Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 00:55
Static task
static1
Behavioral task
behavioral1
Sample
7ae423fabcc46fba74281ba6826f5e2a39e5d7be4199f71f27595f74aa49e7acN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
7ae423fabcc46fba74281ba6826f5e2a39e5d7be4199f71f27595f74aa49e7acN.exe
Resource
win10v2004-20241007-en
General
-
Target
7ae423fabcc46fba74281ba6826f5e2a39e5d7be4199f71f27595f74aa49e7acN.exe
-
Size
59KB
-
MD5
1ab14d92cb9def65853566ec771830d0
-
SHA1
2101a516ba6e40dbbc202ced1f495ebb7d5ef994
-
SHA256
7ae423fabcc46fba74281ba6826f5e2a39e5d7be4199f71f27595f74aa49e7ac
-
SHA512
afec81a46396a49f13cd808caff7b6bc117ac0c1d370263fc3a0df759dbfd8b7c974c7f7b998b2d9b1d2af82b9ff23bff094969b6d74ce2fd8da74090c9c574a
-
SSDEEP
768:C251V1a0PQFWkVNcrFB8phzBkyevyfuWffEBAgn9NI6Z/1H5u5nf1fZMEBFELvkC:/5hayJ88B7X7xMQwNCyVs
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
7ae423fabcc46fba74281ba6826f5e2a39e5d7be4199f71f27595f74aa49e7acN.exeNbcqiope.exeFibojhim.exeKqmkae32.exeNajmjokc.exeBochmn32.exeBlnoga32.exeDfpgffpm.exeCmdfgm32.exeJbfheo32.exeMfhfhong.exeEhfcfb32.exeEpcdqd32.exeFknbil32.exeJqhafffk.exeAnmfbl32.exeBdgged32.exeNlaegk32.exeMhgfkg32.exePapfgbmg.exeQkmdkgob.exeCbphdn32.exeInjmcmej.exeIiehpahb.exeLbchba32.exeGnfhfl32.exeBpnihiio.exeGacjadad.exeIpflihfq.exeMalpia32.exeNloiakho.exeOlfobjbg.exeDimenegi.exeOdhifjkg.exeCnindhpg.exeOgklelna.exeFacqkg32.exeBjicdmmd.exePdifoehl.exePcbmka32.exePfgogh32.exeCfpnph32.exePcicklnn.exeNhdlao32.exeEeelnp32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 7ae423fabcc46fba74281ba6826f5e2a39e5d7be4199f71f27595f74aa49e7acN.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbcqiope.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibojhim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqmkae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najmjokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bochmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blnoga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmdfgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfhfhong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epcdqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fknbil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqhafffk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmfbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdgged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlaegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhgfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfgbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkmdkgob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbphdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injmcmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiehpahb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbchba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnfhfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnihiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacjadad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malpia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nloiakho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olfobjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dimenegi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhifjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnindhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogklelna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjicdmmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdifoehl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfgogh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfpnph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcicklnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdlao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeelnp32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Mlhbal32.exeNpcoakfp.exeNcbknfed.exeNepgjaeg.exeNilcjp32.exeNljofl32.exeNdaggimg.exeNcdgcf32.exeNjnpppkn.exeNphhmj32.exeNeeqea32.exeNloiakho.exeNdfqbhia.exeNcianepl.exeNjciko32.exeNlaegk32.exeNdhmhh32.exeNckndeni.exeNfjjppmm.exeNnqbanmo.exeOdkjng32.exeOflgep32.exeOncofm32.exeOlfobjbg.exeOcpgod32.exeOfnckp32.exeOneklm32.exeOdocigqg.exeOcbddc32.exeOfqpqo32.exeOnhhamgg.exeOdapnf32.exeOcdqjceo.exeOfcmfodb.exeOlmeci32.exeOqhacgdh.exeOcgmpccl.exeOgbipa32.exeOjaelm32.exePmoahijl.exePdfjifjo.exePcijeb32.exePgefeajb.exePnonbk32.exePmannhhj.exePdifoehl.exePggbkagp.exePjeoglgc.exePmdkch32.exePqpgdfnp.exePgioqq32.exePjhlml32.exePncgmkmj.exePqbdjfln.exePgllfp32.exePjjhbl32.exePmidog32.exePcbmka32.exePfaigm32.exeQmkadgpo.exeQqfmde32.exeQceiaa32.exeQfcfml32.exeQmmnjfnl.exepid process 2108 Mlhbal32.exe 1452 Npcoakfp.exe 2388 Ncbknfed.exe 3560 Nepgjaeg.exe 5040 Nilcjp32.exe 1672 Nljofl32.exe 3812 Ndaggimg.exe 768 Ncdgcf32.exe 4900 Njnpppkn.exe 3924 Nphhmj32.exe 2696 Neeqea32.exe 2692 Nloiakho.exe 452 Ndfqbhia.exe 2656 Ncianepl.exe 1792 Njciko32.exe 3408 Nlaegk32.exe 448 Ndhmhh32.exe 4676 Nckndeni.exe 4660 Nfjjppmm.exe 4872 Nnqbanmo.exe 5060 Odkjng32.exe 1972 Oflgep32.exe 2824 Oncofm32.exe 4428 Olfobjbg.exe 3512 Ocpgod32.exe 4912 Ofnckp32.exe 1276 Oneklm32.exe 5108 Odocigqg.exe 4376 Ocbddc32.exe 4344 Ofqpqo32.exe 1476 Onhhamgg.exe 4564 Odapnf32.exe 264 Ocdqjceo.exe 4080 Ofcmfodb.exe 5064 Olmeci32.exe 3940 Oqhacgdh.exe 2240 Ocgmpccl.exe 2628 Ogbipa32.exe 2072 Ojaelm32.exe 2192 Pmoahijl.exe 2052 Pdfjifjo.exe 372 Pcijeb32.exe 4792 Pgefeajb.exe 1336 Pnonbk32.exe 1592 Pmannhhj.exe 2000 Pdifoehl.exe 2324 Pggbkagp.exe 4068 Pjeoglgc.exe 1332 Pmdkch32.exe 2224 Pqpgdfnp.exe 3768 Pgioqq32.exe 4640 Pjhlml32.exe 4024 Pncgmkmj.exe 4536 Pqbdjfln.exe 4600 Pgllfp32.exe 4292 Pjjhbl32.exe 2968 Pmidog32.exe 4876 Pcbmka32.exe 3952 Pfaigm32.exe 2604 Qmkadgpo.exe 960 Qqfmde32.exe 3240 Qceiaa32.exe 2252 Qfcfml32.exe 4444 Qmmnjfnl.exe -
Drops file in System32 directory 64 IoCs
Processes:
Lkchelci.exeAmddjegd.exeCkfphc32.exeGmggfp32.exeGpecbk32.exeDdgplado.exeHbmcbime.exeLejnmncd.exePiphgq32.exeIghhln32.exeQhakoa32.exeAjggomog.exeHpcodihc.exeBjfaeh32.exeOgklelna.exeLnbklm32.exeOcdqjceo.exeKnefeffd.exeDlieda32.exeGnhdkl32.exeOllnhb32.exeOldjcg32.exeBljlfh32.exeJdfjld32.exeKqfngd32.exeQfpbmfdf.exeQqffjo32.exeFmikeaap.exeNmigoagp.exeBnpppgdj.exeBhhdil32.exeFlngfn32.exeLankbigo.exeAjpqnneo.exeQachgk32.exePjeoglgc.exeMblkhq32.exeNgmpcn32.exeNknobkje.exeKqmkae32.exeLmdemd32.exeCfnjpfcl.exeEkiohclf.exeKhpgckkb.exeJgcamf32.exeNnqbanmo.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Lmdemd32.exe Lkchelci.exe File created C:\Windows\SysWOW64\Ogjdmbil.exe File created C:\Windows\SysWOW64\Gdeahgnm.dll Amddjegd.exe File opened for modification C:\Windows\SysWOW64\Ccmgiaig.exe Ckfphc32.exe File created C:\Windows\SysWOW64\Ppipkl32.dll Gmggfp32.exe File created C:\Windows\SysWOW64\Gbdoof32.exe Gpecbk32.exe File opened for modification C:\Windows\SysWOW64\Dmohno32.exe Ddgplado.exe File created C:\Windows\SysWOW64\Qhjibgnp.dll Hbmcbime.exe File created C:\Windows\SysWOW64\Lhijijbg.exe Lejnmncd.exe File created C:\Windows\SysWOW64\Kckefh32.dll Piphgq32.exe File opened for modification C:\Windows\SysWOW64\Ikcdlmgf.exe Ighhln32.exe File opened for modification C:\Windows\SysWOW64\Qlmgopjq.exe Qhakoa32.exe File created C:\Windows\SysWOW64\Hhfjcdon.dll Ajggomog.exe File created C:\Windows\SysWOW64\Hcblpdgg.exe Hpcodihc.exe File created C:\Windows\SysWOW64\Cnokmj32.dll File created C:\Windows\SysWOW64\Bnbmefbg.exe Bjfaeh32.exe File created C:\Windows\SysWOW64\Oiihahme.exe Ogklelna.exe File created C:\Windows\SysWOW64\Lbngllob.exe Lnbklm32.exe File created C:\Windows\SysWOW64\Qdhlclpe.dll File created C:\Windows\SysWOW64\Gcdmai32.dll Ocdqjceo.exe File opened for modification C:\Windows\SysWOW64\Kflnfcgg.exe Knefeffd.exe File created C:\Windows\SysWOW64\Bgnffj32.exe File opened for modification C:\Windows\SysWOW64\Dpdaepai.exe Dlieda32.exe File opened for modification C:\Windows\SysWOW64\Mcelpggq.exe File opened for modification C:\Windows\SysWOW64\Ogjdmbil.exe File opened for modification C:\Windows\SysWOW64\Lancko32.exe File opened for modification C:\Windows\SysWOW64\Mhldbh32.exe File created C:\Windows\SysWOW64\Obnkfijp.dll Gnhdkl32.exe File created C:\Windows\SysWOW64\Lilqdd32.dll Ollnhb32.exe File created C:\Windows\SysWOW64\Anqlll32.dll Oldjcg32.exe File opened for modification C:\Windows\SysWOW64\Cpfcfmlp.exe File created C:\Windows\SysWOW64\Bohibc32.exe Bljlfh32.exe File created C:\Windows\SysWOW64\Eodolnaf.dll File created C:\Windows\SysWOW64\Pffgom32.exe File opened for modification C:\Windows\SysWOW64\Kkpbin32.exe Jdfjld32.exe File opened for modification C:\Windows\SysWOW64\Kcejco32.exe Kqfngd32.exe File created C:\Windows\SysWOW64\Pbehoafp.dll Qfpbmfdf.exe File opened for modification C:\Windows\SysWOW64\Qgpogili.exe Qqffjo32.exe File created C:\Windows\SysWOW64\Fpggamqc.exe Fmikeaap.exe File opened for modification C:\Windows\SysWOW64\Nccokk32.exe Nmigoagp.exe File created C:\Windows\SysWOW64\Ipbehfom.dll File created C:\Windows\SysWOW64\Qihfjd32.dll Bnpppgdj.exe File opened for modification C:\Windows\SysWOW64\Bjfaeh32.exe Bhhdil32.exe File created C:\Windows\SysWOW64\Fdepgkgj.exe Flngfn32.exe File created C:\Windows\SysWOW64\Kofkbk32.exe File created C:\Windows\SysWOW64\Apddkmko.dll Lankbigo.exe File created C:\Windows\SysWOW64\Alnmjjdb.exe Ajpqnneo.exe File opened for modification C:\Windows\SysWOW64\Qdbdcg32.exe Qachgk32.exe File opened for modification C:\Windows\SysWOW64\Pmdkch32.exe Pjeoglgc.exe File created C:\Windows\SysWOW64\Pogppn32.dll Mblkhq32.exe File created C:\Windows\SysWOW64\Fcppfn32.dll Ngmpcn32.exe File created C:\Windows\SysWOW64\Bcodim32.dll Nknobkje.exe File created C:\Windows\SysWOW64\Kclgmq32.exe Kqmkae32.exe File opened for modification C:\Windows\SysWOW64\Lekmnajj.exe Lmdemd32.exe File created C:\Windows\SysWOW64\Chlflabp.exe Cfnjpfcl.exe File created C:\Windows\SysWOW64\Lbfecjhc.dll File created C:\Windows\SysWOW64\Feocelll.exe Ekiohclf.exe File opened for modification C:\Windows\SysWOW64\Kpgodhkd.exe Khpgckkb.exe File created C:\Windows\SysWOW64\Jjamia32.exe Jgcamf32.exe File opened for modification C:\Windows\SysWOW64\Hbenoi32.exe File opened for modification C:\Windows\SysWOW64\Hpmhdmea.exe File opened for modification C:\Windows\SysWOW64\Pcegclgp.exe File opened for modification C:\Windows\SysWOW64\Nblolm32.exe File created C:\Windows\SysWOW64\Glgmkm32.dll Nnqbanmo.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 12848 13272 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Beihma32.exeOhkkhhmh.exeQgcbgo32.exeOkchnk32.exeAbponp32.exeCcpdoqgd.exeFmfnpa32.exeGmiclo32.exeHlambk32.exeIgbalblk.exeGpaqbbld.exeHkbdki32.exeNoeahkfc.exeNabfjpak.exePmcclm32.exeHbdjchgn.exeJdpkflfe.exeJjjpnlbd.exeOlanmgig.exePkegpb32.exeNnqbanmo.exeCoadnlnb.exeCkjbhmad.exeBllbaa32.exeBdgged32.exeGkiaej32.exeNhdlao32.exeKjccdkki.exePocpfphe.exeDeqcbpld.exeIfgldfio.exeKbghfc32.exeEiildjag.exeOidhlb32.exeOekiqccc.exeLclpdncg.exeEecphp32.exeGnfhfl32.exeLnqeqd32.exeOpcqnb32.exeDjhpgofm.exeBebjdgmj.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beihma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkkhhmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgcbgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okchnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abponp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfnpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmiclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlambk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igbalblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpaqbbld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbdki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noeahkfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabfjpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcclm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdjchgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpkflfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjpnlbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olanmgig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkegpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnqbanmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coadnlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjbhmad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdgged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdlao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjccdkki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocpfphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deqcbpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgldfio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbghfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiildjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidhlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekiqccc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclpdncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfhfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnqeqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcqnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhpgofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Edknqiho.exeDcigeooj.exePoimpapp.exeLpkiph32.exeBjokdipf.exeLidmhmnp.exeHjlkge32.exeEopbnbhd.exeObafpg32.exeKihnmohm.exePpopjp32.exeMajjng32.exeBhkmec32.exeNoehba32.exeKnalji32.exeBklfgo32.exeAhqddk32.exeBhnikc32.exePgefeajb.exeIkokan32.exeGknkpjfb.exeJnlbojee.exeLknojl32.exeHcpojd32.exeAqncedbp.exeNgmpcn32.exeEagaoh32.exeIhnkel32.exeOdocigqg.exeOeicejia.exeBepmoh32.exeHajpbckl.exeLbgalmej.exeHloqml32.exeDlkbjqgm.exeGdcliikj.exeKfjapcii.exeLblaabdp.exeOocddono.exeIafonaao.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edknqiho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbkpm32.dll" Dcigeooj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeclnmik.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpkiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnijfj32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjokdipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lidmhmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcnla32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjlkge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eopbnbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obafpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kihnmohm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppopjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhkmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambfbo32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbknkcnm.dll" Noehba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knalji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bklfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahqddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmhel32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgefeajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhlfehjp.dll" Ikokan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gknkpjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appnje32.dll" Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmimp32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcpojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gepgfb32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll" Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngmpcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahqdnk32.dll" Eagaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihnkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnkgo32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll" Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeicejia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglbla32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agchinmk.dll" Bepmoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hajpbckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nocedmfn.dll" Lbgalmej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hloqml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjpda32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlkbjqgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdcliikj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfjapcii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foalam32.dll" Lblaabdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oocddono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piomhofd.dll" Iafonaao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
7ae423fabcc46fba74281ba6826f5e2a39e5d7be4199f71f27595f74aa49e7acN.exeMlhbal32.exeNpcoakfp.exeNcbknfed.exeNepgjaeg.exeNilcjp32.exeNljofl32.exeNdaggimg.exeNcdgcf32.exeNjnpppkn.exeNphhmj32.exeNeeqea32.exeNloiakho.exeNdfqbhia.exeNcianepl.exeNjciko32.exeNlaegk32.exeNdhmhh32.exeNckndeni.exeNfjjppmm.exeNnqbanmo.exeOdkjng32.exedescription pid process target process PID 4636 wrote to memory of 2108 4636 7ae423fabcc46fba74281ba6826f5e2a39e5d7be4199f71f27595f74aa49e7acN.exe Mlhbal32.exe PID 4636 wrote to memory of 2108 4636 7ae423fabcc46fba74281ba6826f5e2a39e5d7be4199f71f27595f74aa49e7acN.exe Mlhbal32.exe PID 4636 wrote to memory of 2108 4636 7ae423fabcc46fba74281ba6826f5e2a39e5d7be4199f71f27595f74aa49e7acN.exe Mlhbal32.exe PID 2108 wrote to memory of 1452 2108 Mlhbal32.exe Npcoakfp.exe PID 2108 wrote to memory of 1452 2108 Mlhbal32.exe Npcoakfp.exe PID 2108 wrote to memory of 1452 2108 Mlhbal32.exe Npcoakfp.exe PID 1452 wrote to memory of 2388 1452 Npcoakfp.exe Ncbknfed.exe PID 1452 wrote to memory of 2388 1452 Npcoakfp.exe Ncbknfed.exe PID 1452 wrote to memory of 2388 1452 Npcoakfp.exe Ncbknfed.exe PID 2388 wrote to memory of 3560 2388 Ncbknfed.exe Nepgjaeg.exe PID 2388 wrote to memory of 3560 2388 Ncbknfed.exe Nepgjaeg.exe PID 2388 wrote to memory of 3560 2388 Ncbknfed.exe Nepgjaeg.exe PID 3560 wrote to memory of 5040 3560 Nepgjaeg.exe Nilcjp32.exe PID 3560 wrote to memory of 5040 3560 Nepgjaeg.exe Nilcjp32.exe PID 3560 wrote to memory of 5040 3560 Nepgjaeg.exe Nilcjp32.exe PID 5040 wrote to memory of 1672 5040 Nilcjp32.exe Nljofl32.exe PID 5040 wrote to memory of 1672 5040 Nilcjp32.exe Nljofl32.exe PID 5040 wrote to memory of 1672 5040 Nilcjp32.exe Nljofl32.exe PID 1672 wrote to memory of 3812 1672 Nljofl32.exe Ndaggimg.exe PID 1672 wrote to memory of 3812 1672 Nljofl32.exe Ndaggimg.exe PID 1672 wrote to memory of 3812 1672 Nljofl32.exe Ndaggimg.exe PID 3812 wrote to memory of 768 3812 Ndaggimg.exe Ncdgcf32.exe PID 3812 wrote to memory of 768 3812 Ndaggimg.exe Ncdgcf32.exe PID 3812 wrote to memory of 768 3812 Ndaggimg.exe Ncdgcf32.exe PID 768 wrote to memory of 4900 768 Ncdgcf32.exe Njnpppkn.exe PID 768 wrote to memory of 4900 768 Ncdgcf32.exe Njnpppkn.exe PID 768 wrote to memory of 4900 768 Ncdgcf32.exe Njnpppkn.exe PID 4900 wrote to memory of 3924 4900 Njnpppkn.exe Nphhmj32.exe PID 4900 wrote to memory of 3924 4900 Njnpppkn.exe Nphhmj32.exe PID 4900 wrote to memory of 3924 4900 Njnpppkn.exe Nphhmj32.exe PID 3924 wrote to memory of 2696 3924 Nphhmj32.exe Neeqea32.exe PID 3924 wrote to memory of 2696 3924 Nphhmj32.exe Neeqea32.exe PID 3924 wrote to memory of 2696 3924 Nphhmj32.exe Neeqea32.exe PID 2696 wrote to memory of 2692 2696 Neeqea32.exe Nloiakho.exe PID 2696 wrote to memory of 2692 2696 Neeqea32.exe Nloiakho.exe PID 2696 wrote to memory of 2692 2696 Neeqea32.exe Nloiakho.exe PID 2692 wrote to memory of 452 2692 Nloiakho.exe Ndfqbhia.exe PID 2692 wrote to memory of 452 2692 Nloiakho.exe Ndfqbhia.exe PID 2692 wrote to memory of 452 2692 Nloiakho.exe Ndfqbhia.exe PID 452 wrote to memory of 2656 452 Ndfqbhia.exe Ncianepl.exe PID 452 wrote to memory of 2656 452 Ndfqbhia.exe Ncianepl.exe PID 452 wrote to memory of 2656 452 Ndfqbhia.exe Ncianepl.exe PID 2656 wrote to memory of 1792 2656 Ncianepl.exe Njciko32.exe PID 2656 wrote to memory of 1792 2656 Ncianepl.exe Njciko32.exe PID 2656 wrote to memory of 1792 2656 Ncianepl.exe Njciko32.exe PID 1792 wrote to memory of 3408 1792 Njciko32.exe Nlaegk32.exe PID 1792 wrote to memory of 3408 1792 Njciko32.exe Nlaegk32.exe PID 1792 wrote to memory of 3408 1792 Njciko32.exe Nlaegk32.exe PID 3408 wrote to memory of 448 3408 Nlaegk32.exe Ndhmhh32.exe PID 3408 wrote to memory of 448 3408 Nlaegk32.exe Ndhmhh32.exe PID 3408 wrote to memory of 448 3408 Nlaegk32.exe Ndhmhh32.exe PID 448 wrote to memory of 4676 448 Ndhmhh32.exe Nckndeni.exe PID 448 wrote to memory of 4676 448 Ndhmhh32.exe Nckndeni.exe PID 448 wrote to memory of 4676 448 Ndhmhh32.exe Nckndeni.exe PID 4676 wrote to memory of 4660 4676 Nckndeni.exe Nfjjppmm.exe PID 4676 wrote to memory of 4660 4676 Nckndeni.exe Nfjjppmm.exe PID 4676 wrote to memory of 4660 4676 Nckndeni.exe Nfjjppmm.exe PID 4660 wrote to memory of 4872 4660 Nfjjppmm.exe Nnqbanmo.exe PID 4660 wrote to memory of 4872 4660 Nfjjppmm.exe Nnqbanmo.exe PID 4660 wrote to memory of 4872 4660 Nfjjppmm.exe Nnqbanmo.exe PID 4872 wrote to memory of 5060 4872 Nnqbanmo.exe Odkjng32.exe PID 4872 wrote to memory of 5060 4872 Nnqbanmo.exe Odkjng32.exe PID 4872 wrote to memory of 5060 4872 Nnqbanmo.exe Odkjng32.exe PID 5060 wrote to memory of 1972 5060 Odkjng32.exe Oflgep32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ae423fabcc46fba74281ba6826f5e2a39e5d7be4199f71f27595f74aa49e7acN.exe"C:\Users\Admin\AppData\Local\Temp\7ae423fabcc46fba74281ba6826f5e2a39e5d7be4199f71f27595f74aa49e7acN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Nphhmj32.exeC:\Windows\system32\Nphhmj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Njciko32.exeC:\Windows\system32\Njciko32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe23⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe24⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe26⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe27⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe28⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe30⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe31⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe32⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe33⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe35⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe36⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe37⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe38⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe39⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe40⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe41⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe42⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe43⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4792 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe45⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe46⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe48⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4068 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe50⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe51⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe52⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe53⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe54⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe55⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe56⤵PID:1936
-
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe57⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe58⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe59⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe61⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe62⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe63⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Qceiaa32.exeC:\Windows\system32\Qceiaa32.exe64⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe65⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe66⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe67⤵PID:508
-
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe69⤵PID:1480
-
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe70⤵PID:3800
-
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe71⤵PID:1084
-
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe72⤵PID:1448
-
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe73⤵PID:3536
-
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe74⤵PID:4500
-
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe75⤵
- Modifies registry class
PID:3928 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe76⤵PID:3336
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe77⤵
- Drops file in System32 directory
PID:3464 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe78⤵PID:3212
-
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe79⤵PID:1960
-
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe80⤵PID:324
-
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe81⤵PID:2212
-
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe82⤵PID:4076
-
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe83⤵PID:1652
-
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe84⤵PID:3980
-
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe85⤵PID:2260
-
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe86⤵PID:4932
-
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe87⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe88⤵PID:4388
-
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe89⤵PID:5128
-
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe90⤵PID:5172
-
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe91⤵PID:5216
-
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe92⤵PID:5260
-
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe93⤵PID:5304
-
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe94⤵PID:5348
-
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe95⤵
- Drops file in System32 directory
PID:5392 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe96⤵PID:5436
-
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe97⤵
- System Location Discovery: System Language Discovery
PID:5480 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe98⤵
- Drops file in System32 directory
PID:5524 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe99⤵
- Drops file in System32 directory
PID:5568 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe100⤵PID:5604
-
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe101⤵PID:5648
-
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe102⤵PID:5692
-
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe103⤵PID:5736
-
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe104⤵PID:5780
-
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe105⤵PID:5824
-
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5868 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe107⤵PID:5912
-
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe108⤵PID:5952
-
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe109⤵PID:5996
-
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe110⤵PID:6040
-
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe111⤵PID:6084
-
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe112⤵PID:6128
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe113⤵PID:5164
-
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe114⤵PID:5224
-
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe115⤵PID:5296
-
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe116⤵PID:5376
-
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe117⤵PID:5468
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe118⤵PID:5552
-
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe119⤵PID:5660
-
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe120⤵PID:5732
-
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe121⤵PID:5852
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe122⤵PID:5980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-