Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
103s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04/11/2024, 02:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
81a34aaf2d0511691ccad21b26b6b5ecf6f62f3f7cd6ecc61bdc847943811091N.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
81a34aaf2d0511691ccad21b26b6b5ecf6f62f3f7cd6ecc61bdc847943811091N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
81a34aaf2d0511691ccad21b26b6b5ecf6f62f3f7cd6ecc61bdc847943811091N.exe
-
Size
96KB
-
MD5
ef30a59103e4ea7f9be9bb7322701bb0
-
SHA1
d27ab19bd69b38e32cc2731a55a3d3a392783851
-
SHA256
81a34aaf2d0511691ccad21b26b6b5ecf6f62f3f7cd6ecc61bdc847943811091
-
SHA512
ef73ecdafe34d46b93247ef0d39ee444523d2a7592b804f1af5f5f7d4731790aa2e22d5519061b4aff8da1a5f7f7103300e270ff7e3fff45fb528764c96df287
-
SSDEEP
1536:Ac0rpco7AAC2oPIu8Q2LZ7RZObZUUWaegPYA:krpTNeeZClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgeno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjgpfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbnkonbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fideeaco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfadkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnoddcef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijegcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bljlfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinqbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecgcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mminhceb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgelgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknobkje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdjin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aolblopj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokkahlo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggocmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ackbmcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gipdap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmgqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phaahggp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhgmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfheo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlkgmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkjjlhle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcobaedj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Allpejfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahfmpnql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efafgifc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omgcpokp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnomg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dihlbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiobceef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iliinc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhpqaiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikkfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mngegmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlbkap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkiaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgelek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnqklgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhijqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgeno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmfeidbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jklphekp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmdlffhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbebj32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 944 Cfadkb32.exe 4280 Cceddf32.exe 2592 Caienjfd.exe 2272 Cjaifp32.exe 948 Dcjnoece.exe 1616 Djdflp32.exe 324 Dclkee32.exe 2904 Diicml32.exe 3500 Dcogje32.exe 2896 Dmglcj32.exe 3208 Dhlpqc32.exe 1372 Dmihij32.exe 3752 Dfamapjo.exe 4348 Eagaoh32.exe 3812 Edemkd32.exe 64 Emnbdioi.exe 2648 Edhjqc32.exe 1952 Eidbij32.exe 4744 Edjgfcec.exe 3412 Ejdocm32.exe 452 Emehdh32.exe 3732 Ehjlaaig.exe 2088 Facqkg32.exe 2680 Fhmigagd.exe 4908 Fmjaphek.exe 3112 Fgbfhmll.exe 1568 Fpjjac32.exe 5072 Fgdbnmji.exe 4276 Fajgkfio.exe 1384 Fggocmhf.exe 3284 Falcae32.exe 2288 Ggilil32.exe 2516 Gaopfe32.exe 216 Ggkiol32.exe 4800 Gaamlecg.exe 4996 Ghkeio32.exe 1508 Gilapgqb.exe 4020 Gacjadad.exe 4980 Ggpbjkpl.exe 1748 Ginnfgop.exe 5064 Gaefgd32.exe 5040 Ggbook32.exe 5096 Gnlgleef.exe 2336 Hgelek32.exe 4672 Hajpbckl.exe 4696 Hdilnojp.exe 1280 Hgghjjid.exe 1668 Hpomcp32.exe 660 Hkeaqi32.exe 4120 Hpbiip32.exe 5028 Hnfjbdmk.exe 3512 Hpdfnolo.exe 5032 Hkjjlhle.exe 1680 Hnhghcki.exe 3780 Ijogmdqm.exe 1076 Iqipio32.exe 3280 Ikndgg32.exe 872 Iahlcaol.exe 3892 Idghpmnp.exe 1772 Ikqqlgem.exe 3716 Inomhbeq.exe 3456 Iqmidndd.exe 2392 Iggaah32.exe 4504 Inainbcn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bfpdin32.exe Bcahmb32.exe File created C:\Windows\SysWOW64\Qdphngfl.exe Pocpfphe.exe File created C:\Windows\SysWOW64\Gmafajfi.exe Gejopl32.exe File created C:\Windows\SysWOW64\Dqboip32.dll Bcfahbpo.exe File created C:\Windows\SysWOW64\Dmfeidbe.exe Djhimica.exe File opened for modification C:\Windows\SysWOW64\Cgnomg32.exe Cocjiehd.exe File created C:\Windows\SysWOW64\Jkganhnq.dll Kkjlic32.exe File opened for modification C:\Windows\SysWOW64\Fgdbnmji.exe Fpjjac32.exe File created C:\Windows\SysWOW64\Jkhgmf32.exe Jhijqj32.exe File opened for modification C:\Windows\SysWOW64\Meefofek.exe Mnlnbl32.exe File created C:\Windows\SysWOW64\Neoieenp.exe Noeahkfc.exe File created C:\Windows\SysWOW64\Djdflp32.exe Dcjnoece.exe File opened for modification C:\Windows\SysWOW64\Bjpjel32.exe Bcfahbpo.exe File created C:\Windows\SysWOW64\Ibhkfm32.exe Ibfnqmpf.exe File created C:\Windows\SysWOW64\Lcnfohmi.exe Ljeafb32.exe File created C:\Windows\SysWOW64\Bgkiaj32.exe Amcehdod.exe File created C:\Windows\SysWOW64\Gejlkojm.dll Bhldpj32.exe File created C:\Windows\SysWOW64\Dgnkfj32.dll Hdjbiheb.exe File created C:\Windows\SysWOW64\Mmjmhg32.dll Camddhoi.exe File opened for modification C:\Windows\SysWOW64\Ghkeio32.exe Gaamlecg.exe File created C:\Windows\SysWOW64\Nkddkljd.dll Mlbkap32.exe File opened for modification C:\Windows\SysWOW64\Nknobkje.exe Neafjdkn.exe File created C:\Windows\SysWOW64\Gckdpj32.dll Ejalcgkg.exe File created C:\Windows\SysWOW64\Dgmchiim.dll Glbjggof.exe File opened for modification C:\Windows\SysWOW64\Kjhloj32.exe Kgipcogp.exe File opened for modification C:\Windows\SysWOW64\Modgdicm.exe Lcnfohmi.exe File created C:\Windows\SysWOW64\Ieneofbo.dll Cmcolgbj.exe File opened for modification C:\Windows\SysWOW64\Mlbkap32.exe Mehcdfch.exe File created C:\Windows\SysWOW64\Oohgdhfn.exe Ohnohn32.exe File opened for modification C:\Windows\SysWOW64\Ffclcgfn.exe Fpjcgm32.exe File opened for modification C:\Windows\SysWOW64\Jjjpnlbd.exe Jcphab32.exe File created C:\Windows\SysWOW64\Kggcnoic.exe Kdigadjo.exe File opened for modification C:\Windows\SysWOW64\Kiejmi32.exe Jjdjoane.exe File created C:\Windows\SysWOW64\Kjeqge32.dll Manmoq32.exe File created C:\Windows\SysWOW64\Naecop32.exe Nndjndbh.exe File created C:\Windows\SysWOW64\Odalmibl.exe Omgcpokp.exe File created C:\Windows\SysWOW64\Hlmkgk32.dll Aednci32.exe File created C:\Windows\SysWOW64\Dngjff32.exe Dkhnjk32.exe File created C:\Windows\SysWOW64\Ijogmdqm.exe Hnhghcki.exe File created C:\Windows\SysWOW64\Paelfmaf.exe Odalmibl.exe File opened for modification C:\Windows\SysWOW64\Fmfgek32.exe Fihnomjp.exe File created C:\Windows\SysWOW64\Jeggngeb.dll Edjgfcec.exe File created C:\Windows\SysWOW64\Qepkbpak.exe Qofcff32.exe File created C:\Windows\SysWOW64\Ggiabl32.dll Mglfplgk.exe File created C:\Windows\SysWOW64\Njfagf32.exe Nclikl32.exe File opened for modification C:\Windows\SysWOW64\Ebjcajjd.exe Ecgcfm32.exe File created C:\Windows\SysWOW64\Kmfhkf32.exe Kjhloj32.exe File created C:\Windows\SysWOW64\Leifdf32.dll Aolblopj.exe File created C:\Windows\SysWOW64\Lgdidgjg.exe Llodgnja.exe File created C:\Windows\SysWOW64\Iangld32.dll Inomhbeq.exe File created C:\Windows\SysWOW64\Egdeookg.dll Mehcdfch.exe File created C:\Windows\SysWOW64\Cdecba32.dll Ddjmba32.exe File created C:\Windows\SysWOW64\Bildbk32.dll Gilapgqb.exe File created C:\Windows\SysWOW64\Okjnnj32.exe Oihagaji.exe File opened for modification C:\Windows\SysWOW64\Gbfldf32.exe Gphphj32.exe File opened for modification C:\Windows\SysWOW64\Ggilil32.exe Falcae32.exe File opened for modification C:\Windows\SysWOW64\Ejalcgkg.exe Ebjcajjd.exe File opened for modification C:\Windows\SysWOW64\Anaomkdb.exe Aefjii32.exe File created C:\Windows\SysWOW64\Amcehdod.exe Ahfmpnql.exe File created C:\Windows\SysWOW64\Kalhafbk.dll Okchnk32.exe File created C:\Windows\SysWOW64\Eblpgjha.exe Elbhjp32.exe File created C:\Windows\SysWOW64\Ldgccb32.exe Lmpkadnm.exe File created C:\Windows\SysWOW64\Fihnomjp.exe Enbjad32.exe File opened for modification C:\Windows\SysWOW64\Fggocmhf.exe Fajgkfio.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12296 13040 WerFault.exe 659 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaefgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abponp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmkiclm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qepkbpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhafffk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goglcahb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdphngfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgbfhmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajpbckl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neafjdkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhmigagd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nahgoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmoohe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lknojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 81a34aaf2d0511691ccad21b26b6b5ecf6f62f3f7cd6ecc61bdc847943811091N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indfca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpabni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdgafjpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmolepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdjeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llodgnja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiimadl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjcgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deqcbpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflhoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mldhfpib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmmqhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfaemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfefkkqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcikgacl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phbhcmjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onapdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpofnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niooqcad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgjlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifomll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dojqjdbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdlfhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepjkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfamapjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbiip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgffic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objpoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackbmcjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpdfnolo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikbocki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hckeoeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgjndno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbpaipl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjlic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgcih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfokoelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodcdb32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naecop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlgjal32.dll" Bepmoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbibld32.dll" Cbbnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geaepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeggngeb.dll" Edjgfcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeciaina.dll" Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoqgjn.dll" Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfdngj32.dll" Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gilapgqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knooej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aamknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knooej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilmjcon.dll" Lkchelci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deqcbpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgdidgjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmfkk32.dll" Bhamkipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deqcbpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaamlecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfmgg32.dll" Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjfmjln.dll" Jkhgmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll" Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accailfj.dll" Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjjfon32.dll" Kmkbfeab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpfcfmlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiciibmb.dll" Hdilnojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddchh32.dll" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mldhfpib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negcig32.dll" Aleckinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coknoaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapceeje.dll" Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfkpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnmoijje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecbfdd32.dll" Lieccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhmigagd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnmqme32.dll" Idghpmnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojgjndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmolo32.dll" Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qabjcina.dll" Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll" Pmnbfhal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 81a34aaf2d0511691ccad21b26b6b5ecf6f62f3f7cd6ecc61bdc847943811091N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keqdmihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficlfj32.dll" Glkmmefl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcgiefen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhlgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjpnpd32.dll" Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodoah32.dll" Nndjndbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiejjepo.dll" Hoaojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqhgk32.dll" Ggilil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohghgodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kckefh32.dll" Phbhcmjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ackbmcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijegcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjhloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hckeoeno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjjpnlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mminhceb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aolblopj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1672 wrote to memory of 944 1672 81a34aaf2d0511691ccad21b26b6b5ecf6f62f3f7cd6ecc61bdc847943811091N.exe 84 PID 1672 wrote to memory of 944 1672 81a34aaf2d0511691ccad21b26b6b5ecf6f62f3f7cd6ecc61bdc847943811091N.exe 84 PID 1672 wrote to memory of 944 1672 81a34aaf2d0511691ccad21b26b6b5ecf6f62f3f7cd6ecc61bdc847943811091N.exe 84 PID 944 wrote to memory of 4280 944 Cfadkb32.exe 85 PID 944 wrote to memory of 4280 944 Cfadkb32.exe 85 PID 944 wrote to memory of 4280 944 Cfadkb32.exe 85 PID 4280 wrote to memory of 2592 4280 Cceddf32.exe 86 PID 4280 wrote to memory of 2592 4280 Cceddf32.exe 86 PID 4280 wrote to memory of 2592 4280 Cceddf32.exe 86 PID 2592 wrote to memory of 2272 2592 Caienjfd.exe 87 PID 2592 wrote to memory of 2272 2592 Caienjfd.exe 87 PID 2592 wrote to memory of 2272 2592 Caienjfd.exe 87 PID 2272 wrote to memory of 948 2272 Cjaifp32.exe 88 PID 2272 wrote to memory of 948 2272 Cjaifp32.exe 88 PID 2272 wrote to memory of 948 2272 Cjaifp32.exe 88 PID 948 wrote to memory of 1616 948 Dcjnoece.exe 89 PID 948 wrote to memory of 1616 948 Dcjnoece.exe 89 PID 948 wrote to memory of 1616 948 Dcjnoece.exe 89 PID 1616 wrote to memory of 324 1616 Djdflp32.exe 90 PID 1616 wrote to memory of 324 1616 Djdflp32.exe 90 PID 1616 wrote to memory of 324 1616 Djdflp32.exe 90 PID 324 wrote to memory of 2904 324 Dclkee32.exe 91 PID 324 wrote to memory of 2904 324 Dclkee32.exe 91 PID 324 wrote to memory of 2904 324 Dclkee32.exe 91 PID 2904 wrote to memory of 3500 2904 Diicml32.exe 92 PID 2904 wrote to memory of 3500 2904 Diicml32.exe 92 PID 2904 wrote to memory of 3500 2904 Diicml32.exe 92 PID 3500 wrote to memory of 2896 3500 Dcogje32.exe 93 PID 3500 wrote to memory of 2896 3500 Dcogje32.exe 93 PID 3500 wrote to memory of 2896 3500 Dcogje32.exe 93 PID 2896 wrote to memory of 3208 2896 Dmglcj32.exe 94 PID 2896 wrote to memory of 3208 2896 Dmglcj32.exe 94 PID 2896 wrote to memory of 3208 2896 Dmglcj32.exe 94 PID 3208 wrote to memory of 1372 3208 Dhlpqc32.exe 95 PID 3208 wrote to memory of 1372 3208 Dhlpqc32.exe 95 PID 3208 wrote to memory of 1372 3208 Dhlpqc32.exe 95 PID 1372 wrote to memory of 3752 1372 Dmihij32.exe 96 PID 1372 wrote to memory of 3752 1372 Dmihij32.exe 96 PID 1372 wrote to memory of 3752 1372 Dmihij32.exe 96 PID 3752 wrote to memory of 4348 3752 Dfamapjo.exe 97 PID 3752 wrote to memory of 4348 3752 Dfamapjo.exe 97 PID 3752 wrote to memory of 4348 3752 Dfamapjo.exe 97 PID 4348 wrote to memory of 3812 4348 Eagaoh32.exe 98 PID 4348 wrote to memory of 3812 4348 Eagaoh32.exe 98 PID 4348 wrote to memory of 3812 4348 Eagaoh32.exe 98 PID 3812 wrote to memory of 64 3812 Edemkd32.exe 99 PID 3812 wrote to memory of 64 3812 Edemkd32.exe 99 PID 3812 wrote to memory of 64 3812 Edemkd32.exe 99 PID 64 wrote to memory of 2648 64 Emnbdioi.exe 100 PID 64 wrote to memory of 2648 64 Emnbdioi.exe 100 PID 64 wrote to memory of 2648 64 Emnbdioi.exe 100 PID 2648 wrote to memory of 1952 2648 Edhjqc32.exe 101 PID 2648 wrote to memory of 1952 2648 Edhjqc32.exe 101 PID 2648 wrote to memory of 1952 2648 Edhjqc32.exe 101 PID 1952 wrote to memory of 4744 1952 Eidbij32.exe 103 PID 1952 wrote to memory of 4744 1952 Eidbij32.exe 103 PID 1952 wrote to memory of 4744 1952 Eidbij32.exe 103 PID 4744 wrote to memory of 3412 4744 Edjgfcec.exe 104 PID 4744 wrote to memory of 3412 4744 Edjgfcec.exe 104 PID 4744 wrote to memory of 3412 4744 Edjgfcec.exe 104 PID 3412 wrote to memory of 452 3412 Ejdocm32.exe 105 PID 3412 wrote to memory of 452 3412 Ejdocm32.exe 105 PID 3412 wrote to memory of 452 3412 Ejdocm32.exe 105 PID 452 wrote to memory of 3732 452 Emehdh32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\81a34aaf2d0511691ccad21b26b6b5ecf6f62f3f7cd6ecc61bdc847943811091N.exe"C:\Users\Admin\AppData\Local\Temp\81a34aaf2d0511691ccad21b26b6b5ecf6f62f3f7cd6ecc61bdc847943811091N.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe23⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe24⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe26⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3112 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe29⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4276 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3284 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe34⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe35⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4800 -
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe37⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe39⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe40⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe41⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5064 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe43⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe44⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4672 -
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4696 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe48⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe49⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe50⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4120 -
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe52⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3512 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe56⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe57⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe58⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe59⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3892 -
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe61⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3716 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe63⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe65⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:32 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe67⤵PID:2212
-
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe68⤵
- System Location Discovery: System Language Discovery
PID:4284 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4404 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe71⤵PID:1548
-
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe72⤵
- Modifies registry class
PID:4492 -
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe73⤵PID:4024
-
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe74⤵PID:4488
-
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1840 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:968 -
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe78⤵PID:3652
-
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe79⤵
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe80⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe81⤵PID:5168
-
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe82⤵PID:5212
-
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe83⤵PID:5260
-
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe84⤵PID:5316
-
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe85⤵PID:5368
-
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe86⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5456 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe88⤵PID:5504
-
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe89⤵PID:5548
-
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe90⤵PID:5592
-
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe91⤵PID:5636
-
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe92⤵PID:5680
-
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe93⤵PID:5724
-
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe94⤵
- System Location Discovery: System Language Discovery
PID:5768 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe95⤵
- System Location Discovery: System Language Discovery
PID:5816 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe96⤵
- Modifies registry class
PID:5860 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe97⤵PID:5904
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe98⤵
- Modifies registry class
PID:5948 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe99⤵PID:5992
-
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe100⤵PID:6040
-
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe101⤵PID:6084
-
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6128 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe103⤵PID:5220
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe104⤵PID:5252
-
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe105⤵
- Drops file in System32 directory
PID:5360 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe106⤵PID:5420
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe107⤵PID:5436
-
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe108⤵
- Drops file in System32 directory
PID:5532 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5620 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe110⤵PID:5708
-
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe111⤵
- System Location Discovery: System Language Discovery
PID:5780 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe112⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5868 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe113⤵PID:5944
-
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe114⤵PID:6012
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe115⤵PID:6076
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe116⤵
- Drops file in System32 directory
PID:6136 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe117⤵PID:5280
-
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe118⤵PID:5476
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe119⤵PID:5632
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5732 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-