Analysis

max time kernel: 93s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/11/2024, 18:37

Static task: static1

Behavioral task: behavioral1
Sample: ae5d530fb90287622d270e399e022707c28e21629f54d2c3eeac35242a1b91ceN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ae5d530fb90287622d270e399e022707c28e21629f54d2c3eeac35242a1b91ceN.exe
Resource: win10v2004-20241007-en

General

Target: ae5d530fb90287622d270e399e022707c28e21629f54d2c3eeac35242a1b91ceN.exe
Size: 82KB
MD5: 08df7f4dbc3ddeb039105c20d66a19f0
SHA1: 58dac7ee0915d7778b32616caabcf43792401cb9
SHA256: ae5d530fb90287622d270e399e022707c28e21629f54d2c3eeac35242a1b91ce
SHA512: 1609e3509ddbeec5846069d035c631e1fdd443dff6ecc6c3532b0c5620003afa8d1bac5aae76b919456113edaceaf01e9198991b971365c4ec21fd6a26cd659a
SSDEEP: 1536:LhhuYTrp0AtDBHHBCRgfLwOjgF2L7epm6+wDSmQFN6TiN1sJtvQ6:LruWpxtDdvLBjfypm6tm7N6TO1Spp
Malware Config

Extracted: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family

Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 6760, pid_target 6452, Process WerFault.exe, procid_target 935
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid 3132, Process Jbkpingk.exe
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 952 wrote to memory of 5072 952 ae5d530fb90287622d270e399e022707c28e21629f54d2c3eeac35242a1b91ceN.exe 83
PID 952 wrote to memory of 5072 952 ae5d530fb90287622d270e399e022707c28e21629f54d2c3eeac35242a1b91ceN.exe 83
PID 952 wrote to memory of 5072 952 ae5d530fb90287622d270e399e022707c28e21629f54d2c3eeac35242a1b91ceN.exe 83
PID 5072 wrote to memory of 2544 5072 Dhlnjb32.exe 84
PID 5072 wrote to memory of 2544 5072 Dhlnjb32.exe 84
PID 5072 wrote to memory of 2544 5072 Dhlnjb32.exe 84
PID 2544 wrote to memory of 1976 2544 Dadbchdk.exe 85
PID 2544 wrote to memory of 1976 2544 Dadbchdk.exe 85
PID 2544 wrote to memory of 1976 2544 Dadbchdk.exe 85
PID 1976 wrote to memory of 3280 1976 Dfakkobb.exe 86
PID 1976 wrote to memory of 3280 1976 Dfakkobb.exe 86
PID 1976 wrote to memory of 3280 1976 Dfakkobb.exe 86
PID 3280 wrote to memory of 1164 3280 Dagohgah.exe 87
PID 3280 wrote to memory of 1164 3280 Dagohgah.exe 87
PID 3280 wrote to memory of 1164 3280 Dagohgah.exe 87
PID 1164 wrote to memory of 3960 1164 Dgdgqo32.exe 88
PID 1164 wrote to memory of 3960 1164 Dgdgqo32.exe 88
PID 1164 wrote to memory of 3960 1164 Dgdgqo32.exe 88
PID 3960 wrote to memory of 180 3960 Deehofho.exe 89
PID 3960 wrote to memory of 180 3960 Deehofho.exe 89
PID 3960 wrote to memory of 180 3960 Deehofho.exe 89
PID 180 wrote to memory of 732 180 Egfdfn32.exe 90
PID 180 wrote to memory of 732 180 Egfdfn32.exe 90
PID 180 wrote to memory of 732 180 Egfdfn32.exe 90
PID 732 wrote to memory of 3520 732 Ealhcg32.exe 91
PID 732 wrote to memory of 3520 732 Ealhcg32.exe 91
PID 732 wrote to memory of 3520 732 Ealhcg32.exe 91
PID 3520 wrote to memory of 4288 3520 Eghalnlj.exe 93
PID 3520 wrote to memory of 4288 3520 Eghalnlj.exe 93
PID 3520 wrote to memory of 4288 3520 Eghalnlj.exe 93
PID 4288 wrote to memory of 4920 4288 Eejaje32.exe 94
PID 4288 wrote to memory of 4920 4288 Eejaje32.exe 94
PID 4288 wrote to memory of 4920 4288 Eejaje32.exe 94
PID 4920 wrote to memory of 1680 4920 Egknanjg.exe 95
PID 4920 wrote to memory of 1680 4920 Egknanjg.exe 95
PID 4920 wrote to memory of 1680 4920 Egknanjg.exe 95
PID 1680 wrote to memory of 4644 1680 Emefng32.exe 96
PID 1680 wrote to memory of 4644 1680 Emefng32.exe 96
PID 1680 wrote to memory of 4644 1680 Emefng32.exe 96
PID 4644 wrote to memory of 3000 4644 Eelnoe32.exe 97
PID 4644 wrote to memory of 3000 4644 Eelnoe32.exe 97
PID 4644 wrote to memory of 3000 4644 Eelnoe32.exe 97
PID 3000 wrote to memory of 1688 3000 Ekifglpn.exe 98
PID 3000 wrote to memory of 1688 3000 Ekifglpn.exe 98
PID 3000 wrote to memory of 1688 3000 Ekifglpn.exe 98
PID 1688 wrote to memory of 2724 1688 Emioigmo.exe 100
PID 1688 wrote to memory of 2724 1688 Emioigmo.exe 100
PID 1688 wrote to memory of 2724 1688 Emioigmo.exe 100
PID 2724 wrote to memory of 116 2724 Fgbdbl32.exe 101
PID 2724 wrote to memory of 116 2724 Fgbdbl32.exe 101
PID 2724 wrote to memory of 116 2724 Fgbdbl32.exe 101
PID 116 wrote to memory of 1168 116 Fnllof32.exe 102
PID 116 wrote to memory of 1168 116 Fnllof32.exe 102
PID 116 wrote to memory of 1168 116 Fnllof32.exe 102
PID 1168 wrote to memory of 2856 1168 Fgdqglbm.exe 103
PID 1168 wrote to memory of 2856 1168 Fgdqglbm.exe 103
PID 1168 wrote to memory of 2856 1168 Fgdqglbm.exe 103
PID 2856 wrote to memory of 4596 2856 Fajeeeac.exe 104
PID 2856 wrote to memory of 4596 2856 Fajeeeac.exe 104
PID 2856 wrote to memory of 4596 2856 Fajeeeac.exe 104
PID 4596 wrote to memory of 2960 4596 Fgfmmlpj.exe 105
PID 4596 wrote to memory of 2960 4596 Fgfmmlpj.exe 105
PID 4596 wrote to memory of 2960 4596 Fgfmmlpj.exe 105
PID 2960 wrote to memory of 3316 2960 Foneni32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae5d530fb90287622d270e399e022707c28e21629f54d2c3eeac35242a1b91ceN.exe"C:\Users\Admin\AppData\Local\Temp\ae5d530fb90287622d270e399e022707c28e21629f54d2c3eeac35242a1b91ceN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Dhlnjb32.exeC:\Windows\system32\Dhlnjb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Dadbchdk.exeC:\Windows\system32\Dadbchdk.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Dfakkobb.exeC:\Windows\system32\Dfakkobb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Dagohgah.exeC:\Windows\system32\Dagohgah.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Dgdgqo32.exeC:\Windows\system32\Dgdgqo32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Deehofho.exeC:\Windows\system32\Deehofho.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Egfdfn32.exeC:\Windows\system32\Egfdfn32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
C:\Windows\SysWOW64\Ealhcg32.exeC:\Windows\system32\Ealhcg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Eghalnlj.exeC:\Windows\system32\Eghalnlj.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Eejaje32.exeC:\Windows\system32\Eejaje32.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Egknanjg.exeC:\Windows\system32\Egknanjg.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Emefng32.exeC:\Windows\system32\Emefng32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Eelnoe32.exeC:\Windows\system32\Eelnoe32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Ekifglpn.exeC:\Windows\system32\Ekifglpn.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Emioigmo.exeC:\Windows\system32\Emioigmo.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Fgbdbl32.exeC:\Windows\system32\Fgbdbl32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Fnllof32.exeC:\Windows\system32\Fnllof32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Fgdqglbm.exeC:\Windows\system32\Fgdqglbm.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Fajeeeac.exeC:\Windows\system32\Fajeeeac.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Fgfmmlpj.exeC:\Windows\system32\Fgfmmlpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Foneni32.exeC:\Windows\system32\Foneni32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Fdjnfp32.exeC:\Windows\system32\Fdjnfp32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3316 -
C:\Windows\SysWOW64\Fannpd32.exeC:\Windows\system32\Fannpd32.exe24⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Fdmjlp32.exeC:\Windows\system32\Fdmjlp32.exe25⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Fkgbijdn.exeC:\Windows\system32\Fkgbijdn.exe26⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Felgfb32.exeC:\Windows\system32\Felgfb32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4980 -
C:\Windows\SysWOW64\Ghkcbn32.exeC:\Windows\system32\Ghkcbn32.exe28⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Geoclb32.exeC:\Windows\system32\Geoclb32.exe29⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Goghdhhb.exeC:\Windows\system32\Goghdhhb.exe30⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Gddqmo32.exeC:\Windows\system32\Gddqmo32.exe31⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Ggbmij32.exeC:\Windows\system32\Ggbmij32.exe32⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Gahafc32.exeC:\Windows\system32\Gahafc32.exe33⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Gnoakdkg.exeC:\Windows\system32\Gnoakdkg.exe34⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Gdhjhnbd.exeC:\Windows\system32\Gdhjhnbd.exe35⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Gnanqc32.exeC:\Windows\system32\Gnanqc32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3804 -
C:\Windows\SysWOW64\Hdkgmnpa.exeC:\Windows\system32\Hdkgmnpa.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:756 -
C:\Windows\SysWOW64\Hnckfc32.exeC:\Windows\system32\Hnckfc32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Hhioclgg.exeC:\Windows\system32\Hhioclgg.exe39⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Hbadla32.exeC:\Windows\system32\Hbadla32.exe40⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Hkihegdi.exeC:\Windows\system32\Hkihegdi.exe41⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe42⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Hfaihp32.exeC:\Windows\system32\Hfaihp32.exe43⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Hgbfphgj.exeC:\Windows\system32\Hgbfphgj.exe44⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Ifdfno32.exeC:\Windows\system32\Ifdfno32.exe45⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Igebegeg.exeC:\Windows\system32\Igebegeg.exe46⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Ioljfe32.exeC:\Windows\system32\Ioljfe32.exe47⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Iffbcomf.exeC:\Windows\system32\Iffbcomf.exe48⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Ioogld32.exeC:\Windows\system32\Ioogld32.exe49⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Ibmchp32.exeC:\Windows\system32\Ibmchp32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Igjlpg32.exeC:\Windows\system32\Igjlpg32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3452 -
C:\Windows\SysWOW64\Incdma32.exeC:\Windows\system32\Incdma32.exe52⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Idnljkpl.exeC:\Windows\system32\Idnljkpl.exe53⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Ioemmcno.exeC:\Windows\system32\Ioemmcno.exe54⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Jebfej32.exeC:\Windows\system32\Jebfej32.exe55⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Jgqbaf32.exeC:\Windows\system32\Jgqbaf32.exe56⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Johjbc32.exeC:\Windows\system32\Johjbc32.exe57⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Jfbbomci.exeC:\Windows\system32\Jfbbomci.exe58⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Jipnkibm.exeC:\Windows\system32\Jipnkibm.exe59⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Jnmgcpqd.exeC:\Windows\system32\Jnmgcpqd.exe60⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Jfdodm32.exeC:\Windows\system32\Jfdodm32.exe61⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Jegopjha.exeC:\Windows\system32\Jegopjha.exe62⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Jkagmd32.exeC:\Windows\system32\Jkagmd32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Jbkpingk.exeC:\Windows\system32\Jbkpingk.exe64⤵
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
PID:3132 -
C:\Windows\SysWOW64\Jeileifo.exeC:\Windows\system32\Jeileifo.exe65⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Jkcdbc32.exeC:\Windows\system32\Jkcdbc32.exe66⤵PID:3852
-
C:\Windows\SysWOW64\Jbmloneh.exeC:\Windows\system32\Jbmloneh.exe67⤵PID:2044
-
C:\Windows\SysWOW64\Jigdlhle.exeC:\Windows\system32\Jigdlhle.exe68⤵PID:932
-
C:\Windows\SysWOW64\Jpamhb32.exeC:\Windows\system32\Jpamhb32.exe69⤵PID:924
-
C:\Windows\SysWOW64\Kbpidm32.exeC:\Windows\system32\Kbpidm32.exe70⤵PID:4312
-
C:\Windows\SysWOW64\Keneqi32.exeC:\Windows\system32\Keneqi32.exe71⤵PID:3236
-
C:\Windows\SysWOW64\Kglamd32.exeC:\Windows\system32\Kglamd32.exe72⤵PID:2580
-
C:\Windows\SysWOW64\Kpcina32.exeC:\Windows\system32\Kpcina32.exe73⤵PID:3732
-
C:\Windows\SysWOW64\Kfnaklil.exeC:\Windows\system32\Kfnaklil.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Kilngg32.exeC:\Windows\system32\Kilngg32.exe75⤵PID:228
-
C:\Windows\SysWOW64\Kpffcapl.exeC:\Windows\system32\Kpffcapl.exe76⤵PID:836
-
C:\Windows\SysWOW64\Kfpnpk32.exeC:\Windows\system32\Kfpnpk32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4140 -
C:\Windows\SysWOW64\Kinklg32.exeC:\Windows\system32\Kinklg32.exe78⤵PID:548
-
C:\Windows\SysWOW64\Klmghb32.exeC:\Windows\system32\Klmghb32.exe79⤵PID:2812
-
C:\Windows\SysWOW64\Kbgoelmm.exeC:\Windows\system32\Kbgoelmm.exe80⤵PID:4808
-
C:\Windows\SysWOW64\Kiqgbf32.exeC:\Windows\system32\Kiqgbf32.exe81⤵PID:1496
-
C:\Windows\SysWOW64\Klocnbcn.exeC:\Windows\system32\Klocnbcn.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5012 -
C:\Windows\SysWOW64\Knmpjmba.exeC:\Windows\system32\Knmpjmba.exe83⤵PID:2300
-
C:\Windows\SysWOW64\Keghgg32.exeC:\Windows\system32\Keghgg32.exe84⤵PID:4004
-
C:\Windows\SysWOW64\Klapcaak.exeC:\Windows\system32\Klapcaak.exe85⤵PID:3504
-
C:\Windows\SysWOW64\Lbkhpl32.exeC:\Windows\system32\Lbkhpl32.exe86⤵PID:1492
-
C:\Windows\SysWOW64\Lejelg32.exeC:\Windows\system32\Lejelg32.exe87⤵PID:4216
-
C:\Windows\SysWOW64\Llcmia32.exeC:\Windows\system32\Llcmia32.exe88⤵PID:2928
-
C:\Windows\SysWOW64\Lnbiem32.exeC:\Windows\system32\Lnbiem32.exe89⤵PID:3008
-
C:\Windows\SysWOW64\Lelabgfi.exeC:\Windows\system32\Lelabgfi.exe90⤵PID:444
-
C:\Windows\SysWOW64\Lhjnnbem.exeC:\Windows\system32\Lhjnnbem.exe91⤵
- Drops file in System32 directory
PID:4064 -
C:\Windows\SysWOW64\Lndfkl32.exeC:\Windows\system32\Lndfkl32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128 -
C:\Windows\SysWOW64\Lflnlj32.exeC:\Windows\system32\Lflnlj32.exe93⤵PID:5200
-
C:\Windows\SysWOW64\Lhmjcbcj.exeC:\Windows\system32\Lhmjcbcj.exe94⤵PID:5268
-
C:\Windows\SysWOW64\Logbpljg.exeC:\Windows\system32\Logbpljg.exe95⤵PID:5324
-
C:\Windows\SysWOW64\Lfnkaiki.exeC:\Windows\system32\Lfnkaiki.exe96⤵PID:5376
-
C:\Windows\SysWOW64\Lilgnejm.exeC:\Windows\system32\Lilgnejm.exe97⤵PID:5420
-
C:\Windows\SysWOW64\Lpfojo32.exeC:\Windows\system32\Lpfojo32.exe98⤵PID:5472
-
C:\Windows\SysWOW64\Lbekfj32.exeC:\Windows\system32\Lbekfj32.exe99⤵PID:5516
-
C:\Windows\SysWOW64\Lioccdhj.exeC:\Windows\system32\Lioccdhj.exe100⤵PID:5576
-
C:\Windows\SysWOW64\Mpilpo32.exeC:\Windows\system32\Mpilpo32.exe101⤵PID:5620
-
C:\Windows\SysWOW64\Mfbdmi32.exeC:\Windows\system32\Mfbdmi32.exe102⤵
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Miapid32.exeC:\Windows\system32\Miapid32.exe103⤵PID:5708
-
C:\Windows\SysWOW64\Mpkhenmd.exeC:\Windows\system32\Mpkhenmd.exe104⤵PID:5752
-
C:\Windows\SysWOW64\Mbieajlh.exeC:\Windows\system32\Mbieajlh.exe105⤵PID:5796
-
C:\Windows\SysWOW64\Mehanell.exeC:\Windows\system32\Mehanell.exe106⤵PID:5840
-
C:\Windows\SysWOW64\Mlaijo32.exeC:\Windows\system32\Mlaijo32.exe107⤵PID:5884
-
C:\Windows\SysWOW64\Mopefk32.exeC:\Windows\system32\Mopefk32.exe108⤵PID:5928
-
C:\Windows\SysWOW64\Mejnce32.exeC:\Windows\system32\Mejnce32.exe109⤵PID:5976
-
C:\Windows\SysWOW64\Mppbqn32.exeC:\Windows\system32\Mppbqn32.exe110⤵
- System Location Discovery: System Language Discovery
PID:6020 -
C:\Windows\SysWOW64\Mlfbeooc.exeC:\Windows\system32\Mlfbeooc.exe111⤵
- Modifies registry class
PID:6064 -
C:\Windows\SysWOW64\Nliokn32.exeC:\Windows\system32\Nliokn32.exe112⤵PID:6108
-
C:\Windows\SysWOW64\Nbchhhdm.exeC:\Windows\system32\Nbchhhdm.exe113⤵PID:4484
-
C:\Windows\SysWOW64\Niomjbjg.exeC:\Windows\system32\Niomjbjg.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5260 -
C:\Windows\SysWOW64\Npiegl32.exeC:\Windows\system32\Npiegl32.exe115⤵PID:5332
-
C:\Windows\SysWOW64\Niaipbhe.exeC:\Windows\system32\Niaipbhe.exe116⤵PID:5404
-
C:\Windows\SysWOW64\Nlpelmgi.exeC:\Windows\system32\Nlpelmgi.exe117⤵
- Drops file in System32 directory
PID:5480 -
C:\Windows\SysWOW64\Ncjnhg32.exeC:\Windows\system32\Ncjnhg32.exe118⤵PID:5568
-
C:\Windows\SysWOW64\Nidfeaeb.exeC:\Windows\system32\Nidfeaeb.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5636 -
C:\Windows\SysWOW64\Npnnblmo.exeC:\Windows\system32\Npnnblmo.exe120⤵PID:5696
-
C:\Windows\SysWOW64\Nghfof32.exeC:\Windows\system32\Nghfof32.exe121⤵
- Drops file in System32 directory
PID:5792 -
C:\Windows\SysWOW64\Oppkgkkl.exeC:\Windows\system32\Oppkgkkl.exe122⤵
- Drops file in System32 directory
PID:5848