Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
61s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
10/10/2024, 14:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5f5d88751bbf0c90dfd28762ee2995a452daf2f2f609e0b112248fc7bc0a7135N.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
5f5d88751bbf0c90dfd28762ee2995a452daf2f2f609e0b112248fc7bc0a7135N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
5f5d88751bbf0c90dfd28762ee2995a452daf2f2f609e0b112248fc7bc0a7135N.exe
-
Size
422KB
-
MD5
f66f92a25a12da3ded7ec166f3190bc0
-
SHA1
b02ac5b1d4a90c4934af203889b49e5618a030a4
-
SHA256
5f5d88751bbf0c90dfd28762ee2995a452daf2f2f609e0b112248fc7bc0a7135
-
SHA512
53fceda3484409fe30fa1e68764b90d0ef21f334cb5c2cc32b9e33ba17a4e3e4ebcf59866c05f19e1349f69b46b2a6623dd854b88cdb8f146ee33408f0e68276
-
SSDEEP
6144:66gl3babO6FSPnvZU1AF+6FSPnvZhDYsKKo6FSPnvZU1AF+6FSPnvZq:660GaXgA4XfczXgA4XA
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijphqbpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddobpbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjkehhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgaqohql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acbnggjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fleihi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbgela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckijdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhobldaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkbhco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghbhhnhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgokcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehclbpic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lojjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbanlfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qajfmbna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlifcqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnoaliln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joepjokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfcoedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhfhaoec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhpdkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iniidj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lphnlcnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhegcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jneoojeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joenaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkigbef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmbfhfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qekdpkgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajibckpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fleihi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehdpcahk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lppkgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbidof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmqckf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiafff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlmaad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qekdpkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdhpgeeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofbikf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aenileon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmkfqind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcmkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcneklck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghloe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgqcel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhigo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ginefe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegbpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bemmenhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akmlacdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieaekdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akmlacdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmjdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhddjngm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpocno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcihdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknfeege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgaoic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkfhglen.exe -
Executes dropped EXE 64 IoCs
pid Process 3036 Meemgk32.exe 2756 Malmllfb.exe 3052 Mgkbjb32.exe 2828 Nikkkn32.exe 2904 Neblqoel.exe 1064 Nlanhh32.exe 2228 Ngjoif32.exe 552 Onipqp32.exe 2972 Ofdeeb32.exe 992 Ojbnkp32.exe 2372 Peqhgmdd.exe 756 Pbdipa32.exe 1360 Pnkiebib.exe 604 Qfkgdd32.exe 2248 Acohnhab.exe 2332 Ainmlomf.exe 2604 Ahcjmkbo.exe 1972 Bjfpdf32.exe 1796 Bfmqigba.exe 2244 Bacefpbg.exe 612 Bknfeege.exe 544 Bdfjnkne.exe 2504 Biccfalm.exe 852 Cbkgog32.exe 2508 Ciepkajj.exe 2792 Codeih32.exe 2804 Chofhm32.exe 3016 Chabmm32.exe 2656 Dpmgao32.exe 1056 Dnqhkcdo.exe 1768 Dncdqcbl.exe 2392 Ekpkhkji.exe 2920 Ehclbpic.exe 2988 Eomdoj32.exe 2964 Ejgeogmn.exe 772 Ekfaij32.exe 2156 Egmbnkie.exe 2040 Engjkeab.exe 1252 Fjnkpf32.exe 2356 Fqhclqnc.exe 1608 Fpmpnmck.exe 1320 Fejifdab.exe 1492 Fbniohpl.exe 508 Fpbihl32.exe 2068 Feobac32.exe 1668 Gjljij32.exe 2152 Gddobpbe.exe 2516 Gmlckehe.exe 1460 Ghbhhnhk.exe 3064 Gmoppefc.exe 2524 Gdihmo32.exe 2816 Gmamfddp.exe 928 Gjemoi32.exe 3024 Hbpbck32.exe 428 Hlhfmqge.exe 2324 Hhogaamj.exe 2424 Hahljg32.exe 2004 Hkppcmjk.exe 2416 Hdhdlbpk.exe 1412 Honiikpa.exe 372 Hdkaabnh.exe 2916 Imcfjg32.exe 2536 Ikgfdlcb.exe 2204 Ipdolbbj.exe -
Loads dropped DLL 64 IoCs
pid Process 1852 5f5d88751bbf0c90dfd28762ee2995a452daf2f2f609e0b112248fc7bc0a7135N.exe 1852 5f5d88751bbf0c90dfd28762ee2995a452daf2f2f609e0b112248fc7bc0a7135N.exe 3036 Meemgk32.exe 3036 Meemgk32.exe 2756 Malmllfb.exe 2756 Malmllfb.exe 3052 Mgkbjb32.exe 3052 Mgkbjb32.exe 2828 Nikkkn32.exe 2828 Nikkkn32.exe 2904 Neblqoel.exe 2904 Neblqoel.exe 1064 Nlanhh32.exe 1064 Nlanhh32.exe 2228 Ngjoif32.exe 2228 Ngjoif32.exe 552 Onipqp32.exe 552 Onipqp32.exe 2972 Ofdeeb32.exe 2972 Ofdeeb32.exe 992 Ojbnkp32.exe 992 Ojbnkp32.exe 2372 Peqhgmdd.exe 2372 Peqhgmdd.exe 756 Pbdipa32.exe 756 Pbdipa32.exe 1360 Pnkiebib.exe 1360 Pnkiebib.exe 604 Qfkgdd32.exe 604 Qfkgdd32.exe 2248 Acohnhab.exe 2248 Acohnhab.exe 2332 Ainmlomf.exe 2332 Ainmlomf.exe 2604 Ahcjmkbo.exe 2604 Ahcjmkbo.exe 1972 Bjfpdf32.exe 1972 Bjfpdf32.exe 1796 Bfmqigba.exe 1796 Bfmqigba.exe 2244 Bacefpbg.exe 2244 Bacefpbg.exe 612 Bknfeege.exe 612 Bknfeege.exe 544 Bdfjnkne.exe 544 Bdfjnkne.exe 2504 Biccfalm.exe 2504 Biccfalm.exe 852 Cbkgog32.exe 852 Cbkgog32.exe 1564 Ccnddg32.exe 1564 Ccnddg32.exe 2792 Codeih32.exe 2792 Codeih32.exe 2804 Chofhm32.exe 2804 Chofhm32.exe 3016 Chabmm32.exe 3016 Chabmm32.exe 2656 Dpmgao32.exe 2656 Dpmgao32.exe 1056 Dnqhkcdo.exe 1056 Dnqhkcdo.exe 1768 Dncdqcbl.exe 1768 Dncdqcbl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Caccnllf.exe Chkoef32.exe File opened for modification C:\Windows\SysWOW64\Joenaf32.exe Jdpidm32.exe File opened for modification C:\Windows\SysWOW64\Nbddfe32.exe Njipabhe.exe File created C:\Windows\SysWOW64\Cenqenin.dll Cpgglifo.exe File opened for modification C:\Windows\SysWOW64\Kccian32.exe Kjkehhjf.exe File created C:\Windows\SysWOW64\Kdeehe32.exe Johlpoij.exe File created C:\Windows\SysWOW64\Aejlka32.dll Kbokda32.exe File created C:\Windows\SysWOW64\Ggmldj32.exe Gmegkd32.exe File created C:\Windows\SysWOW64\Jomadboo.dll Cimooo32.exe File created C:\Windows\SysWOW64\Cmjdcm32.exe Caccnllf.exe File created C:\Windows\SysWOW64\Inlepl32.dll Jmqckf32.exe File created C:\Windows\SysWOW64\Enjaiiho.dll Mbhnpplb.exe File created C:\Windows\SysWOW64\Lpgqlc32.exe Lhklha32.exe File opened for modification C:\Windows\SysWOW64\Ammoel32.exe Aebjaj32.exe File created C:\Windows\SysWOW64\Dpgckm32.exe Djmknb32.exe File created C:\Windows\SysWOW64\Acmbambf.dll Qhdfdb32.exe File opened for modification C:\Windows\SysWOW64\Aokfpjai.exe Aoijjjcl.exe File created C:\Windows\SysWOW64\Ncejcg32.exe Nqgngk32.exe File created C:\Windows\SysWOW64\Ohqbbi32.exe Oepianef.exe File opened for modification C:\Windows\SysWOW64\Ankckagj.exe Akmgoehg.exe File created C:\Windows\SysWOW64\Ipijpkei.exe Iiobcq32.exe File opened for modification C:\Windows\SysWOW64\Dippfplg.exe Cohlnkeg.exe File created C:\Windows\SysWOW64\Engjkeab.exe Egmbnkie.exe File opened for modification C:\Windows\SysWOW64\Lbjjekhl.exe Llpaha32.exe File created C:\Windows\SysWOW64\Mgaqohql.exe Mkkpjg32.exe File created C:\Windows\SysWOW64\Bnfagl32.dll Gjemoi32.exe File created C:\Windows\SysWOW64\Lhjdeqif.dll Kflcok32.exe File opened for modification C:\Windows\SysWOW64\Jlbhjkij.exe Ilpkel32.exe File opened for modification C:\Windows\SysWOW64\Okcchbnn.exe Oqmokioh.exe File opened for modification C:\Windows\SysWOW64\Fbiijb32.exe Fkoqmhii.exe File opened for modification C:\Windows\SysWOW64\Hnljkf32.exe Hgbanlfc.exe File created C:\Windows\SysWOW64\Qnpjec32.dll Mdcfle32.exe File created C:\Windows\SysWOW64\Omefae32.dll Mbpibm32.exe File created C:\Windows\SysWOW64\Eikkoh32.dll Okijhmcm.exe File created C:\Windows\SysWOW64\Echoepmo.exe Ddqeodjj.exe File created C:\Windows\SysWOW64\Kimfdido.dll Icnbic32.exe File opened for modification C:\Windows\SysWOW64\Jbooen32.exe Jlegic32.exe File created C:\Windows\SysWOW64\Ekpkhkji.exe Dncdqcbl.exe File created C:\Windows\SysWOW64\Hmeanaca.dll Flmecm32.exe File created C:\Windows\SysWOW64\Npqbka32.dll Jaolad32.exe File opened for modification C:\Windows\SysWOW64\Ngjoif32.exe Nlanhh32.exe File created C:\Windows\SysWOW64\Mcekkkmc.exe Mgnkfjho.exe File created C:\Windows\SysWOW64\Mbbkabdh.exe Lbpolb32.exe File opened for modification C:\Windows\SysWOW64\Gpfggeai.exe Gemfghek.exe File created C:\Windows\SysWOW64\Nqdjge32.exe Nhmbfhfd.exe File created C:\Windows\SysWOW64\Qoqhncgp.exe Qekdpkgj.exe File created C:\Windows\SysWOW64\Jpeafo32.exe Jgmlmj32.exe File opened for modification C:\Windows\SysWOW64\Cnpnga32.exe Claake32.exe File opened for modification C:\Windows\SysWOW64\Phklcn32.exe Ppogok32.exe File created C:\Windows\SysWOW64\Cejnde32.dll Hgbanlfc.exe File created C:\Windows\SysWOW64\Loocanbe.exe Liekddkh.exe File created C:\Windows\SysWOW64\Obchjdci.dll Bfblmofp.exe File created C:\Windows\SysWOW64\Dahobdpe.exe Cgpjin32.exe File opened for modification C:\Windows\SysWOW64\Gjpakdbl.exe Geeekf32.exe File opened for modification C:\Windows\SysWOW64\Eenabkfk.exe Epqhjdhc.exe File created C:\Windows\SysWOW64\Eigaib32.dll Mbbkabdh.exe File created C:\Windows\SysWOW64\Fclmem32.exe Flbehbqm.exe File created C:\Windows\SysWOW64\Fegffg32.dll Oecnkk32.exe File created C:\Windows\SysWOW64\Donklh32.dll Ofbikf32.exe File opened for modification C:\Windows\SysWOW64\Mjkmfn32.exe Lndlamke.exe File created C:\Windows\SysWOW64\Piffca32.dll Bafkookd.exe File opened for modification C:\Windows\SysWOW64\Bjalndpb.exe Bbfgiabg.exe File opened for modification C:\Windows\SysWOW64\Jlkigbef.exe Jilmkffb.exe File created C:\Windows\SysWOW64\Goplnb32.dll Gmoppefc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6836 6684 Process not Found 1185 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oecnkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhaefepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgibijkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckjmpko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjfdcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjjmeie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doocln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppogok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acohnhab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmghe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmgodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bipaodah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcljlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhogaamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipdqmje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lighjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikpjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kokppd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjikh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlbaljhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngoinfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjbphod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmiikipg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kninog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfobjdoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhlogo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekpkhkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dalfdjdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figoefkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemmenhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpnga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcdljghj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqoocmcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhpigk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcamln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkaabnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amebjgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbccnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndlamke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcfle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnmhajo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdihmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Innbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cejfckie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epakcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibbioilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Docjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhdlbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akmlacdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlialfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkakbpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlckehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjmcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmoceol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liekddkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjbhgolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ophanl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcaahofh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jneoojeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ninjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgfmlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chohqebq.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbcbcgp.dll" Nkbcgnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpdpkfga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpjpc32.dll" Jkpfcnoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbhpddbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acbnggjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpfkg32.dll" Kccian32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgpnjkgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmhimhb.dll" Biccfalm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdbjl32.dll" Jkdfmoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmegkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bphmfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgnkfjho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbokda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akmgoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eagdgaoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gddobpbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Honiikpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpmjjhmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhpdkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncejcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimamm32.dll" Aenileon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joepjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpbabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocdnloph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqbfdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahcjmkbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpmgao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbiijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdfcaegj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmaad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijjebd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnaokn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onipqp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikgfdlcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdoaackf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbhmg32.dll" Gdihmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njjieace.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chohqebq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbddfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minhfcle.dll" Qggoeilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalmek32.dll" Bjfpdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dncdqcbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omgfdhbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nehjmppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndcfjlj.dll" Cohlnkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iganmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmolkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbjpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfndae32.dll" Mlmaad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkmgmf32.dll" Pdngpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkjdpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibdclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihpfhhme.dll" Koeeoljm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bknfeege.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enmqjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcneklck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibdclp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfkakbpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmelfeqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghbhhnhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmamfddp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnjagdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeenfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oemfahcn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1852 wrote to memory of 3036 1852 5f5d88751bbf0c90dfd28762ee2995a452daf2f2f609e0b112248fc7bc0a7135N.exe 30 PID 1852 wrote to memory of 3036 1852 5f5d88751bbf0c90dfd28762ee2995a452daf2f2f609e0b112248fc7bc0a7135N.exe 30 PID 1852 wrote to memory of 3036 1852 5f5d88751bbf0c90dfd28762ee2995a452daf2f2f609e0b112248fc7bc0a7135N.exe 30 PID 1852 wrote to memory of 3036 1852 5f5d88751bbf0c90dfd28762ee2995a452daf2f2f609e0b112248fc7bc0a7135N.exe 30 PID 3036 wrote to memory of 2756 3036 Meemgk32.exe 31 PID 3036 wrote to memory of 2756 3036 Meemgk32.exe 31 PID 3036 wrote to memory of 2756 3036 Meemgk32.exe 31 PID 3036 wrote to memory of 2756 3036 Meemgk32.exe 31 PID 2756 wrote to memory of 3052 2756 Malmllfb.exe 32 PID 2756 wrote to memory of 3052 2756 Malmllfb.exe 32 PID 2756 wrote to memory of 3052 2756 Malmllfb.exe 32 PID 2756 wrote to memory of 3052 2756 Malmllfb.exe 32 PID 3052 wrote to memory of 2828 3052 Mgkbjb32.exe 33 PID 3052 wrote to memory of 2828 3052 Mgkbjb32.exe 33 PID 3052 wrote to memory of 2828 3052 Mgkbjb32.exe 33 PID 3052 wrote to memory of 2828 3052 Mgkbjb32.exe 33 PID 2828 wrote to memory of 2904 2828 Nikkkn32.exe 34 PID 2828 wrote to memory of 2904 2828 Nikkkn32.exe 34 PID 2828 wrote to memory of 2904 2828 Nikkkn32.exe 34 PID 2828 wrote to memory of 2904 2828 Nikkkn32.exe 34 PID 2904 wrote to memory of 1064 2904 Neblqoel.exe 35 PID 2904 wrote to memory of 1064 2904 Neblqoel.exe 35 PID 2904 wrote to memory of 1064 2904 Neblqoel.exe 35 PID 2904 wrote to memory of 1064 2904 Neblqoel.exe 35 PID 1064 wrote to memory of 2228 1064 Nlanhh32.exe 36 PID 1064 wrote to memory of 2228 1064 Nlanhh32.exe 36 PID 1064 wrote to memory of 2228 1064 Nlanhh32.exe 36 PID 1064 wrote to memory of 2228 1064 Nlanhh32.exe 36 PID 2228 wrote to memory of 552 2228 Ngjoif32.exe 37 PID 2228 wrote to memory of 552 2228 Ngjoif32.exe 37 PID 2228 wrote to memory of 552 2228 Ngjoif32.exe 37 PID 2228 wrote to memory of 552 2228 Ngjoif32.exe 37 PID 552 wrote to memory of 2972 552 Onipqp32.exe 38 PID 552 wrote to memory of 2972 552 Onipqp32.exe 38 PID 552 wrote to memory of 2972 552 Onipqp32.exe 38 PID 552 wrote to memory of 2972 552 Onipqp32.exe 38 PID 2972 wrote to memory of 992 2972 Ofdeeb32.exe 39 PID 2972 wrote to memory of 992 2972 Ofdeeb32.exe 39 PID 2972 wrote to memory of 992 2972 Ofdeeb32.exe 39 PID 2972 wrote to memory of 992 2972 Ofdeeb32.exe 39 PID 992 wrote to memory of 2372 992 Ojbnkp32.exe 40 PID 992 wrote to memory of 2372 992 Ojbnkp32.exe 40 PID 992 wrote to memory of 2372 992 Ojbnkp32.exe 40 PID 992 wrote to memory of 2372 992 Ojbnkp32.exe 40 PID 2372 wrote to memory of 756 2372 Peqhgmdd.exe 41 PID 2372 wrote to memory of 756 2372 Peqhgmdd.exe 41 PID 2372 wrote to memory of 756 2372 Peqhgmdd.exe 41 PID 2372 wrote to memory of 756 2372 Peqhgmdd.exe 41 PID 756 wrote to memory of 1360 756 Pbdipa32.exe 42 PID 756 wrote to memory of 1360 756 Pbdipa32.exe 42 PID 756 wrote to memory of 1360 756 Pbdipa32.exe 42 PID 756 wrote to memory of 1360 756 Pbdipa32.exe 42 PID 1360 wrote to memory of 604 1360 Pnkiebib.exe 43 PID 1360 wrote to memory of 604 1360 Pnkiebib.exe 43 PID 1360 wrote to memory of 604 1360 Pnkiebib.exe 43 PID 1360 wrote to memory of 604 1360 Pnkiebib.exe 43 PID 604 wrote to memory of 2248 604 Qfkgdd32.exe 44 PID 604 wrote to memory of 2248 604 Qfkgdd32.exe 44 PID 604 wrote to memory of 2248 604 Qfkgdd32.exe 44 PID 604 wrote to memory of 2248 604 Qfkgdd32.exe 44 PID 2248 wrote to memory of 2332 2248 Acohnhab.exe 45 PID 2248 wrote to memory of 2332 2248 Acohnhab.exe 45 PID 2248 wrote to memory of 2332 2248 Acohnhab.exe 45 PID 2248 wrote to memory of 2332 2248 Acohnhab.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f5d88751bbf0c90dfd28762ee2995a452daf2f2f609e0b112248fc7bc0a7135N.exe"C:\Users\Admin\AppData\Local\Temp\5f5d88751bbf0c90dfd28762ee2995a452daf2f2f609e0b112248fc7bc0a7135N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Meemgk32.exeC:\Windows\system32\Meemgk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Malmllfb.exeC:\Windows\system32\Malmllfb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Mgkbjb32.exeC:\Windows\system32\Mgkbjb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Nikkkn32.exeC:\Windows\system32\Nikkkn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Neblqoel.exeC:\Windows\system32\Neblqoel.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Nlanhh32.exeC:\Windows\system32\Nlanhh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Ngjoif32.exeC:\Windows\system32\Ngjoif32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Onipqp32.exeC:\Windows\system32\Onipqp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Ofdeeb32.exeC:\Windows\system32\Ofdeeb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ojbnkp32.exeC:\Windows\system32\Ojbnkp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Peqhgmdd.exeC:\Windows\system32\Peqhgmdd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Pbdipa32.exeC:\Windows\system32\Pbdipa32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Pnkiebib.exeC:\Windows\system32\Pnkiebib.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Qfkgdd32.exeC:\Windows\system32\Qfkgdd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\Acohnhab.exeC:\Windows\system32\Acohnhab.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Ainmlomf.exeC:\Windows\system32\Ainmlomf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Ahcjmkbo.exeC:\Windows\system32\Ahcjmkbo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Bjfpdf32.exeC:\Windows\system32\Bjfpdf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Bfmqigba.exeC:\Windows\system32\Bfmqigba.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Bacefpbg.exeC:\Windows\system32\Bacefpbg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Bknfeege.exeC:\Windows\system32\Bknfeege.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Bdfjnkne.exeC:\Windows\system32\Bdfjnkne.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Biccfalm.exeC:\Windows\system32\Biccfalm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Cbkgog32.exeC:\Windows\system32\Cbkgog32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Ciepkajj.exeC:\Windows\system32\Ciepkajj.exe26⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ccnddg32.exeC:\Windows\system32\Ccnddg32.exe27⤵
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Codeih32.exeC:\Windows\system32\Codeih32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Chofhm32.exeC:\Windows\system32\Chofhm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Chabmm32.exeC:\Windows\system32\Chabmm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Dpmgao32.exeC:\Windows\system32\Dpmgao32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Dnqhkcdo.exeC:\Windows\system32\Dnqhkcdo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Dncdqcbl.exeC:\Windows\system32\Dncdqcbl.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Ekpkhkji.exeC:\Windows\system32\Ekpkhkji.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Ehclbpic.exeC:\Windows\system32\Ehclbpic.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Eomdoj32.exeC:\Windows\system32\Eomdoj32.exe36⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Ejgeogmn.exeC:\Windows\system32\Ejgeogmn.exe37⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Ekfaij32.exeC:\Windows\system32\Ekfaij32.exe38⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Egmbnkie.exeC:\Windows\system32\Egmbnkie.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Engjkeab.exeC:\Windows\system32\Engjkeab.exe40⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Fjnkpf32.exeC:\Windows\system32\Fjnkpf32.exe41⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Fqhclqnc.exeC:\Windows\system32\Fqhclqnc.exe42⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Fpmpnmck.exeC:\Windows\system32\Fpmpnmck.exe43⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Fejifdab.exeC:\Windows\system32\Fejifdab.exe44⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Fbniohpl.exeC:\Windows\system32\Fbniohpl.exe45⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Fpbihl32.exeC:\Windows\system32\Fpbihl32.exe46⤵
- Executes dropped EXE
PID:508 -
C:\Windows\SysWOW64\Feobac32.exeC:\Windows\system32\Feobac32.exe47⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Gjljij32.exeC:\Windows\system32\Gjljij32.exe48⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Gddobpbe.exeC:\Windows\system32\Gddobpbe.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Gmlckehe.exeC:\Windows\system32\Gmlckehe.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Ghbhhnhk.exeC:\Windows\system32\Ghbhhnhk.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Gmoppefc.exeC:\Windows\system32\Gmoppefc.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Gdihmo32.exeC:\Windows\system32\Gdihmo32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Gmamfddp.exeC:\Windows\system32\Gmamfddp.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Gjemoi32.exeC:\Windows\system32\Gjemoi32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Hbpbck32.exeC:\Windows\system32\Hbpbck32.exe56⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Hlhfmqge.exeC:\Windows\system32\Hlhfmqge.exe57⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Hhogaamj.exeC:\Windows\system32\Hhogaamj.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Hahljg32.exeC:\Windows\system32\Hahljg32.exe59⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Hkppcmjk.exeC:\Windows\system32\Hkppcmjk.exe60⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Hdhdlbpk.exeC:\Windows\system32\Hdhdlbpk.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Honiikpa.exeC:\Windows\system32\Honiikpa.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Hdkaabnh.exeC:\Windows\system32\Hdkaabnh.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:372 -
C:\Windows\SysWOW64\Imcfjg32.exeC:\Windows\system32\Imcfjg32.exe64⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Ikgfdlcb.exeC:\Windows\system32\Ikgfdlcb.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Ipdolbbj.exeC:\Windows\system32\Ipdolbbj.exe66⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Icbkhnan.exeC:\Windows\system32\Icbkhnan.exe67⤵PID:2912
-
C:\Windows\SysWOW64\Ilkpac32.exeC:\Windows\system32\Ilkpac32.exe68⤵PID:2528
-
C:\Windows\SysWOW64\Igpdnlgd.exeC:\Windows\system32\Igpdnlgd.exe69⤵PID:2856
-
C:\Windows\SysWOW64\Iokhcodo.exeC:\Windows\system32\Iokhcodo.exe70⤵PID:2136
-
C:\Windows\SysWOW64\Ihdmld32.exeC:\Windows\system32\Ihdmld32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Ionehnbm.exeC:\Windows\system32\Ionehnbm.exe72⤵PID:840
-
C:\Windows\SysWOW64\Jfhmehji.exeC:\Windows\system32\Jfhmehji.exe73⤵PID:2560
-
C:\Windows\SysWOW64\Jkdfmoha.exeC:\Windows\system32\Jkdfmoha.exe74⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Jfjjkhhg.exeC:\Windows\system32\Jfjjkhhg.exe75⤵PID:584
-
C:\Windows\SysWOW64\Jldbgb32.exeC:\Windows\system32\Jldbgb32.exe76⤵PID:2472
-
C:\Windows\SysWOW64\Jneoojeb.exeC:\Windows\system32\Jneoojeb.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Jhkclc32.exeC:\Windows\system32\Jhkclc32.exe78⤵PID:1976
-
C:\Windows\SysWOW64\Jbcgeilh.exeC:\Windows\system32\Jbcgeilh.exe79⤵PID:1580
-
C:\Windows\SysWOW64\Jhmpbc32.exeC:\Windows\system32\Jhmpbc32.exe80⤵PID:784
-
C:\Windows\SysWOW64\Jjnlikic.exeC:\Windows\system32\Jjnlikic.exe81⤵PID:2252
-
C:\Windows\SysWOW64\Jddqgdii.exeC:\Windows\system32\Jddqgdii.exe82⤵PID:1884
-
C:\Windows\SysWOW64\Kmoekf32.exeC:\Windows\system32\Kmoekf32.exe83⤵PID:1680
-
C:\Windows\SysWOW64\Kckjmpko.exeC:\Windows\system32\Kckjmpko.exe84⤵
- System Location Discovery: System Language Discovery
PID:1456 -
C:\Windows\SysWOW64\Kjebjjck.exeC:\Windows\system32\Kjebjjck.exe85⤵PID:2676
-
C:\Windows\SysWOW64\Kflcok32.exeC:\Windows\system32\Kflcok32.exe86⤵
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Kodghqop.exeC:\Windows\system32\Kodghqop.exe87⤵PID:2212
-
C:\Windows\SysWOW64\Kfopdk32.exeC:\Windows\system32\Kfopdk32.exe88⤵PID:860
-
C:\Windows\SysWOW64\Lgbibb32.exeC:\Windows\system32\Lgbibb32.exe89⤵PID:2584
-
C:\Windows\SysWOW64\Lbhmok32.exeC:\Windows\system32\Lbhmok32.exe90⤵PID:2104
-
C:\Windows\SysWOW64\Llpaha32.exeC:\Windows\system32\Llpaha32.exe91⤵
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Lbjjekhl.exeC:\Windows\system32\Lbjjekhl.exe92⤵PID:2268
-
C:\Windows\SysWOW64\Llbnnq32.exeC:\Windows\system32\Llbnnq32.exe93⤵PID:1864
-
C:\Windows\SysWOW64\Laogfg32.exeC:\Windows\system32\Laogfg32.exe94⤵PID:948
-
C:\Windows\SysWOW64\Lflonn32.exeC:\Windows\system32\Lflonn32.exe95⤵PID:744
-
C:\Windows\SysWOW64\Lpddgd32.exeC:\Windows\system32\Lpddgd32.exe96⤵PID:2664
-
C:\Windows\SysWOW64\Lhklha32.exeC:\Windows\system32\Lhklha32.exe97⤵
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Lpgqlc32.exeC:\Windows\system32\Lpgqlc32.exe98⤵PID:1524
-
C:\Windows\SysWOW64\Mfqiingf.exeC:\Windows\system32\Mfqiingf.exe99⤵PID:2596
-
C:\Windows\SysWOW64\Mlmaad32.exeC:\Windows\system32\Mlmaad32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Mmmnkglp.exeC:\Windows\system32\Mmmnkglp.exe101⤵PID:2172
-
C:\Windows\SysWOW64\Monjcp32.exeC:\Windows\system32\Monjcp32.exe102⤵PID:1452
-
C:\Windows\SysWOW64\Ncjbba32.exeC:\Windows\system32\Ncjbba32.exe103⤵PID:2520
-
C:\Windows\SysWOW64\Ncloha32.exeC:\Windows\system32\Ncloha32.exe104⤵PID:1568
-
C:\Windows\SysWOW64\Ooemcb32.exeC:\Windows\system32\Ooemcb32.exe105⤵PID:2180
-
C:\Windows\SysWOW64\Oikapk32.exeC:\Windows\system32\Oikapk32.exe106⤵PID:988
-
C:\Windows\SysWOW64\Oogiha32.exeC:\Windows\system32\Oogiha32.exe107⤵PID:2900
-
C:\Windows\SysWOW64\Oeaael32.exeC:\Windows\system32\Oeaael32.exe108⤵PID:2684
-
C:\Windows\SysWOW64\Oknjmb32.exeC:\Windows\system32\Oknjmb32.exe109⤵PID:2740
-
C:\Windows\SysWOW64\Oecnkk32.exeC:\Windows\system32\Oecnkk32.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Okqgcb32.exeC:\Windows\system32\Okqgcb32.exe111⤵PID:1704
-
C:\Windows\SysWOW64\Oqmokioh.exeC:\Windows\system32\Oqmokioh.exe112⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Okcchbnn.exeC:\Windows\system32\Okcchbnn.exe113⤵PID:996
-
C:\Windows\SysWOW64\Pdkhag32.exeC:\Windows\system32\Pdkhag32.exe114⤵PID:2264
-
C:\Windows\SysWOW64\Pjhpin32.exeC:\Windows\system32\Pjhpin32.exe115⤵PID:1596
-
C:\Windows\SysWOW64\Pfoanp32.exeC:\Windows\system32\Pfoanp32.exe116⤵PID:2696
-
C:\Windows\SysWOW64\Pmiikipg.exeC:\Windows\system32\Pmiikipg.exe117⤵
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Pjmjdnop.exeC:\Windows\system32\Pjmjdnop.exe118⤵PID:2432
-
C:\Windows\SysWOW64\Pmkfqind.exeC:\Windows\system32\Pmkfqind.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Pbhoip32.exeC:\Windows\system32\Pbhoip32.exe120⤵PID:1692
-
C:\Windows\SysWOW64\Pkpcbecl.exeC:\Windows\system32\Pkpcbecl.exe121⤵PID:2276
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-