Analysis

max time kernel: 95s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 02:00

Static task: static1
Behavioral task: behavioral1
  Sample: b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe
  Resource: win10v2004-20241007-en

The behavioural results below come from the win10v2004-20241007-en run (behavioral2, x64). All of the sample's file and registry writes land under SysWOW64 and WOW6432Node, consistent with a 32-bit image running under WOW64.
General

Target: b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe
Size: 80KB
MD5: ae894aed667136018332d67e6282ece8
SHA1: 308e72e9046308f53f4cfe398335f4c6dc14498d
SHA256: b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024
SHA512: 130778a0f1198b3f8b8be9ed35c809d11a196ae9a3bfc0becdc2a28ce879f549ab3fe1765fde2f1cee9d6bdc3ed981eb2afebbbffd6b2ab1f1322a4bef0bb754
SSDEEP: 1536:5aV0H0PMmyTZoSNjjV+0BoE34Z2LYS5DUHRbPa9b6i+sIk:z1myloSRV+0Bb3TYS5DSCopsIk
Malware Config

Extracted family: berbew
URLs from the extracted configuration:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every dropped copy writes the same persistence entry: a string value named "Web Event Logger" under the ShellServiceObjectDelayLoad key, whose data is the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}. Explorer treats values in that key as COM classes to instantiate, so the CLSID's InProcServer32 registration (recorded under "Modifies registry class" below) is what names the DLL that would actually be loaded. Two caveats for responders: "Web Event Logger" is a name chosen to look like a system component, not a standard entry, and on this x64 image every write sits in the WOW6432Node (32-bit) view of the registry, which the native 64-bit Explorer does not read, so check both views when hunting.

description | ioc

Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  written by (32 rows, 6 without a process recorded): Jgeklege.exe, Bpdfga32.exe, Fdemajom.exe, Hflhefql.exe, Fipica32.exe, Nlmblg32.exe, Pdelgabo.exe, Hicnqb32.exe, Hpcmmhpg.exe, Afhehhmh.exe, Qeqhmbpd.exe, Epmkjgmf.exe, Foboih32.exe, Cpklhpag.exe, Ggdbdc32.exe, Jnaidi32.exe, Qlkgdc32.exe, Nbchhhdm.exe, Nljefh32.exe, Mnohan32.exe, Hldgbm32.exe, Kphcianj.exe, Jgpkfpgo.exe, Hfhfba32.exe, Eedcmh32.exe, Hhflcf32.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  written by (32 rows, 6 without a process recorded): Cgdaom32.exe, Ogcfjd32.exe, Bbmbnggl.exe, Gkkldi32.exe, Hmdjgf32.exe, Kqakkn32.exe, Jbmedgal.exe, Qfdbgo32.exe, Ljeppa32.exe, Coeehd32.exe, Enmhenbg.exe, Ecigkf32.exe, Ebndlbjg.exe, Gapdkn32.exe, Mjoipf32.exe, Pejifj32.exe, Opinnjcb.exe, Iecalbca.exe, Hbhjmqgp.exe, Dpgldn32.exe, Hdglca32.exe, Qfbfao32.exe, Cfajjnco.exe, Dkclndma.exe, Edgapl32.exe, Nidfeaeb.exe
Berbew family
Executes dropped EXE (64 IoCs)

Listed in execution order; the report shows 64 rows for this signature.

pid | process
5032 | Fecdpd32.exe
4500 | Fhaplo32.exe
4416 | Fkpmhk32.exe
2272 | Fokhiibo.exe
2888 | Fdhaapqf.exe
3488 | Fgfmmlpj.exe
2960 | Foneni32.exe
3364 | Falajd32.exe
2824 | Fhfjgogm.exe
2092 | Fncboeed.exe
2188 | Fdmjlp32.exe
4988 | Fgkfhk32.exe
1256 | Foboih32.exe
3876 | Felgfb32.exe
1316 | Ggncnkjb.exe
1264 | Goekohjd.exe
3848 | Gacgkcih.exe
1160 | Ghmphn32.exe
3108 | Gkkldi32.exe
1868 | Goghdhhb.exe
4504 | Gaedqc32.exe
1184 | Gddqmo32.exe
3952 | Ggbmij32.exe
2040 | Goiejg32.exe
724 | Gahafc32.exe
1276 | Gdfmbn32.exe
3044 | Ghbicmmp.exe
3700 | Gnoakdkg.exe
2220 | Gffjla32.exe
4676 | Ghdfhm32.exe
3640 | Gkbbdh32.exe
1956 | Gnanqc32.exe
4280 | Hfhfba32.exe
1428 | Hhfbnl32.exe
3408 | Hgiciipe.exe
1020 | Hoqkkfpg.exe
64 | Hboggbok.exe
4672 | Hdmccmno.exe
3944 | Hglpoi32.exe
4828 | Hkglpgfk.exe
2164 | Hnehlceo.exe
2780 | Hdpphm32.exe
1492 | Hhklilde.exe
4252 | Hoedff32.exe
1476 | Hhmiokbb.exe
3032 | Hklekg32.exe
3844 | Hnjagb32.exe
5060 | Hbfmgaic.exe
3328 | Hddiclhf.exe
1844 | Hknapf32.exe
4400 | Hojnaehl.exe
4524 | Hbhjmqgp.exe
3308 | Idffilfd.exe
4556 | Igebegeg.exe
4404 | Inokbamd.exe
4164 | Idicol32.exe
448 | Iggokg32.exe
3272 | Ioogld32.exe
5064 | Ifhoiokd.exe
2692 | Iiglejjg.exe
4352 | Ikehaejk.exe
1916 | Incdma32.exe
1664 | Idnljkpl.exe
4796 | Iglhffop.exe
Drops file in System32 directory (64 IoCs)

Every copy writes into C:\Windows\SysWOW64: an .exe that is the next copy in the chain (compare the execution order above, where Hglpoi32.exe runs directly after the Hdmccmno.exe that created it) and, for some copies, a .dll in the same naming style, consistent with the InProcServer32 paths registered under "Modifies registry class" below. Rows whose process column is blank are given as the report shows them.

description | ioc | process
File created | C:\Windows\SysWOW64\Hdafcf32.exe | Hjlafn32.exe
File created | C:\Windows\SysWOW64\Jnlpiimi.exe | Jgbhlo32.exe
File created | C:\Windows\SysWOW64\Dmplbg32.exe | Ddicajfd.exe
File opened for modification | C:\Windows\SysWOW64\Gpojln32.exe | Gmanpc32.exe
File opened for modification | C:\Windows\SysWOW64\Fikhoofg.exe |
File created | C:\Windows\SysWOW64\Bgfdnolf.exe | Boomlakd.exe
File created | C:\Windows\SysWOW64\Edbljd32.dll | Bjfgedel.exe
File created | C:\Windows\SysWOW64\Ohndgjio.exe |
File opened for modification | C:\Windows\SysWOW64\Dhfembio.exe |
File created | C:\Windows\SysWOW64\Cnlnpd32.dll | Fdmjlp32.exe
File opened for modification | C:\Windows\SysWOW64\Emcaoefa.exe | Eigenf32.exe
File created | C:\Windows\SysWOW64\Mgmbjofd.exe |
File created | C:\Windows\SysWOW64\Aeaqdeiq.dll | Lhadoa32.exe
File opened for modification | C:\Windows\SysWOW64\Ikgnlo32.exe | Ihhapc32.exe
File opened for modification | C:\Windows\SysWOW64\Ahkkob32.exe | Afmocg32.exe
File created | C:\Windows\SysWOW64\Iefnaa32.exe |
File created | C:\Windows\SysWOW64\Ahjmjfao.exe |
File opened for modification | C:\Windows\SysWOW64\Fdemajom.exe | Fipica32.exe
File opened for modification | C:\Windows\SysWOW64\Loaanb32.exe |
File created | C:\Windows\SysWOW64\Ioholb32.dll |
File created | C:\Windows\SysWOW64\Ekbnjl32.exe |
File created | C:\Windows\SysWOW64\Plbmlj32.dll | Aonmknfk.exe
File opened for modification | C:\Windows\SysWOW64\Combci32.exe | Cmnfgnle.exe
File opened for modification | C:\Windows\SysWOW64\Djbfqb32.exe | Cbknoe32.exe
File created | C:\Windows\SysWOW64\Oeafpk32.exe | Obbjdp32.exe
File created | C:\Windows\SysWOW64\Lcmmnqaq.exe |
File created | C:\Windows\SysWOW64\Hglpoi32.exe | Hdmccmno.exe
File created | C:\Windows\SysWOW64\Cpklhpag.exe | Ciadkf32.exe
File opened for modification | C:\Windows\SysWOW64\Gdefhh32.exe | Gagjlm32.exe
File created | C:\Windows\SysWOW64\Dphaoh32.exe | Dmjecl32.exe
File opened for modification | C:\Windows\SysWOW64\Mcggoema.exe | Mahkbjnn.exe
File created | C:\Windows\SysWOW64\Obgcip32.dll | Bogigfje.exe
File created | C:\Windows\SysWOW64\Ccljca32.dll | Clnomhii.exe
File opened for modification | C:\Windows\SysWOW64\Fphckopm.exe | Finkoe32.exe
File opened for modification | C:\Windows\SysWOW64\Hmafgqlo.exe | Hejoeckl.exe
File opened for modification | C:\Windows\SysWOW64\Encglg32.exe |
File opened for modification | C:\Windows\SysWOW64\Nghfof32.exe | Noqomh32.exe
File created | C:\Windows\SysWOW64\Mnadgn32.exe | Mggljcae.exe
File created | C:\Windows\SysWOW64\Hhflcf32.exe | Hdjpcgme.exe
File created | C:\Windows\SysWOW64\Gbginh32.exe | Gpimbm32.exe
File created | C:\Windows\SysWOW64\Opoihjhe.dll |
File created | C:\Windows\SysWOW64\Eabhjpdo.exe | Eikphbcm.exe
File created | C:\Windows\SysWOW64\Ebepfgig.exe |
File created | C:\Windows\SysWOW64\Hnkojp32.dll | Hghedmhm.exe
File created | C:\Windows\SysWOW64\Dplpah32.dll | Jjkdbeei.exe
File created | C:\Windows\SysWOW64\Dmenpl32.dll | Ombadh32.exe
File opened for modification | C:\Windows\SysWOW64\Pmpmefgm.exe | Pkaaikhi.exe
File created | C:\Windows\SysWOW64\Fjompa32.dll | Mehanell.exe
File created | C:\Windows\SysWOW64\Fghche32.exe | Fdjgljkh.exe
File opened for modification | C:\Windows\SysWOW64\Kgqdmmil.exe | Kindbq32.exe
File opened for modification | C:\Windows\SysWOW64\Aamigi32.exe | Aonmknfk.exe
File created | C:\Windows\SysWOW64\Cabbolpq.dll | Fmohei32.exe
File created | C:\Windows\SysWOW64\Kgnobefp.dll | Olcabpkl.exe
File created | C:\Windows\SysWOW64\Fkmomc32.dll |
File created | C:\Windows\SysWOW64\Jbiena32.dll | Pgfbpdhl.exe
File opened for modification | C:\Windows\SysWOW64\Ffglnofp.exe | Fblpmp32.exe
File created | C:\Windows\SysWOW64\Ilcjna32.exe | Ikamfi32.exe
File created | C:\Windows\SysWOW64\Jfkciidn.dll | Fkpmhk32.exe
File created | C:\Windows\SysWOW64\Hkfeea32.exe | Hhhhif32.exe
File opened for modification | C:\Windows\SysWOW64\Gbpbniff.exe | Gmcjebho.exe
File opened for modification | C:\Windows\SysWOW64\Aomofaod.exe |
File opened for modification | C:\Windows\SysWOW64\Jqkleell.exe | Jnlpiimi.exe
File created | C:\Windows\SysWOW64\Cjmcmp32.dll | Mlcoei32.exe
File created | C:\Windows\SysWOW64\Occqof32.exe | Oogdngna.exe
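To read the "Executes dropped EXE" and "Drops file in System32 directory" tables as one picture, the Python below (an added example, not part of the report and not Berbew tooling) rebuilds the dropper lineage: which copy wrote which .exe or .dll, which lineages can be followed end to end, and whether a parent/child pair is confirmed by being consecutive in the execution order. The DROPS and EXEC strings are constructed subsets of rows copied from the tables above; the regexes, the function names and the assumption that each copy drops one next-generation .exe (used to follow the chain) are this example's own.

```python
import re
from collections import defaultdict

# One "Drops file" row: File created|opened for modification <path> [<process>.exe].
# The process column is optional because the report leaves it blank on some rows.
FILE_RE = re.compile(
    r"File (?P<op>created|opened for modification) (?P<path>C:\\\S+)"
    r"(?:\s+(?P<proc>[^\s\\]+\.exe))?(?=\s+File |\s*$)")
# "<pid> <process>.exe" pairs from the "Executes dropped EXE" table, in execution order.
PID_RE = re.compile(r"(?P<pid>\d+)\s+(?P<proc>[^\s\\]+\.exe)")

# Constructed input: seven rows from "Drops file in System32 directory" and a contiguous
# slice of "Executes dropped EXE", copied from the report above (one row has no process).
DROPS = r"""description ioc process File created C:\Windows\SysWOW64\Jnlpiimi.exe Jgbhlo32.exe File opened for modification C:\Windows\SysWOW64\Jqkleell.exe Jnlpiimi.exe File created C:\Windows\SysWOW64\Hglpoi32.exe Hdmccmno.exe File created C:\Windows\SysWOW64\Edbljd32.dll Bjfgedel.exe File opened for modification C:\Windows\SysWOW64\Fikhoofg.exe File created C:\Windows\SysWOW64\Jfkciidn.dll Fkpmhk32.exe File opened for modification C:\Windows\SysWOW64\Fdemajom.exe Fipica32.exe"""
EXEC = "pid process 4416 Fkpmhk32.exe 2272 Fokhiibo.exe 4672 Hdmccmno.exe 3944 Hglpoi32.exe 4828 Hkglpgfk.exe"


def parse_drops(text):
    """Rows as dicts; proc is None when the report left the column blank."""
    return [{"op": m["op"], "path": m["path"], "proc": m["proc"]} for m in FILE_RE.finditer(text)]


def parse_exec_order(text):
    """(pid, process) in the order the report lists them."""
    return [(int(m["pid"]), m["proc"]) for m in PID_RE.finditer(text)]


def drop_graph(drops):
    """writer -> {'exe': [names], 'dll': [names]}; writes with no process go under None."""
    graph = defaultdict(lambda: {"exe": [], "dll": []})
    for d in drops:
        name = d["path"].rsplit("\\", 1)[-1]
        kind = "dll" if name.lower().endswith(".dll") else "exe"
        if name not in graph[d["proc"]][kind]:
            graph[d["proc"]][kind].append(name)
    return graph


def drop_chains(graph):
    """Follow exe -> exe edges from writers nobody dropped; each chain is one lineage."""
    dropped = {e for kinds in graph.values() for e in kinds["exe"]}
    roots = sorted(w for w in graph if w and w not in dropped and graph[w]["exe"])
    chains = []
    for root in roots:
        chain, seen = [root], {root}
        while graph.get(chain[-1], {"exe": []})["exe"]:
            nxt = graph[chain[-1]]["exe"][0]   # assumption: one next-generation exe per copy
            if nxt in seen:                    # cycle guard for partial (capped) data
                break
            chain.append(nxt)
            seen.add(nxt)
        chains.append(chain)
    return chains


def confirm_with_exec_order(chains, order):
    """Per parent->child step: True if the child was the very next dropped EXE to run,
    False if both ran but not back to back, None if either is outside the listed rows."""
    pos = {name: i for i, (_, name) in enumerate(order)}
    out = []
    for chain in chains:
        for parent, child in zip(chain, chain[1:]):
            if parent in pos and child in pos:
                out.append((parent, child, pos[child] == pos[parent] + 1))
            else:
                out.append((parent, child, None))
    return out


if __name__ == "__main__":
    graph = drop_graph(parse_drops(DROPS))
    steps = confirm_with_exec_order(drop_chains(graph), parse_exec_order(EXEC))
    labels = {True: "child ran next", False: "both ran, not adjacent", None: "outside the listed rows"}
    for parent, child, adjacent in steps:
        print(f"{parent} -> {child}: {labels[adjacent]}")
```

Run against the full report text, the two regexes can be fed the whole "Drops file" and "Executes dropped EXE" sections respectively; with the constructed subset, only the Hdmccmno.exe to Hglpoi32.exe step is confirmed by the execution order, and the other steps stay unconfirmed because their processes fall outside the 64 rows shown.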
Program crash (1 IoC)

pid | pid_target | process | target process
8048 | 7216 | |
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is not by itself malicious, since it is a normal part of locale initialisation, so weigh it only as context for the behaviours above and below.

description | ioc
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  opened by (64 rows, 9 without a process recorded): Lnpmpmpo.exe, Oldogm32.exe, Mlcoei32.exe, Olhagekb.exe, Bbflmhmd.exe, Mqfnmjpq.exe, Nnhkhm32.exe, Fghche32.exe, Cmnfgnle.exe, Bpdfga32.exe, Jbcbniig.exe, Eckcpe32.exe, Goiejg32.exe, Hhhhif32.exe, Jnlpiimi.exe, Aalbmcac.exe, Bdkgplbd.exe, Dbanenai.exe, Fiqhde32.exe, Mehanell.exe, Ppqdni32.exe, Gpcdfjoj.exe, Ajfnnf32.exe, Nleeqbhl.exe, Nakpogni.exe, Ffpobj32.exe, Gkbbdh32.exe, Nghfof32.exe, Plpobk32.exe, Qchcqc32.exe, Kjopiihp.exe, Akenpokp.exe, Afmocg32.exe, Ccahcijj.exe, Bknilg32.exe, Hklekg32.exe, Jigdlhle.exe, Pcampdjk.exe, Cfchoj32.exe, Jqmijd32.exe, Pkbhcale.exe, Lqohllfi.exe, Khchmc32.exe, Pacfaj32.exe, Fmmkoj32.exe, Gaedqc32.exe, Bcmebpak.exe, Cbhkooic.exe, Fhfjgogm.exe, Foboih32.exe, Idgejomj.exe, Jdokjngb.exe, Dmklmb32.exe, Ggdbdc32.exe, Idhlde32.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)

Adversaries may check for Internet connectivity on compromised systems. The report does not show the IoC row for this signature.
Modifies registry class (64 IoCs)

These rows are the COM registration for the CLSID named by the ShellServiceObjectDelayLoad value above: an InProcServer32 subkey in the WOW6432Node (32-bit) view of HKLM\SOFTWARE\Classes\CLSID, with ThreadingModel = "Apartment" and the default value pointing at a DLL in C:\Windows\SysWow64. The CLSID never changes, but each copy overwrites the default value with its own freshly named DLL, so a live host shows only the last DLL written while the earlier ones stay on disk. Backslashes in the value data are doubled exactly as the report prints them.

description | ioc

Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
  written by (26 rows, 9 without a process recorded): Khchmc32.exe, Dioibnjo.exe, Hklekg32.exe, Eliejgoe.exe, Cjicjc32.exe, Nlbbam32.exe, Ejelmp32.exe, Fpkgke32.exe, Plgdcj32.exe, Fdgjfjmk.exe, Cmjllopj.exe, Fdmjlp32.exe, Fhaplo32.exe, Jgnnapja.exe, Pdhila32.exe, Kjopiihp.exe, Mpmeknkb.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
  written by (18 rows, 3 without a process recorded): Lqohllfi.exe, Kbgoelmm.exe, Kcphgi32.exe, Dmcobm32.exe, Kmepjojp.exe, Cfdgpn32.exe, Hdjpcgme.exe, Afokhg32.exe, Nnkgml32.exe, Gbqjhpja.exe, Edngpkee.exe, Igahkk32.exe, Qlkpim32.exe, Cochbdpg.exe, Filoiejc.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = (default value, 20 rows, 6 without a process recorded; value data | process, in report order)
  "C:\\Windows\\SysWow64\\Igcfnj32.dll" | Fnpmbkbb.exe
  "C:\\Windows\\SysWow64\\Dljopcfm.dll" | Keekahla.exe
  "C:\\Windows\\SysWow64\\Ocmfjlpa.dll" |
  "C:\\Windows\\SysWow64\\Ibofaadm.dll" |
  "C:\\Windows\\SysWow64\\Ocjgjgce.dll" |
  "C:\\Windows\\SysWow64\\Eqifhj32.dll" | Dfkckc32.exe
  "C:\\Windows\\SysWow64\\Eqipof32.dll" |
  "C:\\Windows\\SysWow64\\Gadkoe32.dll" | Chpffi32.exe
  "C:\\Windows\\SysWow64\\Nankcn32.dll" | Hejoeckl.exe
  "C:\\Windows\\SysWow64\\Cmoojb32.dll" | Eckcpe32.exe
  "C:\\Windows\\SysWow64\\Biqhfghk.dll" | Gphnaj32.exe
  "C:\\Windows\\SysWow64\\Mfgbep32.dll" |
  "C:\\Windows\\SysWow64\\Hpiobnel.dll" | Fipica32.exe
  "C:\\Windows\\SysWow64\\Kfbiahje.dll" |
  "C:\\Windows\\SysWow64\\Epebai32.dll" | Gbginh32.exe
  "C:\\Windows\\SysWow64\\Miephikk.dll" | Ffnbmjko.exe
  "C:\\Windows\\SysWow64\\Bbdccije.dll" | Jqmijd32.exe
  "C:\\Windows\\SysWow64\\Fepcfp32.dll" | Dcnnin32.exe
  "C:\\Windows\\SysWow64\\Koopgl32.dll" | Ifhoiokd.exe
  "C:\\Windows\\SysWow64\\Dacnph32.dll" | Ligfho32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe, Fecdpd32.exe, Fhaplo32.exe, Fkpmhk32.exe, Fokhiibo.exe, Fdhaapqf.exe, Fgfmmlpj.exe, Foneni32.exe, Falajd32.exe, Fhfjgogm.exe, Fncboeed.exe, Fdmjlp32.exe, Fgkfhk32.exe, Foboih32.exe, Felgfb32.exe, Ggncnkjb.exe, Goekohjd.exe, Gacgkcih.exe, Ghmphn32.exe, Gkkldi32.exe, Goghdhhb.exe, Gaedqc32.exe
description pid process target process
PID 4880 wrote to memory of 5032 4880 b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe Fecdpd32.exe
PID 4880 wrote to memory of 5032 4880 b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe Fecdpd32.exe
PID 4880 wrote to memory of 5032 4880 b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe Fecdpd32.exe
PID 5032 wrote to memory of 4500 5032 Fecdpd32.exe Fhaplo32.exe
PID 5032 wrote to memory of 4500 5032 Fecdpd32.exe Fhaplo32.exe
PID 5032 wrote to memory of 4500 5032 Fecdpd32.exe Fhaplo32.exe
PID 4500 wrote to memory of 4416 4500 Fhaplo32.exe Fkpmhk32.exe
PID 4500 wrote to memory of 4416 4500 Fhaplo32.exe Fkpmhk32.exe
PID 4500 wrote to memory of 4416 4500 Fhaplo32.exe Fkpmhk32.exe
PID 4416 wrote to memory of 2272 4416 Fkpmhk32.exe Fokhiibo.exe
PID 4416 wrote to memory of 2272 4416 Fkpmhk32.exe Fokhiibo.exe
PID 4416 wrote to memory of 2272 4416 Fkpmhk32.exe Fokhiibo.exe
PID 2272 wrote to memory of 2888 2272 Fokhiibo.exe Fdhaapqf.exe
PID 2272 wrote to memory of 2888 2272 Fokhiibo.exe Fdhaapqf.exe
PID 2272 wrote to memory of 2888 2272 Fokhiibo.exe Fdhaapqf.exe
PID 2888 wrote to memory of 3488 2888 Fdhaapqf.exe Fgfmmlpj.exe
PID 2888 wrote to memory of 3488 2888 Fdhaapqf.exe Fgfmmlpj.exe
PID 2888 wrote to memory of 3488 2888 Fdhaapqf.exe Fgfmmlpj.exe
PID 3488 wrote to memory of 2960 3488 Fgfmmlpj.exe Foneni32.exe
PID 3488 wrote to memory of 2960 3488 Fgfmmlpj.exe Foneni32.exe
PID 3488 wrote to memory of 2960 3488 Fgfmmlpj.exe Foneni32.exe
PID 2960 wrote to memory of 3364 2960 Foneni32.exe Falajd32.exe
PID 2960 wrote to memory of 3364 2960 Foneni32.exe Falajd32.exe
PID 2960 wrote to memory of 3364 2960 Foneni32.exe Falajd32.exe
PID 3364 wrote to memory of 2824 3364 Falajd32.exe Fhfjgogm.exe
PID 3364 wrote to memory of 2824 3364 Falajd32.exe Fhfjgogm.exe
PID 3364 wrote to memory of 2824 3364 Falajd32.exe Fhfjgogm.exe
PID 2824 wrote to memory of 2092 2824 Fhfjgogm.exe Fncboeed.exe
PID 2824 wrote to memory of 2092 2824 Fhfjgogm.exe Fncboeed.exe
PID 2824 wrote to memory of 2092 2824 Fhfjgogm.exe Fncboeed.exe
PID 2092 wrote to memory of 2188 2092 Fncboeed.exe Fdmjlp32.exe
PID 2092 wrote to memory of 2188 2092 Fncboeed.exe Fdmjlp32.exe
PID 2092 wrote to memory of 2188 2092 Fncboeed.exe Fdmjlp32.exe
PID 2188 wrote to memory of 4988 2188 Fdmjlp32.exe Fgkfhk32.exe
PID 2188 wrote to memory of 4988 2188 Fdmjlp32.exe Fgkfhk32.exe
PID 2188 wrote to memory of 4988 2188 Fdmjlp32.exe Fgkfhk32.exe
PID 4988 wrote to memory of 1256 4988 Fgkfhk32.exe Foboih32.exe
PID 4988 wrote to memory of 1256 4988 Fgkfhk32.exe Foboih32.exe
PID 4988 wrote to memory of 1256 4988 Fgkfhk32.exe Foboih32.exe
PID 1256 wrote to memory of 3876 1256 Foboih32.exe Felgfb32.exe
PID 1256 wrote to memory of 3876 1256 Foboih32.exe Felgfb32.exe
PID 1256 wrote to memory of 3876 1256 Foboih32.exe Felgfb32.exe
PID 3876 wrote to memory of 1316 3876 Felgfb32.exe Ggncnkjb.exe
PID 3876 wrote to memory of 1316 3876 Felgfb32.exe Ggncnkjb.exe
PID 3876 wrote to memory of 1316 3876 Felgfb32.exe Ggncnkjb.exe
PID 1316 wrote to memory of 1264 1316 Ggncnkjb.exe Goekohjd.exe
PID 1316 wrote to memory of 1264 1316 Ggncnkjb.exe Goekohjd.exe
PID 1316 wrote to memory of 1264 1316 Ggncnkjb.exe Goekohjd.exe
PID 1264 wrote to memory of 3848 1264 Goekohjd.exe Gacgkcih.exe
PID 1264 wrote to memory of 3848 1264 Goekohjd.exe Gacgkcih.exe
PID 1264 wrote to memory of 3848 1264 Goekohjd.exe Gacgkcih.exe
PID 3848 wrote to memory of 1160 3848 Gacgkcih.exe Ghmphn32.exe
PID 3848 wrote to memory of 1160 3848 Gacgkcih.exe Ghmphn32.exe
PID 3848 wrote to memory of 1160 3848 Gacgkcih.exe Ghmphn32.exe
PID 1160 wrote to memory of 3108 1160 Ghmphn32.exe Gkkldi32.exe
PID 1160 wrote to memory of 3108 1160 Ghmphn32.exe Gkkldi32.exe
PID 1160 wrote to memory of 3108 1160 Ghmphn32.exe Gkkldi32.exe
PID 3108 wrote to memory of 1868 3108 Gkkldi32.exe Goghdhhb.exe
PID 3108 wrote to memory of 1868 3108 Gkkldi32.exe Goghdhhb.exe
PID 3108 wrote to memory of 1868 3108 Gkkldi32.exe Goghdhhb.exe
PID 1868 wrote to memory of 4504 1868 Goghdhhb.exe Gaedqc32.exe
PID 1868 wrote to memory of 4504 1868 Goghdhhb.exe Gaedqc32.exe
PID 1868 wrote to memory of 4504 1868 Goghdhhb.exe Gaedqc32.exe
PID 4504 wrote to memory of 1184 4504 Gaedqc32.exe Gddqmo32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe"C:\Users\Admin\AppData\Local\Temp\b757166599dc398cbea4f2f911a9b3b5c18e93c7817819ab152cfbce1e6db024.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Fecdpd32.exeC:\Windows\system32\Fecdpd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Fhaplo32.exeC:\Windows\system32\Fhaplo32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Fkpmhk32.exeC:\Windows\system32\Fkpmhk32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Fokhiibo.exeC:\Windows\system32\Fokhiibo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Fdhaapqf.exeC:\Windows\system32\Fdhaapqf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Fgfmmlpj.exeC:\Windows\system32\Fgfmmlpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Foneni32.exeC:\Windows\system32\Foneni32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Falajd32.exeC:\Windows\system32\Falajd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Fhfjgogm.exeC:\Windows\system32\Fhfjgogm.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Fncboeed.exeC:\Windows\system32\Fncboeed.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Fdmjlp32.exeC:\Windows\system32\Fdmjlp32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Fgkfhk32.exeC:\Windows\system32\Fgkfhk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Foboih32.exeC:\Windows\system32\Foboih32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Felgfb32.exeC:\Windows\system32\Felgfb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Ggncnkjb.exeC:\Windows\system32\Ggncnkjb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Goekohjd.exeC:\Windows\system32\Goekohjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Gacgkcih.exeC:\Windows\system32\Gacgkcih.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Ghmphn32.exeC:\Windows\system32\Ghmphn32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Gkkldi32.exeC:\Windows\system32\Gkkldi32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Goghdhhb.exeC:\Windows\system32\Goghdhhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Gaedqc32.exeC:\Windows\system32\Gaedqc32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Gddqmo32.exeC:\Windows\system32\Gddqmo32.exe23⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Ggbmij32.exeC:\Windows\system32\Ggbmij32.exe24⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Goiejg32.exeC:\Windows\system32\Goiejg32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Gahafc32.exeC:\Windows\system32\Gahafc32.exe26⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Gdfmbn32.exeC:\Windows\system32\Gdfmbn32.exe27⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Ghbicmmp.exeC:\Windows\system32\Ghbicmmp.exe28⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Gnoakdkg.exeC:\Windows\system32\Gnoakdkg.exe29⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Gffjla32.exeC:\Windows\system32\Gffjla32.exe30⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Ghdfhm32.exeC:\Windows\system32\Ghdfhm32.exe31⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Gkbbdh32.exeC:\Windows\system32\Gkbbdh32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3640 -
C:\Windows\SysWOW64\Gnanqc32.exeC:\Windows\system32\Gnanqc32.exe33⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Hfhfba32.exeC:\Windows\system32\Hfhfba32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Hhfbnl32.exeC:\Windows\system32\Hhfbnl32.exe35⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Hgiciipe.exeC:\Windows\system32\Hgiciipe.exe36⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Hoqkkfpg.exeC:\Windows\system32\Hoqkkfpg.exe37⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Hboggbok.exeC:\Windows\system32\Hboggbok.exe38⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Hdmccmno.exeC:\Windows\system32\Hdmccmno.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4672 -
C:\Windows\SysWOW64\Hglpoi32.exeC:\Windows\system32\Hglpoi32.exe40⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Hkglpgfk.exeC:\Windows\system32\Hkglpgfk.exe41⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Hnehlceo.exeC:\Windows\system32\Hnehlceo.exe42⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Hdpphm32.exeC:\Windows\system32\Hdpphm32.exe43⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Hhklilde.exeC:\Windows\system32\Hhklilde.exe44⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Hoedff32.exeC:\Windows\system32\Hoedff32.exe45⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe46⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Hklekg32.exeC:\Windows\system32\Hklekg32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Hnjagb32.exeC:\Windows\system32\Hnjagb32.exe48⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Hbfmgaic.exeC:\Windows\system32\Hbfmgaic.exe49⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Hddiclhf.exeC:\Windows\system32\Hddiclhf.exe50⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Hknapf32.exeC:\Windows\system32\Hknapf32.exe51⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Hojnaehl.exeC:\Windows\system32\Hojnaehl.exe52⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Hbhjmqgp.exeC:\Windows\system32\Hbhjmqgp.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Idffilfd.exeC:\Windows\system32\Idffilfd.exe54⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Igebegeg.exeC:\Windows\system32\Igebegeg.exe55⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Inokbamd.exeC:\Windows\system32\Inokbamd.exe56⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Idicol32.exeC:\Windows\system32\Idicol32.exe57⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Iggokg32.exeC:\Windows\system32\Iggokg32.exe58⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Ioogld32.exeC:\Windows\system32\Ioogld32.exe59⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Ifhoiokd.exeC:\Windows\system32\Ifhoiokd.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:5064 -
C:\Windows\SysWOW64\Iiglejjg.exeC:\Windows\system32\Iiglejjg.exe61⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ikehaejk.exeC:\Windows\system32\Ikehaejk.exe62⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Incdma32.exeC:\Windows\system32\Incdma32.exe63⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Idnljkpl.exeC:\Windows\system32\Idnljkpl.exe64⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Iglhffop.exeC:\Windows\system32\Iglhffop.exe65⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Iocqgdpb.exeC:\Windows\system32\Iocqgdpb.exe66⤵PID:2104
-
C:\Windows\SysWOW64\Ibamcooe.exeC:\Windows\system32\Ibamcooe.exe67⤵PID:4944
-
C:\Windows\SysWOW64\Ifmidn32.exeC:\Windows\system32\Ifmidn32.exe68⤵PID:4188
-
C:\Windows\SysWOW64\Ignekfmm.exeC:\Windows\system32\Ignekfmm.exe69⤵PID:3692
-
C:\Windows\SysWOW64\Inhnhp32.exeC:\Windows\system32\Inhnhp32.exe70⤵PID:2908
-
C:\Windows\SysWOW64\Jgqbaf32.exeC:\Windows\system32\Jgqbaf32.exe71⤵PID:3696
-
C:\Windows\SysWOW64\Jnkjnpbg.exeC:\Windows\system32\Jnkjnpbg.exe72⤵PID:4948
-
C:\Windows\SysWOW64\Jedbjj32.exeC:\Windows\system32\Jedbjj32.exe73⤵PID:4956
-
C:\Windows\SysWOW64\Jipnkibm.exeC:\Windows\system32\Jipnkibm.exe74⤵PID:2496
-
C:\Windows\SysWOW64\Jojghc32.exeC:\Windows\system32\Jojghc32.exe75⤵PID:5024
-
C:\Windows\SysWOW64\Jfdodm32.exeC:\Windows\system32\Jfdodm32.exe76⤵PID:3748
-
C:\Windows\SysWOW64\Jibkqh32.exeC:\Windows\system32\Jibkqh32.exe77⤵PID:1696
-
C:\Windows\SysWOW64\Jgeklege.exeC:\Windows\system32\Jgeklege.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4732 -
C:\Windows\SysWOW64\Jpmcmbhg.exeC:\Windows\system32\Jpmcmbhg.exe79⤵PID:3236
-
C:\Windows\SysWOW64\Jbkpingk.exeC:\Windows\system32\Jbkpingk.exe80⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1676 -
C:\Windows\SysWOW64\Jiehfh32.exeC:\Windows\system32\Jiehfh32.exe81⤵PID:3448
-
C:\Windows\SysWOW64\Jkcdbc32.exeC:\Windows\system32\Jkcdbc32.exe82⤵PID:396
-
C:\Windows\SysWOW64\Jnapno32.exeC:\Windows\system32\Jnapno32.exe83⤵PID:1800
-
C:\Windows\SysWOW64\Jigdlhle.exeC:\Windows\system32\Jigdlhle.exe84⤵
- System Location Discovery: System Language Discovery
PID:4044 -
C:\Windows\SysWOW64\Jpamhb32.exeC:\Windows\system32\Jpamhb32.exe85⤵PID:2184
-
C:\Windows\SysWOW64\Kbpidm32.exeC:\Windows\system32\Kbpidm32.exe86⤵PID:552
-
C:\Windows\SysWOW64\Kijaagjb.exeC:\Windows\system32\Kijaagjb.exe87⤵PID:4744
-
C:\Windows\SysWOW64\Klhnmcif.exeC:\Windows\system32\Klhnmcif.exe88⤵PID:2900
-
C:\Windows\SysWOW64\Knfjinhj.exeC:\Windows\system32\Knfjinhj.exe89⤵PID:392
-
C:\Windows\SysWOW64\Kbbfjm32.exeC:\Windows\system32\Kbbfjm32.exe90⤵PID:4688
-
C:\Windows\SysWOW64\Khonbdoj.exeC:\Windows\system32\Khonbdoj.exe91⤵PID:1680
-
C:\Windows\SysWOW64\Knifon32.exeC:\Windows\system32\Knifon32.exe92⤵PID:1500
-
C:\Windows\SysWOW64\Kbdbpmop.exeC:\Windows\system32\Kbdbpmop.exe93⤵PID:1452
-
C:\Windows\SysWOW64\Kebolhnd.exeC:\Windows\system32\Kebolhnd.exe94⤵PID:3948
-
C:\Windows\SysWOW64\Khakhcmg.exeC:\Windows\system32\Khakhcmg.exe95⤵PID:376
-
C:\Windows\SysWOW64\Kphcianj.exeC:\Windows\system32\Kphcianj.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4848 -
C:\Windows\SysWOW64\Knkcdn32.exeC:\Windows\system32\Knkcdn32.exe97⤵PID:4596
-
C:\Windows\SysWOW64\Kbgoelmm.exeC:\Windows\system32\Kbgoelmm.exe98⤵
- Modifies registry class
PID:4984 -
C:\Windows\SysWOW64\Keekahla.exeC:\Windows\system32\Keekahla.exe99⤵
- Modifies registry class
PID:5012 -
C:\Windows\SysWOW64\Khchmc32.exeC:\Windows\system32\Khchmc32.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Kpkpoq32.exeC:\Windows\system32\Kpkpoq32.exe101⤵PID:60
-
C:\Windows\SysWOW64\Kicdgfbg.exeC:\Windows\system32\Kicdgfbg.exe102⤵PID:5144
-
C:\Windows\SysWOW64\Lpmldp32.exeC:\Windows\system32\Lpmldp32.exe103⤵PID:5188
-
C:\Windows\SysWOW64\Lnpmpmpo.exeC:\Windows\system32\Lnpmpmpo.exe104⤵
- System Location Discovery: System Language Discovery
PID:5232 -
C:\Windows\SysWOW64\Lieamfpe.exeC:\Windows\system32\Lieamfpe.exe105⤵PID:5276
-
C:\Windows\SysWOW64\Lnbiem32.exeC:\Windows\system32\Lnbiem32.exe106⤵PID:5320
-
C:\Windows\SysWOW64\Lflnlj32.exeC:\Windows\system32\Lflnlj32.exe107⤵PID:5364
-
C:\Windows\SysWOW64\Lhmjcbcj.exeC:\Windows\system32\Lhmjcbcj.exe108⤵PID:5408
-
C:\Windows\SysWOW64\Lpdbeo32.exeC:\Windows\system32\Lpdbeo32.exe109⤵PID:5452
-
C:\Windows\SysWOW64\Leqkmf32.exeC:\Windows\system32\Leqkmf32.exe110⤵PID:5496
-
C:\Windows\SysWOW64\Llkcjpiq.exeC:\Windows\system32\Llkcjpiq.exe111⤵PID:5540
-
C:\Windows\SysWOW64\Lpfojo32.exeC:\Windows\system32\Lpfojo32.exe112⤵PID:5584
-
C:\Windows\SysWOW64\Lfpggiif.exeC:\Windows\system32\Lfpggiif.exe113⤵PID:5628
-
C:\Windows\SysWOW64\Lhadoa32.exeC:\Windows\system32\Lhadoa32.exe114⤵
- Drops file in System32 directory
PID:5672 -
C:\Windows\SysWOW64\Mpilpo32.exeC:\Windows\system32\Mpilpo32.exe115⤵PID:5716
-
C:\Windows\SysWOW64\Mfbdmi32.exeC:\Windows\system32\Mfbdmi32.exe116⤵PID:5760
-
C:\Windows\SysWOW64\Meedheno.exeC:\Windows\system32\Meedheno.exe117⤵PID:5800
-
C:\Windows\SysWOW64\Mlomep32.exeC:\Windows\system32\Mlomep32.exe118⤵PID:5852
-
C:\Windows\SysWOW64\Mpkhenmd.exeC:\Windows\system32\Mpkhenmd.exe119⤵PID:5900
-
C:\Windows\SysWOW64\Mbieajlh.exeC:\Windows\system32\Mbieajlh.exe120⤵PID:5948
-
C:\Windows\SysWOW64\Mehanell.exeC:\Windows\system32\Mehanell.exe121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6020 -
C:\Windows\SysWOW64\Micmnd32.exeC:\Windows\system32\Micmnd32.exe122⤵PID:6076
-