Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 01:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e9b03fb3e4a5dea2f9ee8152f4a5c0fb52bf103e9a1dc19cde2395eb96dd504eN.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
e9b03fb3e4a5dea2f9ee8152f4a5c0fb52bf103e9a1dc19cde2395eb96dd504eN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
e9b03fb3e4a5dea2f9ee8152f4a5c0fb52bf103e9a1dc19cde2395eb96dd504eN.exe
-
Size
345KB
-
MD5
ba3d4c5314d2f51be24687dc7cb68f70
-
SHA1
f32c89195b98f0597564479fbbe0be18396753b3
-
SHA256
e9b03fb3e4a5dea2f9ee8152f4a5c0fb52bf103e9a1dc19cde2395eb96dd504e
-
SHA512
d6ff5bba8a75d9a59df93397fd87dacb28e64b1c74e0756edc858cb5d3a5e52873bddcf2d419f0c3eadf5b45b1ecc285bc560614153cc8b622fcb610ffe581af
-
SSDEEP
6144:tFmPcKC/MwGsmLr5+Nod/MwGsmLrZNs/VKi/MwGsmLrRo68lg:tFmPCMmmg8MmmpNs/VXMmmj
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikdcmpnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkkjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apmhiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibhpbea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnmbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnadagbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fijkdmhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifmmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kibeoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klekfinp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfbaalbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbmkpie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnhoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlieda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmafajfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpode32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbhgoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdglmkeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aehgnied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lokdnjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqppci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Likhem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpmmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Impliekg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdialdl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieojgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaebef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimodc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbicpfdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnlhncgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cggimh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgomnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjpnlbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fneggdhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lllagh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohlqcagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpadhll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loofnccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcnqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmieae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcfggkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjpfjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgmdec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gihpkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomjicei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nciopppp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgcfm32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2348 Akffafgg.exe 1104 Afkknogn.exe 1012 Ajggomog.exe 804 Bjicdmmd.exe 3608 Bkkple32.exe 4376 Bjlpjm32.exe 3176 Bkmmaeap.exe 2900 Bfbaonae.exe 3156 Bokehc32.exe 4452 Bjpjel32.exe 4948 Bombmcec.exe 4776 Bjbfklei.exe 960 Bkdcbd32.exe 4572 Bbnkonbd.exe 3600 Cfldelik.exe 3760 Ccpdoqgd.exe 3796 Cimmggfl.exe 4592 Ckkiccep.exe 4348 Cjliajmo.exe 1932 Ccdnjp32.exe 3268 Dbjkkl32.exe 5056 Djqblj32.exe 1784 Dmoohe32.exe 3316 Dmalne32.exe 1716 Dckdjomg.exe 3652 Dcnqpo32.exe 1108 Dlieda32.exe 1608 Dfoiaj32.exe 4040 Ecbjkngo.exe 1444 Ebhglj32.exe 2376 Ecgcfm32.exe 4812 Emphocjj.exe 4868 Eblpgjha.exe 3196 Embddb32.exe 1708 Eleepoob.exe 3848 Efjimhnh.exe 4088 Elgaeolp.exe 3540 Fcniglmb.exe 4344 Fikbocki.exe 3152 Flinkojm.exe 404 Fbcfhibj.exe 388 Fimodc32.exe 4024 Fllkqn32.exe 3420 Fbfcmhpg.exe 2040 Fjmkoeqi.exe 8 Fpjcgm32.exe 452 Fbhpch32.exe 5068 Fibhpbea.exe 2748 Flqdlnde.exe 2184 Fdglmkeg.exe 1700 Fideeaco.exe 3000 Gpnmbl32.exe 4980 Gfheof32.exe 4488 Gmbmkpie.exe 3284 Gbofcghl.exe 2004 Giinpa32.exe 2652 Gpcfmkff.exe 4472 Gfmojenc.exe 1296 Gikkfqmf.exe 4992 Gpecbk32.exe 1904 Gfokoelp.exe 1944 Gingkqkd.exe 4788 Glldgljg.exe 1084 Gkmdecbg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fcokoohi.dll Npbceggm.exe File opened for modification C:\Windows\SysWOW64\Bddcenpi.exe Baegibae.exe File created C:\Windows\SysWOW64\Kmieae32.exe Kkgiimng.exe File opened for modification C:\Windows\SysWOW64\Kmkbfeab.exe Kjmfjj32.exe File created C:\Windows\SysWOW64\Haaaidfk.dll Lkalplel.exe File opened for modification C:\Windows\SysWOW64\Jocefm32.exe Jiglnf32.exe File created C:\Windows\SysWOW64\Ombnni32.dll Lnjgfb32.exe File opened for modification C:\Windows\SysWOW64\Mjlhgaqp.exe Mogcihaj.exe File opened for modification C:\Windows\SysWOW64\Cdmfllhn.exe Cncnob32.exe File opened for modification C:\Windows\SysWOW64\Heegad32.exe Hbgkei32.exe File created C:\Windows\SysWOW64\Galoohke.exe Gnnccl32.exe File created C:\Windows\SysWOW64\Jhifomdj.exe Jekjcaef.exe File opened for modification C:\Windows\SysWOW64\Loofnccf.exe Lhenai32.exe File created C:\Windows\SysWOW64\Pjajmpkj.dll Idhnkf32.exe File created C:\Windows\SysWOW64\Nccokk32.exe Nmigoagp.exe File opened for modification C:\Windows\SysWOW64\Ekodjiol.exe Efblbbqd.exe File created C:\Windows\SysWOW64\Mneoha32.dll Jhplpl32.exe File created C:\Windows\SysWOW64\Aphnnafb.exe Aogbfi32.exe File created C:\Windows\SysWOW64\Fcniglmb.exe Elgaeolp.exe File opened for modification C:\Windows\SysWOW64\Lcjcnoej.exe Lqkgbcff.exe File created C:\Windows\SysWOW64\Lgjijmin.exe Lekmnajj.exe File created C:\Windows\SysWOW64\Ncabfkqo.exe Nmgjia32.exe File created C:\Windows\SysWOW64\Ilnbicff.exe Iipfmggc.exe File created C:\Windows\SysWOW64\Lbpflbpa.dll Ojajin32.exe File created C:\Windows\SysWOW64\Mlofpg32.dll Jcdala32.exe File created C:\Windows\SysWOW64\Ppioondd.dll Dfdpad32.exe File opened for modification C:\Windows\SysWOW64\Hfaajnfb.exe Glkmmefl.exe File created C:\Windows\SysWOW64\Fcpjljph.dll Lfbped32.exe File created C:\Windows\SysWOW64\Bgicnp32.dll Doojec32.exe File created C:\Windows\SysWOW64\Ckjooo32.dll Hpnoncim.exe File opened for modification C:\Windows\SysWOW64\Igfclkdj.exe Ilqoobdd.exe File opened for modification C:\Windows\SysWOW64\Njljch32.exe Ncbafoge.exe File opened for modification C:\Windows\SysWOW64\Dheibpje.exe Dnpdegjp.exe File created C:\Windows\SysWOW64\Gcgplk32.dll Adfgdpmi.exe File created C:\Windows\SysWOW64\Iljpij32.exe Hildmn32.exe File created C:\Windows\SysWOW64\Pmmanjof.dll Qemhbj32.exe File opened for modification C:\Windows\SysWOW64\Gngeik32.exe Ggmmlamj.exe File created C:\Windows\SysWOW64\Dpifjj32.dll Mjlalkmd.exe File created C:\Windows\SysWOW64\Gmigpf32.dll Qhkdof32.exe File created C:\Windows\SysWOW64\Fkccgodj.dll Ffqhcq32.exe File created C:\Windows\SysWOW64\Nfldgk32.exe Ncmhko32.exe File created C:\Windows\SysWOW64\Glaecb32.dll Glldgljg.exe File created C:\Windows\SysWOW64\Neiqnh32.dll Bhnikc32.exe File opened for modification C:\Windows\SysWOW64\Gmfplibd.exe Gflhoo32.exe File created C:\Windows\SysWOW64\Ibcbfe32.dll Jllokajf.exe File created C:\Windows\SysWOW64\Mpeiie32.exe Mjlalkmd.exe File opened for modification C:\Windows\SysWOW64\Nfldgk32.exe Ncmhko32.exe File created C:\Windows\SysWOW64\Ibkgme32.dll Oeokal32.exe File created C:\Windows\SysWOW64\Lpmbai32.dll Aehgnied.exe File created C:\Windows\SysWOW64\Emoadlfo.exe Ennqfenp.exe File created C:\Windows\SysWOW64\Aamebb32.dll Coegoe32.exe File opened for modification C:\Windows\SysWOW64\Ilphdlqh.exe Iajdgcab.exe File opened for modification C:\Windows\SysWOW64\Kidben32.exe Koonge32.exe File created C:\Windows\SysWOW64\Cndepccb.dll Pmaffnce.exe File created C:\Windows\SysWOW64\Bgaclkia.dll Hpqldc32.exe File opened for modification C:\Windows\SysWOW64\Jepjhg32.exe Jofalmmp.exe File opened for modification C:\Windows\SysWOW64\Eomffaag.exe Ehbnigjj.exe File created C:\Windows\SysWOW64\Lpiaimfg.dll Ibqnkh32.exe File created C:\Windows\SysWOW64\Dlhcmpgk.dll Ipbaol32.exe File created C:\Windows\SysWOW64\Lhnoigkk.dll Oflmnh32.exe File created C:\Windows\SysWOW64\Dfoiaj32.exe Dlieda32.exe File created C:\Windows\SysWOW64\Ilnpcnol.dll Kmieae32.exe File created C:\Windows\SysWOW64\Lnadagbm.exe Lkchelci.exe File opened for modification C:\Windows\SysWOW64\Bhmbqm32.exe Bacjdbch.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14988 14900 WerFault.exe 773 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poliea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplbickp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipfmggc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impliekg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljceqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fideeaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiokinbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogcihaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnnccl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihpkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghojbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfbcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meepdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgclpkac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnahdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oikjkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpabni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inlihl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccokk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbceggm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlljnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgomnai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckdjomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inqbclob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmieae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijkdmhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcpoedn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogopi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbafoge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9b03fb3e4a5dea2f9ee8152f4a5c0fb52bf103e9a1dc19cde2395eb96dd504eN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfidb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllkqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlhgaqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebifmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmechmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgifbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iolhkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqhoeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hildmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmqmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pffgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkfmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldipha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqojclne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egohdegl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bokehc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgninn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfgdpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbemgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcdeeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjcgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfjld32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhdbhifj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebifmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabmaqlh.dll" Olfghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klahfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcgiefen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apmhiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgkiaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Galoohke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbcikkp.dll" Mjggal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjnik32.dll" Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohjdmko.dll" Mnhkbfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paedlhhc.dll" Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfmcjlk.dll" Ohlqcagj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnifpf32.dll" Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghojbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmdohhp.dll" Kcmfnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdigadjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncilb32.dll" Chiigadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfecjhc.dll" Gbpedjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahippdbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajihlijd.dll" Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcifkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ombcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll" Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hildmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmgjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjofoqdn.dll" Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgbdnie.dll" Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll" Cncnob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieojgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnoimo32.dll" Fbfcmhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll" Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hplicjok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpfepf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgkiaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giinpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bllbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaagdbfm.dll" Ocohmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Galoohke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbcpja32.dll" Bkdcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eanmnefk.dll" Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eleepoob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbbnpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jebfng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diinlj32.dll" Cnahdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aogbfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcoljagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpqiega.dll" Mcdeeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmheim32.dll" Fcniglmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobnnd32.dll" Lmmolepp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aajohjon.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4332 wrote to memory of 2348 4332 e9b03fb3e4a5dea2f9ee8152f4a5c0fb52bf103e9a1dc19cde2395eb96dd504eN.exe 82 PID 4332 wrote to memory of 2348 4332 e9b03fb3e4a5dea2f9ee8152f4a5c0fb52bf103e9a1dc19cde2395eb96dd504eN.exe 82 PID 4332 wrote to memory of 2348 4332 e9b03fb3e4a5dea2f9ee8152f4a5c0fb52bf103e9a1dc19cde2395eb96dd504eN.exe 82 PID 2348 wrote to memory of 1104 2348 Akffafgg.exe 83 PID 2348 wrote to memory of 1104 2348 Akffafgg.exe 83 PID 2348 wrote to memory of 1104 2348 Akffafgg.exe 83 PID 1104 wrote to memory of 1012 1104 Afkknogn.exe 84 PID 1104 wrote to memory of 1012 1104 Afkknogn.exe 84 PID 1104 wrote to memory of 1012 1104 Afkknogn.exe 84 PID 1012 wrote to memory of 804 1012 Ajggomog.exe 85 PID 1012 wrote to memory of 804 1012 Ajggomog.exe 85 PID 1012 wrote to memory of 804 1012 Ajggomog.exe 85 PID 804 wrote to memory of 3608 804 Bjicdmmd.exe 86 PID 804 wrote to memory of 3608 804 Bjicdmmd.exe 86 PID 804 wrote to memory of 3608 804 Bjicdmmd.exe 86 PID 3608 wrote to memory of 4376 3608 Bkkple32.exe 87 PID 3608 wrote to memory of 4376 3608 Bkkple32.exe 87 PID 3608 wrote to memory of 4376 3608 Bkkple32.exe 87 PID 4376 wrote to memory of 3176 4376 Bjlpjm32.exe 88 PID 4376 wrote to memory of 3176 4376 Bjlpjm32.exe 88 PID 4376 wrote to memory of 3176 4376 Bjlpjm32.exe 88 PID 3176 wrote to memory of 2900 3176 Bkmmaeap.exe 89 PID 3176 wrote to memory of 2900 3176 Bkmmaeap.exe 89 PID 3176 wrote to memory of 2900 3176 Bkmmaeap.exe 89 PID 2900 wrote to memory of 3156 2900 Bfbaonae.exe 90 PID 2900 wrote to memory of 3156 2900 Bfbaonae.exe 90 PID 2900 wrote to memory of 3156 2900 Bfbaonae.exe 90 PID 3156 wrote to memory of 4452 3156 Bokehc32.exe 91 PID 3156 wrote to memory of 4452 3156 Bokehc32.exe 91 PID 3156 wrote to memory of 4452 3156 Bokehc32.exe 91 PID 4452 wrote to memory of 4948 4452 Bjpjel32.exe 92 PID 4452 wrote to memory of 4948 4452 Bjpjel32.exe 92 PID 4452 wrote to memory of 4948 4452 Bjpjel32.exe 92 PID 4948 wrote to memory of 4776 4948 Bombmcec.exe 93 PID 4948 wrote to memory of 4776 4948 Bombmcec.exe 93 PID 4948 wrote to memory of 4776 4948 Bombmcec.exe 93 PID 4776 wrote to memory of 960 4776 Bjbfklei.exe 94 PID 4776 wrote to memory of 960 4776 Bjbfklei.exe 94 PID 4776 wrote to memory of 960 4776 Bjbfklei.exe 94 PID 960 wrote to memory of 4572 960 Bkdcbd32.exe 95 PID 960 wrote to memory of 4572 960 Bkdcbd32.exe 95 PID 960 wrote to memory of 4572 960 Bkdcbd32.exe 95 PID 4572 wrote to memory of 3600 4572 Bbnkonbd.exe 96 PID 4572 wrote to memory of 3600 4572 Bbnkonbd.exe 96 PID 4572 wrote to memory of 3600 4572 Bbnkonbd.exe 96 PID 3600 wrote to memory of 3760 3600 Cfldelik.exe 97 PID 3600 wrote to memory of 3760 3600 Cfldelik.exe 97 PID 3600 wrote to memory of 3760 3600 Cfldelik.exe 97 PID 3760 wrote to memory of 3796 3760 Ccpdoqgd.exe 98 PID 3760 wrote to memory of 3796 3760 Ccpdoqgd.exe 98 PID 3760 wrote to memory of 3796 3760 Ccpdoqgd.exe 98 PID 3796 wrote to memory of 4592 3796 Cimmggfl.exe 99 PID 3796 wrote to memory of 4592 3796 Cimmggfl.exe 99 PID 3796 wrote to memory of 4592 3796 Cimmggfl.exe 99 PID 4592 wrote to memory of 4348 4592 Ckkiccep.exe 100 PID 4592 wrote to memory of 4348 4592 Ckkiccep.exe 100 PID 4592 wrote to memory of 4348 4592 Ckkiccep.exe 100 PID 4348 wrote to memory of 1932 4348 Cjliajmo.exe 101 PID 4348 wrote to memory of 1932 4348 Cjliajmo.exe 101 PID 4348 wrote to memory of 1932 4348 Cjliajmo.exe 101 PID 1932 wrote to memory of 3268 1932 Ccdnjp32.exe 102 PID 1932 wrote to memory of 3268 1932 Ccdnjp32.exe 102 PID 1932 wrote to memory of 3268 1932 Ccdnjp32.exe 102 PID 3268 wrote to memory of 5056 3268 Dbjkkl32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9b03fb3e4a5dea2f9ee8152f4a5c0fb52bf103e9a1dc19cde2395eb96dd504eN.exe"C:\Users\Admin\AppData\Local\Temp\e9b03fb3e4a5dea2f9ee8152f4a5c0fb52bf103e9a1dc19cde2395eb96dd504eN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe23⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe24⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe25⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe29⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe30⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe31⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe33⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe34⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe35⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe37⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4088 -
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3540 -
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe40⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3152 -
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe42⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4024 -
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe46⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8 -
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe48⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe50⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Fideeaco.exeC:\Windows\system32\Fideeaco.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe54⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe56⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe58⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe59⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe60⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe62⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe63⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4788 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe65⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe66⤵PID:224
-
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe67⤵PID:4696
-
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe68⤵PID:5072
-
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe69⤵
- Modifies registry class
PID:4476 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe70⤵PID:4716
-
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe71⤵PID:956
-
C:\Windows\SysWOW64\Hdjbiheb.exeC:\Windows\system32\Hdjbiheb.exe72⤵PID:1920
-
C:\Windows\SysWOW64\Higjaoci.exeC:\Windows\system32\Higjaoci.exe73⤵PID:3148
-
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe74⤵
- System Location Discovery: System Language Discovery
PID:3512 -
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe75⤵PID:1476
-
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe76⤵
- System Location Discovery: System Language Discovery
PID:4800 -
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe77⤵PID:4768
-
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3852 -
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe79⤵PID:3700
-
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe80⤵PID:764
-
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe81⤵PID:4808
-
C:\Windows\SysWOW64\Ilmmni32.exeC:\Windows\system32\Ilmmni32.exe82⤵PID:4536
-
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe83⤵PID:1360
-
C:\Windows\SysWOW64\Inlihl32.exeC:\Windows\system32\Inlihl32.exe84⤵
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe85⤵PID:1456
-
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe86⤵PID:4912
-
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe87⤵
- Drops file in System32 directory
PID:4496 -
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe88⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe89⤵PID:1764
-
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5096 -
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe91⤵PID:4060
-
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe92⤵PID:2332
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2128 -
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe94⤵PID:3024
-
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe95⤵PID:2228
-
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe96⤵PID:5024
-
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe97⤵
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe98⤵
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3348 -
C:\Windows\SysWOW64\Jlmfeg32.exeC:\Windows\system32\Jlmfeg32.exe100⤵PID:1524
-
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe101⤵PID:4032
-
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe102⤵PID:4804
-
C:\Windows\SysWOW64\Jlobkg32.exeC:\Windows\system32\Jlobkg32.exe103⤵PID:5076
-
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe104⤵
- System Location Discovery: System Language Discovery
PID:812 -
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe105⤵PID:212
-
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe106⤵PID:4648
-
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe107⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe108⤵PID:2408
-
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe109⤵PID:1788
-
C:\Windows\SysWOW64\Kqphfe32.exeC:\Windows\system32\Kqphfe32.exe110⤵PID:3068
-
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe111⤵PID:1020
-
C:\Windows\SysWOW64\Knchpiom.exeC:\Windows\system32\Knchpiom.exe112⤵PID:1632
-
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe113⤵PID:1152
-
C:\Windows\SysWOW64\Kdmqmc32.exeC:\Windows\system32\Kdmqmc32.exe114⤵
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe115⤵
- Drops file in System32 directory
PID:4928 -
C:\Windows\SysWOW64\Kmieae32.exeC:\Windows\system32\Kmieae32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4108 -
C:\Windows\SysWOW64\Kdpmbc32.exeC:\Windows\system32\Kdpmbc32.exe117⤵PID:3604
-
C:\Windows\SysWOW64\Kgninn32.exeC:\Windows\system32\Kgninn32.exe118⤵
- System Location Discovery: System Language Discovery
PID:3752 -
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe119⤵
- Drops file in System32 directory
PID:5136 -
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe120⤵PID:5188
-
C:\Windows\SysWOW64\Kcejco32.exeC:\Windows\system32\Kcejco32.exe121⤵PID:5232
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-