Analysis
-
max time kernel
69s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 20:48
Behavioral task
behavioral1
Sample
f053d9111c74223b6fb832da2442a41364aed63a0d076b70bcf77cedd0ee843cN.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
f053d9111c74223b6fb832da2442a41364aed63a0d076b70bcf77cedd0ee843cN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
f053d9111c74223b6fb832da2442a41364aed63a0d076b70bcf77cedd0ee843cN.exe
-
Size
319KB
-
MD5
f29fa091158795e5f731c37b52a30d00
-
SHA1
0a1cfe40f19bab3402975bf7dcafcd429726790f
-
SHA256
f053d9111c74223b6fb832da2442a41364aed63a0d076b70bcf77cedd0ee843c
-
SHA512
768689b5e1590039ef4baa8245eafeab07d20f2538008b12414f1c35934e768c356927e868a8740f9e22e55a7050b110a17264b6ca70dc352e8c3db11eabbec8
-
SSDEEP
6144:Sm89+0bFD8Wtfvw/Hlp4PlXj4IyqrQ///NR5fLYG3eujPQ///NR5fy:Gpw7YxxC/NcZ7/NK
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhiddoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ladebd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqeapo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afmbak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphcppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcokpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcqjfeja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgoff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlboca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkkoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnopj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pljnkodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bplijcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dijfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qemomb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjgei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgnelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onfabgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opaqpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deeqch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fobkfqpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Immjnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdadhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mejmmqpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgoff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdbpekam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iokfjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pglojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbglpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fipbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alodeacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckkcep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddhaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogdhik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjjkfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klcgpkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chlgid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdfmpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfdfmfle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqjhcfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggdekbgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njhbabif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bemkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmpdmfff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eannmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnjalhpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lilfgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anecfgdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meecaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbnjjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Offpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpbhjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plndcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgoif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gibbgmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qemomb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieponofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klecfkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akadpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppobaeb.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 876 Epnhpglg.exe 2692 Eldiehbk.exe 2756 Eihjolae.exe 2736 Elgfkhpi.exe 2432 Eogolc32.exe 2796 Eeagimdf.exe 3044 Fahhnn32.exe 992 Flnlkgjq.exe 868 Fhdmph32.exe 1728 Fooembgb.exe 860 Fkefbcmf.exe 2112 Fpbnjjkm.exe 2252 Fcqjfeja.exe 2576 Fpdkpiik.exe 1724 Gcedad32.exe 1840 Ghbljk32.exe 2520 Gpidki32.exe 1272 Gkcekfad.exe 552 Gdkjdl32.exe 988 Goqnae32.exe 2372 Gncnmane.exe 2448 Ghibjjnk.exe 1856 Gkgoff32.exe 2000 Hdpcokdo.exe 2368 Hadcipbi.exe 2208 Hdbpekam.exe 2812 Hnkdnqhm.exe 2840 Hqiqjlga.exe 2312 Hnmacpfj.exe 2780 Hqkmplen.exe 2620 Hcjilgdb.exe 2628 Hifbdnbi.exe 1684 Hoqjqhjf.exe 1268 Hiioin32.exe 1496 Ikgkei32.exe 576 Ieponofk.exe 2396 Inhdgdmk.exe 2136 Iebldo32.exe 2984 Igqhpj32.exe 2508 Ibfmmb32.exe 544 Iaimipjl.exe 1556 Iknafhjb.exe 2484 Ijaaae32.exe 1992 Ibhicbao.exe 2336 Iegeonpc.exe 2364 Ijcngenj.exe 2120 Inojhc32.exe 1884 Ieibdnnp.exe 1604 Jggoqimd.exe 2720 Jmdgipkk.exe 2824 Jcnoejch.exe 2972 Jfmkbebl.exe 2776 Jikhnaao.exe 784 Jabponba.exe 1860 Jcqlkjae.exe 2024 Jimdcqom.exe 1032 Jpgmpk32.exe 2592 Jbfilffm.exe 2564 Jedehaea.exe 2036 Jmkmjoec.exe 960 Jpjifjdg.exe 2580 Jfcabd32.exe 1668 Jibnop32.exe 564 Jplfkjbd.exe -
Loads dropped DLL 64 IoCs
pid Process 2380 f053d9111c74223b6fb832da2442a41364aed63a0d076b70bcf77cedd0ee843cN.exe 2380 f053d9111c74223b6fb832da2442a41364aed63a0d076b70bcf77cedd0ee843cN.exe 876 Epnhpglg.exe 876 Epnhpglg.exe 2692 Eldiehbk.exe 2692 Eldiehbk.exe 2756 Eihjolae.exe 2756 Eihjolae.exe 2736 Elgfkhpi.exe 2736 Elgfkhpi.exe 2432 Eogolc32.exe 2432 Eogolc32.exe 2796 Eeagimdf.exe 2796 Eeagimdf.exe 3044 Fahhnn32.exe 3044 Fahhnn32.exe 992 Flnlkgjq.exe 992 Flnlkgjq.exe 868 Fhdmph32.exe 868 Fhdmph32.exe 1728 Fooembgb.exe 1728 Fooembgb.exe 860 Fkefbcmf.exe 860 Fkefbcmf.exe 2112 Fpbnjjkm.exe 2112 Fpbnjjkm.exe 2252 Fcqjfeja.exe 2252 Fcqjfeja.exe 2576 Fpdkpiik.exe 2576 Fpdkpiik.exe 1724 Gcedad32.exe 1724 Gcedad32.exe 1840 Ghbljk32.exe 1840 Ghbljk32.exe 2520 Gpidki32.exe 2520 Gpidki32.exe 1272 Gkcekfad.exe 1272 Gkcekfad.exe 552 Gdkjdl32.exe 552 Gdkjdl32.exe 988 Goqnae32.exe 988 Goqnae32.exe 2372 Gncnmane.exe 2372 Gncnmane.exe 2448 Ghibjjnk.exe 2448 Ghibjjnk.exe 1856 Gkgoff32.exe 1856 Gkgoff32.exe 2000 Hdpcokdo.exe 2000 Hdpcokdo.exe 2368 Hadcipbi.exe 2368 Hadcipbi.exe 2208 Hdbpekam.exe 2208 Hdbpekam.exe 2812 Hnkdnqhm.exe 2812 Hnkdnqhm.exe 2840 Hqiqjlga.exe 2840 Hqiqjlga.exe 2312 Hnmacpfj.exe 2312 Hnmacpfj.exe 2780 Hqkmplen.exe 2780 Hqkmplen.exe 2620 Hcjilgdb.exe 2620 Hcjilgdb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mbendkpn.dll Ajamfh32.exe File created C:\Windows\SysWOW64\Mhnkcm32.dll Bklpjlmc.exe File opened for modification C:\Windows\SysWOW64\Dfkclf32.exe Dboglhna.exe File created C:\Windows\SysWOW64\Plhodp32.dll Fobkfqpo.exe File created C:\Windows\SysWOW64\Nggipg32.exe Nopaoj32.exe File opened for modification C:\Windows\SysWOW64\Qjfalj32.exe Qdlipplq.exe File created C:\Windows\SysWOW64\Knohabdl.dll Apefjqob.exe File created C:\Windows\SysWOW64\Jaeehmko.exe Jngilalk.exe File created C:\Windows\SysWOW64\Lhiddoph.exe Lcmklh32.exe File created C:\Windows\SysWOW64\Afoochol.dll Ombddbah.exe File opened for modification C:\Windows\SysWOW64\Oielnd32.exe Offpbi32.exe File opened for modification C:\Windows\SysWOW64\Qjddgj32.exe Phehko32.exe File created C:\Windows\SysWOW64\Bbjemo32.dll Akadpn32.exe File created C:\Windows\SysWOW64\Docopbaf.exe Dijfch32.exe File created C:\Windows\SysWOW64\Epfhde32.exe Eacghhkd.exe File created C:\Windows\SysWOW64\Nhocol32.dll Jnemfa32.exe File created C:\Windows\SysWOW64\Mdaaomdi.dll Gncnmane.exe File created C:\Windows\SysWOW64\Dkbioqbg.dll Ofafgipc.exe File opened for modification C:\Windows\SysWOW64\Kpdeoh32.exe Kmficl32.exe File opened for modification C:\Windows\SysWOW64\Ijlaloaf.exe Igmepdbc.exe File created C:\Windows\SysWOW64\Ofoebc32.dll Caokmd32.exe File opened for modification C:\Windows\SysWOW64\Gckfpc32.exe Gdhfdffl.exe File created C:\Windows\SysWOW64\Jajocl32.exe Jmocbnop.exe File opened for modification C:\Windows\SysWOW64\Kmficl32.exe Kijmbnpo.exe File opened for modification C:\Windows\SysWOW64\Iegeonpc.exe Ibhicbao.exe File created C:\Windows\SysWOW64\Bobhaimm.dll Dmcfngde.exe File created C:\Windows\SysWOW64\Oebblmoe.dll Hcblqb32.exe File created C:\Windows\SysWOW64\Fjglncdn.dll Jmocbnop.exe File created C:\Windows\SysWOW64\Naegmabc.exe Nnjklb32.exe File created C:\Windows\SysWOW64\Kecfmlgq.dll Cojeomee.exe File created C:\Windows\SysWOW64\Eebibf32.exe Ebcmfj32.exe File created C:\Windows\SysWOW64\Njhilimb.exe Nigldq32.exe File created C:\Windows\SysWOW64\Ncamen32.exe Ndnmialh.exe File created C:\Windows\SysWOW64\Jhgikm32.dll Eogolc32.exe File created C:\Windows\SysWOW64\Oepjoa32.exe Oqennbbl.exe File created C:\Windows\SysWOW64\Gdfiofhn.exe Gagmbkik.exe File created C:\Windows\SysWOW64\Kimjhnnl.exe Keango32.exe File created C:\Windows\SysWOW64\Nhpfdaml.exe Nccnlk32.exe File created C:\Windows\SysWOW64\Alodeacc.exe Aedlhg32.exe File opened for modification C:\Windows\SysWOW64\Oekmceaf.exe Obmpgjbb.exe File created C:\Windows\SysWOW64\Ebfqfpop.exe Ephdjeol.exe File created C:\Windows\SysWOW64\Lhfpdi32.exe Lehdhn32.exe File opened for modification C:\Windows\SysWOW64\Oiahnnji.exe Oqkpmaif.exe File created C:\Windows\SysWOW64\Mpbclcja.dll Fhdmph32.exe File created C:\Windows\SysWOW64\Lpnopm32.exe Llbconkd.exe File created C:\Windows\SysWOW64\Gaeqmk32.exe Gmidlmcd.exe File created C:\Windows\SysWOW64\Bbgclj32.dll Ijlaloaf.exe File created C:\Windows\SysWOW64\Egbigm32.dll Dlpbna32.exe File opened for modification C:\Windows\SysWOW64\Dbdagg32.exe Djmiejji.exe File created C:\Windows\SysWOW64\Jmkmjoec.exe Jedehaea.exe File created C:\Windows\SysWOW64\Golcgomm.dll Cnklgkap.exe File created C:\Windows\SysWOW64\Ohopde32.dll Nkclkl32.exe File created C:\Windows\SysWOW64\Hcjilgdb.exe Hqkmplen.exe File opened for modification C:\Windows\SysWOW64\Njhbabif.exe Nbqjqehd.exe File opened for modification C:\Windows\SysWOW64\Fllaopcg.exe Egpena32.exe File created C:\Windows\SysWOW64\Kbclpfop.dll Ijcngenj.exe File opened for modification C:\Windows\SysWOW64\Nccnlk32.exe Nqeapo32.exe File created C:\Windows\SysWOW64\Jbekkd32.dll Lophacfl.exe File created C:\Windows\SysWOW64\Ddnpnigl.dll Mkgeehnl.exe File created C:\Windows\SysWOW64\Pebbcdkn.exe Pbdfgilj.exe File opened for modification C:\Windows\SysWOW64\Hcblqb32.exe Hofqpc32.exe File opened for modification C:\Windows\SysWOW64\Joblkegc.exe Jihdnk32.exe File created C:\Windows\SysWOW64\Dboglhna.exe Doqkpl32.exe File created C:\Windows\SysWOW64\Omnkicen.exe Ojpomh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6748 6736 WerFault.exe 664 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igkhjdde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hagianlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkaoemjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpogiglp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geloanjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fopnpaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmqkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmficl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbconkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babbng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddhaie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfodfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainkcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbaapfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ablbjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baclaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embkbdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfilffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnemfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgnminke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejdfqogm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fobkfqpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejnfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfgdmjlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmcebkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbnhpdke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobaef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbpekam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqgjdbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhcad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbmkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejmmqpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oknhdjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqfabdaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opaqpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjmnfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnnao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnlhab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oddphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnqjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlboca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlmnogkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llkbcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jecnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpefc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paafmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahngomkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieponofk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piieicgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjembh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgcio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klecfkff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjhmipi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdadhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnabffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epcddopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedhgj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdnncfoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhkbmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idohdhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjckae.dll" Qncfphff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpgnoqb.dll" Bemkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhldnm32.dll" Aohgfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omhkcnfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbpqmfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbdeb32.dll" Kgdgpfnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqpmimbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcpccaf.dll" Qemomb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmnghfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkkgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efmckpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejioln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpjaodmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnhaca.dll" Nqpmimbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfcabd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmocbnop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oddphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkagib32.dll" Okbapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnpebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbepkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhibakgh.dll" Clilmbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhdihjd.dll" Meecaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naegmabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npabemib.dll" Boeoek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dboglhna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Immjnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfbllkc.dll" Oqkpmaif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmmbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnfnajed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmojdiin.dll" Fopnpaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphjan32.dll" Ldpnoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdinn32.dll" Meljbqna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eihjolae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll" Jabponba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnfnajed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Docopbaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aejnfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjhckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mploiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbkgbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddhaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll" Eiilge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eelgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bckefnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcppkbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgiked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbbnjgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdefnjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiecgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnoim32.dll" Mcggef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caejbmia.dll" Igqhpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhlmfio.dll" Honfqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjggap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oddphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onldqejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phaoppja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cppobaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Honfqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlglpa32.dll" Mpkhoj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2380 wrote to memory of 876 2380 f053d9111c74223b6fb832da2442a41364aed63a0d076b70bcf77cedd0ee843cN.exe 30 PID 2380 wrote to memory of 876 2380 f053d9111c74223b6fb832da2442a41364aed63a0d076b70bcf77cedd0ee843cN.exe 30 PID 2380 wrote to memory of 876 2380 f053d9111c74223b6fb832da2442a41364aed63a0d076b70bcf77cedd0ee843cN.exe 30 PID 2380 wrote to memory of 876 2380 f053d9111c74223b6fb832da2442a41364aed63a0d076b70bcf77cedd0ee843cN.exe 30 PID 876 wrote to memory of 2692 876 Epnhpglg.exe 31 PID 876 wrote to memory of 2692 876 Epnhpglg.exe 31 PID 876 wrote to memory of 2692 876 Epnhpglg.exe 31 PID 876 wrote to memory of 2692 876 Epnhpglg.exe 31 PID 2692 wrote to memory of 2756 2692 Eldiehbk.exe 32 PID 2692 wrote to memory of 2756 2692 Eldiehbk.exe 32 PID 2692 wrote to memory of 2756 2692 Eldiehbk.exe 32 PID 2692 wrote to memory of 2756 2692 Eldiehbk.exe 32 PID 2756 wrote to memory of 2736 2756 Eihjolae.exe 33 PID 2756 wrote to memory of 2736 2756 Eihjolae.exe 33 PID 2756 wrote to memory of 2736 2756 Eihjolae.exe 33 PID 2756 wrote to memory of 2736 2756 Eihjolae.exe 33 PID 2736 wrote to memory of 2432 2736 Elgfkhpi.exe 34 PID 2736 wrote to memory of 2432 2736 Elgfkhpi.exe 34 PID 2736 wrote to memory of 2432 2736 Elgfkhpi.exe 34 PID 2736 wrote to memory of 2432 2736 Elgfkhpi.exe 34 PID 2432 wrote to memory of 2796 2432 Eogolc32.exe 35 PID 2432 wrote to memory of 2796 2432 Eogolc32.exe 35 PID 2432 wrote to memory of 2796 2432 Eogolc32.exe 35 PID 2432 wrote to memory of 2796 2432 Eogolc32.exe 35 PID 2796 wrote to memory of 3044 2796 Eeagimdf.exe 36 PID 2796 wrote to memory of 3044 2796 Eeagimdf.exe 36 PID 2796 wrote to memory of 3044 2796 Eeagimdf.exe 36 PID 2796 wrote to memory of 3044 2796 Eeagimdf.exe 36 PID 3044 wrote to memory of 992 3044 Fahhnn32.exe 37 PID 3044 wrote to memory of 992 3044 Fahhnn32.exe 37 PID 3044 wrote to memory of 992 3044 Fahhnn32.exe 37 PID 3044 wrote to memory of 992 3044 Fahhnn32.exe 37 PID 992 wrote to memory of 868 992 Flnlkgjq.exe 38 PID 992 wrote to memory of 868 992 Flnlkgjq.exe 38 PID 992 wrote to memory of 868 992 Flnlkgjq.exe 38 PID 992 wrote to memory of 868 992 Flnlkgjq.exe 38 PID 868 wrote to memory of 1728 868 Fhdmph32.exe 39 PID 868 wrote to memory of 1728 868 Fhdmph32.exe 39 PID 868 wrote to memory of 1728 868 Fhdmph32.exe 39 PID 868 wrote to memory of 1728 868 Fhdmph32.exe 39 PID 1728 wrote to memory of 860 1728 Fooembgb.exe 40 PID 1728 wrote to memory of 860 1728 Fooembgb.exe 40 PID 1728 wrote to memory of 860 1728 Fooembgb.exe 40 PID 1728 wrote to memory of 860 1728 Fooembgb.exe 40 PID 860 wrote to memory of 2112 860 Fkefbcmf.exe 41 PID 860 wrote to memory of 2112 860 Fkefbcmf.exe 41 PID 860 wrote to memory of 2112 860 Fkefbcmf.exe 41 PID 860 wrote to memory of 2112 860 Fkefbcmf.exe 41 PID 2112 wrote to memory of 2252 2112 Fpbnjjkm.exe 42 PID 2112 wrote to memory of 2252 2112 Fpbnjjkm.exe 42 PID 2112 wrote to memory of 2252 2112 Fpbnjjkm.exe 42 PID 2112 wrote to memory of 2252 2112 Fpbnjjkm.exe 42 PID 2252 wrote to memory of 2576 2252 Fcqjfeja.exe 43 PID 2252 wrote to memory of 2576 2252 Fcqjfeja.exe 43 PID 2252 wrote to memory of 2576 2252 Fcqjfeja.exe 43 PID 2252 wrote to memory of 2576 2252 Fcqjfeja.exe 43 PID 2576 wrote to memory of 1724 2576 Fpdkpiik.exe 44 PID 2576 wrote to memory of 1724 2576 Fpdkpiik.exe 44 PID 2576 wrote to memory of 1724 2576 Fpdkpiik.exe 44 PID 2576 wrote to memory of 1724 2576 Fpdkpiik.exe 44 PID 1724 wrote to memory of 1840 1724 Gcedad32.exe 45 PID 1724 wrote to memory of 1840 1724 Gcedad32.exe 45 PID 1724 wrote to memory of 1840 1724 Gcedad32.exe 45 PID 1724 wrote to memory of 1840 1724 Gcedad32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f053d9111c74223b6fb832da2442a41364aed63a0d076b70bcf77cedd0ee843cN.exe"C:\Users\Admin\AppData\Local\Temp\f053d9111c74223b6fb832da2442a41364aed63a0d076b70bcf77cedd0ee843cN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Epnhpglg.exeC:\Windows\system32\Epnhpglg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Eldiehbk.exeC:\Windows\system32\Eldiehbk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Eihjolae.exeC:\Windows\system32\Eihjolae.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Eogolc32.exeC:\Windows\system32\Eogolc32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Eeagimdf.exeC:\Windows\system32\Eeagimdf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Fahhnn32.exeC:\Windows\system32\Fahhnn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Flnlkgjq.exeC:\Windows\system32\Flnlkgjq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Fhdmph32.exeC:\Windows\system32\Fhdmph32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Fooembgb.exeC:\Windows\system32\Fooembgb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Fkefbcmf.exeC:\Windows\system32\Fkefbcmf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Fpbnjjkm.exeC:\Windows\system32\Fpbnjjkm.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Fcqjfeja.exeC:\Windows\system32\Fcqjfeja.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Fpdkpiik.exeC:\Windows\system32\Fpdkpiik.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Ghbljk32.exeC:\Windows\system32\Ghbljk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Gpidki32.exeC:\Windows\system32\Gpidki32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Gkcekfad.exeC:\Windows\system32\Gkcekfad.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Gdkjdl32.exeC:\Windows\system32\Gdkjdl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Windows\SysWOW64\Goqnae32.exeC:\Windows\system32\Goqnae32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Gncnmane.exeC:\Windows\system32\Gncnmane.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Ghibjjnk.exeC:\Windows\system32\Ghibjjnk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Gkgoff32.exeC:\Windows\system32\Gkgoff32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Hdpcokdo.exeC:\Windows\system32\Hdpcokdo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Hadcipbi.exeC:\Windows\system32\Hadcipbi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Hdbpekam.exeC:\Windows\system32\Hdbpekam.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Hnkdnqhm.exeC:\Windows\system32\Hnkdnqhm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Hqiqjlga.exeC:\Windows\system32\Hqiqjlga.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Hnmacpfj.exeC:\Windows\system32\Hnmacpfj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Hqkmplen.exeC:\Windows\system32\Hqkmplen.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Hcjilgdb.exeC:\Windows\system32\Hcjilgdb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Hifbdnbi.exeC:\Windows\system32\Hifbdnbi.exe33⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Hoqjqhjf.exeC:\Windows\system32\Hoqjqhjf.exe34⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Hiioin32.exeC:\Windows\system32\Hiioin32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Ikgkei32.exeC:\Windows\system32\Ikgkei32.exe36⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ieponofk.exeC:\Windows\system32\Ieponofk.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:576 -
C:\Windows\SysWOW64\Inhdgdmk.exeC:\Windows\system32\Inhdgdmk.exe38⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Iebldo32.exeC:\Windows\system32\Iebldo32.exe39⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Igqhpj32.exeC:\Windows\system32\Igqhpj32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Ibfmmb32.exeC:\Windows\system32\Ibfmmb32.exe41⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Iaimipjl.exeC:\Windows\system32\Iaimipjl.exe42⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Iknafhjb.exeC:\Windows\system32\Iknafhjb.exe43⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Ijaaae32.exeC:\Windows\system32\Ijaaae32.exe44⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Ibhicbao.exeC:\Windows\system32\Ibhicbao.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Iegeonpc.exeC:\Windows\system32\Iegeonpc.exe46⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Ijcngenj.exeC:\Windows\system32\Ijcngenj.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Inojhc32.exeC:\Windows\system32\Inojhc32.exe48⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Ieibdnnp.exeC:\Windows\system32\Ieibdnnp.exe49⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Jggoqimd.exeC:\Windows\system32\Jggoqimd.exe50⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Jmdgipkk.exeC:\Windows\system32\Jmdgipkk.exe51⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Jcnoejch.exeC:\Windows\system32\Jcnoejch.exe52⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Jfmkbebl.exeC:\Windows\system32\Jfmkbebl.exe53⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Jikhnaao.exeC:\Windows\system32\Jikhnaao.exe54⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Jabponba.exeC:\Windows\system32\Jabponba.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Jcqlkjae.exeC:\Windows\system32\Jcqlkjae.exe56⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Jimdcqom.exeC:\Windows\system32\Jimdcqom.exe57⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Jpgmpk32.exeC:\Windows\system32\Jpgmpk32.exe58⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Jbfilffm.exeC:\Windows\system32\Jbfilffm.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Jedehaea.exeC:\Windows\system32\Jedehaea.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Jmkmjoec.exeC:\Windows\system32\Jmkmjoec.exe61⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Jpjifjdg.exeC:\Windows\system32\Jpjifjdg.exe62⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Jfcabd32.exeC:\Windows\system32\Jfcabd32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe64⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Jplfkjbd.exeC:\Windows\system32\Jplfkjbd.exe65⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Kbjbge32.exeC:\Windows\system32\Kbjbge32.exe66⤵PID:2176
-
C:\Windows\SysWOW64\Keioca32.exeC:\Windows\system32\Keioca32.exe67⤵PID:1780
-
C:\Windows\SysWOW64\Klcgpkhh.exeC:\Windows\system32\Klcgpkhh.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
C:\Windows\SysWOW64\Koaclfgl.exeC:\Windows\system32\Koaclfgl.exe69⤵PID:1596
-
C:\Windows\SysWOW64\Kbmome32.exeC:\Windows\system32\Kbmome32.exe70⤵PID:2492
-
C:\Windows\SysWOW64\Kdnkdmec.exeC:\Windows\system32\Kdnkdmec.exe71⤵PID:1172
-
C:\Windows\SysWOW64\Klecfkff.exeC:\Windows\system32\Klecfkff.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Kablnadm.exeC:\Windows\system32\Kablnadm.exe73⤵PID:2612
-
C:\Windows\SysWOW64\Kdphjm32.exeC:\Windows\system32\Kdphjm32.exe74⤵PID:2676
-
C:\Windows\SysWOW64\Kfodfh32.exeC:\Windows\system32\Kfodfh32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Kkjpggkn.exeC:\Windows\system32\Kkjpggkn.exe76⤵PID:2184
-
C:\Windows\SysWOW64\Kadica32.exeC:\Windows\system32\Kadica32.exe77⤵PID:2672
-
C:\Windows\SysWOW64\Kdbepm32.exeC:\Windows\system32\Kdbepm32.exe78⤵PID:1012
-
C:\Windows\SysWOW64\Kkmmlgik.exeC:\Windows\system32\Kkmmlgik.exe79⤵PID:2428
-
C:\Windows\SysWOW64\Kipmhc32.exeC:\Windows\system32\Kipmhc32.exe80⤵PID:2276
-
C:\Windows\SysWOW64\Kpieengb.exeC:\Windows\system32\Kpieengb.exe81⤵PID:1612
-
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe82⤵PID:2488
-
C:\Windows\SysWOW64\Libjncnc.exeC:\Windows\system32\Libjncnc.exe83⤵PID:2168
-
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe84⤵PID:2328
-
C:\Windows\SysWOW64\Lgfjggll.exeC:\Windows\system32\Lgfjggll.exe85⤵PID:1000
-
C:\Windows\SysWOW64\Leikbd32.exeC:\Windows\system32\Leikbd32.exe86⤵PID:2284
-
C:\Windows\SysWOW64\Llbconkd.exeC:\Windows\system32\Llbconkd.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe88⤵PID:2940
-
C:\Windows\SysWOW64\Lcmklh32.exeC:\Windows\system32\Lcmklh32.exe89⤵
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Lhiddoph.exeC:\Windows\system32\Lhiddoph.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Loclai32.exeC:\Windows\system32\Loclai32.exe91⤵PID:1064
-
C:\Windows\SysWOW64\Lcohahpn.exeC:\Windows\system32\Lcohahpn.exe92⤵PID:1900
-
C:\Windows\SysWOW64\Laahme32.exeC:\Windows\system32\Laahme32.exe93⤵PID:1624
-
C:\Windows\SysWOW64\Lhlqjone.exeC:\Windows\system32\Lhlqjone.exe94⤵PID:2096
-
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe95⤵PID:948
-
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1376 -
C:\Windows\SysWOW64\Lhnmoo32.exeC:\Windows\system32\Lhnmoo32.exe97⤵PID:2528
-
C:\Windows\SysWOW64\Lnkege32.exeC:\Windows\system32\Lnkege32.exe98⤵PID:1740
-
C:\Windows\SysWOW64\Lnkege32.exeC:\Windows\system32\Lnkege32.exe99⤵PID:3032
-
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe100⤵PID:1036
-
C:\Windows\SysWOW64\Mkofaj32.exeC:\Windows\system32\Mkofaj32.exe101⤵PID:2560
-
C:\Windows\SysWOW64\Mnmbme32.exeC:\Windows\system32\Mnmbme32.exe102⤵PID:1916
-
C:\Windows\SysWOW64\Mploiq32.exeC:\Windows\system32\Mploiq32.exe103⤵
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Mdgkjopd.exeC:\Windows\system32\Mdgkjopd.exe104⤵PID:1564
-
C:\Windows\SysWOW64\Mgegfk32.exeC:\Windows\system32\Mgegfk32.exe105⤵PID:812
-
C:\Windows\SysWOW64\Mkacfiga.exeC:\Windows\system32\Mkacfiga.exe106⤵PID:2012
-
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe107⤵PID:1692
-
C:\Windows\SysWOW64\Mpnkopeh.exeC:\Windows\system32\Mpnkopeh.exe108⤵PID:2248
-
C:\Windows\SysWOW64\Mghckj32.exeC:\Windows\system32\Mghckj32.exe109⤵PID:2504
-
C:\Windows\SysWOW64\Mlelda32.exeC:\Windows\system32\Mlelda32.exe110⤵PID:1544
-
C:\Windows\SysWOW64\Mdldeo32.exeC:\Windows\system32\Mdldeo32.exe111⤵PID:1284
-
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe112⤵PID:2288
-
C:\Windows\SysWOW64\Mfmqmgbm.exeC:\Windows\system32\Mfmqmgbm.exe113⤵PID:2104
-
C:\Windows\SysWOW64\Mndhnd32.exeC:\Windows\system32\Mndhnd32.exe114⤵PID:1492
-
C:\Windows\SysWOW64\Mqbejp32.exeC:\Windows\system32\Mqbejp32.exe115⤵PID:984
-
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe116⤵PID:916
-
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe117⤵PID:2872
-
C:\Windows\SysWOW64\Mhninb32.exeC:\Windows\system32\Mhninb32.exe118⤵PID:2656
-
C:\Windows\SysWOW64\Nqeapo32.exeC:\Windows\system32\Nqeapo32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Nccnlk32.exeC:\Windows\system32\Nccnlk32.exe120⤵
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\Nhpfdaml.exeC:\Windows\system32\Nhpfdaml.exe121⤵PID:1052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-