Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2024 05:34
Static task: static1
Behavioral task: behavioral1
  Sample: 2093185e7a3ce22dedf692e57d006e177c9f5c73c147f2500c24dd3f94b61183N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2093185e7a3ce22dedf692e57d006e177c9f5c73c147f2500c24dd3f94b61183N.exe
  Resource: win10v2004-20240802-en
General
Target: 2093185e7a3ce22dedf692e57d006e177c9f5c73c147f2500c24dd3f94b61183N.exe
Size: 69KB
MD5: fec4022b828d8ed9b6e9b5e090f5f580
SHA1: acaf5464d8128e923b1e7ca03323926cb61e0972
SHA256: 2093185e7a3ce22dedf692e57d006e177c9f5c73c147f2500c24dd3f94b61183
SHA512: fe025d3d087213636ecaea750b99fe98a533f89154d1ae870a5b7cb76d0cd0f3a906d07fd993d92404ca297a13774ca846fd8ea3810331afc41099fd3822a080
SSDEEP: 1536:csiHzEqhMwhk0K/kHhyNein/GFZCeDAyZ:i5hTK/gyNFn/GFZC1yZ
Malware Config
Extracted family: berbew
Extracted URLs:
  http://tat-neftbank.ru/kkq.php
  http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup  (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) lists CLSIDs of in-process COM objects that explorer.exe instantiates at logon, so a DLL registered as the InProcServer32 of such a CLSID runs inside Explorer without any Run key, service or scheduled task. Every event below touches one key, abbreviated SSODL:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
("Key created" events log the same key with the "Software" casing.) Every "Set value (str)" event writes the same value:
  SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
The value is re-written by process after process in the drop chain, i.e. each dropped copy re-asserts the same persistence. "Process not Found" marks events the sandbox could not attribute to a process record.

description      ioc                     Process
Set value (str)  SSODL\Web Event Logger  Deenjpcd.exe
Key created      SSODL                   Mqehjecl.exe
Key created      SSODL                   Olkifaen.exe
Key created      SSODL                   Qoeamo32.exe
Set value (str)  SSODL\Web Event Logger  Agglbp32.exe
Key created      SSODL                   Ldgnklmi.exe
Key created      SSODL                   Kglehp32.exe
Key created      SSODL                   Lbcbjlmb.exe
Key created      SSODL                   Gdhdkn32.exe
Key created      SSODL                   Jfcabd32.exe
Key created      SSODL                   Process not Found
Set value (str)  SSODL\Web Event Logger  Jimbkh32.exe
Set value (str)  SSODL\Web Event Logger  Kpicle32.exe
Set value (str)  SSODL\Web Event Logger  Lgqkbb32.exe
Key created      SSODL                   Nefdpjkl.exe
Key created      SSODL                   Iejiodbl.exe
Set value (str)  SSODL\Web Event Logger  Agpeaa32.exe
Set value (str)  SSODL\Web Event Logger  Process not Found
Key created      SSODL                   Process not Found
Set value (str)  SSODL\Web Event Logger  Ibejdjln.exe
Key created      SSODL                   Olmela32.exe
Set value (str)  SSODL\Web Event Logger  Olpbaa32.exe
Key created      SSODL                   Kipmhc32.exe
Set value (str)  SSODL\Web Event Logger  Bngfmhbj.exe
Key created      SSODL                   Bfgdmjlp.exe
Set value (str)  SSODL\Web Event Logger  Process not Found
Key created      SSODL                   Pleofj32.exe
Set value (str)  SSODL\Web Event Logger  Ajckilei.exe
Set value (str)  SSODL\Web Event Logger  Nfdfmfle.exe
Set value (str)  SSODL\Web Event Logger  Process not Found
Key created      SSODL                   Process not Found
Set value (str)  SSODL\Web Event Logger  Process not Found
Set value (str)  SSODL\Web Event Logger  Heliepmn.exe
Set value (str)  SSODL\Web Event Logger  Apedah32.exe
Key created      SSODL                   Pbgjgomc.exe
Set value (str)  SSODL\Web Event Logger  Cidddj32.exe
Key created      SSODL                   Daaenlng.exe
Set value (str)  SSODL\Web Event Logger  Iipejmko.exe
Key created      SSODL                   Ldbaopdj.exe
Key created      SSODL                   Process not Found
Set value (str)  SSODL\Web Event Logger  Lldmleam.exe
Set value (str)  SSODL\Web Event Logger  Aepbmhpl.exe
Set value (str)  SSODL\Web Event Logger  Process not Found
Key created      SSODL                   Process not Found
Key created      SSODL                   Mdldeo32.exe
Key created      SSODL                   Bnlphh32.exe
Set value (str)  SSODL\Web Event Logger  Process not Found
Set value (str)  SSODL\Web Event Logger  Kbmome32.exe
Key created      SSODL                   Kkdnhi32.exe
Set value (str)  SSODL\Web Event Logger  Klhgfq32.exe
Key created      SSODL                   Agbbgqhh.exe
Set value (str)  SSODL\Web Event Logger  Process not Found
Key created      SSODL                   Kocmim32.exe
Key created      SSODL                   Mmdjkhdh.exe
Set value (str)  SSODL\Web Event Logger  Bcjcme32.exe
Key created      SSODL                   Lljipmdl.exe
Key created      SSODL                   Process not Found
Key created      SSODL                   Process not Found
Key created      SSODL                   Jioopgef.exe
Set value (str)  SSODL\Web Event Logger  Hblgnkdh.exe
Key created      SSODL                   Ihniaa32.exe
Key created      SSODL                   Klngkfge.exe
Key created      SSODL                   Lkjjma32.exe
Set value (str)  SSODL\Web Event Logger  Ggagmjbq.exe
Executes dropped EXE  (64 IoCs)
pid   Process        pid   Process        pid   Process        pid   Process
2484  Eggndi32.exe   2472  Eiekpd32.exe   2504  Eldglp32.exe   2304  Eppcmncq.exe
2812  Ecnoijbd.exe   2688  Eelkeeah.exe   2348  Ehkhaqpk.exe   2588  Epbpbnan.exe
3060  Ecploipa.exe   1732  Eeohkeoe.exe   1916  Ehmdgp32.exe   236   Elipgofb.exe
2488  Eogmcjef.exe   2672  Ecbhdi32.exe   2612  Eeaepd32.exe   2916  Ehpalp32.exe
1856  Eknmhk32.exe   1664  Enlidg32.exe   772   Eecafd32.exe   1084  Edfbaabj.exe
2440  Fhbnbpjc.exe   1768  Fkpjnkig.exe   2552  Folfoj32.exe   2176  Fnofjfhk.exe
2264  Fpmbfbgo.exe   2108  Fggkcl32.exe   2776  Fnacpffh.exe   2092  Fpoolael.exe
2568  Fdkklp32.exe   2772  Fgigil32.exe   2024  Fjhcegll.exe   2244  Fncpef32.exe
2768  Fdmhbplb.exe   2844  Fgldnkkf.exe   572   Ffodjh32.exe   2912  Fnflke32.exe
2924  Fqdiga32.exe   1720  Fcbecl32.exe   1080  Fgnadkic.exe   1804  Fqfemqod.exe
944   Gceailog.exe   2736  Gjojef32.exe   324   Gkpfmnlb.exe   2136  Gcgnnlle.exe
2404  Gbjojh32.exe   2228  Ghdgfbkl.exe   2676  Gkbcbn32.exe   2152  Gnaooi32.exe
2692  Gblkoham.exe   1360  Gifclb32.exe   308   Gkephn32.exe   1552  Gbohehoj.exe
1640  Gdmdacnn.exe   1060  Ggkqmoma.exe   1672  Gkglnm32.exe   1792  Gneijien.exe
1488  Gbadjg32.exe   988   Gqdefddb.exe   3040  Gepafc32.exe   1608  Ggnmbn32.exe
776   Hkiicmdh.exe   1388  Hnheohcl.exe   2416  Hmkeke32.exe   1440  Hebnlb32.exe
Loads dropped DLL  (64 IoCs)
Each process below is logged twice (two DLL loads per process); the list is the sample itself followed by the first 31 dropped executables, in spawn order.
pid   Process
1960  2093185e7a3ce22dedf692e57d006e177c9f5c73c147f2500c24dd3f94b61183N.exe
2484  Eggndi32.exe   2472  Eiekpd32.exe   2504  Eldglp32.exe   2304  Eppcmncq.exe
2812  Ecnoijbd.exe   2688  Eelkeeah.exe   2348  Ehkhaqpk.exe   2588  Epbpbnan.exe
3060  Ecploipa.exe   1732  Eeohkeoe.exe   1916  Ehmdgp32.exe   236   Elipgofb.exe
2488  Eogmcjef.exe   2672  Ecbhdi32.exe   2612  Eeaepd32.exe   2916  Ehpalp32.exe
1856  Eknmhk32.exe   1664  Enlidg32.exe   772   Eecafd32.exe   1084  Edfbaabj.exe
2440  Fhbnbpjc.exe   1768  Fkpjnkig.exe   2552  Folfoj32.exe   2176  Fnofjfhk.exe
2264  Fpmbfbgo.exe   2108  Fggkcl32.exe   2776  Fnacpffh.exe   2092  Fpoolael.exe
2568  Fdkklp32.exe   2772  Fgigil32.exe   2024  Fjhcegll.exe
Drops file in System32 directory  (64 IoCs)
Every drop lands in C:\Windows\SysWOW64 (the 32-bit system directory on this x64 image) under an eight-character name; "File opened for modification" on an .exe is the writer staging the next executable in the chain.

description                   ioc                                  Process
File created                  C:\Windows\SysWOW64\Nlefhcnc.exe     Nlefhcnc.exe
File created                  C:\Windows\SysWOW64\Dmbcen32.exe     Cfhkhd32.exe
File opened for modification  C:\Windows\SysWOW64\Mkcplien.exe     Mclgklel.exe
File created                  C:\Windows\SysWOW64\Algllb32.dll     Process not Found
File created                  C:\Windows\SysWOW64\Lfkeokjp.exe     Lboiol32.exe
File created                  C:\Windows\SysWOW64\Eddmlhaq.dll     Lfoojj32.exe
File opened for modification  C:\Windows\SysWOW64\Aepbmhpl.exe     Qbafalph.exe
File opened for modification  C:\Windows\SysWOW64\Lldmleam.exe     Lhiakf32.exe
File created                  C:\Windows\SysWOW64\Eencfjlb.dll     Ogabql32.exe
File created                  C:\Windows\SysWOW64\Nhnipd32.dll     Aipgifcp.exe
File created                  C:\Windows\SysWOW64\Aohndnll.dll     Keqkofno.exe
File opened for modification  C:\Windows\SysWOW64\Boemlbpk.exe     Blfapfpg.exe
File created                  C:\Windows\SysWOW64\Kmimcbja.exe     Kkjpggkn.exe
File opened for modification  C:\Windows\SysWOW64\Onjgkf32.exe     Process not Found
File created                  C:\Windows\SysWOW64\Qblfkgqb.exe     Process not Found
File opened for modification  C:\Windows\SysWOW64\Enhaeldn.exe     Process not Found
File opened for modification  C:\Windows\SysWOW64\Hghillnd.exe     Hieiqo32.exe
File created                  C:\Windows\SysWOW64\Qobmnf32.dll     Fppaej32.exe
File opened for modification  C:\Windows\SysWOW64\Amoibc32.exe     Process not Found
File created                  C:\Windows\SysWOW64\Jalcdhla.dll     Apkgpf32.exe
File opened for modification  C:\Windows\SysWOW64\Mhcfjnhm.exe     Mploiq32.exe
File created                  C:\Windows\SysWOW64\Mgnfji32.exe     Process not Found
File created                  C:\Windows\SysWOW64\Mfdgjene.dll     Process not Found
File created                  C:\Windows\SysWOW64\Endjeihi.dll     Process not Found
File created                  C:\Windows\SysWOW64\Pclmghko.dll     Ippdgc32.exe
File created                  C:\Windows\SysWOW64\Enmkijgm.dll     Jampjian.exe
File opened for modification  C:\Windows\SysWOW64\Jbbccgmp.exe     Joggci32.exe
File created                  C:\Windows\SysWOW64\Cqlile32.dll     Baneak32.exe
File opened for modification  C:\Windows\SysWOW64\Jcfoihhp.exe     Process not Found
File opened for modification  C:\Windows\SysWOW64\Kklkcn32.exe     Kgqocoin.exe
File created                  C:\Windows\SysWOW64\Ieofkp32.exe     Ijibng32.exe
File opened for modification  C:\Windows\SysWOW64\Fcqjfeja.exe     Fdnjkh32.exe
File opened for modification  C:\Windows\SysWOW64\Ghdiokbq.exe     Giaidnkf.exe
File opened for modification  C:\Windows\SysWOW64\Aipgifcp.exe     Aedlhg32.exe
File created                  C:\Windows\SysWOW64\Jiepeo32.dll     Hgpjhn32.exe
File created                  C:\Windows\SysWOW64\Lgpdglhn.exe     Lcdhgn32.exe
File created                  C:\Windows\SysWOW64\Epmjjhhd.dll     Qfkelkkd.exe
File created                  C:\Windows\SysWOW64\Dhnhab32.dll     Efedga32.exe
File opened for modification  C:\Windows\SysWOW64\Folhgbid.exe     Flnlkgjq.exe
File created                  C:\Windows\SysWOW64\Dcibhnqq.dll     Joidhh32.exe
File created                  C:\Windows\SysWOW64\Dcdgqq32.dll     Ipeaco32.exe
File created                  C:\Windows\SysWOW64\Ioohokoo.exe     Ijclol32.exe
File opened for modification  C:\Windows\SysWOW64\Adjhicpo.exe     Aaklmhak.exe
File created                  C:\Windows\SysWOW64\Cqglng32.exe     Process not Found
File created                  C:\Windows\SysWOW64\Hefqbobh.dll     Process not Found
File created                  C:\Windows\SysWOW64\Cidcinlc.dll     Process not Found
File created                  C:\Windows\SysWOW64\Nbiahjpi.dll     Elibpg32.exe
File created                  C:\Windows\SysWOW64\Gamnhq32.exe     Gcjmmdbf.exe
File opened for modification  C:\Windows\SysWOW64\Lcdjpfgh.exe     Process not Found
File created                  C:\Windows\SysWOW64\Kcecbq32.exe     Kdbbgdjj.exe
File opened for modification  C:\Windows\SysWOW64\Epkepakn.exe     Process not Found
File created                  C:\Windows\SysWOW64\Kmclmm32.exe     Process not Found
File opened for modification  C:\Windows\SysWOW64\Iejiodbl.exe     Ibkmchbh.exe
File created                  C:\Windows\SysWOW64\Jdhpfnbe.dll     Process not Found
File opened for modification  C:\Windows\SysWOW64\Bkbdabog.exe     Bhdhefpc.exe
File created                  C:\Windows\SysWOW64\Hnppof32.dll     Djfdob32.exe
File created                  C:\Windows\SysWOW64\Hnpdcf32.exe     Hkahgk32.exe
File created                  C:\Windows\SysWOW64\Oqgjdbpi.exe     Oninhgae.exe
File opened for modification  C:\Windows\SysWOW64\Ijlaloaf.exe     Process not Found
File opened for modification  C:\Windows\SysWOW64\Gglbfg32.exe     Gdnfjl32.exe
File created                  C:\Windows\SysWOW64\Qaamhelq.dll     Lcmklh32.exe
File created                  C:\Windows\SysWOW64\Bdfahaaa.exe     Process not Found
File created                  C:\Windows\SysWOW64\Ninlepim.dll     Mploiq32.exe
File opened for modification  C:\Windows\SysWOW64\Khagijcd.exe     Process not Found
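A triage pass over the drop events above, written as an added example for this report (it is not part of the sandbox output and not the malware's code). Every recorded drop sits in C:\Windows\SysWOW64 under an eight-character name that is either eight letters (Nlefhcnc) or six letters followed by "32" (Dmbcen32); the regex below is derived from that observation, so treat it as a hint tuned to this sample rather than a general rule. The input is constructed from lines of the table, plus one made-up benign line (report.txt) that must not be flagged.

```python
"""Triage "Drops file in System32 directory" events for generated-looking names.

Added example for this report (not sandbox output). Parses the event lines,
keeps only drops into a system directory whose stem matches the naming
pattern seen in this sample, and summarises who dropped what.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# "<action> <path> <process>"; the process field may be "Process not Found" (contains spaces).
DROP_RE = re.compile(r"^(?P<action>File created|File opened for modification) "
                     r"(?P<path>[A-Za-z]:\\.+?) (?P<proc>Process not Found|\S+)$")
# Naming pattern observed in this report: "Nlefhcnc" or "Dmbcen32". Assumption: sample-specific.
GENERATED_STEM_RE = re.compile(r"^[A-Z][a-z]{7}$|^[A-Z][a-z]{5}32$")
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed input: six lines verbatim from the report, one made-up benign control line.
SAMPLE_DROPS = [
    r"File created C:\Windows\SysWOW64\Nlefhcnc.exe Nlefhcnc.exe",
    r"File created C:\Windows\SysWOW64\Dmbcen32.exe Cfhkhd32.exe",
    r"File opened for modification C:\Windows\SysWOW64\Mkcplien.exe Mclgklel.exe",
    r"File created C:\Windows\SysWOW64\Algllb32.dll Process not Found",
    r"File created C:\Windows\SysWOW64\Eddmlhaq.dll Lfoojj32.exe",
    r"File created C:\Windows\SysWOW64\Aohndnll.dll Keqkofno.exe",
    r"File created C:\Users\Admin\AppData\Local\Temp\report.txt notepad.exe",  # constructed control
]


@dataclass(frozen=True)
class Drop:
    action: str
    path: str
    process: str

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[1]

    @property
    def in_system_dir(self) -> bool:
        return self.directory in SYSTEM_DIRS

    @property
    def generated_name(self) -> bool:
        stem, _, ext = self.filename.rpartition(".")
        return ext.lower() in {"exe", "dll"} and bool(GENERATED_STEM_RE.match(stem))


def parse_drops(lines):
    """Turn report lines into Drop records; lines that are not drop events are skipped."""
    drops = []
    for line in lines:
        m = DROP_RE.match(line)
        if m:
            drops.append(Drop(m["action"], m["path"], m["proc"]))
    return drops


def triage(drops):
    """Summarise: flagged = system-directory drop with a generated-looking name."""
    flagged = [d for d in drops if d.in_system_dir and d.generated_name]
    by_dropper = defaultdict(list)
    for d in flagged:
        by_dropper[d.process].append(d.filename)
    return {
        "total": len(drops),
        "in_system_dir": sum(d.in_system_dir for d in drops),
        "flagged": len(flagged),
        "exe": sum(d.filename.lower().endswith(".exe") for d in flagged),
        "dll": sum(d.filename.lower().endswith(".dll") for d in flagged),
        "unattributed": sum(d.process == "Process not Found" for d in flagged),
        "self_copies": sum(d.filename == d.process for d in flagged),  # a process writing its own name
        "by_dropper": dict(by_dropper),
    }


if __name__ == "__main__":
    summary = triage(parse_drops(SAMPLE_DROPS))
    for key, value in summary.items():
        print(f"{key:>14}: {value}")
```

The self_copies count is worth watching in the full table: Nlefhcnc.exe creating C:\Windows\SysWOW64\Nlefhcnc.exe is a process writing a file with its own name, which is how the chain reproduces itself under a fresh name.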
Program crash  (1 IoC)
pid   pid_target  Process            procid_target
4968  4276        Process not Found  1483
System Location Discovery: System Language Discovery  (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The key is also read during ordinary locale initialisation, so on its own this is a weak signal; its value here is that every process in the drop chain triggers it.
All 64 events are: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Opening processes, in report order:
Fgldnkkf.exe   Ngpqfp32.exe   Feddombd.exe   Gglbfg32.exe
Process not Found   Iaegpaao.exe   Ohdfqbio.exe   Cbjlhpkb.exe
Mnmbme32.exe   Peeoidik.exe   Process not Found   Lcofio32.exe
Mmccqbpm.exe   Nnokahip.exe   Pnhjgj32.exe   Process not Found
Khghgchk.exe   Locjhqpa.exe   Ohipla32.exe   Bhmaeg32.exe
Boifga32.exe   Dnefhpma.exe   Hjofdi32.exe   Popgboae.exe
Jhenjmbb.exe   Palpneop.exe   Process not Found   Hnjbeh32.exe
Jimbkh32.exe   Adaiee32.exe   Process not Found   Pmehdh32.exe
Fdiqpigl.exe   Iedfqeka.exe   Deenjpcd.exe   Llmmpcfe.exe
Hoqjqhjf.exe   Ldbaopdj.exe   Makkcc32.exe   Nojnql32.exe
Ainkcf32.exe   Process not Found   Process not Found   Process not Found
Hmoofdea.exe   Kglehp32.exe   Lfmbek32.exe   Mobfgdcl.exe
Omnipjni.exe   Fmfocnjg.exe   Process not Found   Process not Found
Mgjnhaco.exe   Process not Found   Process not Found   Knmdeioh.exe
Mjaddn32.exe   Ebklic32.exe   Kgcnahoo.exe   Lohelidp.exe
Process not Found   Process not Found   Process not Found   Process not Found
Modifies registry class  (64 IoCs)
These events register the CLSID named by the ShellServiceObjectDelayLoad value above. All of them touch one key, abbreviated IPS:
  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
"IPS\ =" is the key's default value, which COM resolves to the server DLL; every default value set here points at a dropped DLL under C:\Windows\SysWow64, and the same CLSID is re-pointed at a different DLL by successive processes. "ThreadingModel = Apartment" is the usual setting for a shell-loaded in-process server.

description      ioc                                                       Process
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Goejbpjh.dll"              Lfkeokjp.exe
Key created      IPS                                                       Lklgbadb.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Hnajpcii.dll"              Lklgbadb.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Omnkicen.exe
Key created      IPS                                                       Process not Found
Set value (str)  IPS\ThreadingModel = "Apartment"                          Process not Found
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Jcngcc32.dll"              Process not Found
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Epgfma32.dll"              Fqfemqod.exe
Key created      IPS                                                       Oejcpf32.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Gbejnl32.dll"              Feachqgb.exe
Key created      IPS                                                       Hklhae32.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Nigldq32.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Jnagmc32.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Process not Found
Set value (str)  IPS\ThreadingModel = "Apartment"                          Process not Found
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll"              Pleofj32.exe
Key created      IPS                                                       Lhlqjone.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Ikgeel32.dll"              Mikjpiim.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Gdecfn32.dll"              Acicla32.exe
Key created      IPS                                                       Mflgih32.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Aognbnkm.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Hjpqkajf.dll"              Dncibp32.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Process not Found
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Blipcb32.dll"              Process not Found
Key created      IPS                                                       Process not Found
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Fgokeion.dll"              Imokehhl.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Lpnmgdli.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Edoefl32.exe
Key created      IPS                                                       Process not Found
Set value (str)  IPS\ThreadingModel = "Apartment"                          Process not Found
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Bhimbk32.dll"              Ncinap32.exe
Key created      IPS                                                       Gekfnoog.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Iknafhjb.exe
Key created      IPS                                                       Process not Found
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Jaiqnakp.dll"              Process not Found
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Phkckneq.dll"              Mgedmb32.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Process not Found
Key created      IPS                                                       Idicbbpi.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Leoiil32.dll"              Mlieoqgg.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Lmjkjk32.dll"              Nbfnggeo.exe
Key created      IPS                                                       Fmfocnjg.exe
Key created      IPS                                                       Process not Found
Set value (str)  IPS\ThreadingModel = "Apartment"                          Process not Found
Key created      IPS                                                       Knkgpi32.exe
Key created      IPS                                                       Mcnbhb32.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Eipbmjcc.dll"              Dlofgj32.exe
Key created      IPS                                                       Njpihk32.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Jdilhpcp.dll"              Pfebnmcj.exe
Key created      IPS                                                       Gaagcpdl.exe
Key created      IPS                                                       Jnagmc32.exe
Key created      IPS                                                       Epnhpglg.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Anjaagnc.dll"              Process not Found
Set value (str)  IPS\ThreadingModel = "Apartment"                          Fhbnbpjc.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Ihpfbd32.dll"              Process not Found
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Fffjig32.dll"              Kekiphge.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Pdeqfhjd.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll"              Apgagg32.exe
Key created      IPS                                                       Cmmcpi32.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Apefjqob.exe
Set value (str)  IPS\ThreadingModel = "Apartment"                          Process not Found
Key created      IPS                                                       Process not Found
Set value (str)  IPS\ThreadingModel = "Apartment"                          Process not Found
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Bbdofg32.dll"              Hjmlhbbg.exe
Set value (str)  IPS\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll"              Obhdcanc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- depth 1: C:\Users\Admin\AppData\Local\Temp\2093185e7a3ce22dedf692e57d006e177c9f5c73c147f2500c24dd3f94b61183N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2093185e7a3ce22dedf692e57d006e177c9f5c73c147f2500c24dd3f94b61183N.exe"), PID 1960
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 2: C:\Windows\SysWOW64\Eggndi32.exe (command line: C:\Windows\system32\Eggndi32.exe), PID 2484
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 3: C:\Windows\SysWOW64\Eiekpd32.exe (command line: C:\Windows\system32\Eiekpd32.exe), PID 2472
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 4: C:\Windows\SysWOW64\Eldglp32.exe (command line: C:\Windows\system32\Eldglp32.exe), PID 2504
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 5: C:\Windows\SysWOW64\Eppcmncq.exe (command line: C:\Windows\system32\Eppcmncq.exe), PID 2304
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 6: C:\Windows\SysWOW64\Ecnoijbd.exe (command line: C:\Windows\system32\Ecnoijbd.exe), PID 2812
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 7: C:\Windows\SysWOW64\Eelkeeah.exe (command line: C:\Windows\system32\Eelkeeah.exe), PID 2688
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 8: C:\Windows\SysWOW64\Ehkhaqpk.exe (command line: C:\Windows\system32\Ehkhaqpk.exe), PID 2348
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 9: C:\Windows\SysWOW64\Epbpbnan.exe (command line: C:\Windows\system32\Epbpbnan.exe), PID 2588
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 10: C:\Windows\SysWOW64\Ecploipa.exe (command line: C:\Windows\system32\Ecploipa.exe), PID 3060
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 11: C:\Windows\SysWOW64\Eeohkeoe.exe (command line: C:\Windows\system32\Eeohkeoe.exe), PID 1732
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 12: C:\Windows\SysWOW64\Ehmdgp32.exe (command line: C:\Windows\system32\Ehmdgp32.exe), PID 1916
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 13: C:\Windows\SysWOW64\Elipgofb.exe (command line: C:\Windows\system32\Elipgofb.exe), PID 236
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 14: C:\Windows\SysWOW64\Eogmcjef.exe (command line: C:\Windows\system32\Eogmcjef.exe), PID 2488
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 15: C:\Windows\SysWOW64\Ecbhdi32.exe (command line: C:\Windows\system32\Ecbhdi32.exe), PID 2672
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 16: C:\Windows\SysWOW64\Eeaepd32.exe (command line: C:\Windows\system32\Eeaepd32.exe), PID 2612
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- depth 17: C:\Windows\SysWOW64\Ehpalp32.exe (command line: C:\Windows\system32\Ehpalp32.exe), PID 2916
  - Executes dropped EXE
  - Loads dropped DLL
- depth 18: C:\Windows\SysWOW64\Eknmhk32.exe (command line: C:\Windows\system32\Eknmhk32.exe), PID 1856
  - Executes dropped EXE
  - Loads dropped DLL
- depth 19: C:\Windows\SysWOW64\Enlidg32.exe (command line: C:\Windows\system32\Enlidg32.exe), PID 1664
  - Executes dropped EXE
  - Loads dropped DLL
- depth 20: C:\Windows\SysWOW64\Eecafd32.exe (command line: C:\Windows\system32\Eecafd32.exe), PID 772
  - Executes dropped EXE
  - Loads dropped DLL
- depth 21: C:\Windows\SysWOW64\Edfbaabj.exe (command line: C:\Windows\system32\Edfbaabj.exe), PID 1084
  - Executes dropped EXE
  - Loads dropped DLL
- depth 22: C:\Windows\SysWOW64\Fhbnbpjc.exe (command line: C:\Windows\system32\Fhbnbpjc.exe), PID 2440
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- depth 23: C:\Windows\SysWOW64\Fkpjnkig.exe (command line: C:\Windows\system32\Fkpjnkig.exe), PID 1768
  - Executes dropped EXE
  - Loads dropped DLL
- depth 24: C:\Windows\SysWOW64\Folfoj32.exe (command line: C:\Windows\system32\Folfoj32.exe), PID 2552
  - Executes dropped EXE
  - Loads dropped DLL
- depth 25: C:\Windows\SysWOW64\Fnofjfhk.exe (command line: C:\Windows\system32\Fnofjfhk.exe), PID 2176
  - Executes dropped EXE
  - Loads dropped DLL
- depth 26: C:\Windows\SysWOW64\Fpmbfbgo.exe (command line: C:\Windows\system32\Fpmbfbgo.exe), PID 2264
  - Executes dropped EXE
  - Loads dropped DLL
- depth 27: C:\Windows\SysWOW64\Fggkcl32.exe (command line: C:\Windows\system32\Fggkcl32.exe), PID 2108
  - Executes dropped EXE
  - Loads dropped DLL
- depth 28: C:\Windows\SysWOW64\Fnacpffh.exe (command line: C:\Windows\system32\Fnacpffh.exe), PID 2776
  - Executes dropped EXE
  - Loads dropped DLL
- depth 29: C:\Windows\SysWOW64\Fpoolael.exe (command line: C:\Windows\system32\Fpoolael.exe), PID 2092
  - Executes dropped EXE
  - Loads dropped DLL
- depth 30: C:\Windows\SysWOW64\Fdkklp32.exe (command line: C:\Windows\system32\Fdkklp32.exe), PID 2568
  - Executes dropped EXE
  - Loads dropped DLL
- depth 31: C:\Windows\SysWOW64\Fgigil32.exe (command line: C:\Windows\system32\Fgigil32.exe), PID 2772
  - Executes dropped EXE
  - Loads dropped DLL
- depth 32: C:\Windows\SysWOW64\Fjhcegll.exe (command line: C:\Windows\system32\Fjhcegll.exe), PID 2024
  - Executes dropped EXE
  - Loads dropped DLL
- depth 33: C:\Windows\SysWOW64\Fncpef32.exe (command line: C:\Windows\system32\Fncpef32.exe), PID 2244
  - Executes dropped EXE
- depth 34: C:\Windows\SysWOW64\Fdmhbplb.exe (command line: C:\Windows\system32\Fdmhbplb.exe), PID 2768
  - Executes dropped EXE
- depth 35: C:\Windows\SysWOW64\Fgldnkkf.exe (command line: C:\Windows\system32\Fgldnkkf.exe), PID 2844
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- depth 36: C:\Windows\SysWOW64\Ffodjh32.exe (command line: C:\Windows\system32\Ffodjh32.exe), PID 572
  - Executes dropped EXE
- depth 37: C:\Windows\SysWOW64\Fnflke32.exe (command line: C:\Windows\system32\Fnflke32.exe), PID 2912
  - Executes dropped EXE
- depth 38: C:\Windows\SysWOW64\Fqdiga32.exe (command line: C:\Windows\system32\Fqdiga32.exe), PID 2924
  - Executes dropped EXE
- depth 39: C:\Windows\SysWOW64\Fcbecl32.exe (command line: C:\Windows\system32\Fcbecl32.exe), PID 1720
  - Executes dropped EXE
- depth 40: C:\Windows\SysWOW64\Fgnadkic.exe (command line: C:\Windows\system32\Fgnadkic.exe), PID 1080
  - Executes dropped EXE
- depth 41: C:\Windows\SysWOW64\Fqfemqod.exe (command line: C:\Windows\system32\Fqfemqod.exe), PID 1804
  - Executes dropped EXE
  - Modifies registry class
- depth 42: C:\Windows\SysWOW64\Gceailog.exe (command line: C:\Windows\system32\Gceailog.exe), PID 944
  - Executes dropped EXE
- depth 43: C:\Windows\SysWOW64\Gjojef32.exe (command line: C:\Windows\system32\Gjojef32.exe), PID 2736
  - Executes dropped EXE
- depth 44: C:\Windows\SysWOW64\Gkpfmnlb.exe (command line: C:\Windows\system32\Gkpfmnlb.exe), PID 324
  - Executes dropped EXE
- depth 45: C:\Windows\SysWOW64\Gcgnnlle.exe (command line: C:\Windows\system32\Gcgnnlle.exe), PID 2136
  - Executes dropped EXE
- depth 46: C:\Windows\SysWOW64\Gbjojh32.exe (command line: C:\Windows\system32\Gbjojh32.exe), PID 2404
  - Executes dropped EXE
- depth 47: C:\Windows\SysWOW64\Ghdgfbkl.exe (command line: C:\Windows\system32\Ghdgfbkl.exe), PID 2228
  - Executes dropped EXE
- depth 48: C:\Windows\SysWOW64\Gkbcbn32.exe (command line: C:\Windows\system32\Gkbcbn32.exe), PID 2676
  - Executes dropped EXE
- depth 49: C:\Windows\SysWOW64\Gnaooi32.exe (command line: C:\Windows\system32\Gnaooi32.exe), PID 2152
  - Executes dropped EXE
- depth 50: C:\Windows\SysWOW64\Gblkoham.exe (command line: C:\Windows\system32\Gblkoham.exe), PID 2692
  - Executes dropped EXE
- depth 51: C:\Windows\SysWOW64\Gifclb32.exe (command line: C:\Windows\system32\Gifclb32.exe), PID 1360
  - Executes dropped EXE
- depth 52: C:\Windows\SysWOW64\Gkephn32.exe (command line: C:\Windows\system32\Gkephn32.exe), PID 308
  - Executes dropped EXE
- depth 53: C:\Windows\SysWOW64\Gbohehoj.exe (command line: C:\Windows\system32\Gbohehoj.exe), PID 1552
  - Executes dropped EXE
- depth 54: C:\Windows\SysWOW64\Gdmdacnn.exe (command line: C:\Windows\system32\Gdmdacnn.exe), PID 1640
  - Executes dropped EXE
- depth 55: C:\Windows\SysWOW64\Ggkqmoma.exe (command line: C:\Windows\system32\Ggkqmoma.exe), PID 1060
  - Executes dropped EXE
- depth 56: C:\Windows\SysWOW64\Gkglnm32.exe (command line: C:\Windows\system32\Gkglnm32.exe), PID 1672
  - Executes dropped EXE
- depth 57: C:\Windows\SysWOW64\Gneijien.exe (command line: C:\Windows\system32\Gneijien.exe), PID 1792
  - Executes dropped EXE
- depth 58: C:\Windows\SysWOW64\Gbadjg32.exe (command line: C:\Windows\system32\Gbadjg32.exe), PID 1488
  - Executes dropped EXE
- depth 59: C:\Windows\SysWOW64\Gqdefddb.exe (command line: C:\Windows\system32\Gqdefddb.exe), PID 988
  - Executes dropped EXE
- depth 60: C:\Windows\SysWOW64\Gepafc32.exe (command line: C:\Windows\system32\Gepafc32.exe), PID 3040
  - Executes dropped EXE
- depth 61: C:\Windows\SysWOW64\Ggnmbn32.exe (command line: C:\Windows\system32\Ggnmbn32.exe), PID 1608
  - Executes dropped EXE
- depth 62: C:\Windows\SysWOW64\Hkiicmdh.exe (command line: C:\Windows\system32\Hkiicmdh.exe), PID 776
  - Executes dropped EXE
- depth 63: C:\Windows\SysWOW64\Hnheohcl.exe (command line: C:\Windows\system32\Hnheohcl.exe), PID 1388
  - Executes dropped EXE
- depth 64: C:\Windows\SysWOW64\Hmkeke32.exe (command line: C:\Windows\system32\Hmkeke32.exe), PID 2416
  - Executes dropped EXE
- depth 65: C:\Windows\SysWOW64\Hebnlb32.exe (command line: C:\Windows\system32\Hebnlb32.exe), PID 1440
  - Executes dropped EXE
- depth 66: C:\Windows\SysWOW64\Hcdnhoac.exe (command line: C:\Windows\system32\Hcdnhoac.exe), PID 1604
- depth 67: C:\Windows\SysWOW64\Hgpjhn32.exe (command line: C:\Windows\system32\Hgpjhn32.exe), PID 1932
  - Drops file in System32 directory
- depth 68: C:\Windows\SysWOW64\Hjofdi32.exe (command line: C:\Windows\system32\Hjofdi32.exe), PID 1236
  - System Location Discovery: System Language Discovery
- depth 69: C:\Windows\SysWOW64\Hnjbeh32.exe (command line: C:\Windows\system32\Hnjbeh32.exe), PID 2764
  - System Location Discovery: System Language Discovery
- depth 70: C:\Windows\SysWOW64\Hahnac32.exe (command line: C:\Windows\system32\Hahnac32.exe), PID 2720
- depth 71: C:\Windows\SysWOW64\Hpkompgg.exe (command line: C:\Windows\system32\Hpkompgg.exe), PID 2044
- depth 72: C:\Windows\SysWOW64\Hgbfnngi.exe (command line: C:\Windows\system32\Hgbfnngi.exe), PID 2744
- depth 73: C:\Windows\SysWOW64\Hfegij32.exe (command line: C:\Windows\system32\Hfegij32.exe), PID 2448
- depth 74: C:\Windows\SysWOW64\Hjacjifm.exe (command line: C:\Windows\system32\Hjacjifm.exe), PID 2384
- depth 75: C:\Windows\SysWOW64\Hmoofdea.exe (command line: C:\Windows\system32\Hmoofdea.exe), PID 1748
  - System Location Discovery: System Language Discovery
- depth 76: C:\Windows\SysWOW64\Hakkgc32.exe (command line: C:\Windows\system32\Hakkgc32.exe), PID 648
- depth 77: C:\Windows\SysWOW64\Hcigco32.exe (command line: C:\Windows\system32\Hcigco32.exe), PID 1956
- depth 78: C:\Windows\SysWOW64\Hblgnkdh.exe (command line: C:\Windows\system32\Hblgnkdh.exe), PID 396
  - Adds autorun key to be loaded by Explorer.exe on startup
- depth 79: C:\Windows\SysWOW64\Hfhcoj32.exe (command line: C:\Windows\system32\Hfhcoj32.exe), PID 1504
- depth 80: C:\Windows\SysWOW64\Hjcppidk.exe (command line: C:\Windows\system32\Hjcppidk.exe), PID 1356
- depth 81: C:\Windows\SysWOW64\Hifpke32.exe (command line: C:\Windows\system32\Hifpke32.exe), PID 576
- depth 82: C:\Windows\SysWOW64\Hldlga32.exe (command line: C:\Windows\system32\Hldlga32.exe), PID 2328
- depth 83: C:\Windows\SysWOW64\Hpphhp32.exe (command line: C:\Windows\system32\Hpphhp32.exe), PID 1276
- depth 84: C:\Windows\SysWOW64\Hcldhnkk.exe (command line: C:\Windows\system32\Hcldhnkk.exe), PID 2640
- depth 85: C:\Windows\SysWOW64\Hfjpdjjo.exe (command line: C:\Windows\system32\Hfjpdjjo.exe), PID 2572
- depth 86: C:\Windows\SysWOW64\Hihlqeib.exe (command line: C:\Windows\system32\Hihlqeib.exe), PID 1912
- depth 87: C:\Windows\SysWOW64\Hmdhad32.exe (command line: C:\Windows\system32\Hmdhad32.exe), PID 1800
- depth 88: C:\Windows\SysWOW64\Hlgimqhf.exe (command line: C:\Windows\system32\Hlgimqhf.exe), PID 2896
- depth 89: C:\Windows\SysWOW64\Hbaaik32.exe (command line: C:\Windows\system32\Hbaaik32.exe), PID 2788
- depth 90: C:\Windows\SysWOW64\Ieomef32.exe (command line: C:\Windows\system32\Ieomef32.exe), PID 2288
- depth 91: C:\Windows\SysWOW64\Iikifegp.exe (command line: C:\Windows\system32\Iikifegp.exe), PID 1964
- depth 92: C:\Windows\SysWOW64\Ihniaa32.exe (command line: C:\Windows\system32\Ihniaa32.exe), PID 2852
  - Adds autorun key to be loaded by Explorer.exe on startup
- depth 93: C:\Windows\SysWOW64\Ipeaco32.exe (command line: C:\Windows\system32\Ipeaco32.exe), PID 2648
  - Drops file in System32 directory
- depth 94: C:\Windows\SysWOW64\Inhanl32.exe (command line: C:\Windows\system32\Inhanl32.exe), PID 668
- depth 95: C:\Windows\SysWOW64\Ibcnojnp.exe (command line: C:\Windows\system32\Ibcnojnp.exe), PID 704
- depth 96: C:\Windows\SysWOW64\Iafnjg32.exe (command line: C:\Windows\system32\Iafnjg32.exe), PID 2428
- depth 97: C:\Windows\SysWOW64\Iimfld32.exe (command line: C:\Windows\system32\Iimfld32.exe), PID 2728
- depth 98: C:\Windows\SysWOW64\Ihpfgalh.exe (command line: C:\Windows\system32\Ihpfgalh.exe), PID 2628
- depth 99: C:\Windows\SysWOW64\Illbhp32.exe (command line: C:\Windows\system32\Illbhp32.exe), PID 1716
- depth 100: C:\Windows\SysWOW64\Ijnbcmkk.exe (command line: C:\Windows\system32\Ijnbcmkk.exe), PID 2096
- depth 101: C:\Windows\SysWOW64\Ibejdjln.exe (command line: C:\Windows\system32\Ibejdjln.exe), PID 2668
  - Adds autorun key to be loaded by Explorer.exe on startup
- depth 102: C:\Windows\SysWOW64\Iahkpg32.exe (command line: C:\Windows\system32\Iahkpg32.exe), PID 3036
- depth 103: C:\Windows\SysWOW64\Iedfqeka.exe (command line: C:\Windows\system32\Iedfqeka.exe), PID 2580
  - System Location Discovery: System Language Discovery
- depth 104: C:\Windows\SysWOW64\Idgglb32.exe (command line: C:\Windows\system32\Idgglb32.exe), PID 2512
- depth 105: C:\Windows\SysWOW64\Ilnomp32.exe (command line: C:\Windows\system32\Ilnomp32.exe), PID 3048
- depth 106: C:\Windows\SysWOW64\Ijqoilii.exe (command line: C:\Windows\system32\Ijqoilii.exe), PID 1520
- depth 107: C:\Windows\SysWOW64\Inlkik32.exe (command line: C:\Windows\system32\Inlkik32.exe), PID 756
- depth 108: C:\Windows\SysWOW64\Imokehhl.exe (command line: C:\Windows\system32\Imokehhl.exe), PID 3032
  - Modifies registry class
- depth 109: C:\Windows\SysWOW64\Iefcfe32.exe (command line: C:\Windows\system32\Iefcfe32.exe), PID 1204
- depth 110: C:\Windows\SysWOW64\Idicbbpi.exe (command line: C:\Windows\system32\Idicbbpi.exe), PID 1816
  - Modifies registry class
- depth 111: C:\Windows\SysWOW64\Ihdpbq32.exe (command line: C:\Windows\system32\Ihdpbq32.exe), PID 2808
- depth 112: C:\Windows\SysWOW64\Ijclol32.exe (command line: C:\Windows\system32\Ijclol32.exe), PID 1636
  - Drops file in System32 directory
- depth 113: C:\Windows\SysWOW64\Ioohokoo.exe (command line: C:\Windows\system32\Ioohokoo.exe), PID 2164
- depth 114: C:\Windows\SysWOW64\Imahkg32.exe (command line: C:\Windows\system32\Imahkg32.exe), PID 1528
- depth 115: C:\Windows\SysWOW64\Ippdgc32.exe (command line: C:\Windows\system32\Ippdgc32.exe), PID 2524
  - Drops file in System32 directory
- depth 116: C:\Windows\SysWOW64\Idkpganf.exe (command line: C:\Windows\system32\Idkpganf.exe), PID 1668
- depth 117: C:\Windows\SysWOW64\Ihglhp32.exe (command line: C:\Windows\system32\Ihglhp32.exe), PID 2796
- depth 118: C:\Windows\SysWOW64\Ifjlcmmj.exe (command line: C:\Windows\system32\Ifjlcmmj.exe), PID 548
- depth 119: C:\Windows\SysWOW64\Jaoqqflp.exe (command line: C:\Windows\system32\Jaoqqflp.exe), PID 952
- depth 120: C:\Windows\SysWOW64\Jpbalb32.exe (command line: C:\Windows\system32\Jpbalb32.exe), PID 2396
- depth 121: C:\Windows\SysWOW64\Jbqmhnbo.exe (command line: C:\Windows\system32\Jbqmhnbo.exe), PID 2016
- depth 122: C:\Windows\SysWOW64\Jfliim32.exe (command line: C:\Windows\system32\Jfliim32.exe), PID 2356