Analysis
-
max time kernel
92s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:58
Static task
static1
Behavioral task
behavioral1
Sample
b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe
Resource
win10v2004-20241007-en
General
-
Target
b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe
-
Size
112KB
-
MD5
b2dbc74a9c2ea473c195eef96ed24416
-
SHA1
dda183993270437693e5e81735291f352c351f26
-
SHA256
b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463
-
SHA512
d813ffa26047f643fc15e1e9c4c25b70e2c6b725a07b9c2b9bf6e60c930627117093d560a977abe6c729d8252ec2f5889c58c663cd290f634ebbede9fda79f47
-
SSDEEP
1536:T2Of5sUNS2L+TIIHeLptNpmT85roDRTe7VEVZcG4TXMtDhGJ5taRFkIsoh+RWGHP:h576TIJV3pjod5VZcGmhaR5sS+vfv
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jkimho32.exeLjaoeini.exeJnnpdg32.exeIakiia32.exePkenjh32.exePofjpl32.exePhbhcmjl.exeKbekqdjh.exeNmlddqem.exeOanfen32.exeGfhndpol.exeOigllh32.exeFlfkkhid.exeBmofagfp.exeJncoikmp.exeLjhefhha.exeAhpmjejp.exeFbpchb32.exeNmipdk32.exeCbgnemjj.exeJkgpbp32.exeOldjcg32.exeDeqcbpld.exeFiaael32.exeNhpbfpka.exeKlahfp32.exeLokdnjkg.exeCbeapmll.exeFfmfchle.exeHplicjok.exePeahgl32.exeHmdlmg32.exeMmpmnl32.exeJiaglp32.exeGdobnj32.exeInqbclob.exeGmimai32.exeJfehed32.exeCjhfpa32.exeHkeaqi32.exeDjfcaohp.exeCmcolgbj.exeDpbdopck.exeOaqbkn32.exeJpcapp32.exeDimenegi.exeHoaojp32.exeKngkqbgl.exeOffnhpfo.exeMhgfkg32.exeDapkni32.exeGahcmd32.exeAcokhc32.exeBlhpqhlh.exeFlqdlnde.exeCfbcke32.exeCcgjopal.exeEppqqn32.exeIebngial.exeMfeeabda.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkimho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljaoeini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnnpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakiia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkenjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofjpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phbhcmjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbekqdjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlddqem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhndpol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oigllh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oigllh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jncoikmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhefhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahpmjejp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbpchb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmipdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkgpbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldjcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaael32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhpbfpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lokdnjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffmfchle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplicjok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peahgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdlmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpmnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiaglp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdobnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfehed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhfpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkeaqi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmcolgbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbdopck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaqbkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpcapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoaojp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhgfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dapkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gahcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acokhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blhpqhlh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqdlnde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgjopal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppqqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfeeabda.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Iiehpahb.exeIoopml32.exeIbnligoc.exeIigdfa32.exeIoambknl.exeIbpiogmp.exeIenekbld.exeIgmagnkg.exeJngjch32.exeJfnbdecg.exeJgonlm32.exeJnifigpa.exeJecofa32.exeJiokfpph.exeJnkcogno.exeJbgoof32.exeJiaglp32.exeJnnpdg32.exeJfehed32.exeJgfdmlcm.exeJpmlnjco.exeJfgdkd32.exeJghabl32.exeKldmckic.exeKbnepe32.exeKihnmohm.exeKpbfii32.exeKbpbed32.exeKpdboimg.exeKfnkkb32.exeKhpgckkb.exeKbekqdjh.exeKechmoil.exeKhbdikip.exeKpiljh32.exeKbghfc32.exeKiaqcnpb.exeLlpmoiof.exeLpkiph32.exeLbjelc32.exeLidmhmnp.exeLlbidimc.exeLnqeqd32.exeLfhnaa32.exeLifjnm32.exeLldfjh32.exeLbnngbbn.exeLihfcm32.exeLlgcph32.exeLpbopfag.exeLbqklb32.exeLikcilhh.exeLpekef32.exeLbchba32.exeMimpolee.exeMlklkgei.exeMojhgbdl.exeMfaqhp32.exeMiomdk32.exeMpieqeko.exeMolelb32.exeMhdjehhj.exeMplafeil.exeMbjnbqhp.exepid process 4364 Iiehpahb.exe 1416 Ioopml32.exe 2208 Ibnligoc.exe 3852 Iigdfa32.exe 4356 Ioambknl.exe 2584 Ibpiogmp.exe 1224 Ienekbld.exe 3208 Igmagnkg.exe 2448 Jngjch32.exe 2876 Jfnbdecg.exe 4716 Jgonlm32.exe 3120 Jnifigpa.exe 4940 Jecofa32.exe 2352 Jiokfpph.exe 1368 Jnkcogno.exe 3836 Jbgoof32.exe 1540 Jiaglp32.exe 2752 Jnnpdg32.exe 3016 Jfehed32.exe 1096 Jgfdmlcm.exe 5048 Jpmlnjco.exe 5012 Jfgdkd32.exe 884 Jghabl32.exe 864 Kldmckic.exe 2360 Kbnepe32.exe 1528 Kihnmohm.exe 3332 Kpbfii32.exe 3516 Kbpbed32.exe 1920 Kpdboimg.exe 2984 Kfnkkb32.exe 4524 Khpgckkb.exe 1460 Kbekqdjh.exe 4444 Kechmoil.exe 4360 Khbdikip.exe 4476 Kpiljh32.exe 1088 Kbghfc32.exe 3964 Kiaqcnpb.exe 4740 Llpmoiof.exe 1908 Lpkiph32.exe 4164 Lbjelc32.exe 4052 Lidmhmnp.exe 3388 Llbidimc.exe 4628 Lnqeqd32.exe 2248 Lfhnaa32.exe 2404 Lifjnm32.exe 3580 Lldfjh32.exe 2868 Lbnngbbn.exe 4000 Lihfcm32.exe 5088 Llgcph32.exe 3268 Lpbopfag.exe 5068 Lbqklb32.exe 4588 Likcilhh.exe 3700 Lpekef32.exe 3124 Lbchba32.exe 1756 Mimpolee.exe 2372 Mlklkgei.exe 4932 Mojhgbdl.exe 3520 Mfaqhp32.exe 1356 Miomdk32.exe 4148 Mpieqeko.exe 1740 Molelb32.exe 3676 Mhdjehhj.exe 4152 Mplafeil.exe 2016 Mbjnbqhp.exe -
Drops file in System32 directory 64 IoCs
Processes:
Dpgeee32.exeAhenokjf.exeCmflbf32.exeFjmkoeqi.exeKdigadjo.exeOdjeljhd.exeIbnligoc.exeKihnmohm.exeKgnbdh32.exeLcnfohmi.exePldcjeia.exeCljobphg.exeNaecop32.exeOobfob32.exeGmafajfi.exeGaefgd32.exeKnkekn32.exeKijchhbo.exeEcbjkngo.exeOldjcg32.exeAobilkcl.exeFineoi32.exeNefped32.exeObjpoh32.exeDfoiaj32.exeLcggio32.exeLbqklb32.exeHjjnae32.exeBqdblmhl.exeDpehof32.exeNlphbnoe.exeBjlpjm32.exeAkepfpcl.exeBemqih32.exeMojhgbdl.exeNpgabc32.exeLckiihok.exeMjpbam32.exeBebjdgmj.exeLcimdh32.exeMimpolee.exeIhbdplfi.exeHkicaahi.exeIdhnkf32.exeMepfiq32.exeClchbqoo.exeGbeejp32.exeBfjnjcni.exeNknobkje.exeDheibpje.exeOnmfimga.exeHmnmgnoh.exeOoagno32.exeOcopdn32.exePahpfc32.exeCmmbbejp.exeGppcmeem.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Dhomfc32.exe Dpgeee32.exe File created C:\Windows\SysWOW64\Akcjkfij.exe Ahenokjf.exe File opened for modification C:\Windows\SysWOW64\Ckilmcgb.exe Cmflbf32.exe File created C:\Windows\SysWOW64\Ocmcjb32.dll Fjmkoeqi.exe File opened for modification C:\Windows\SysWOW64\Kggcnoic.exe Kdigadjo.exe File created C:\Windows\SysWOW64\Cncijina.dll Odjeljhd.exe File opened for modification C:\Windows\SysWOW64\Iigdfa32.exe Ibnligoc.exe File opened for modification C:\Windows\SysWOW64\Kpbfii32.exe Kihnmohm.exe File created C:\Windows\SysWOW64\Hemikcpm.dll Kgnbdh32.exe File created C:\Windows\SysWOW64\Efmnhl32.dll Lcnfohmi.exe File opened for modification C:\Windows\SysWOW64\Qmepam32.exe Pldcjeia.exe File created C:\Windows\SysWOW64\Cohkokgj.exe Cljobphg.exe File created C:\Windows\SysWOW64\Jebiel32.dll Naecop32.exe File created C:\Windows\SysWOW64\Gbdqegoi.dll Oobfob32.exe File created C:\Windows\SysWOW64\Gppcmeem.exe Gmafajfi.exe File opened for modification C:\Windows\SysWOW64\Gddbcp32.exe Gaefgd32.exe File created C:\Windows\SysWOW64\Lbgalmej.exe Knkekn32.exe File opened for modification C:\Windows\SysWOW64\Kkhpdcab.exe Kijchhbo.exe File opened for modification C:\Windows\SysWOW64\Efafgifc.exe Ecbjkngo.exe File created C:\Windows\SysWOW64\Oobfob32.exe Oldjcg32.exe File created C:\Windows\SysWOW64\Aflaie32.exe Aobilkcl.exe File created C:\Windows\SysWOW64\Bcgpgh32.dll Fineoi32.exe File created C:\Windows\SysWOW64\Nhdlao32.exe Nefped32.exe File opened for modification C:\Windows\SysWOW64\Oehlkc32.exe Objpoh32.exe File opened for modification C:\Windows\SysWOW64\Dimenegi.exe Dfoiaj32.exe File created C:\Windows\SysWOW64\Pdnjmc32.dll Lcggio32.exe File opened for modification C:\Windows\SysWOW64\Cogddd32.exe File created C:\Windows\SysWOW64\Efmdqkmi.dll Lbqklb32.exe File created C:\Windows\SysWOW64\Hpdfnolo.exe Hjjnae32.exe File opened for modification C:\Windows\SysWOW64\Bcbohigp.exe Bqdblmhl.exe File created C:\Windows\SysWOW64\Jgbbpbop.dll Dpehof32.exe File opened for modification C:\Windows\SysWOW64\Okchnk32.exe Nlphbnoe.exe File created C:\Windows\SysWOW64\Bhoqeibl.exe Bjlpjm32.exe File created C:\Windows\SysWOW64\Pjinodke.dll Akepfpcl.exe File opened for modification C:\Windows\SysWOW64\Bhkmec32.exe Bemqih32.exe File created C:\Windows\SysWOW64\Mfaqhp32.exe Mojhgbdl.exe File opened for modification C:\Windows\SysWOW64\Nipekiep.exe Npgabc32.exe File opened for modification C:\Windows\SysWOW64\Lggejg32.exe Lckiihok.exe File created C:\Windows\SysWOW64\Cpbjkn32.exe File created C:\Windows\SysWOW64\Mbgjbkfg.exe Mjpbam32.exe File opened for modification C:\Windows\SysWOW64\Bhpfqcln.exe Bebjdgmj.exe File opened for modification C:\Windows\SysWOW64\Lfgipd32.exe Lcimdh32.exe File created C:\Windows\SysWOW64\Qhjmdp32.exe File created C:\Windows\SysWOW64\Dgihjf32.dll File opened for modification C:\Windows\SysWOW64\Mlklkgei.exe Mimpolee.exe File opened for modification C:\Windows\SysWOW64\Iakiia32.exe Ihbdplfi.exe File created C:\Windows\SysWOW64\Bbaffgag.dll Hkicaahi.exe File created C:\Windows\SysWOW64\Iggjga32.exe Idhnkf32.exe File created C:\Windows\SysWOW64\Mccfdmmo.exe Mepfiq32.exe File created C:\Windows\SysWOW64\Coadnlnb.exe Clchbqoo.exe File created C:\Windows\SysWOW64\Lfebfnqn.dll Gbeejp32.exe File created C:\Windows\SysWOW64\Bihjfnmm.exe Bfjnjcni.exe File opened for modification C:\Windows\SysWOW64\Nbefdijg.exe Nknobkje.exe File created C:\Windows\SysWOW64\Pmphblgf.dll Dheibpje.exe File created C:\Windows\SysWOW64\Oakbehfe.exe Onmfimga.exe File created C:\Windows\SysWOW64\Oehlkc32.exe Objpoh32.exe File created C:\Windows\SysWOW64\Hplicjok.exe Hmnmgnoh.exe File created C:\Windows\SysWOW64\Oigllh32.exe Ooagno32.exe File created C:\Windows\SysWOW64\Gdilpd32.dll Ocopdn32.exe File created C:\Windows\SysWOW64\Hnoigi32.dll Pahpfc32.exe File created C:\Windows\SysWOW64\Coknoaic.exe Cmmbbejp.exe File created C:\Windows\SysWOW64\Mgdkaadn.dll Cmmbbejp.exe File created C:\Windows\SysWOW64\Okbcgopo.dll Idhnkf32.exe File opened for modification C:\Windows\SysWOW64\Gncchb32.exe Gppcmeem.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 6012 3884 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Aeaanjkl.exeMfeeabda.exeJdgafjpn.exeFibhpbea.exeFligqhga.exeJbgoof32.exeQikgco32.exeJcdala32.exeGikdkj32.exeDhomfc32.exeCfbcke32.exeJdnoplhh.exeFfobhg32.exeJgpfbjlo.exeLnjgfb32.exeCjecpkcg.exeOehlkc32.exeAanbhp32.exeJcmdaljn.exeNbadcpbh.exeMlbkap32.exeDbcmakpl.exeBahkih32.exeIoolkncg.exeOabhfg32.exeCcnncgmc.exeOoqqdi32.exePdfehh32.exeBnkbcj32.exeNeoieenp.exeLbnngbbn.exeDpnbog32.exeFipbdikp.exeHkbdki32.exeFpbmfn32.exeFpggamqc.exeHdmoohbo.exeJghabl32.exeCleegp32.exeGlipgf32.exeJpaleglc.exeJqdoem32.exeOkjnnj32.exeJnelok32.exeKjeiodek.exePdenmbkk.exeFkpool32.exeHjlkge32.exeGbfldf32.exeNaecop32.exeAnobgl32.exeFmkqpkla.exeGmimai32.exeKhbdikip.exeAojlaeei.exeCdlqqcnl.exeMqfpckhm.exeMngegmbc.exeLgccinoe.exeMchppmij.exeDmdhcddh.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeaanjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfeeabda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdgafjpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibhpbea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fligqhga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbgoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qikgco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikdkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhomfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfbcke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnoplhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffobhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjgfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjecpkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmdaljn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbadcpbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbcmakpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioolkncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabhfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnncgmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooqqdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neoieenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbnngbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnbog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipbdikp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbdki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpggamqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmoohbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghabl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cleegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glipgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaleglc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqdoem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnelok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdenmbkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpool32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlkge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naecop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anobgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkqpkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmimai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbdikip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojlaeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlqqcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqfpckhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngegmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgccinoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchppmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdhcddh.exe -
Modifies registry class 64 IoCs
Processes:
Lbgalmej.exeEciplm32.exeLklbdm32.exeAdndoe32.exeLnqeqd32.exeNiniei32.exeDgejpd32.exeFkpool32.exeGnqfcbnj.exeIohejo32.exeLmaamn32.exeNjfkmphe.exeInqbclob.exeAednci32.exeEbdcld32.exeEkdnei32.exeLpbopfag.exeAcokhc32.exeCmmbbejp.exeFjhacf32.exeHffken32.exeMjkblhfo.exeClgbmp32.exeCljobphg.exeJmeede32.exeJbgoof32.exeNplkmckj.exeOofaiokl.exeLldopb32.exeNefped32.exeHlcjhkdp.exeLdgccb32.exeCofnik32.exeIenekbld.exeBgeaifia.exeMiaboe32.exeNliaao32.exeCbdjeg32.exeEpmmqheb.exeLfbped32.exeFdglmkeg.exeLgepom32.exeOdoogi32.exePefabkej.exeFkbkdkpp.exeMhfppabl.exeDjcoai32.exeEmphocjj.exeEkkkoj32.exeJcmdaljn.exeLckiihok.exeKodnmkap.exeKngkqbgl.exeCcgajfeh.exeGgkiol32.exeFfobhg32.exePdmkhgho.exeLpkiph32.exeMfeeabda.exeFlpmagqi.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfombjbg.dll" Lbgalmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eciplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adndoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnqeqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niniei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgejpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkpool32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iohejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmaamn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njfkmphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aednci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekdnei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpbopfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kemilf32.dll" Acokhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmmbbejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjhacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdfqocb.dll" Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiabl32.dll" Mjkblhfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clgbmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cljobphg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmeede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhqihllh.dll" Jbgoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nplkmckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngdja32.dll" Oofaiokl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lldopb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nefped32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlcjhkdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldgccb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofnik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ienekbld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miaboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peehmbji.dll" Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpdko32.dll" Cbdjeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epmmqheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpjljph.dll" Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momkkhch.dll" Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbnffffp.dll" Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbhkjmnj.dll" Fkbkdkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdeookg.dll" Mhfppabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnffda32.dll" Djcoai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emphocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkbjd32.dll" Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migmpjdh.dll" Jcmdaljn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kodnmkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kngkqbgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccgajfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggkiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffobhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdmkhgho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqlelp32.dll" Lpkiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leilnmkp.dll" Mfeeabda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfjcpfb.dll" Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exeIiehpahb.exeIoopml32.exeIbnligoc.exeIigdfa32.exeIoambknl.exeIbpiogmp.exeIenekbld.exeIgmagnkg.exeJngjch32.exeJfnbdecg.exeJgonlm32.exeJnifigpa.exeJecofa32.exeJiokfpph.exeJnkcogno.exeJbgoof32.exeJiaglp32.exeJnnpdg32.exeJfehed32.exeJgfdmlcm.exeJpmlnjco.exedescription pid process target process PID 3256 wrote to memory of 4364 3256 b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe Iiehpahb.exe PID 3256 wrote to memory of 4364 3256 b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe Iiehpahb.exe PID 3256 wrote to memory of 4364 3256 b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe Iiehpahb.exe PID 4364 wrote to memory of 1416 4364 Iiehpahb.exe Ioopml32.exe PID 4364 wrote to memory of 1416 4364 Iiehpahb.exe Ioopml32.exe PID 4364 wrote to memory of 1416 4364 Iiehpahb.exe Ioopml32.exe PID 1416 wrote to memory of 2208 1416 Ioopml32.exe Ibnligoc.exe PID 1416 wrote to memory of 2208 1416 Ioopml32.exe Ibnligoc.exe PID 1416 wrote to memory of 2208 1416 Ioopml32.exe Ibnligoc.exe PID 2208 wrote to memory of 3852 2208 Ibnligoc.exe Iigdfa32.exe PID 2208 wrote to memory of 3852 2208 Ibnligoc.exe Iigdfa32.exe PID 2208 wrote to memory of 3852 2208 Ibnligoc.exe Iigdfa32.exe PID 3852 wrote to memory of 4356 3852 Iigdfa32.exe Ioambknl.exe PID 3852 wrote to memory of 4356 3852 Iigdfa32.exe Ioambknl.exe PID 3852 wrote to memory of 4356 3852 Iigdfa32.exe Ioambknl.exe PID 4356 wrote to memory of 2584 4356 Ioambknl.exe Ibpiogmp.exe PID 4356 wrote to memory of 2584 4356 Ioambknl.exe Ibpiogmp.exe PID 4356 wrote to memory of 2584 4356 Ioambknl.exe Ibpiogmp.exe PID 2584 wrote to memory of 1224 2584 Ibpiogmp.exe Ienekbld.exe PID 2584 wrote to memory of 1224 2584 Ibpiogmp.exe Ienekbld.exe PID 2584 wrote to memory of 1224 2584 Ibpiogmp.exe Ienekbld.exe PID 1224 wrote to memory of 3208 1224 Ienekbld.exe Igmagnkg.exe PID 1224 wrote to memory of 3208 1224 Ienekbld.exe Igmagnkg.exe PID 1224 wrote to memory of 3208 1224 Ienekbld.exe Igmagnkg.exe PID 3208 wrote to memory of 2448 3208 Igmagnkg.exe Jngjch32.exe PID 3208 wrote to memory of 2448 3208 Igmagnkg.exe Jngjch32.exe PID 3208 wrote to memory of 2448 3208 Igmagnkg.exe Jngjch32.exe PID 2448 wrote to memory of 2876 2448 Jngjch32.exe Jfnbdecg.exe PID 2448 wrote to memory of 2876 2448 Jngjch32.exe Jfnbdecg.exe PID 2448 wrote to memory of 2876 2448 Jngjch32.exe Jfnbdecg.exe PID 2876 wrote to memory of 4716 2876 Jfnbdecg.exe Jgonlm32.exe PID 2876 wrote to memory of 4716 2876 Jfnbdecg.exe Jgonlm32.exe PID 2876 wrote to memory of 4716 2876 Jfnbdecg.exe Jgonlm32.exe PID 4716 wrote to memory of 3120 4716 Jgonlm32.exe Jnifigpa.exe PID 4716 wrote to memory of 3120 4716 Jgonlm32.exe Jnifigpa.exe PID 4716 wrote to memory of 3120 4716 Jgonlm32.exe Jnifigpa.exe PID 3120 wrote to memory of 4940 3120 Jnifigpa.exe Jecofa32.exe PID 3120 wrote to memory of 4940 3120 Jnifigpa.exe Jecofa32.exe PID 3120 wrote to memory of 4940 3120 Jnifigpa.exe Jecofa32.exe PID 4940 wrote to memory of 2352 4940 Jecofa32.exe Jiokfpph.exe PID 4940 wrote to memory of 2352 4940 Jecofa32.exe Jiokfpph.exe PID 4940 wrote to memory of 2352 4940 Jecofa32.exe Jiokfpph.exe PID 2352 wrote to memory of 1368 2352 Jiokfpph.exe Jnkcogno.exe PID 2352 wrote to memory of 1368 2352 Jiokfpph.exe Jnkcogno.exe PID 2352 wrote to memory of 1368 2352 Jiokfpph.exe Jnkcogno.exe PID 1368 wrote to memory of 3836 1368 Jnkcogno.exe Jbgoof32.exe PID 1368 wrote to memory of 3836 1368 Jnkcogno.exe Jbgoof32.exe PID 1368 wrote to memory of 3836 1368 Jnkcogno.exe Jbgoof32.exe PID 3836 wrote to memory of 1540 3836 Jbgoof32.exe Jiaglp32.exe PID 3836 wrote to memory of 1540 3836 Jbgoof32.exe Jiaglp32.exe PID 3836 wrote to memory of 1540 3836 Jbgoof32.exe Jiaglp32.exe PID 1540 wrote to memory of 2752 1540 Jiaglp32.exe Jnnpdg32.exe PID 1540 wrote to memory of 2752 1540 Jiaglp32.exe Jnnpdg32.exe PID 1540 wrote to memory of 2752 1540 Jiaglp32.exe Jnnpdg32.exe PID 2752 wrote to memory of 3016 2752 Jnnpdg32.exe Jfehed32.exe PID 2752 wrote to memory of 3016 2752 Jnnpdg32.exe Jfehed32.exe PID 2752 wrote to memory of 3016 2752 Jnnpdg32.exe Jfehed32.exe PID 3016 wrote to memory of 1096 3016 Jfehed32.exe Jgfdmlcm.exe PID 3016 wrote to memory of 1096 3016 Jfehed32.exe Jgfdmlcm.exe PID 3016 wrote to memory of 1096 3016 Jfehed32.exe Jgfdmlcm.exe PID 1096 wrote to memory of 5048 1096 Jgfdmlcm.exe Jpmlnjco.exe PID 1096 wrote to memory of 5048 1096 Jgfdmlcm.exe Jpmlnjco.exe PID 1096 wrote to memory of 5048 1096 Jgfdmlcm.exe Jpmlnjco.exe PID 5048 wrote to memory of 5012 5048 Jpmlnjco.exe Jfgdkd32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe"C:\Users\Admin\AppData\Local\Temp\b5d26a0d34f94c602df644fbb13c3db7abf36d905c7f40bcb60a90ef5c784463.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe23⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe25⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe26⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe28⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe29⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe30⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe31⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe32⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe34⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4360 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe36⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe37⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe38⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe39⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe41⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe42⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe43⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4628 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe45⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe46⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe47⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe49⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe50⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3268 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5068 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe53⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe54⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe55⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe57⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe59⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe60⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe61⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe62⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe63⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe64⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe65⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe66⤵PID:2676
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4028 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe68⤵PID:1884
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe69⤵PID:4620
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe70⤵PID:2024
-
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe71⤵PID:1248
-
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe72⤵PID:2692
-
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe73⤵PID:3468
-
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe74⤵
- System Location Discovery: System Language Discovery
PID:684 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe75⤵PID:2240
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe76⤵PID:1512
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe77⤵PID:612
-
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe78⤵
- Modifies registry class
PID:3276 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe79⤵PID:4776
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe80⤵
- Drops file in System32 directory
PID:4236 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe81⤵PID:752
-
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe82⤵PID:1044
-
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe83⤵PID:4092
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe84⤵PID:2388
-
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe85⤵
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe86⤵PID:4892
-
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe87⤵PID:2840
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe88⤵PID:1684
-
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe89⤵PID:4176
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe90⤵
- Drops file in System32 directory
PID:4788 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:912 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe92⤵
- Drops file in System32 directory
PID:3680 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe93⤵PID:2416
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe94⤵PID:728
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe95⤵
- Modifies registry class
PID:3224 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe96⤵PID:3432
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe97⤵PID:4008
-
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe98⤵PID:1792
-
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe99⤵PID:4388
-
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe100⤵PID:956
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe101⤵PID:464
-
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe102⤵PID:5132
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe103⤵PID:5176
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe104⤵PID:5232
-
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe105⤵PID:5280
-
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe106⤵PID:5352
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe107⤵PID:5412
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe108⤵PID:5460
-
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe109⤵PID:5508
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe110⤵PID:5576
-
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe111⤵PID:5648
-
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe112⤵PID:5696
-
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe113⤵PID:5752
-
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe114⤵PID:5796
-
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe115⤵PID:5848
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe116⤵PID:5896
-
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe117⤵PID:5944
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe118⤵PID:6000
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6044 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe120⤵PID:6084
-
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe121⤵PID:6128
-
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe122⤵PID:5152
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-