Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:07
Static task
static1
Behavioral task
behavioral1
Sample
a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe
Resource
win10v2004-20241007-en
General
-
Target
a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe
-
Size
55KB
-
MD5
c7c7836857023a98ed4ed49da9e677e8
-
SHA1
f0ec55a1ccceb012c4ca3c6fb0384e762f901d0b
-
SHA256
a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4
-
SHA512
27b1960990863506b71361eee295a248591f14989592e46b5ff4a6f9c5b3fba328162376358f9c9307bb894407453c4a6d6dd3c74cd02d5bbc8e699eb91e0f5d
-
SSDEEP
1536:kaUYPRoJ5zUOiWeJn0SdgnbuZ0oXD2LXn:zUeOiWK0vnbuKow3
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Nipekiep.exeMfjcnold.exeMadjhb32.exeCabomkll.exeHnhghcki.exeLacdmh32.exeFlqdlnde.exeOjdnid32.exeKbbokdlk.exeMlklkgei.exeLqkgbcff.exeEhfcfb32.exeBokehc32.exeIlccoh32.exeKkgiimng.exeLklbdm32.exeNlcalieg.exeAhpmjejp.exeJjpode32.exeDflmlj32.exeFfaong32.exePamiaboj.exeJkimho32.exeCmcolgbj.exeGbmingjo.exeGmggfp32.exeHffken32.exeJejefqaf.exeAlnmjjdb.exeEfkphnbd.exeInmpcc32.exeMhoipb32.exeFmpqfq32.exeMkadfj32.exeJbbfdfkn.exeDjklmo32.exeHjedffig.exeLjgpkonp.exePlndcl32.exeGkkgpc32.exeOhfami32.exePalbgl32.exeJbileede.exeBppfmigl.exeEppjfgcp.exeQaalblgi.exeBdbnjdfg.exeIgigla32.exeNeqopnhb.exeAodogdmn.exeKgmcce32.exeOaajed32.exeQjnkcekm.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nipekiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfjcnold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madjhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cabomkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnhghcki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lacdmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojdnid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbokdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlklkgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqkgbcff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehfcfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bokehc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgiimng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklbdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahpmjejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpode32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffaong32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pamiaboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkimho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmcolgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmggfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hffken32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jejefqaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnmjjdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efkphnbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inmpcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmpqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkadfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbbfdfkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djklmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjedffig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljgpkonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plndcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkgpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfami32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palbgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbileede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bppfmigl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igigla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neqopnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmcce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaajed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnkcekm.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Iijaka32.exeJodjhkkj.exeJbbfdfkn.exeJilnqqbj.exeJgonlm32.exeJoffnk32.exeJbdbjf32.exeJecofa32.exeJgakbm32.exeJoiccj32.exeJbgoof32.exeJiaglp32.exeJkodhk32.exeJbileede.exeJehhaaci.exeJpmlnjco.exeJblijebc.exeJejefqaf.exeJghabl32.exeKppici32.exeKbnepe32.exeKfjapcii.exeKihnmohm.exeKlfjijgq.exeKpbfii32.exeKflnfcgg.exeKijjbofj.exeKlifnj32.exeKngcje32.exeKbbokdlk.exeKeakgpko.exeKhpgckkb.exeKpgodhkd.exeKnippe32.exeKbekqdjh.exeKechmoil.exeKhbdikip.exeKnlleepl.exeKbghfc32.exeKefdbo32.exeLhdqnj32.exeLpkiph32.exeLbjelc32.exeLfealaol.exeLidmhmnp.exeLpneegel.exeLblaabdp.exeLejnmncd.exeLhijijbg.exeLldfjh32.exeLfjjga32.exeLihfcm32.exeLhkgoiqe.exeLoeolc32.exeLflgmqhd.exeLhncdi32.exeLpekef32.exeLbchba32.exeLeadnm32.exeMhppji32.exeMlklkgei.exeMojhgbdl.exeMfaqhp32.exeMiomdk32.exepid process 3136 Iijaka32.exe 4248 Jodjhkkj.exe 3232 Jbbfdfkn.exe 4976 Jilnqqbj.exe 544 Jgonlm32.exe 1260 Joffnk32.exe 1636 Jbdbjf32.exe 4148 Jecofa32.exe 232 Jgakbm32.exe 4888 Joiccj32.exe 516 Jbgoof32.exe 4848 Jiaglp32.exe 4404 Jkodhk32.exe 1324 Jbileede.exe 1308 Jehhaaci.exe 2052 Jpmlnjco.exe 3468 Jblijebc.exe 2572 Jejefqaf.exe 3912 Jghabl32.exe 4588 Kppici32.exe 428 Kbnepe32.exe 5036 Kfjapcii.exe 1464 Kihnmohm.exe 1472 Klfjijgq.exe 4304 Kpbfii32.exe 5080 Kflnfcgg.exe 2564 Kijjbofj.exe 4528 Klifnj32.exe 2656 Kngcje32.exe 2876 Kbbokdlk.exe 3256 Keakgpko.exe 4812 Khpgckkb.exe 4308 Kpgodhkd.exe 2004 Knippe32.exe 1088 Kbekqdjh.exe 4368 Kechmoil.exe 708 Khbdikip.exe 1184 Knlleepl.exe 348 Kbghfc32.exe 2976 Kefdbo32.exe 208 Lhdqnj32.exe 3664 Lpkiph32.exe 4432 Lbjelc32.exe 4324 Lfealaol.exe 712 Lidmhmnp.exe 2944 Lpneegel.exe 3380 Lblaabdp.exe 4832 Lejnmncd.exe 4484 Lhijijbg.exe 3212 Lldfjh32.exe 3888 Lfjjga32.exe 2996 Lihfcm32.exe 3192 Lhkgoiqe.exe 1152 Loeolc32.exe 4624 Lflgmqhd.exe 3536 Lhncdi32.exe 4600 Lpekef32.exe 4396 Lbchba32.exe 5016 Leadnm32.exe 4132 Mhppji32.exe 916 Mlklkgei.exe 3272 Mojhgbdl.exe 4616 Mfaqhp32.exe 1684 Miomdk32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Bppfmigl.exeMalgcg32.exeEmkndc32.exeNclikl32.exeAodogdmn.exeDmalne32.exeHoclopne.exeHlbcnd32.exeGhkeio32.exeBnfihkqm.exeFflohaij.exeGlgcbf32.exeMlklkgei.exeJbkbpoog.exeMlnipg32.exeAgbkmijg.exeOlfghg32.exeDfglfdkb.exeGeohklaa.exeAjndioga.exeAnaomkdb.exeEdhjqc32.exeMfjcnold.exePckppl32.exeLnadagbm.exeMnhkbfme.exePmcclm32.exeHbhboolf.exeKnbbep32.exeDfjpfj32.exeEejeiocj.exeBemqih32.exeCljobphg.exePcmlfl32.exeInnfnl32.exeJpenfp32.exeLbjelc32.exeDfoplpla.exeGldglf32.exeMnnkgl32.exeOaajed32.exeOihagaji.exeFmfnpa32.exeFmcjpl32.exeKfjapcii.exeNhlpfgbb.exeBjfjka32.exeKecabifp.exeFdglmkeg.exeIljpij32.exeBedgjgkg.exeGbalopbn.exeNipekiep.exedescription ioc process File created C:\Windows\SysWOW64\Bclang32.exe Bppfmigl.exe File created C:\Windows\SysWOW64\Flcmfp32.dll Malgcg32.exe File created C:\Windows\SysWOW64\Nlljlela.dll Emkndc32.exe File opened for modification C:\Windows\SysWOW64\Nlcalieg.exe Nclikl32.exe File opened for modification C:\Windows\SysWOW64\Acokhc32.exe Aodogdmn.exe File created C:\Windows\SysWOW64\Mfplpfib.dll Dmalne32.exe File created C:\Windows\SysWOW64\Bgaclkia.dll Hoclopne.exe File created C:\Windows\SysWOW64\Bgagea32.dll File opened for modification C:\Windows\SysWOW64\Hpnoncim.exe Hlbcnd32.exe File created C:\Windows\SysWOW64\Ofkhpmpa.dll File created C:\Windows\SysWOW64\Gkiaej32.exe Ghkeio32.exe File created C:\Windows\SysWOW64\Pjldplpd.dll Bnfihkqm.exe File created C:\Windows\SysWOW64\Fijkdmhn.exe Fflohaij.exe File created C:\Windows\SysWOW64\Galdglpd.dll Glgcbf32.exe File created C:\Windows\SysWOW64\Kolfbd32.dll File created C:\Windows\SysWOW64\Ogcggo32.dll Mlklkgei.exe File opened for modification C:\Windows\SysWOW64\Kdinljnk.exe Jbkbpoog.exe File opened for modification C:\Windows\SysWOW64\Cponen32.exe File created C:\Windows\SysWOW64\Molelb32.exe Mlnipg32.exe File opened for modification C:\Windows\SysWOW64\Afelhf32.exe Agbkmijg.exe File created C:\Windows\SysWOW64\Gabmaqlh.dll Olfghg32.exe File opened for modification C:\Windows\SysWOW64\Dheibpje.exe Dfglfdkb.exe File opened for modification C:\Windows\SysWOW64\Gikdkj32.exe Geohklaa.exe File opened for modification C:\Windows\SysWOW64\Allpejfe.exe Ajndioga.exe File created C:\Windows\SysWOW64\Aamknj32.exe Anaomkdb.exe File created C:\Windows\SysWOW64\Efffmo32.exe Edhjqc32.exe File created C:\Windows\SysWOW64\Ppahmb32.exe File created C:\Windows\SysWOW64\Nhlpfgbb.exe Mfjcnold.exe File created C:\Windows\SysWOW64\Pjehmfch.exe Pckppl32.exe File opened for modification C:\Windows\SysWOW64\Lekmnajj.exe Lnadagbm.exe File opened for modification C:\Windows\SysWOW64\Maggnali.exe Mnhkbfme.exe File created C:\Windows\SysWOW64\Bhlkdj32.dll Pmcclm32.exe File created C:\Windows\SysWOW64\Chfhllkp.dll Hbhboolf.exe File opened for modification C:\Windows\SysWOW64\Kelkaj32.exe Knbbep32.exe File created C:\Windows\SysWOW64\Djelgied.exe Dfjpfj32.exe File opened for modification C:\Windows\SysWOW64\Emanjldl.exe Eejeiocj.exe File created C:\Windows\SysWOW64\Qmgelf32.exe File created C:\Windows\SysWOW64\Dmncdk32.dll File created C:\Windows\SysWOW64\Dnjfibml.dll Bemqih32.exe File created C:\Windows\SysWOW64\Khfclo32.dll Cljobphg.exe File opened for modification C:\Windows\SysWOW64\Pmblagmf.exe File created C:\Windows\SysWOW64\Conanfli.exe File created C:\Windows\SysWOW64\Iicfkknk.dll Pcmlfl32.exe File created C:\Windows\SysWOW64\Ipmbjgpi.exe Innfnl32.exe File created C:\Windows\SysWOW64\Ggmkff32.dll Jpenfp32.exe File opened for modification C:\Windows\SysWOW64\Lfealaol.exe Lbjelc32.exe File opened for modification C:\Windows\SysWOW64\Djklmo32.exe Dfoplpla.exe File created C:\Windows\SysWOW64\Gbnoiqdq.exe Gldglf32.exe File opened for modification C:\Windows\SysWOW64\Kcpjnjii.exe File created C:\Windows\SysWOW64\Mjnafk32.dll Mnnkgl32.exe File created C:\Windows\SysWOW64\Oihagaji.exe Oaajed32.exe File created C:\Windows\SysWOW64\Ohkbbn32.exe Oihagaji.exe File opened for modification C:\Windows\SysWOW64\Fpejlmcf.exe Fmfnpa32.exe File created C:\Windows\SysWOW64\Afeknhab.dll Hlbcnd32.exe File created C:\Windows\SysWOW64\Nmqmbmdf.dll Fmcjpl32.exe File opened for modification C:\Windows\SysWOW64\Kihnmohm.exe Kfjapcii.exe File opened for modification C:\Windows\SysWOW64\Nbadcpbh.exe Nhlpfgbb.exe File created C:\Windows\SysWOW64\Memicmfo.dll Bjfjka32.exe File created C:\Windows\SysWOW64\Hijjli32.dll Kecabifp.exe File created C:\Windows\SysWOW64\Fbjmhh32.exe Fdglmkeg.exe File created C:\Windows\SysWOW64\Ipflihfq.exe Iljpij32.exe File created C:\Windows\SysWOW64\Obgbikfp.dll Bedgjgkg.exe File created C:\Windows\SysWOW64\Geohklaa.exe Gbalopbn.exe File created C:\Windows\SysWOW64\Fhoaad32.dll Nipekiep.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 6868 6716 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Poomegpf.exeImkbnf32.exeIibccgep.exeJiaglp32.exeBcelmhen.exeNijeec32.exeDjjebh32.exeFdglmkeg.exeIgdnabjh.exeCljobphg.exeEdmclccp.exeOkgaijaj.exeLknojl32.exePmaffnce.exeGpnfge32.exeOenlqi32.exeCmipblaq.exeEmjgim32.exeJdmgfedl.exePlbfdekd.exeBoeebnhp.exeFefedmil.exeMplafeil.exeFhdohp32.exeOkjnnj32.exeDbcmakpl.exeHienlpel.exeKkconn32.exeNjmhhefi.exeDdligq32.exeKppici32.exeAfgacokc.exeLkalplel.exeEmanjldl.exeHjhalefe.exeBojomm32.exeEjalcgkg.exeHginecde.exeJgpmmp32.exeQeodhjmo.exeLflgmqhd.exeMlpeff32.exeDhomfc32.exeGddbcp32.exeJgbchj32.exeNiniei32.exeKlfjijgq.exeJoahqn32.exeGahcmd32.exeKhbdikip.exePoodpmca.exeBfchidda.exeGigheh32.exeMkohaj32.exeAdikdfna.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poomegpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iibccgep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiaglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcelmhen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdglmkeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdnabjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cljobphg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edmclccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgaijaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lknojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnfge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenlqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmipblaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmgfedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbfdekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeebnhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefedmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mplafeil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdohp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbcmakpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hienlpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkconn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhhefi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddligq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppici32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgacokc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkalplel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emanjldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjhalefe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojomm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejalcgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hginecde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeodhjmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lflgmqhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlpeff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhomfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddbcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbchj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niniei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klfjijgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joahqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gahcmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbdikip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poodpmca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfchidda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigheh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkohaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adikdfna.exe -
Modifies registry class 64 IoCs
Processes:
Lhncdi32.exeIjcjmmil.exeOalipoiq.exeEbnfbcbc.exeIinjhh32.exeEdopabqn.exeFhdohp32.exeDimenegi.exePhaahggp.exeFdcjlb32.exeNafjjf32.exeNndjndbh.exeGmafajfi.exePojcjh32.exeKqmkae32.exeAkccap32.exeJgbchj32.exePhincl32.exeEmdajb32.exeOmgcpokp.exeEiokinbk.exePcmlfl32.exeOeokal32.exeHdkidohn.exeInmpcc32.exeHdokdg32.exeJlkipgpe.exeJgakbm32.exeCpbbch32.exeIjfnmc32.exeAckbmcjl.exeEmkndc32.exeJofalmmp.exeQjnkcekm.exeDoaneiop.exeEagaoh32.exeJgpmmp32.exeIbcaknbi.exeMfaqhp32.exePkogiikb.exeDnmhpg32.exeHffken32.exeFdhcgaic.exeJdodkebj.exeAlnfpcag.exeAhdged32.exeCleegp32.exeLhdqnj32.exeJpaekqhh.exeJenmcggo.exeCcqkigkp.exeJjjpnlbd.exeLcjcnoej.exeCamddhoi.exeEjflhm32.exeBhnikc32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcbknkol.dll" Lhncdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijcjmmil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oalipoiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clfabmda.dll" Edopabqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhdohp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpipfd32.dll" Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdcjlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nafjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nndjndbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmafajfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqmkae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akccap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgbchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjojj32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjembbd.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phincl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emdajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghoqak32.dll" Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iicfkknk.dll" Pcmlfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeokal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdkidohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meickkqm.dll" Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgfb32.dll" Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlkipgpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgakbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpbbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijfnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ackbmcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emkndc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jofalmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjnkcekm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejncidp.dll" Doaneiop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eagaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmhinni.dll" Jgpmmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibcaknbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqpnpgeo.dll" Mfaqhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkogiikb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khblgpag.dll" Dnmhpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjiligp.dll" Fdhcgaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhldm32.dll" Jdodkebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmkgk32.dll" Alnfpcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahdged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghane32.dll" Cleegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhdqnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkogiikb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpaekqhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jenmcggo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccqkigkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhoneioi.dll" Jjjpnlbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcjcnoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Camddhoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejflhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhnikc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exeIijaka32.exeJodjhkkj.exeJbbfdfkn.exeJilnqqbj.exeJgonlm32.exeJoffnk32.exeJbdbjf32.exeJecofa32.exeJgakbm32.exeJoiccj32.exeJbgoof32.exeJiaglp32.exeJkodhk32.exeJbileede.exeJehhaaci.exeJpmlnjco.exeJblijebc.exeJejefqaf.exeJghabl32.exeKppici32.exeKbnepe32.exedescription pid process target process PID 1572 wrote to memory of 3136 1572 a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe Iijaka32.exe PID 1572 wrote to memory of 3136 1572 a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe Iijaka32.exe PID 1572 wrote to memory of 3136 1572 a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe Iijaka32.exe PID 3136 wrote to memory of 4248 3136 Iijaka32.exe Jodjhkkj.exe PID 3136 wrote to memory of 4248 3136 Iijaka32.exe Jodjhkkj.exe PID 3136 wrote to memory of 4248 3136 Iijaka32.exe Jodjhkkj.exe PID 4248 wrote to memory of 3232 4248 Jodjhkkj.exe Jbbfdfkn.exe PID 4248 wrote to memory of 3232 4248 Jodjhkkj.exe Jbbfdfkn.exe PID 4248 wrote to memory of 3232 4248 Jodjhkkj.exe Jbbfdfkn.exe PID 3232 wrote to memory of 4976 3232 Jbbfdfkn.exe Jilnqqbj.exe PID 3232 wrote to memory of 4976 3232 Jbbfdfkn.exe Jilnqqbj.exe PID 3232 wrote to memory of 4976 3232 Jbbfdfkn.exe Jilnqqbj.exe PID 4976 wrote to memory of 544 4976 Jilnqqbj.exe Jgonlm32.exe PID 4976 wrote to memory of 544 4976 Jilnqqbj.exe Jgonlm32.exe PID 4976 wrote to memory of 544 4976 Jilnqqbj.exe Jgonlm32.exe PID 544 wrote to memory of 1260 544 Jgonlm32.exe Joffnk32.exe PID 544 wrote to memory of 1260 544 Jgonlm32.exe Joffnk32.exe PID 544 wrote to memory of 1260 544 Jgonlm32.exe Joffnk32.exe PID 1260 wrote to memory of 1636 1260 Joffnk32.exe Jbdbjf32.exe PID 1260 wrote to memory of 1636 1260 Joffnk32.exe Jbdbjf32.exe PID 1260 wrote to memory of 1636 1260 Joffnk32.exe Jbdbjf32.exe PID 1636 wrote to memory of 4148 1636 Jbdbjf32.exe Jecofa32.exe PID 1636 wrote to memory of 4148 1636 Jbdbjf32.exe Jecofa32.exe PID 1636 wrote to memory of 4148 1636 Jbdbjf32.exe Jecofa32.exe PID 4148 wrote to memory of 232 4148 Jecofa32.exe Jgakbm32.exe PID 4148 wrote to memory of 232 4148 Jecofa32.exe Jgakbm32.exe PID 4148 wrote to memory of 232 4148 Jecofa32.exe Jgakbm32.exe PID 232 wrote to memory of 4888 232 Jgakbm32.exe Joiccj32.exe PID 232 wrote to memory of 4888 232 Jgakbm32.exe Joiccj32.exe PID 232 wrote to memory of 4888 232 Jgakbm32.exe Joiccj32.exe PID 4888 wrote to memory of 516 4888 Joiccj32.exe Jbgoof32.exe PID 4888 wrote to memory of 516 4888 Joiccj32.exe Jbgoof32.exe PID 4888 wrote to memory of 516 4888 Joiccj32.exe Jbgoof32.exe PID 516 wrote to memory of 4848 516 Jbgoof32.exe Jiaglp32.exe PID 516 wrote to memory of 4848 516 Jbgoof32.exe Jiaglp32.exe PID 516 wrote to memory of 4848 516 Jbgoof32.exe Jiaglp32.exe PID 4848 wrote to memory of 4404 4848 Jiaglp32.exe Jkodhk32.exe PID 4848 wrote to memory of 4404 4848 Jiaglp32.exe Jkodhk32.exe PID 4848 wrote to memory of 4404 4848 Jiaglp32.exe Jkodhk32.exe PID 4404 wrote to memory of 1324 4404 Jkodhk32.exe Jbileede.exe PID 4404 wrote to memory of 1324 4404 Jkodhk32.exe Jbileede.exe PID 4404 wrote to memory of 1324 4404 Jkodhk32.exe Jbileede.exe PID 1324 wrote to memory of 1308 1324 Jbileede.exe Jehhaaci.exe PID 1324 wrote to memory of 1308 1324 Jbileede.exe Jehhaaci.exe PID 1324 wrote to memory of 1308 1324 Jbileede.exe Jehhaaci.exe PID 1308 wrote to memory of 2052 1308 Jehhaaci.exe Jpmlnjco.exe PID 1308 wrote to memory of 2052 1308 Jehhaaci.exe Jpmlnjco.exe PID 1308 wrote to memory of 2052 1308 Jehhaaci.exe Jpmlnjco.exe PID 2052 wrote to memory of 3468 2052 Jpmlnjco.exe Jblijebc.exe PID 2052 wrote to memory of 3468 2052 Jpmlnjco.exe Jblijebc.exe PID 2052 wrote to memory of 3468 2052 Jpmlnjco.exe Jblijebc.exe PID 3468 wrote to memory of 2572 3468 Jblijebc.exe Jejefqaf.exe PID 3468 wrote to memory of 2572 3468 Jblijebc.exe Jejefqaf.exe PID 3468 wrote to memory of 2572 3468 Jblijebc.exe Jejefqaf.exe PID 2572 wrote to memory of 3912 2572 Jejefqaf.exe Jghabl32.exe PID 2572 wrote to memory of 3912 2572 Jejefqaf.exe Jghabl32.exe PID 2572 wrote to memory of 3912 2572 Jejefqaf.exe Jghabl32.exe PID 3912 wrote to memory of 4588 3912 Jghabl32.exe Kppici32.exe PID 3912 wrote to memory of 4588 3912 Jghabl32.exe Kppici32.exe PID 3912 wrote to memory of 4588 3912 Jghabl32.exe Kppici32.exe PID 4588 wrote to memory of 428 4588 Kppici32.exe Kbnepe32.exe PID 4588 wrote to memory of 428 4588 Kppici32.exe Kbnepe32.exe PID 4588 wrote to memory of 428 4588 Kppici32.exe Kbnepe32.exe PID 428 wrote to memory of 5036 428 Kbnepe32.exe Kfjapcii.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe"C:\Users\Admin\AppData\Local\Temp\a076e624c1496af67fd1b09375b3d1f2304045aaf2ed7b4a20e145eee6d553a4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5036 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe24⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe26⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe27⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe28⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe29⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe30⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe32⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe33⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe34⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe35⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe36⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe37⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:708 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe39⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe40⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe41⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:208 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe43⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4432 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe45⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe46⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe47⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe48⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe49⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe50⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe51⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe52⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe53⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe54⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe55⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4624 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3536 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe58⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe59⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe60⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe61⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe63⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4616 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe65⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe66⤵
- Drops file in System32 directory
PID:4460 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe67⤵PID:2892
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe68⤵PID:1364
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe69⤵PID:1796
-
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe70⤵
- System Location Discovery: System Language Discovery
PID:388 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe71⤵
- System Location Discovery: System Language Discovery
PID:3480 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe72⤵PID:4356
-
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe73⤵PID:1012
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe74⤵PID:3004
-
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe75⤵PID:4776
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe76⤵PID:4548
-
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe77⤵PID:4800
-
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe78⤵PID:4300
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:532 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe80⤵
- Drops file in System32 directory
PID:3808 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe81⤵PID:4024
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe82⤵PID:4984
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe83⤵PID:2888
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe84⤵PID:4384
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe85⤵PID:4992
-
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe86⤵
- System Location Discovery: System Language Discovery
PID:4788 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe87⤵PID:3260
-
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe88⤵PID:2128
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe89⤵PID:2284
-
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe91⤵PID:2332
-
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe92⤵PID:2372
-
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe93⤵PID:2288
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe94⤵PID:5028
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe95⤵PID:3856
-
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe96⤵PID:2700
-
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe97⤵PID:4284
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe98⤵PID:4580
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe99⤵PID:2896
-
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe100⤵PID:1136
-
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe101⤵PID:2828
-
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe102⤵PID:2740
-
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe103⤵
- System Location Discovery: System Language Discovery
PID:5156 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe104⤵PID:5200
-
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe105⤵PID:5244
-
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe106⤵PID:5288
-
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe107⤵PID:5332
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe108⤵PID:5376
-
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe109⤵PID:5420
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe110⤵PID:5464
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe111⤵PID:5508
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe112⤵PID:5552
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe113⤵PID:5596
-
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe114⤵PID:5640
-
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe115⤵PID:5684
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe116⤵PID:5728
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe117⤵
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe118⤵
- Drops file in System32 directory
PID:5808 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe119⤵PID:5860
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe120⤵PID:5904
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:5948 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe122⤵PID:5992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-