Analysis
-
max time kernel
97s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 11:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d4e8756fe9b1a11eb7b3530db259b4802be5a32acde0fa464eb6e0c5728b9ec7.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
d4e8756fe9b1a11eb7b3530db259b4802be5a32acde0fa464eb6e0c5728b9ec7.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
10 signatures
120 seconds
General
-
Target
d4e8756fe9b1a11eb7b3530db259b4802be5a32acde0fa464eb6e0c5728b9ec7.exe
-
Size
890KB
-
MD5
0584f42a6e3ca314fbc1706de386db1f
-
SHA1
ff7f89582d28b87fd5b66969ca4033ac014cccdc
-
SHA256
d4e8756fe9b1a11eb7b3530db259b4802be5a32acde0fa464eb6e0c5728b9ec7
-
SHA512
20b9114c66fc5860ea65bbd19e315a448ade23a2782b28c873fdd8206502469d81736d0d64e070979f34032c8a87779cf36f2d1307cbd8102083f3cef3d1c7c5
-
SSDEEP
6144:KGGb8Ed9nhPQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NR5fa:ovDU/Ng1/Nmr/Ng1/Nblt01PBNkEG
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjilfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipqbdpqk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnhdabcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gipbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbnked32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipliiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejgjbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Philml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oilbajjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dphaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aocmqcea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cifmfeee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhpkcdbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giheoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoqkkfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpphm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mklbjcpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdpfbbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnilic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fghche32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhafkimf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffqfmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbkpingk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbgoelmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdhedio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igahkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mihficpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimpdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maiamqaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okiembdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aldjja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckafbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmgfjfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhfba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpbofm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdhedio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmbfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fddffd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioljfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfdhkkcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djjclgib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nafgdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iffbcomf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbnefkfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gklkdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfgdajaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eakaiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knjljg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgaaai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkdhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqadbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgjlkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmpcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgffbelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghoecg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbgoelmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgjlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mknopcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llhpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcqfenfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aocmqcea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknkfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lggccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiglejjg.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2920 Fehmkchi.exe 4292 Fncboeed.exe 2680 Fneoeeca.exe 4500 Goekohjd.exe 3304 Gacgkcih.exe 2272 Ghmphn32.exe 2472 Gkkldi32.exe 3412 Gnjhpd32.exe 544 Gddqmo32.exe 3452 Ggbmij32.exe 4900 Goiejg32.exe 4252 Gahafc32.exe 3416 Gdfmbn32.exe 2364 Gkpeohlc.exe 2348 Gnoakdkg.exe 4596 Gajnlb32.exe 4988 Gdhjhnbd.exe 4884 Gggfdiag.exe 4604 Gnanqc32.exe 1800 Hfhfba32.exe 3064 Hgiciipe.exe 3976 Hoqkkfpg.exe 208 Hboggbok.exe 1160 Hdmccmno.exe 4984 Hglpoi32.exe 3940 Hocgpf32.exe 3504 Hbadla32.exe 3580 Hdpphm32.exe 4804 Hgnldh32.exe 3952 Hnhdabcl.exe 3180 Hfombpco.exe 1652 Hhmiokbb.exe 1832 Hklekg32.exe 4644 Hnjagb32.exe 3380 Hddiclhf.exe 3700 Hgbfphgj.exe 1140 Hojnaehl.exe 4232 Ifdfno32.exe 632 Igebegeg.exe 2720 Ioljfe32.exe 4352 Iffbcomf.exe 4424 Iidoojlj.exe 3964 Ikckkfln.exe 5032 Ibmchp32.exe 4540 Iiglejjg.exe 3408 Ikehaejk.exe 3688 Ibopnpah.exe 1844 Iiihjj32.exe 612 Ikgdfe32.exe 1676 Ibamcooe.exe 976 Iepiokni.exe 4624 Ikjale32.exe 3532 Jbdiio32.exe 1316 Jebfej32.exe 1920 Jgqbaf32.exe 712 Johjbc32.exe 4088 Jbffno32.exe 1312 Jedbjj32.exe 2828 Jgcofe32.exe 1208 Jojghc32.exe 4848 Jbhcdnim.exe 4164 Jegopjha.exe 4832 Jgeklege.exe 4384 Jpmcmbhg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ikckkfln.exe Iidoojlj.exe File created C:\Windows\SysWOW64\Afkihnoa.exe Ackpfbbp.exe File created C:\Windows\SysWOW64\Gpealj32.exe Gkhhdc32.exe File opened for modification C:\Windows\SysWOW64\Gpealj32.exe Gkhhdc32.exe File created C:\Windows\SysWOW64\Dijpgn32.exe Dmcobm32.exe File created C:\Windows\SysWOW64\Hppjmb32.exe Hkcaek32.exe File created C:\Windows\SysWOW64\Mcdjifod.exe Mmkbllhg.exe File created C:\Windows\SysWOW64\Mjehfoqi.exe Mggljcae.exe File opened for modification C:\Windows\SysWOW64\Hglpoi32.exe Hdmccmno.exe File created C:\Windows\SysWOW64\Amhnjhdk.exe Aocmqcea.exe File created C:\Windows\SysWOW64\Cialgd32.dll Jqfcje32.exe File opened for modification C:\Windows\SysWOW64\Kifnaa32.exe Jnaidi32.exe File opened for modification C:\Windows\SysWOW64\Mebqhp32.exe Lnhhkedi.exe File created C:\Windows\SysWOW64\Mgemng32.dll Melcnn32.exe File created C:\Windows\SysWOW64\Lkpoopfo.dll Oldhlf32.exe File opened for modification C:\Windows\SysWOW64\Nnkgml32.exe Ncecpc32.exe File opened for modification C:\Windows\SysWOW64\Hnbdlm32.exe Hkdhpa32.exe File opened for modification C:\Windows\SysWOW64\Lnhhkedi.exe Lhopok32.exe File opened for modification C:\Windows\SysWOW64\Acglfm32.exe Qhbhid32.exe File opened for modification C:\Windows\SysWOW64\Ndgpec32.exe Nedpjfhd.exe File created C:\Windows\SysWOW64\Mnjgkg32.dll Gkpeohlc.exe File opened for modification C:\Windows\SysWOW64\Ibmchp32.exe Ikckkfln.exe File opened for modification C:\Windows\SysWOW64\Klapcaak.exe Kicdgfbg.exe File opened for modification C:\Windows\SysWOW64\Ihfejdgl.exe Ikbdaphb.exe File created C:\Windows\SysWOW64\Nicokkbf.exe Nbigna32.exe File created C:\Windows\SysWOW64\Nhgepl32.dll Iibalfmd.exe File opened for modification C:\Windows\SysWOW64\Nedpjfhd.exe Nnkgml32.exe File created C:\Windows\SysWOW64\Lgfonj32.dll Jgbhlo32.exe File created C:\Windows\SysWOW64\Gnjhpd32.exe Gkkldi32.exe File created C:\Windows\SysWOW64\Kphcianj.exe Khakhcmg.exe File created C:\Windows\SysWOW64\Knmpjmba.exe Klocnbcn.exe File opened for modification C:\Windows\SysWOW64\Mfbdmi32.exe Mpilpo32.exe File created C:\Windows\SysWOW64\Ejcfbfqg.exe Edinel32.exe File created C:\Windows\SysWOW64\Ffamgf32.exe Faddoo32.exe File created C:\Windows\SysWOW64\Ggfoic32.exe Gplgmifo.exe File created C:\Windows\SysWOW64\Cefmjb32.dll Ckjpblig.exe File opened for modification C:\Windows\SysWOW64\Njahbm32.exe Ndgpec32.exe File created C:\Windows\SysWOW64\Jfedkc32.dll Fehmkchi.exe File created C:\Windows\SysWOW64\Hhmiokbb.exe Hfombpco.exe File opened for modification C:\Windows\SysWOW64\Llhpjj32.exe Liicno32.exe File opened for modification C:\Windows\SysWOW64\Peeokjnm.exe Pbgcoonj.exe File created C:\Windows\SysWOW64\Mopefk32.exe Mbieajlh.exe File opened for modification C:\Windows\SysWOW64\Ogcfjd32.exe Ocemdfdh.exe File created C:\Windows\SysWOW64\Lolpecdd.dll Ghoecg32.exe File created C:\Windows\SysWOW64\Ffakcenp.dll Inlgbl32.exe File created C:\Windows\SysWOW64\Phlibkje.exe Pgjlkc32.exe File created C:\Windows\SysWOW64\Djhffhke.exe Dcnnin32.exe File created C:\Windows\SysWOW64\Pblkke32.dll Eabhjpdo.exe File created C:\Windows\SysWOW64\Fjjeho32.exe Ecpmkepg.exe File created C:\Windows\SysWOW64\Onhlci32.dll Ifdfno32.exe File created C:\Windows\SysWOW64\Ohnlam32.exe Oiklfqpj.exe File opened for modification C:\Windows\SysWOW64\Efmclgdi.exe Eihccbep.exe File opened for modification C:\Windows\SysWOW64\Fgffbelo.exe Fplnfk32.exe File opened for modification C:\Windows\SysWOW64\Gaemfmdj.exe Gineepcg.exe File created C:\Windows\SysWOW64\Giokpimi.exe Gklkdl32.exe File created C:\Windows\SysWOW64\Kknfie32.exe Kcfnhh32.exe File created C:\Windows\SysWOW64\Mbqkbi32.exe Mpbofm32.exe File created C:\Windows\SysWOW64\Kdpaffhg.dll Ohhllhgo.exe File opened for modification C:\Windows\SysWOW64\Bklcqn32.exe Ajkgiepi.exe File opened for modification C:\Windows\SysWOW64\Hkadplbi.exe Hdglca32.exe File opened for modification C:\Windows\SysWOW64\Ijigme32.exe Icoopkpo.exe File created C:\Windows\SysWOW64\Hfhfba32.exe Gnanqc32.exe File created C:\Windows\SysWOW64\Ckchnjec.dll Hdmccmno.exe File created C:\Windows\SysWOW64\Alclhk32.dll Jgqbaf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11684 11596 WerFault.exe 582 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iepiokni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jebfej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Occqof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghoecg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inejhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpold32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdcfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbchhhdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhlgpljo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plijnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklkjpcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgjlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkihnoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpdodim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcjna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmjcbcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcffkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oilbajjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mknopcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaemfmdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kljjcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhadoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfbfao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainnoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknkfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icjeel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhkhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klocnbcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmicbdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqbbedfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naeaio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbnked32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcobm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgaaai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lneekp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkkldi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knifon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcqcmgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebegeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhjnnbem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpqkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noknhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfbaed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mopefk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjcde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbkbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjcfedf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkngopag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggccf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfbpdhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhhpbhao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gplgmifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmohei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hneaam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkdlbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjnocnco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepdbpnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilijl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldhlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qahpljid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keddgahe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kknfie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedpjfhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meigiofm.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2476 Jbkpingk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqjbafle.dll" Gpgggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iibalfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdmccmno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgjegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffamgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcbfbmj.dll" Fpqgakql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnbkadln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oknnhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmmekndg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgkmoelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebjngcc.dll" Kphcianj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnpmpmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqbfk32.dll" Mflgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfpilpio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llhpjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmfahj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhqiai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmnio32.dll" Hnbdlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iknkfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdqihgi.dll" Nilijl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndebdlnb.dll" Qkngopag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfpdodim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hojnaehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kciohajh.dll" Neadddca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgpkfpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgkncf32.dll" Llhpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbhpm32.dll" Naeaio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpeloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeocecgk.dll" Ggbmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhkkacgl.dll" Jnaidi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdpfbbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icoopkpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffephohc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgodlidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfedkc32.dll" Fehmkchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fncboeed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Johjbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phpkkm32.dll" Mifjdcbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algfpjja.dll" Ocemdfdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoicgfjb.dll" Igdlkaal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhihh32.dll" Giahei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipliiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbboak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhnhdc.dll" Lbekfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miapid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inejhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjmdoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjqgmon.dll" Dijpgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbcmhd32.dll" Icjeel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiglejjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmjdk32.dll" Jedbjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgjlkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oilbajjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pemeli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgjbjlfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nafgdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nifbka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpqgakql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdoing32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcqfenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qklkjpcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhif32.dll" Idehdpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lggjnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pboanh32.dll" Nbdmcaoo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2920 2384 d4e8756fe9b1a11eb7b3530db259b4802be5a32acde0fa464eb6e0c5728b9ec7.exe 82 PID 2384 wrote to memory of 2920 2384 d4e8756fe9b1a11eb7b3530db259b4802be5a32acde0fa464eb6e0c5728b9ec7.exe 82 PID 2384 wrote to memory of 2920 2384 d4e8756fe9b1a11eb7b3530db259b4802be5a32acde0fa464eb6e0c5728b9ec7.exe 82 PID 2920 wrote to memory of 4292 2920 Fehmkchi.exe 83 PID 2920 wrote to memory of 4292 2920 Fehmkchi.exe 83 PID 2920 wrote to memory of 4292 2920 Fehmkchi.exe 83 PID 4292 wrote to memory of 2680 4292 Fncboeed.exe 84 PID 4292 wrote to memory of 2680 4292 Fncboeed.exe 84 PID 4292 wrote to memory of 2680 4292 Fncboeed.exe 84 PID 2680 wrote to memory of 4500 2680 Fneoeeca.exe 85 PID 2680 wrote to memory of 4500 2680 Fneoeeca.exe 85 PID 2680 wrote to memory of 4500 2680 Fneoeeca.exe 85 PID 4500 wrote to memory of 3304 4500 Goekohjd.exe 86 PID 4500 wrote to memory of 3304 4500 Goekohjd.exe 86 PID 4500 wrote to memory of 3304 4500 Goekohjd.exe 86 PID 3304 wrote to memory of 2272 3304 Gacgkcih.exe 87 PID 3304 wrote to memory of 2272 3304 Gacgkcih.exe 87 PID 3304 wrote to memory of 2272 3304 Gacgkcih.exe 87 PID 2272 wrote to memory of 2472 2272 Ghmphn32.exe 88 PID 2272 wrote to memory of 2472 2272 Ghmphn32.exe 88 PID 2272 wrote to memory of 2472 2272 Ghmphn32.exe 88 PID 2472 wrote to memory of 3412 2472 Gkkldi32.exe 89 PID 2472 wrote to memory of 3412 2472 Gkkldi32.exe 89 PID 2472 wrote to memory of 3412 2472 Gkkldi32.exe 89 PID 3412 wrote to memory of 544 3412 Gnjhpd32.exe 90 PID 3412 wrote to memory of 544 3412 Gnjhpd32.exe 90 PID 3412 wrote to memory of 544 3412 Gnjhpd32.exe 90 PID 544 wrote to memory of 3452 544 Gddqmo32.exe 91 PID 544 wrote to memory of 3452 544 Gddqmo32.exe 91 PID 544 wrote to memory of 3452 544 Gddqmo32.exe 91 PID 3452 wrote to memory of 4900 3452 Ggbmij32.exe 92 PID 3452 wrote to memory of 4900 3452 Ggbmij32.exe 92 PID 3452 wrote to memory of 4900 3452 Ggbmij32.exe 92 PID 4900 wrote to memory of 4252 4900 Goiejg32.exe 93 PID 4900 wrote to memory of 4252 4900 Goiejg32.exe 93 PID 4900 wrote to memory of 4252 4900 Goiejg32.exe 93 PID 4252 wrote to memory of 3416 4252 Gahafc32.exe 94 PID 4252 wrote to memory of 3416 4252 Gahafc32.exe 94 PID 4252 wrote to memory of 3416 4252 Gahafc32.exe 94 PID 3416 wrote to memory of 2364 3416 Gdfmbn32.exe 95 PID 3416 wrote to memory of 2364 3416 Gdfmbn32.exe 95 PID 3416 wrote to memory of 2364 3416 Gdfmbn32.exe 95 PID 2364 wrote to memory of 2348 2364 Gkpeohlc.exe 96 PID 2364 wrote to memory of 2348 2364 Gkpeohlc.exe 96 PID 2364 wrote to memory of 2348 2364 Gkpeohlc.exe 96 PID 2348 wrote to memory of 4596 2348 Gnoakdkg.exe 97 PID 2348 wrote to memory of 4596 2348 Gnoakdkg.exe 97 PID 2348 wrote to memory of 4596 2348 Gnoakdkg.exe 97 PID 4596 wrote to memory of 4988 4596 Gajnlb32.exe 98 PID 4596 wrote to memory of 4988 4596 Gajnlb32.exe 98 PID 4596 wrote to memory of 4988 4596 Gajnlb32.exe 98 PID 4988 wrote to memory of 4884 4988 Gdhjhnbd.exe 99 PID 4988 wrote to memory of 4884 4988 Gdhjhnbd.exe 99 PID 4988 wrote to memory of 4884 4988 Gdhjhnbd.exe 99 PID 4884 wrote to memory of 4604 4884 Gggfdiag.exe 100 PID 4884 wrote to memory of 4604 4884 Gggfdiag.exe 100 PID 4884 wrote to memory of 4604 4884 Gggfdiag.exe 100 PID 4604 wrote to memory of 1800 4604 Gnanqc32.exe 101 PID 4604 wrote to memory of 1800 4604 Gnanqc32.exe 101 PID 4604 wrote to memory of 1800 4604 Gnanqc32.exe 101 PID 1800 wrote to memory of 3064 1800 Hfhfba32.exe 102 PID 1800 wrote to memory of 3064 1800 Hfhfba32.exe 102 PID 1800 wrote to memory of 3064 1800 Hfhfba32.exe 102 PID 3064 wrote to memory of 3976 3064 Hgiciipe.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4e8756fe9b1a11eb7b3530db259b4802be5a32acde0fa464eb6e0c5728b9ec7.exe"C:\Users\Admin\AppData\Local\Temp\d4e8756fe9b1a11eb7b3530db259b4802be5a32acde0fa464eb6e0c5728b9ec7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Fehmkchi.exeC:\Windows\system32\Fehmkchi.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Fncboeed.exeC:\Windows\system32\Fncboeed.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Fneoeeca.exeC:\Windows\system32\Fneoeeca.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Goekohjd.exeC:\Windows\system32\Goekohjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Gacgkcih.exeC:\Windows\system32\Gacgkcih.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Ghmphn32.exeC:\Windows\system32\Ghmphn32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Gkkldi32.exeC:\Windows\system32\Gkkldi32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Gnjhpd32.exeC:\Windows\system32\Gnjhpd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\Gddqmo32.exeC:\Windows\system32\Gddqmo32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Ggbmij32.exeC:\Windows\system32\Ggbmij32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Goiejg32.exeC:\Windows\system32\Goiejg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Gahafc32.exeC:\Windows\system32\Gahafc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Gdfmbn32.exeC:\Windows\system32\Gdfmbn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Gkpeohlc.exeC:\Windows\system32\Gkpeohlc.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Gnoakdkg.exeC:\Windows\system32\Gnoakdkg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Gajnlb32.exeC:\Windows\system32\Gajnlb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Gdhjhnbd.exeC:\Windows\system32\Gdhjhnbd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Gggfdiag.exeC:\Windows\system32\Gggfdiag.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Gnanqc32.exeC:\Windows\system32\Gnanqc32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Hfhfba32.exeC:\Windows\system32\Hfhfba32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Hgiciipe.exeC:\Windows\system32\Hgiciipe.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Hoqkkfpg.exeC:\Windows\system32\Hoqkkfpg.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Hboggbok.exeC:\Windows\system32\Hboggbok.exe24⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Hdmccmno.exeC:\Windows\system32\Hdmccmno.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Hglpoi32.exeC:\Windows\system32\Hglpoi32.exe26⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Hocgpf32.exeC:\Windows\system32\Hocgpf32.exe27⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Hbadla32.exeC:\Windows\system32\Hbadla32.exe28⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Hdpphm32.exeC:\Windows\system32\Hdpphm32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Hgnldh32.exeC:\Windows\system32\Hgnldh32.exe30⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Hnhdabcl.exeC:\Windows\system32\Hnhdabcl.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Hfombpco.exeC:\Windows\system32\Hfombpco.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3180 -
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe33⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Hklekg32.exeC:\Windows\system32\Hklekg32.exe34⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Hnjagb32.exeC:\Windows\system32\Hnjagb32.exe35⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Hddiclhf.exeC:\Windows\system32\Hddiclhf.exe36⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Hgbfphgj.exeC:\Windows\system32\Hgbfphgj.exe37⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Hojnaehl.exeC:\Windows\system32\Hojnaehl.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Ifdfno32.exeC:\Windows\system32\Ifdfno32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4232 -
C:\Windows\SysWOW64\Igebegeg.exeC:\Windows\system32\Igebegeg.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:632 -
C:\Windows\SysWOW64\Ioljfe32.exeC:\Windows\system32\Ioljfe32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Iffbcomf.exeC:\Windows\system32\Iffbcomf.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Iidoojlj.exeC:\Windows\system32\Iidoojlj.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4424 -
C:\Windows\SysWOW64\Ikckkfln.exeC:\Windows\system32\Ikckkfln.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3964 -
C:\Windows\SysWOW64\Ibmchp32.exeC:\Windows\system32\Ibmchp32.exe45⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Iiglejjg.exeC:\Windows\system32\Iiglejjg.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4540 -
C:\Windows\SysWOW64\Ikehaejk.exeC:\Windows\system32\Ikehaejk.exe47⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Ibopnpah.exeC:\Windows\system32\Ibopnpah.exe48⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Iiihjj32.exeC:\Windows\system32\Iiihjj32.exe49⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Ikgdfe32.exeC:\Windows\system32\Ikgdfe32.exe50⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Ibamcooe.exeC:\Windows\system32\Ibamcooe.exe51⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Iepiokni.exeC:\Windows\system32\Iepiokni.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:976 -
C:\Windows\SysWOW64\Ikjale32.exeC:\Windows\system32\Ikjale32.exe53⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Jbdiio32.exeC:\Windows\system32\Jbdiio32.exe54⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Jebfej32.exeC:\Windows\system32\Jebfej32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\Jgqbaf32.exeC:\Windows\system32\Jgqbaf32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Johjbc32.exeC:\Windows\system32\Johjbc32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:712 -
C:\Windows\SysWOW64\Jbffno32.exeC:\Windows\system32\Jbffno32.exe58⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Jedbjj32.exeC:\Windows\system32\Jedbjj32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Jgcofe32.exeC:\Windows\system32\Jgcofe32.exe60⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Jojghc32.exeC:\Windows\system32\Jojghc32.exe61⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Jbhcdnim.exeC:\Windows\system32\Jbhcdnim.exe62⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Jegopjha.exeC:\Windows\system32\Jegopjha.exe63⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Jgeklege.exeC:\Windows\system32\Jgeklege.exe64⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Jpmcmbhg.exeC:\Windows\system32\Jpmcmbhg.exe65⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Jbkpingk.exeC:\Windows\system32\Jbkpingk.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Network Configuration Discovery: Internet Connection Discovery
PID:2476 -
C:\Windows\SysWOW64\Jeileifo.exeC:\Windows\system32\Jeileifo.exe67⤵PID:2536
-
C:\Windows\SysWOW64\Jghhaeeb.exeC:\Windows\system32\Jghhaeeb.exe68⤵PID:2148
-
C:\Windows\SysWOW64\Jpopcbfd.exeC:\Windows\system32\Jpopcbfd.exe69⤵PID:2124
-
C:\Windows\SysWOW64\Jbmloneh.exeC:\Windows\system32\Jbmloneh.exe70⤵PID:3556
-
C:\Windows\SysWOW64\Jelhki32.exeC:\Windows\system32\Jelhki32.exe71⤵PID:3960
-
C:\Windows\SysWOW64\Jgjegd32.exeC:\Windows\system32\Jgjegd32.exe72⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Jpamhb32.exeC:\Windows\system32\Jpamhb32.exe73⤵PID:556
-
C:\Windows\SysWOW64\Kbbfjm32.exeC:\Windows\system32\Kbbfjm32.exe74⤵PID:2632
-
C:\Windows\SysWOW64\Kilngg32.exeC:\Windows\system32\Kilngg32.exe75⤵PID:2284
-
C:\Windows\SysWOW64\Kljjcb32.exeC:\Windows\system32\Kljjcb32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Knifon32.exeC:\Windows\system32\Knifon32.exe77⤵
- System Location Discovery: System Language Discovery
PID:4556 -
C:\Windows\SysWOW64\Kfpnpk32.exeC:\Windows\system32\Kfpnpk32.exe78⤵PID:2456
-
C:\Windows\SysWOW64\Khakhcmg.exeC:\Windows\system32\Khakhcmg.exe79⤵
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Kphcianj.exeC:\Windows\system32\Kphcianj.exe80⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Kbgoelmm.exeC:\Windows\system32\Kbgoelmm.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3352 -
C:\Windows\SysWOW64\Kiqgbf32.exeC:\Windows\system32\Kiqgbf32.exe82⤵PID:4588
-
C:\Windows\SysWOW64\Klocnbcn.exeC:\Windows\system32\Klocnbcn.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4568 -
C:\Windows\SysWOW64\Knmpjmba.exeC:\Windows\system32\Knmpjmba.exe84⤵PID:4720
-
C:\Windows\SysWOW64\Kfdhkkcd.exeC:\Windows\system32\Kfdhkkcd.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Kicdgfbg.exeC:\Windows\system32\Kicdgfbg.exe86⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Klapcaak.exeC:\Windows\system32\Klapcaak.exe87⤵PID:4360
-
C:\Windows\SysWOW64\Lnpmpmpo.exeC:\Windows\system32\Lnpmpmpo.exe88⤵
- Modifies registry class
PID:5144 -
C:\Windows\SysWOW64\Lfgdajaa.exeC:\Windows\system32\Lfgdajaa.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5188 -
C:\Windows\SysWOW64\Lieamfpe.exeC:\Windows\system32\Lieamfpe.exe90⤵PID:5236
-
C:\Windows\SysWOW64\Lpoijpgb.exeC:\Windows\system32\Lpoijpgb.exe91⤵PID:5272
-
C:\Windows\SysWOW64\Lbnefkfe.exeC:\Windows\system32\Lbnefkfe.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5312 -
C:\Windows\SysWOW64\Lelabgfi.exeC:\Windows\system32\Lelabgfi.exe93⤵PID:5352
-
C:\Windows\SysWOW64\Lhjnnbem.exeC:\Windows\system32\Lhjnnbem.exe94⤵
- System Location Discovery: System Language Discovery
PID:5392 -
C:\Windows\SysWOW64\Lpafopeo.exeC:\Windows\system32\Lpafopeo.exe95⤵PID:5432
-
C:\Windows\SysWOW64\Lbpbkkdc.exeC:\Windows\system32\Lbpbkkdc.exe96⤵PID:5472
-
C:\Windows\SysWOW64\Lenngfcf.exeC:\Windows\system32\Lenngfcf.exe97⤵PID:5512
-
C:\Windows\SysWOW64\Lhmjcbcj.exeC:\Windows\system32\Lhmjcbcj.exe98⤵
- System Location Discovery: System Language Discovery
PID:5552 -
C:\Windows\SysWOW64\Lpdbeo32.exeC:\Windows\system32\Lpdbeo32.exe99⤵PID:5592
-
C:\Windows\SysWOW64\Lbboak32.exeC:\Windows\system32\Lbboak32.exe100⤵
- Modifies registry class
PID:5632 -
C:\Windows\SysWOW64\Lhogia32.exeC:\Windows\system32\Lhogia32.exe101⤵PID:5672
-
C:\Windows\SysWOW64\Lpfojo32.exeC:\Windows\system32\Lpfojo32.exe102⤵PID:5712
-
C:\Windows\SysWOW64\Lbekfj32.exeC:\Windows\system32\Lbekfj32.exe103⤵
- Modifies registry class
PID:5752 -
C:\Windows\SysWOW64\Lechbf32.exeC:\Windows\system32\Lechbf32.exe104⤵PID:5792
-
C:\Windows\SysWOW64\Lhadoa32.exeC:\Windows\system32\Lhadoa32.exe105⤵
- System Location Discovery: System Language Discovery
PID:5832 -
C:\Windows\SysWOW64\Mpilpo32.exeC:\Windows\system32\Mpilpo32.exe106⤵
- Drops file in System32 directory
PID:5868 -
C:\Windows\SysWOW64\Mfbdmi32.exeC:\Windows\system32\Mfbdmi32.exe107⤵PID:5912
-
C:\Windows\SysWOW64\Miapid32.exeC:\Windows\system32\Miapid32.exe108⤵
- Modifies registry class
PID:5952 -
C:\Windows\SysWOW64\Mlomep32.exeC:\Windows\system32\Mlomep32.exe109⤵PID:6008
-
C:\Windows\SysWOW64\Mbieajlh.exeC:\Windows\system32\Mbieajlh.exe110⤵
- Drops file in System32 directory
PID:6056 -
C:\Windows\SysWOW64\Mopefk32.exeC:\Windows\system32\Mopefk32.exe111⤵
- System Location Discovery: System Language Discovery
PID:6096 -
C:\Windows\SysWOW64\Mifjdcbb.exeC:\Windows\system32\Mifjdcbb.exe112⤵
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Mppbqn32.exeC:\Windows\system32\Mppbqn32.exe113⤵PID:4476
-
C:\Windows\SysWOW64\Mfjjmhql.exeC:\Windows\system32\Mfjjmhql.exe114⤵PID:388
-
C:\Windows\SysWOW64\Mihficpp.exeC:\Windows\system32\Mihficpp.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4416 -
C:\Windows\SysWOW64\Mpbofm32.exeC:\Windows\system32\Mpbofm32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Mbqkbi32.exeC:\Windows\system32\Mbqkbi32.exe117⤵PID:4912
-
C:\Windows\SysWOW64\Mflgcg32.exeC:\Windows\system32\Mflgcg32.exe118⤵
- Modifies registry class
PID:4812 -
C:\Windows\SysWOW64\Mijcoc32.exeC:\Windows\system32\Mijcoc32.exe119⤵PID:184
-
C:\Windows\SysWOW64\Npdklmej.exeC:\Windows\system32\Npdklmej.exe120⤵PID:5196
-
C:\Windows\SysWOW64\Nbchhhdm.exeC:\Windows\system32\Nbchhhdm.exe121⤵
- System Location Discovery: System Language Discovery
PID:3280
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-