Analysis
-
max time kernel
96s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 02:02
Behavioral task
behavioral1
Sample
6bbd9d9e6729b322a04b293d8042495c45e074628c21dab8846e75302aff3cd9N.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
6bbd9d9e6729b322a04b293d8042495c45e074628c21dab8846e75302aff3cd9N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
10 signatures
120 seconds
General
-
Target
6bbd9d9e6729b322a04b293d8042495c45e074628c21dab8846e75302aff3cd9N.exe
-
Size
409KB
-
MD5
b9bcfb1b6f1c08b29c13e1ddfa6f1870
-
SHA1
9a4330d561a265fef826af68d9b94af0f0f8fcaa
-
SHA256
6bbd9d9e6729b322a04b293d8042495c45e074628c21dab8846e75302aff3cd9
-
SHA512
ef03a8e1b3535eba4686d2130ca10a165967288c750f84887b7783a8511d3fb9f4ecd5fc9d43f1658a03b761311e9287291fe750df1bd4c883428d7f0a9f7b77
-
SSDEEP
6144:OEGxwKHq8bW5Z0WdRcm4FmowdHoSuNZgZ0Wd/OWdPS2LStOshOWdPS2Lt:ODs4q14wFHoS/F5fC55
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfpeinel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmdfmclk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhlgpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gineepcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kginmnod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghdfhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Galjabam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfhfba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqooen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgpmcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqdagk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfahj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfdnjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elfhdhag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjchnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfeea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnmbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keekahla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppcqdikg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgoefbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiijgaff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knmipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nljefh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoggjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikbej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojpeap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bijnkgpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmbkeoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhflcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfhkfib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfhmeko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbpocfej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbdaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpopcbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejgjbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiffmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodana32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpeinel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijjnglkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oobdha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fipica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giiljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnomni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meedheno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efemlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkmihehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdapilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpbhpph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkknpqnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iallnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkknpqnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Libmmpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pclmjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlabpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emlbhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikoqaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijdnbfka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbmloneh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpqgakql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdammiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeclmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efipla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nliokn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjpgok32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1236 Gkkldi32.exe 2072 Gaedqc32.exe 1376 Geapabpo.exe 1612 Ghommmob.exe 3236 Gecmganl.exe 1676 Ghbicmmp.exe 5112 Gkpeohlc.exe 3336 Golapg32.exe 1656 Gajnlb32.exe 3540 Gffjla32.exe 3660 Gdhjhnbd.exe 3364 Ghdfhm32.exe 2104 Gkbbdh32.exe 4448 Gnanqc32.exe 5000 Galjabam.exe 640 Hfhfba32.exe 4624 Hgiciipe.exe 436 Hkeojh32.exe 1476 Hnckfc32.exe 2004 Hboggbok.exe 3492 Hdmccmno.exe 4000 Hhioclgg.exe 1808 Hglpoi32.exe 220 Hfmpmpea.exe 1856 Hdpphm32.exe 3108 Hgnldh32.exe 4128 Hkihegdi.exe 5084 Hnhdabcl.exe 3112 Hbcqba32.exe 2712 Hdbmnm32.exe 3916 Hgpijhim.exe 1692 Hklekg32.exe 1652 Hnjagb32.exe 1452 Hfaihp32.exe 1892 Hddiclhf.exe 4856 Hgbfphgj.exe 3700 Hnmnlb32.exe 1464 Ifdfno32.exe 3264 Ihbbjk32.exe 2460 Ikqnffnq.exe 3480 Ioljfe32.exe 1956 Ibjgbp32.exe 4340 Idicol32.exe 1484 Iggokg32.exe 2056 Ikckkfln.exe 3736 Ibmchp32.exe 756 Idkpdk32.exe 3556 Igjlpg32.exe 5036 Ioadadbd.exe 4188 Ifklnn32.exe 3424 Idnljkpl.exe 1496 Iglhffop.exe 2188 Iocqgdpb.exe 4028 Ibamcooe.exe 3784 Iepiokni.exe 3624 Ignekfmm.exe 264 Ikjale32.exe 3668 Inhnhp32.exe 3628 Jfpeinel.exe 5020 Jinaeidp.exe 64 Jklnadcc.exe 1844 Jnkjnpbg.exe 4876 Jbffno32.exe 1540 Jedbjj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jbjiohco.exe Jnomni32.exe File created C:\Windows\SysWOW64\Cbknoe32.exe Combci32.exe File opened for modification C:\Windows\SysWOW64\Neniig32.exe Nmfahj32.exe File created C:\Windows\SysWOW64\Inloflmn.dll Ncbfjdcd.exe File created C:\Windows\SysWOW64\Pcampdjk.exe Ppcqdikg.exe File created C:\Windows\SysWOW64\Nicokkbf.exe Negcjm32.exe File opened for modification C:\Windows\SysWOW64\Nopgcbpn.exe Nkdlbc32.exe File created C:\Windows\SysWOW64\Ffldfabj.dll Albmdb32.exe File created C:\Windows\SysWOW64\Cdeqam32.dll Jkndmnne.exe File created C:\Windows\SysWOW64\Mhodocpo.dll Bkcjam32.exe File created C:\Windows\SysWOW64\Gkjnom32.exe Gdpfbbad.exe File opened for modification C:\Windows\SysWOW64\Jcdhkk32.exe Jpeloo32.exe File opened for modification C:\Windows\SysWOW64\Ibamcooe.exe Iocqgdpb.exe File opened for modification C:\Windows\SysWOW64\Ppqdni32.exe Pfkpap32.exe File created C:\Windows\SysWOW64\Qjnbbnoe.exe Pgoefbpa.exe File created C:\Windows\SysWOW64\Ainnoi32.exe Aofjfcco.exe File created C:\Windows\SysWOW64\Kgpmcg32.exe Kdaagl32.exe File opened for modification C:\Windows\SysWOW64\Dflkei32.exe Dgijjlla.exe File opened for modification C:\Windows\SysWOW64\Jqfcje32.exe Jnhfnj32.exe File opened for modification C:\Windows\SysWOW64\Keddgahe.exe Kbfhkfib.exe File created C:\Windows\SysWOW64\Dhflambk.dll Llkcjpiq.exe File created C:\Windows\SysWOW64\Jehnlg32.dll Nllkaa32.exe File opened for modification C:\Windows\SysWOW64\Hhjeoeai.exe Hpcmmhpg.exe File opened for modification C:\Windows\SysWOW64\Cfdnjd32.exe Ccfanh32.exe File created C:\Windows\SysWOW64\Hjmaembm.dll Ldfjbkbg.exe File created C:\Windows\SysWOW64\Knpabh32.dll Gnanqc32.exe File opened for modification C:\Windows\SysWOW64\Lbkhpl32.exe Lpmldp32.exe File created C:\Windows\SysWOW64\Elmcml32.dll Dfcqfhld.exe File created C:\Windows\SysWOW64\Nlafop32.dll Faddoo32.exe File opened for modification C:\Windows\SysWOW64\Hglpoi32.exe Hhioclgg.exe File created C:\Windows\SysWOW64\Dmelhmfm.exe Djgplagi.exe File created C:\Windows\SysWOW64\Jkkpmh32.exe Jcdhkk32.exe File opened for modification C:\Windows\SysWOW64\Mgbcod32.exe Medfci32.exe File created C:\Windows\SysWOW64\Ffhfed32.dll Kndmdojl.exe File created C:\Windows\SysWOW64\Olnbmk32.exe Ojpeap32.exe File created C:\Windows\SysWOW64\Jgnnapja.exe Idobedjm.exe File created C:\Windows\SysWOW64\Icmbklaa.exe Ipnfopbn.exe File created C:\Windows\SysWOW64\Kgigbhlh.exe Kqooen32.exe File created C:\Windows\SysWOW64\Nafdjp32.dll Jbeodh32.exe File opened for modification C:\Windows\SysWOW64\Jnomni32.exe Jgedao32.exe File opened for modification C:\Windows\SysWOW64\Alggpaqp.exe Afmocg32.exe File opened for modification C:\Windows\SysWOW64\Fjchnn32.exe Fblpmp32.exe File created C:\Windows\SysWOW64\Phpkkm32.dll Mldfpoaf.exe File created C:\Windows\SysWOW64\Dflkei32.exe Dgijjlla.exe File created C:\Windows\SysWOW64\Kgqdmmil.exe Kqflqc32.exe File created C:\Windows\SysWOW64\Khcceedj.dll Kdodal32.exe File created C:\Windows\SysWOW64\Pdjmih32.dll Fmadji32.exe File created C:\Windows\SysWOW64\Imlhpj32.dll Gfaodnne.exe File created C:\Windows\SysWOW64\Mgepedch.exe Mefcihdd.exe File opened for modification C:\Windows\SysWOW64\Hfmpmpea.exe Hglpoi32.exe File opened for modification C:\Windows\SysWOW64\Ppcqdikg.exe Phlibkje.exe File opened for modification C:\Windows\SysWOW64\Idobedjm.exe Ibafiikj.exe File created C:\Windows\SysWOW64\Pifnnane.dll Dmcobm32.exe File opened for modification C:\Windows\SysWOW64\Bfahnfem.exe Bcclbk32.exe File created C:\Windows\SysWOW64\Emgkkb32.dll Ijdnbfka.exe File created C:\Windows\SysWOW64\Kndmdojl.exe Jleahcki.exe File created C:\Windows\SysWOW64\Loioflhd.exe Llkcjpiq.exe File opened for modification C:\Windows\SysWOW64\Ogcfjd32.exe Oolnig32.exe File created C:\Windows\SysWOW64\Combci32.exe Ckafbk32.exe File opened for modification C:\Windows\SysWOW64\Gkmbob32.exe Gdcjbhcm.exe File opened for modification C:\Windows\SysWOW64\Ljffjh32.exe Lggjnl32.exe File created C:\Windows\SysWOW64\Hgillkbb.dll Lndopf32.exe File created C:\Windows\SysWOW64\Pehlajkk.exe Pkbhcale.exe File created C:\Windows\SysWOW64\Gnnkqngk.exe Gkpodbhg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13548 13404 WerFault.exe 735 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpkhenmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giokpimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khchmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qllnnini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbmnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimlnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iallnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eliejgoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgjlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nicokkbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfedeoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpmldp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicqaehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doooii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllmdpbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfjmhnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfphgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inlgbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhpgqboa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhopok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmdapilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgiipc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqhcfeho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbjiohco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcclbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdfhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjeedmmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipliiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopgcbpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlibkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biqkdhhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqmpcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpdjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkdbeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mekmdhpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phdbblpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfeea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnaidi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kginmnod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aldjja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoeclmpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdfno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faddoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfdnjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggclim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbfjdcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddiclhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgfkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkpodbhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keekahla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Medfci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnaklil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iglhffop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpafopeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nliokn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opedbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipica32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbahfdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necjomnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfnpqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkpmh32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3948 Jbkpingk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqeaep32.dll" Jhpgqboa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkhjpkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbghljok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjcgcdnb.dll" Mlomep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nolebiho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dppeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeadaim.dll" Knhpdhck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhbhid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jidalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjifck32.dll" Kjopiihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehldn32.dll" Knmipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjedhdbh.dll" Mbmgbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnjagb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajfnnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhffqnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnfjppg.dll" Cicqaehg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eimlnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbgjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhkcg32.dll" Njmognja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khfdcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqmpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abdohhog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcqmef32.dll" Jnlpiimi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhafkimf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhbhid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efbjlbih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimlmk32.dll" Gmhjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnlbeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghpqbfb.dll" Lfiafj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loioflhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baaken32.dll" Hgnldh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnaklil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fepcfp32.dll" Dpbbioko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqooen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjinmha.dll" Bhenea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nonbhifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cicophca.dll" Ahddnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgkdhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiobik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jghhaeeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfnaklil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikdnfiag.dll" Hpfjchnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndejmm32.dll" Kilngg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiffmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noqhge32.dll" Fplnfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhpnejj.dll" Gineepcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpcmmhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgmccnp.dll" Nhafkimf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idloeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqhalm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flbhpfgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 6bbd9d9e6729b322a04b293d8042495c45e074628c21dab8846e75302aff3cd9N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhnhkce.dll" Aoeclmpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkefgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecigkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eliejgoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfajad32.dll" Fiobik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpechaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooeobqa.dll" Mbqkbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkabooc.dll" Nbedmhbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bompgbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fangen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonbak32.dll" Noiabc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 404 wrote to memory of 1236 404 6bbd9d9e6729b322a04b293d8042495c45e074628c21dab8846e75302aff3cd9N.exe 82 PID 404 wrote to memory of 1236 404 6bbd9d9e6729b322a04b293d8042495c45e074628c21dab8846e75302aff3cd9N.exe 82 PID 404 wrote to memory of 1236 404 6bbd9d9e6729b322a04b293d8042495c45e074628c21dab8846e75302aff3cd9N.exe 82 PID 1236 wrote to memory of 2072 1236 Gkkldi32.exe 83 PID 1236 wrote to memory of 2072 1236 Gkkldi32.exe 83 PID 1236 wrote to memory of 2072 1236 Gkkldi32.exe 83 PID 2072 wrote to memory of 1376 2072 Gaedqc32.exe 84 PID 2072 wrote to memory of 1376 2072 Gaedqc32.exe 84 PID 2072 wrote to memory of 1376 2072 Gaedqc32.exe 84 PID 1376 wrote to memory of 1612 1376 Geapabpo.exe 85 PID 1376 wrote to memory of 1612 1376 Geapabpo.exe 85 PID 1376 wrote to memory of 1612 1376 Geapabpo.exe 85 PID 1612 wrote to memory of 3236 1612 Ghommmob.exe 86 PID 1612 wrote to memory of 3236 1612 Ghommmob.exe 86 PID 1612 wrote to memory of 3236 1612 Ghommmob.exe 86 PID 3236 wrote to memory of 1676 3236 Gecmganl.exe 87 PID 3236 wrote to memory of 1676 3236 Gecmganl.exe 87 PID 3236 wrote to memory of 1676 3236 Gecmganl.exe 87 PID 1676 wrote to memory of 5112 1676 Ghbicmmp.exe 88 PID 1676 wrote to memory of 5112 1676 Ghbicmmp.exe 88 PID 1676 wrote to memory of 5112 1676 Ghbicmmp.exe 88 PID 5112 wrote to memory of 3336 5112 Gkpeohlc.exe 89 PID 5112 wrote to memory of 3336 5112 Gkpeohlc.exe 89 PID 5112 wrote to memory of 3336 5112 Gkpeohlc.exe 89 PID 3336 wrote to memory of 1656 3336 Golapg32.exe 90 PID 3336 wrote to memory of 1656 3336 Golapg32.exe 90 PID 3336 wrote to memory of 1656 3336 Golapg32.exe 90 PID 1656 wrote to memory of 3540 1656 Gajnlb32.exe 91 PID 1656 wrote to memory of 3540 1656 Gajnlb32.exe 91 PID 1656 wrote to memory of 3540 1656 Gajnlb32.exe 91 PID 3540 wrote to memory of 3660 3540 Gffjla32.exe 92 PID 3540 wrote to memory of 3660 3540 Gffjla32.exe 92 PID 3540 wrote to memory of 3660 3540 Gffjla32.exe 92 PID 3660 wrote to memory of 3364 3660 Gdhjhnbd.exe 93 PID 3660 wrote to memory of 3364 3660 Gdhjhnbd.exe 93 PID 3660 wrote to memory of 3364 3660 Gdhjhnbd.exe 93 PID 3364 wrote to memory of 2104 3364 Ghdfhm32.exe 94 PID 3364 wrote to memory of 2104 3364 Ghdfhm32.exe 94 PID 3364 wrote to memory of 2104 3364 Ghdfhm32.exe 94 PID 2104 wrote to memory of 4448 2104 Gkbbdh32.exe 95 PID 2104 wrote to memory of 4448 2104 Gkbbdh32.exe 95 PID 2104 wrote to memory of 4448 2104 Gkbbdh32.exe 95 PID 4448 wrote to memory of 5000 4448 Gnanqc32.exe 96 PID 4448 wrote to memory of 5000 4448 Gnanqc32.exe 96 PID 4448 wrote to memory of 5000 4448 Gnanqc32.exe 96 PID 5000 wrote to memory of 640 5000 Galjabam.exe 97 PID 5000 wrote to memory of 640 5000 Galjabam.exe 97 PID 5000 wrote to memory of 640 5000 Galjabam.exe 97 PID 640 wrote to memory of 4624 640 Hfhfba32.exe 98 PID 640 wrote to memory of 4624 640 Hfhfba32.exe 98 PID 640 wrote to memory of 4624 640 Hfhfba32.exe 98 PID 4624 wrote to memory of 436 4624 Hgiciipe.exe 99 PID 4624 wrote to memory of 436 4624 Hgiciipe.exe 99 PID 4624 wrote to memory of 436 4624 Hgiciipe.exe 99 PID 436 wrote to memory of 1476 436 Hkeojh32.exe 100 PID 436 wrote to memory of 1476 436 Hkeojh32.exe 100 PID 436 wrote to memory of 1476 436 Hkeojh32.exe 100 PID 1476 wrote to memory of 2004 1476 Hnckfc32.exe 101 PID 1476 wrote to memory of 2004 1476 Hnckfc32.exe 101 PID 1476 wrote to memory of 2004 1476 Hnckfc32.exe 101 PID 2004 wrote to memory of 3492 2004 Hboggbok.exe 102 PID 2004 wrote to memory of 3492 2004 Hboggbok.exe 102 PID 2004 wrote to memory of 3492 2004 Hboggbok.exe 102 PID 3492 wrote to memory of 4000 3492 Hdmccmno.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bbd9d9e6729b322a04b293d8042495c45e074628c21dab8846e75302aff3cd9N.exe"C:\Users\Admin\AppData\Local\Temp\6bbd9d9e6729b322a04b293d8042495c45e074628c21dab8846e75302aff3cd9N.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Gkkldi32.exeC:\Windows\system32\Gkkldi32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Gaedqc32.exeC:\Windows\system32\Gaedqc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Geapabpo.exeC:\Windows\system32\Geapabpo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Ghommmob.exeC:\Windows\system32\Ghommmob.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Gecmganl.exeC:\Windows\system32\Gecmganl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Ghbicmmp.exeC:\Windows\system32\Ghbicmmp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Gkpeohlc.exeC:\Windows\system32\Gkpeohlc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Golapg32.exeC:\Windows\system32\Golapg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\Gajnlb32.exeC:\Windows\system32\Gajnlb32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Gffjla32.exeC:\Windows\system32\Gffjla32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Gdhjhnbd.exeC:\Windows\system32\Gdhjhnbd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\Ghdfhm32.exeC:\Windows\system32\Ghdfhm32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Gkbbdh32.exeC:\Windows\system32\Gkbbdh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Gnanqc32.exeC:\Windows\system32\Gnanqc32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Galjabam.exeC:\Windows\system32\Galjabam.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Hfhfba32.exeC:\Windows\system32\Hfhfba32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Hgiciipe.exeC:\Windows\system32\Hgiciipe.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Hkeojh32.exeC:\Windows\system32\Hkeojh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Hnckfc32.exeC:\Windows\system32\Hnckfc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Hboggbok.exeC:\Windows\system32\Hboggbok.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Hdmccmno.exeC:\Windows\system32\Hdmccmno.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Hhioclgg.exeC:\Windows\system32\Hhioclgg.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4000 -
C:\Windows\SysWOW64\Hglpoi32.exeC:\Windows\system32\Hglpoi32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Hfmpmpea.exeC:\Windows\system32\Hfmpmpea.exe25⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Hdpphm32.exeC:\Windows\system32\Hdpphm32.exe26⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Hgnldh32.exeC:\Windows\system32\Hgnldh32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Hkihegdi.exeC:\Windows\system32\Hkihegdi.exe28⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Hnhdabcl.exeC:\Windows\system32\Hnhdabcl.exe29⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Hbcqba32.exeC:\Windows\system32\Hbcqba32.exe30⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Hdbmnm32.exeC:\Windows\system32\Hdbmnm32.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Hgpijhim.exeC:\Windows\system32\Hgpijhim.exe32⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Hklekg32.exeC:\Windows\system32\Hklekg32.exe33⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Hnjagb32.exeC:\Windows\system32\Hnjagb32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Hfaihp32.exeC:\Windows\system32\Hfaihp32.exe35⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Hddiclhf.exeC:\Windows\system32\Hddiclhf.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\Hgbfphgj.exeC:\Windows\system32\Hgbfphgj.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4856 -
C:\Windows\SysWOW64\Hnmnlb32.exeC:\Windows\system32\Hnmnlb32.exe38⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Ifdfno32.exeC:\Windows\system32\Ifdfno32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\Ihbbjk32.exeC:\Windows\system32\Ihbbjk32.exe40⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Ikqnffnq.exeC:\Windows\system32\Ikqnffnq.exe41⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ioljfe32.exeC:\Windows\system32\Ioljfe32.exe42⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Ibjgbp32.exeC:\Windows\system32\Ibjgbp32.exe43⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Idicol32.exeC:\Windows\system32\Idicol32.exe44⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Iggokg32.exeC:\Windows\system32\Iggokg32.exe45⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Ikckkfln.exeC:\Windows\system32\Ikckkfln.exe46⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ibmchp32.exeC:\Windows\system32\Ibmchp32.exe47⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Idkpdk32.exeC:\Windows\system32\Idkpdk32.exe48⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Igjlpg32.exeC:\Windows\system32\Igjlpg32.exe49⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Ioadadbd.exeC:\Windows\system32\Ioadadbd.exe50⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Ifklnn32.exeC:\Windows\system32\Ifklnn32.exe51⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Idnljkpl.exeC:\Windows\system32\Idnljkpl.exe52⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Iglhffop.exeC:\Windows\system32\Iglhffop.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Iocqgdpb.exeC:\Windows\system32\Iocqgdpb.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Ibamcooe.exeC:\Windows\system32\Ibamcooe.exe55⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Iepiokni.exeC:\Windows\system32\Iepiokni.exe56⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Ignekfmm.exeC:\Windows\system32\Ignekfmm.exe57⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Ikjale32.exeC:\Windows\system32\Ikjale32.exe58⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Inhnhp32.exeC:\Windows\system32\Inhnhp32.exe59⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Jfpeinel.exeC:\Windows\system32\Jfpeinel.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Jinaeidp.exeC:\Windows\system32\Jinaeidp.exe61⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Jklnadcc.exeC:\Windows\system32\Jklnadcc.exe62⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Jnkjnpbg.exeC:\Windows\system32\Jnkjnpbg.exe63⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Jbffno32.exeC:\Windows\system32\Jbffno32.exe64⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Jedbjj32.exeC:\Windows\system32\Jedbjj32.exe65⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Jipnkibm.exeC:\Windows\system32\Jipnkibm.exe66⤵PID:3380
-
C:\Windows\SysWOW64\Jkokgdaq.exeC:\Windows\system32\Jkokgdaq.exe67⤵PID:3820
-
C:\Windows\SysWOW64\Jnmgcpqd.exeC:\Windows\system32\Jnmgcpqd.exe68⤵PID:4808
-
C:\Windows\SysWOW64\Jfdodm32.exeC:\Windows\system32\Jfdodm32.exe69⤵PID:1840
-
C:\Windows\SysWOW64\Jgeklege.exeC:\Windows\system32\Jgeklege.exe70⤵PID:4360
-
C:\Windows\SysWOW64\Jpmcmbhg.exeC:\Windows\system32\Jpmcmbhg.exe71⤵PID:1324
-
C:\Windows\SysWOW64\Jbkpingk.exeC:\Windows\system32\Jbkpingk.exe72⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3948 -
C:\Windows\SysWOW64\Jeileifo.exeC:\Windows\system32\Jeileifo.exe73⤵PID:4512
-
C:\Windows\SysWOW64\Jghhaeeb.exeC:\Windows\system32\Jghhaeeb.exe74⤵
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Jpopcbfd.exeC:\Windows\system32\Jpopcbfd.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3104 -
C:\Windows\SysWOW64\Jbmloneh.exeC:\Windows\system32\Jbmloneh.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3416 -
C:\Windows\SysWOW64\Jfihplma.exeC:\Windows\system32\Jfihplma.exe77⤵PID:2412
-
C:\Windows\SysWOW64\Jigdlhle.exeC:\Windows\system32\Jigdlhle.exe78⤵PID:1800
-
C:\Windows\SysWOW64\Jleahcki.exeC:\Windows\system32\Jleahcki.exe79⤵
- Drops file in System32 directory
PID:3976 -
C:\Windows\SysWOW64\Kndmdojl.exeC:\Windows\system32\Kndmdojl.exe80⤵
- Drops file in System32 directory
PID:5060 -
C:\Windows\SysWOW64\Kfkeelko.exeC:\Windows\system32\Kfkeelko.exe81⤵PID:4432
-
C:\Windows\SysWOW64\Kijaagjb.exeC:\Windows\system32\Kijaagjb.exe82⤵PID:5072
-
C:\Windows\SysWOW64\Klhnmcif.exeC:\Windows\system32\Klhnmcif.exe83⤵PID:1132
-
C:\Windows\SysWOW64\Knfjinhj.exeC:\Windows\system32\Knfjinhj.exe84⤵PID:4164
-
C:\Windows\SysWOW64\Kfnaklil.exeC:\Windows\system32\Kfnaklil.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Kilngg32.exeC:\Windows\system32\Kilngg32.exe86⤵
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Kfpnpk32.exeC:\Windows\system32\Kfpnpk32.exe87⤵PID:2736
-
C:\Windows\SysWOW64\Knkcdn32.exeC:\Windows\system32\Knkcdn32.exe88⤵PID:2680
-
C:\Windows\SysWOW64\Keekahla.exeC:\Windows\system32\Keekahla.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Khchmc32.exeC:\Windows\system32\Khchmc32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Kpkpoq32.exeC:\Windows\system32\Kpkpoq32.exe91⤵PID:4480
-
C:\Windows\SysWOW64\Kfdhkkcd.exeC:\Windows\system32\Kfdhkkcd.exe92⤵PID:4844
-
C:\Windows\SysWOW64\Khfdcc32.exeC:\Windows\system32\Khfdcc32.exe93⤵
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\Lpmldp32.exeC:\Windows\system32\Lpmldp32.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4576 -
C:\Windows\SysWOW64\Lbkhpl32.exeC:\Windows\system32\Lbkhpl32.exe95⤵PID:3992
-
C:\Windows\SysWOW64\Lpoijpgb.exeC:\Windows\system32\Lpoijpgb.exe96⤵PID:4180
-
C:\Windows\SysWOW64\Lnbiem32.exeC:\Windows\system32\Lnbiem32.exe97⤵PID:2908
-
C:\Windows\SysWOW64\Lfiafj32.exeC:\Windows\system32\Lfiafj32.exe98⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Lpafopeo.exeC:\Windows\system32\Lpafopeo.exe99⤵
- System Location Discovery: System Language Discovery
PID:3120 -
C:\Windows\SysWOW64\Lhmjcbcj.exeC:\Windows\system32\Lhmjcbcj.exe100⤵PID:4296
-
C:\Windows\SysWOW64\Llhfdq32.exeC:\Windows\system32\Llhfdq32.exe101⤵PID:3512
-
C:\Windows\SysWOW64\Lbboak32.exeC:\Windows\system32\Lbboak32.exe102⤵PID:60
-
C:\Windows\SysWOW64\Llkcjpiq.exeC:\Windows\system32\Llkcjpiq.exe103⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Loioflhd.exeC:\Windows\system32\Loioflhd.exe104⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Mpilpo32.exeC:\Windows\system32\Mpilpo32.exe105⤵PID:3832
-
C:\Windows\SysWOW64\Moklkkfa.exeC:\Windows\system32\Moklkkfa.exe106⤵PID:688
-
C:\Windows\SysWOW64\Mbghljok.exeC:\Windows\system32\Mbghljok.exe107⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Meedheno.exeC:\Windows\system32\Meedheno.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3580 -
C:\Windows\SysWOW64\Mlomep32.exeC:\Windows\system32\Mlomep32.exe109⤵
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Mpkhenmd.exeC:\Windows\system32\Mpkhenmd.exe110⤵
- System Location Discovery: System Language Discovery
PID:184 -
C:\Windows\SysWOW64\Mbieajlh.exeC:\Windows\system32\Mbieajlh.exe111⤵PID:2496
-
C:\Windows\SysWOW64\Mfeabh32.exeC:\Windows\system32\Mfeabh32.exe112⤵PID:3532
-
C:\Windows\SysWOW64\Mehanell.exeC:\Windows\system32\Mehanell.exe113⤵PID:2312
-
C:\Windows\SysWOW64\Mhfmjqkp.exeC:\Windows\system32\Mhfmjqkp.exe114⤵PID:1184
-
C:\Windows\SysWOW64\Mopefk32.exeC:\Windows\system32\Mopefk32.exe115⤵PID:2368
-
C:\Windows\SysWOW64\Mfgnhhbo.exeC:\Windows\system32\Mfgnhhbo.exe116⤵PID:1264
-
C:\Windows\SysWOW64\Mifjdcbb.exeC:\Windows\system32\Mifjdcbb.exe117⤵PID:2992
-
C:\Windows\SysWOW64\Mldfpoaf.exeC:\Windows\system32\Mldfpoaf.exe118⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Mppbqn32.exeC:\Windows\system32\Mppbqn32.exe119⤵PID:216
-
C:\Windows\SysWOW64\Mfjjmhql.exeC:\Windows\system32\Mfjjmhql.exe120⤵PID:1716
-
C:\Windows\SysWOW64\Mihficpp.exeC:\Windows\system32\Mihficpp.exe121⤵PID:3388
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-