfdl.exe  C:\Windows\system32\Ibgglfdl.exe  34⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Jehpna32.exe  C:\Windows\system32\Jehpna32.exe  35⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Jblpge32.exe  C:\Windows\system32\Jblpge32.exe  36⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Jkgelh32.exe  C:\Windows\system32\Jkgelh32.exe  37⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Jdbfjm32.exe  C:\Windows\system32\Jdbfjm32.exe  38⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Kdgoelnk.exe  C:\Windows\system32\Kdgoelnk.exe  39⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Klbdiokf.exe  C:\Windows\system32\Klbdiokf.exe  40⤵
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\Kjhahb32.exe  C:\Windows\system32\Kjhahb32.exe  41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Kbcfme32.exe  C:\Windows\system32\Kbcfme32.exe  42⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Kccbgh32.exe  C:\Windows\system32\Kccbgh32.exe  43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Ldfldpqf.exe  C:\Windows\system32\Ldfldpqf.exe  44⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Lolpah32.exe  C:\Windows\system32\Lolpah32.exe  45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Lkcqfifp.exe  C:\Windows\system32\Lkcqfifp.exe  46⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Ldkeoo32.exe  C:\Windows\system32\Ldkeoo32.exe  47⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Lqbfdp32.exe  C:\Windows\system32\Lqbfdp32.exe  48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Ljjjmeie.exe  C:\Windows\system32\Ljjjmeie.exe  49⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Mgnkfjho.exe  C:\Windows\system32\Mgnkfjho.exe  50⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Mpipkl32.exe  C:\Windows\system32\Mpipkl32.exe  51⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Mibdcakk.exe  C:\Windows\system32\Mibdcakk.exe  52⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Mpllpl32.exe  C:\Windows\system32\Mpllpl32.exe  53⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Mmpmjpba.exe  C:\Windows\system32\Mmpmjpba.exe  54⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Mbmebgpi.exe  C:\Windows\system32\Mbmebgpi.exe  55⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Mpqekkob.exe  C:\Windows\system32\Mpqekkob.exe  56⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Nhljpmlm.exe  C:\Windows\system32\Nhljpmlm.exe  57⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Nhngem32.exe  C:\Windows\system32\Nhngem32.exe  58⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Ndehjnpo.exe  C:\Windows\system32\Ndehjnpo.exe  59⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Nmmlccfp.exe  C:\Windows\system32\Nmmlccfp.exe  60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Ndgdpn32.exe  C:\Windows\system32\Ndgdpn32.exe  61⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Nakeib32.exe  C:\Windows\system32\Nakeib32.exe  62⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Nblaajbd.exe  C:\Windows\system32\Nblaajbd.exe  63⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Oppbjn32.exe  C:\Windows\system32\Oppbjn32.exe  64⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Obakli32.exe  C:\Windows\system32\Obakli32.exe  65⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Olioeoeo.exe  C:\Windows\system32\Olioeoeo.exe  66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452 -
C:\Windows\SysWOW64\Ohppjpkc.exe  C:\Windows\system32\Ohppjpkc.exe  67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\Oedqcdim.exe  C:\Windows\system32\Oedqcdim.exe  68⤵
PID:1680 -
C:\Windows\SysWOW64\Oolelj32.exe  C:\Windows\system32\Oolelj32.exe  69⤵
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Pghjqlmi.exe  C:\Windows\system32\Pghjqlmi.exe  70⤵
PID:2564 -
C:\Windows\SysWOW64\Pdljjplb.exe  C:\Windows\system32\Pdljjplb.exe  71⤵
PID:2108 -
C:\Windows\SysWOW64\Pihbbgjj.exe  C:\Windows\system32\Pihbbgjj.exe  72⤵
PID:2980 -
C:\Windows\SysWOW64\Pcagkmaj.exe  C:\Windows\system32\Pcagkmaj.exe  73⤵
PID:2940 -
C:\Windows\SysWOW64\Ppegdapd.exe  C:\Windows\system32\Ppegdapd.exe  74⤵
PID:2872 -
C:\Windows\SysWOW64\Pgopak32.exe  C:\Windows\system32\Pgopak32.exe  75⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Qdkfic32.exe  C:\Windows\system32\Qdkfic32.exe  76⤵
PID:2760 -
C:\Windows\SysWOW64\Anfggicl.exe  C:\Windows\system32\Anfggicl.exe  77⤵
PID:2428 -
C:\Windows\SysWOW64\Ajmhljip.exe  C:\Windows\system32\Ajmhljip.exe  78⤵
PID:1348 -
C:\Windows\SysWOW64\Ankabh32.exe  C:\Windows\system32\Ankabh32.exe  79⤵
PID:1872 -
C:\Windows\SysWOW64\Anmnhhmd.exe  C:\Windows\system32\Anmnhhmd.exe  80⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Acjfpokk.exe  C:\Windows\system32\Acjfpokk.exe  81⤵
PID:2196 -
C:\Windows\SysWOW64\Biikne32.exe  C:\Windows\system32\Biikne32.exe  82⤵
PID:2500 -
C:\Windows\SysWOW64\Bocckoom.exe  C:\Windows\system32\Bocckoom.exe  83⤵
PID:1972 -
C:\Windows\SysWOW64\Bfmlgi32.exe  C:\Windows\system32\Bfmlgi32.exe  84⤵
PID:2900 -
C:\Windows\SysWOW64\Bmgddcnf.exe  C:\Windows\system32\Bmgddcnf.exe  85⤵
PID:392 -
C:\Windows\SysWOW64\Bbdmljln.exe  C:\Windows\system32\Bbdmljln.exe  86⤵
PID:756 -
C:\Windows\SysWOW64\Bbfibj32.exe  C:\Windows\system32\Bbfibj32.exe  87⤵
PID:2068 -
C:\Windows\SysWOW64\Bgcbja32.exe  C:\Windows\system32\Bgcbja32.exe  88⤵
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Bbhfgj32.exe  C:\Windows\system32\Bbhfgj32.exe  89⤵
PID:2832 -
C:\Windows\SysWOW64\Ccjbobnf.exe  C:\Windows\system32\Ccjbobnf.exe  90⤵
PID:2168 -
C:\Windows\SysWOW64\Ceioieei.exe  C:\Windows\system32\Ceioieei.exe  91⤵
PID:1120 -
C:\Windows\SysWOW64\Cjfgalcq.exe  C:\Windows\system32\Cjfgalcq.exe  92⤵
PID:2372 -
C:\Windows\SysWOW64\Cfmhfm32.exe  C:\Windows\system32\Cfmhfm32.exe  93⤵
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Cpemob32.exe  C:\Windows\system32\Cpemob32.exe  94⤵
PID:2236 -
C:\Windows\SysWOW64\Cbcikn32.exe  C:\Windows\system32\Cbcikn32.exe  95⤵
PID:1332 -
C:\Windows\SysWOW64\Cfaaalep.exe  C:\Windows\system32\Cfaaalep.exe  96⤵
PID:2292 -
C:\Windows\SysWOW64\Dlnjjc32.exe  C:\Windows\system32\Dlnjjc32.exe  97⤵
PID:708 -
C:\Windows\SysWOW64\Dfdngl32.exe  C:\Windows\system32\Dfdngl32.exe  98⤵
PID:1824 -
C:\Windows\SysWOW64\Dplbpaim.exe  C:\Windows\system32\Dplbpaim.exe  99⤵
PID:2660 -
C:\Windows\SysWOW64\Dkfcqo32.exe  C:\Windows\system32\Dkfcqo32.exe  100⤵
PID:2128 -
C:\Windows\SysWOW64\Dbmlal32.exe  C:\Windows\system32\Dbmlal32.exe  101⤵
PID:1592 -
C:\Windows\SysWOW64\Dodlfmlb.exe  C:\Windows\system32\Dodlfmlb.exe  102⤵
PID:2260 -
C:\Windows\SysWOW64\Ddqeodjj.exe  C:\Windows\system32\Ddqeodjj.exe  103⤵
PID:2584 -
C:\Windows\SysWOW64\Dpgedepn.exe  C:\Windows\system32\Dpgedepn.exe  104⤵
PID:2224 -
C:\Windows\SysWOW64\Eganqo32.exe  C:\Windows\system32\Eganqo32.exe  105⤵
PID:2784 -
C:\Windows\SysWOW64\Echoepmo.exe  C:\Windows\system32\Echoepmo.exe  106⤵
PID:1868 -
C:\Windows\SysWOW64\Elcpdeam.exe  C:\Windows\system32\Elcpdeam.exe  107⤵
PID:3048 -
C:\Windows\SysWOW64\Eocieq32.exe  C:\Windows\system32\Eocieq32.exe  108⤵
PID:2284 -
C:\Windows\SysWOW64\Fofekp32.exe  C:\Windows\system32\Fofekp32.exe  109⤵
PID:2484 -
C:\Windows\SysWOW64\Fljfdd32.exe  C:\Windows\system32\Fljfdd32.exe  110⤵
PID:2488 -
C:\Windows\SysWOW64\Fplknh32.exe  C:\Windows\system32\Fplknh32.exe  111⤵
PID:2456 -
C:\Windows\SysWOW64\Fnplgl32.exe  C:\Windows\system32\Fnplgl32.exe  112⤵
PID:960 -
C:\Windows\SysWOW64\Fjfllm32.exe  C:\Windows\system32\Fjfllm32.exe  113⤵
PID:2640 -
C:\Windows\SysWOW64\Fdlqjf32.exe  C:\Windows\system32\Fdlqjf32.exe  114⤵
PID:1224 -
C:\Windows\SysWOW64\Gcankb32.exe  C:\Windows\system32\Gcankb32.exe  115⤵
PID:2004 -
C:\Windows\SysWOW64\Gohnpcmd.exe  C:\Windows\system32\Gohnpcmd.exe  116⤵
PID:1692 -
C:\Windows\SysWOW64\Gfdcbmbn.exe  C:\Windows\system32\Gfdcbmbn.exe  117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Gmnlog32.exe  C:\Windows\system32\Gmnlog32.exe  118⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Gfgpgmql.exe  C:\Windows\system32\Gfgpgmql.exe  119⤵
PID:2864 -
C:\Windows\SysWOW64\Hbnqln32.exe  C:\Windows\system32\Hbnqln32.exe  120⤵
PID:924 -
C:\Windows\SysWOW64\Hndaao32.exe  C:\Windows\system32\Hndaao32.exe  121⤵
PID:2720 -
C:\Windows\SysWOW64\Hjkbfpah.exe  C:\Windows\system32\Hjkbfpah.exe  122⤵
- System Location Discovery: System Language Discovery
PID:2744