Analysis
max time kernel: 121s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2024 20:07
Static task: static1
Behavioral task: behavioral1
  Sample: 243ccd77aefb48d0dcd770fd668ebb8bb6298bdd2c52000abec59d052fb67411.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 243ccd77aefb48d0dcd770fd668ebb8bb6298bdd2c52000abec59d052fb67411.exe
  Resource: win10v2004-20241007-en
General
Target: 243ccd77aefb48d0dcd770fd668ebb8bb6298bdd2c52000abec59d052fb67411.exe
Size: 74KB
MD5: 1b71b23ec6e85676dd55508d7e176860
SHA1: e0c6b980e7b35e4e4442278bfd0ae319816632c3
SHA256: 243ccd77aefb48d0dcd770fd668ebb8bb6298bdd2c52000abec59d052fb67411
SHA512: c55da44130ac6e4ee91775c4d8a229cca45e14fc1d2d189a7f922abd94eaea87843da77d5ebe077819a77ba7890b228d5bacfca549840ee2ddb17b8b16ca2e2a
SSDEEP: 1536:t54xZWaDOrZeHFdPXzI1u1uwn0YBYKVsFZ6zT:tqWm7fvzI1u1OYBYKVsb6zT
Malware Config
Extracted
Family: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkkmln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiccle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eamgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eklgjbca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfcoll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nalnmahf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omgckcmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmecdgbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key 
created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldgikklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcgldc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oefmid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceeibbgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgbemjqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbjmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Benbbcmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdplmflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjbpoeoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbcdjpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifloeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihcakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pedokpcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FAA099-1BAE-816E-D711-115290CEE717}" Mebpchmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjnllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hikobfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igojmjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idligq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phphgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkaai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Galhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjnhpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paqdgcfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 
Oinbglkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pljnmkoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoqeekme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khhpmbeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejnnbpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdjnje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmohbln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmbmbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnfkheap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmafmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peooek32.exe
Berbew family
Executes dropped EXE 64 IoCs
pid   Process
2484  Mpipkl32.exe
2944  Mmmpdp32.exe
2848  Mffdmfjd.exe
2868  Mpqekkob.exe
2764  Nlgfqldf.exe
1788  Nepkia32.exe
2268  Nafknbqk.exe
2092  Nplhooec.exe
1532  Nidmhd32.exe
2832  Ofjjghik.exe
288   Ofmgmhgh.exe
2036  Oebdndlp.exe
2292  Okolfkjg.exe
1644  Oefmid32.exe
1096  Pppnia32.exe
2156  Ppbkoabf.exe
1304  Pnfkheap.exe
1300  Pimlmf32.exe
1516  Pceqfl32.exe
1828  Phbinc32.exe
2420  Polakmbi.exe
1864  Qhgbibgg.exe
2200  Aoakfl32.exe
752   Agloko32.exe
2644  Aqgqid32.exe
3056  Achikonn.exe
3000  Anmnhhmd.exe
2864  Acjfpokk.exe
1600  Bjfkbhae.exe
2728  Bfmlgi32.exe
2852  Bklaepbn.exe
884   Bbfibj32.exe
2452  Bgcbja32.exe
2144  Cghkepdm.exe
1936  Cmgpcg32.exe
2984  Cjkamk32.exe
1128  Cbfeam32.exe
1044  Dlnjjc32.exe
2172  Dfdngl32.exe
2100  Dbkolmia.exe
2336  Dkkmln32.exe
756   Ehonebqq.exe
1836  Edenjc32.exe
1352  Eibgbj32.exe
1812  Edhkpcdb.exe
1920  Eoalpaaa.exe
836   Ehjqif32.exe
2668  Eabeal32.exe
2348  Ekjikadb.exe
2664  Fkmfpabp.exe
2740  Fdekigip.exe
2132  Fokofpif.exe
2988  Fgfckbfa.exe
2804  Fakhhk32.exe
2096  Fkdlaplh.exe
2120  Fdlqjf32.exe
1248  Gmgenh32.exe
952   Ggmjkapi.exe
1244  Gqendf32.exe
940   Ghqchi32.exe
2256  Gfdcbmbn.exe
1284  Gkaljdaf.exe
696   Gdjpcj32.exe
2340  Gghloe32.exe
Loads dropped DLL 64 IoCs
pid   Process
2164  243ccd77aefb48d0dcd770fd668ebb8bb6298bdd2c52000abec59d052fb67411.exe
2164  243ccd77aefb48d0dcd770fd668ebb8bb6298bdd2c52000abec59d052fb67411.exe
2484  Mpipkl32.exe
2484  Mpipkl32.exe
2944  Mmmpdp32.exe
2944  Mmmpdp32.exe
2848  Mffdmfjd.exe
2848  Mffdmfjd.exe
2868  Mpqekkob.exe
2868  Mpqekkob.exe
2764  Nlgfqldf.exe
2764  Nlgfqldf.exe
1788  Nepkia32.exe
1788  Nepkia32.exe
2268  Nafknbqk.exe
2268  Nafknbqk.exe
2092  Nplhooec.exe
2092  Nplhooec.exe
1532  Nidmhd32.exe
1532  Nidmhd32.exe
2832  Ofjjghik.exe
2832  Ofjjghik.exe
288   Ofmgmhgh.exe
288   Ofmgmhgh.exe
2036  Oebdndlp.exe
2036  Oebdndlp.exe
2292  Okolfkjg.exe
2292  Okolfkjg.exe
1644  Oefmid32.exe
1644  Oefmid32.exe
1096  Pppnia32.exe
1096  Pppnia32.exe
2156  Ppbkoabf.exe
2156  Ppbkoabf.exe
1304  Pnfkheap.exe
1304  Pnfkheap.exe
1300  Pimlmf32.exe
1300  Pimlmf32.exe
1516  Pceqfl32.exe
1516  Pceqfl32.exe
1828  Phbinc32.exe
1828  Phbinc32.exe
2420  Polakmbi.exe
2420  Polakmbi.exe
1864  Qhgbibgg.exe
1864  Qhgbibgg.exe
2200  Aoakfl32.exe
2200  Aoakfl32.exe
752   Agloko32.exe
752   Agloko32.exe
2644  Aqgqid32.exe
2644  Aqgqid32.exe
3056  Achikonn.exe
3056  Achikonn.exe
3000  Anmnhhmd.exe
3000  Anmnhhmd.exe
2864  Acjfpokk.exe
2864  Acjfpokk.exe
1600  Bjfkbhae.exe
1600  Bjfkbhae.exe
2728  Bfmlgi32.exe
2728  Bfmlgi32.exe
2852  Bklaepbn.exe
2852  Bklaepbn.exe
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ofmgmhgh.exe Ofjjghik.exe File created C:\Windows\SysWOW64\Dcpkli32.dll Aokfpjai.exe File created C:\Windows\SysWOW64\Liqnhl32.dll Bikemiik.exe File created C:\Windows\SysWOW64\Neomleaq.dll Omdbfo32.exe File opened for modification C:\Windows\SysWOW64\Qlkcjadb.exe Process not Found File created C:\Windows\SysWOW64\Gocnjn32.exe Fdmjmenh.exe File created C:\Windows\SysWOW64\Bghlof32.dll Mchjjc32.exe File created C:\Windows\SysWOW64\Fcfmdigd.dll Ndfppije.exe File created C:\Windows\SysWOW64\Epkjjimj.dll Nplhooec.exe File created C:\Windows\SysWOW64\Ojjalodg.dll Pppnia32.exe File opened for modification C:\Windows\SysWOW64\Gfdcbmbn.exe Ghqchi32.exe File opened for modification C:\Windows\SysWOW64\Dbneekan.exe Damhmc32.exe File created C:\Windows\SysWOW64\Ohkpdj32.exe Ojgokflc.exe File created C:\Windows\SysWOW64\Pdopmade.dll Jbandfkj.exe File opened for modification C:\Windows\SysWOW64\Noffadai.exe Nenaho32.exe File created C:\Windows\SysWOW64\Cefbfa32.exe Cbhejf32.exe File created C:\Windows\SysWOW64\Amfngnga.dll Process not Found File created C:\Windows\SysWOW64\Jgeppe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ehgoaiml.exe Eamgeo32.exe File created C:\Windows\SysWOW64\Ajqoqm32.exe Aipbidbj.exe File created C:\Windows\SysWOW64\Oejbgc32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Klipfpeh.exe Process not Found File created C:\Windows\SysWOW64\Jojpkd32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mdigakic.exe Mchjjc32.exe File opened for modification C:\Windows\SysWOW64\Agonig32.exe Agmacgcc.exe File opened for modification C:\Windows\SysWOW64\Abaaakob.exe Algida32.exe File created C:\Windows\SysWOW64\Hacabgig.exe Hfnmdo32.exe File opened for modification C:\Windows\SysWOW64\Jhengldk.exe Process not Found File created C:\Windows\SysWOW64\Ifeenfjm.exe Process not Found File created C:\Windows\SysWOW64\Hqbnnj32.exe Higiih32.exe File 
opened for modification C:\Windows\SysWOW64\Loofjg32.exe Lfgaaa32.exe File created C:\Windows\SysWOW64\Pogaeg32.exe Plheil32.exe File opened for modification C:\Windows\SysWOW64\Kjpafanf.exe Kkmakd32.exe File created C:\Windows\SysWOW64\Nhojjjhj.exe Noffadai.exe File created C:\Windows\SysWOW64\Lchqgahd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Obpflhmi.exe Process not Found File created C:\Windows\SysWOW64\Mkdfdn32.dll Dnfkefad.exe File created C:\Windows\SysWOW64\Jokbkn32.dll Eqhfoj32.exe File opened for modification C:\Windows\SysWOW64\Knicjipf.exe Process not Found File created C:\Windows\SysWOW64\Ddmaak32.exe Process not Found File created C:\Windows\SysWOW64\Nldpeojc.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gkkkgkla.exe Process not Found File created C:\Windows\SysWOW64\Achikonn.exe Aqgqid32.exe File created C:\Windows\SysWOW64\Dhpnlnon.dll Fbhfcf32.exe File opened for modification C:\Windows\SysWOW64\Fjpbeecn.exe Fojnhlch.exe File opened for modification C:\Windows\SysWOW64\Qadhba32.exe Process not Found File created C:\Windows\SysWOW64\Mmafmo32.exe Mdcdcmai.exe File opened for modification C:\Windows\SysWOW64\Ebcqicem.exe Diklpn32.exe File created C:\Windows\SysWOW64\Pflacgaa.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pibkdhbi.exe Process not Found File created C:\Windows\SysWOW64\Ibibcanh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pfhlie32.exe Oakcan32.exe File opened for modification C:\Windows\SysWOW64\Cioohh32.exe Bdbfpafn.exe File opened for modification C:\Windows\SysWOW64\Fknido32.exe Fqhegf32.exe File created C:\Windows\SysWOW64\Mabfaqca.exe Process not Found File created C:\Windows\SysWOW64\Mmmpdp32.exe Mpipkl32.exe File created C:\Windows\SysWOW64\Fagbad32.dll Mogqlgbi.exe File created C:\Windows\SysWOW64\Glncip32.dll Process not Found File created C:\Windows\SysWOW64\Jjdion32.dll Pbdhbnnp.exe File opened for modification 
C:\Windows\SysWOW64\Igfkkh32.exe Process not Found File created C:\Windows\SysWOW64\Hfflfp32.exe Hpmdjf32.exe File opened for modification C:\Windows\SysWOW64\Aogmdk32.exe Aenileon.exe File created C:\Windows\SysWOW64\Heedbbdb.exe Hddgkj32.exe File created C:\Windows\SysWOW64\Kjimafji.exe Process not Found
Program crash 1 IoCs
pid   pid_target  Process            procid_target
892   1816        Process not Found  1552
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqekkob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgcbmha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohkhjcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggofcmih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmkkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kejdqffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nokdnail.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoqjhiie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohjmnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepjmbka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpiombe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgdbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jffddfjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejkampao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpoleilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlajdpoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egdnjlcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmhpfl32.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dippfplg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmklico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngahmngp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efllcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmnhhmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boncej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihcakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmefcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakhhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcbppk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpfiekl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojbii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flbehbqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ommdqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafpjljk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmondpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnnlfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaegha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjqif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjlenm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najbbepc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmbpda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dohnfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafacd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cablfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnlolhoo.exe
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oocqlibj.dll" Hqbnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbjnb32.dll" Iilalc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmdfglhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjdjbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmjhb32.dll" Ooaflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fijadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljegpof.dll" Ccbojk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imndmnob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aogmdk32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Homfboco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfindfp.dll" Ljndga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcikllja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbikoh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnjmmlfg.dll" Boiagp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laamkikl.dll" Ihcidgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adldll32.dll" Degage32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chimmcji.dll" Dlajdpoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnmaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qnagbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnpieceq.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baakem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okecak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcmhmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdicgof.dll" Hllffmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dopdgoif.dll" Ofphdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkafkl32.dll" Kmpfgklo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhobldaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkbplepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnbpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpijaik.dll" Ooaiehhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggmjkapi.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlmiojla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odmgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnoim32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngdfa32.dll" Enlncdio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lghigl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcfbhb32.dll" Blabef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nenaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglodgni.dll" Ckjqog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maebpq32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelpab32.dll" Process not Found Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmbnhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddfjak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jknlfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iolohhpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dobcekld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmbmbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgmbc32.dll" Eoalpaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enjand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehfjbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palkjk32.dll" Bgndnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogefmni.dll" Process not Found Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mimilgnj.dll" Inmdjjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mihdjh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gafcahil.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2164 wrote to memory of 2484 | 2164 | 243ccd77aefb48d0dcd770fd668ebb8bb6298bdd2c52000abec59d052fb67411.exe | 29
PID 2164 wrote to memory of 2484 | 2164 | 243ccd77aefb48d0dcd770fd668ebb8bb6298bdd2c52000abec59d052fb67411.exe | 29
PID 2164 wrote to memory of 2484 | 2164 | 243ccd77aefb48d0dcd770fd668ebb8bb6298bdd2c52000abec59d052fb67411.exe | 29
PID 2164 wrote to memory of 2484 | 2164 | 243ccd77aefb48d0dcd770fd668ebb8bb6298bdd2c52000abec59d052fb67411.exe | 29
PID 2484 wrote to memory of 2944 | 2484 | Mpipkl32.exe | 30
PID 2484 wrote to memory of 2944 | 2484 | Mpipkl32.exe | 30
PID 2484 wrote to memory of 2944 | 2484 | Mpipkl32.exe | 30
PID 2484 wrote to memory of 2944 | 2484 | Mpipkl32.exe | 30
PID 2944 wrote to memory of 2848 | 2944 | Mmmpdp32.exe | 31
PID 2944 wrote to memory of 2848 | 2944 | Mmmpdp32.exe | 31
PID 2944 wrote to memory of 2848 | 2944 | Mmmpdp32.exe | 31
PID 2944 wrote to memory of 2848 | 2944 | Mmmpdp32.exe | 31
PID 2848 wrote to memory of 2868 | 2848 | Mffdmfjd.exe | 32
PID 2848 wrote to memory of 2868 | 2848 | Mffdmfjd.exe | 32
PID 2848 wrote to memory of 2868 | 2848 | Mffdmfjd.exe | 32
PID 2848 wrote to memory of 2868 | 2848 | Mffdmfjd.exe | 32
PID 2868 wrote to memory of 2764 | 2868 | Mpqekkob.exe | 33
PID 2868 wrote to memory of 2764 | 2868 | Mpqekkob.exe | 33
PID 2868 wrote to memory of 2764 | 2868 | Mpqekkob.exe | 33
PID 2868 wrote to memory of 2764 | 2868 | Mpqekkob.exe | 33
PID 2764 wrote to memory of 1788 | 2764 | Nlgfqldf.exe | 34
PID 2764 wrote to memory of 1788 | 2764 | Nlgfqldf.exe | 34
PID 2764 wrote to memory of 1788 | 2764 | Nlgfqldf.exe | 34
PID 2764 wrote to memory of 1788 | 2764 | Nlgfqldf.exe | 34
PID 1788 wrote to memory of 2268 | 1788 | Nepkia32.exe | 35
PID 1788 wrote to memory of 2268 | 1788 | Nepkia32.exe | 35
PID 1788 wrote to memory of 2268 | 1788 | Nepkia32.exe | 35
PID 1788 wrote to memory of 2268 | 1788 | Nepkia32.exe | 35
PID 2268 wrote to memory of 2092 | 2268 | Nafknbqk.exe | 36
PID 2268 wrote to memory of 2092 | 2268 | Nafknbqk.exe | 36
PID 2268 wrote to memory of 2092 | 2268 | Nafknbqk.exe | 36
PID 2268 wrote to memory of 2092 | 2268 | Nafknbqk.exe | 36
PID 2092 wrote to memory of 1532 | 2092 | Nplhooec.exe | 37
PID 2092 wrote to memory of 1532 | 2092 | Nplhooec.exe | 37
PID 2092 wrote to memory of 1532 | 2092 | Nplhooec.exe | 37
PID 2092 wrote to memory of 1532 | 2092 | Nplhooec.exe | 37
PID 1532 wrote to memory of 2832 | 1532 | Nidmhd32.exe | 38
PID 1532 wrote to memory of 2832 | 1532 | Nidmhd32.exe | 38
PID 1532 wrote to memory of 2832 | 1532 | Nidmhd32.exe | 38
PID 1532 wrote to memory of 2832 | 1532 | Nidmhd32.exe | 38
PID 2832 wrote to memory of 288 | 2832 | Ofjjghik.exe | 39
PID 2832 wrote to memory of 288 | 2832 | Ofjjghik.exe | 39
PID 2832 wrote to memory of 288 | 2832 | Ofjjghik.exe | 39
PID 2832 wrote to memory of 288 | 2832 | Ofjjghik.exe | 39
PID 288 wrote to memory of 2036 | 288 | Ofmgmhgh.exe | 40
PID 288 wrote to memory of 2036 | 288 | Ofmgmhgh.exe | 40
PID 288 wrote to memory of 2036 | 288 | Ofmgmhgh.exe | 40
PID 288 wrote to memory of 2036 | 288 | Ofmgmhgh.exe | 40
PID 2036 wrote to memory of 2292 | 2036 | Oebdndlp.exe | 41
PID 2036 wrote to memory of 2292 | 2036 | Oebdndlp.exe | 41
PID 2036 wrote to memory of 2292 | 2036 | Oebdndlp.exe | 41
PID 2036 wrote to memory of 2292 | 2036 | Oebdndlp.exe | 41
PID 2292 wrote to memory of 1644 | 2292 | Okolfkjg.exe | 42
PID 2292 wrote to memory of 1644 | 2292 | Okolfkjg.exe | 42
PID 2292 wrote to memory of 1644 | 2292 | Okolfkjg.exe | 42
PID 2292 wrote to memory of 1644 | 2292 | Okolfkjg.exe | 42
PID 1644 wrote to memory of 1096 | 1644 | Oefmid32.exe | 43
PID 1644 wrote to memory of 1096 | 1644 | Oefmid32.exe | 43
PID 1644 wrote to memory of 1096 | 1644 | Oefmid32.exe | 43
PID 1644 wrote to memory of 1096 | 1644 | Oefmid32.exe | 43
PID 1096 wrote to memory of 2156 | 1096 | Pppnia32.exe | 44
PID 1096 wrote to memory of 2156 | 1096 | Pppnia32.exe | 44
PID 1096 wrote to memory of 2156 | 1096 | Pppnia32.exe | 44
PID 1096 wrote to memory of 2156 | 1096 | Pppnia32.exe | 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\243ccd77aefb48d0dcd770fd668ebb8bb6298bdd2c52000abec59d052fb67411.exe"C:\Users\Admin\AppData\Local\Temp\243ccd77aefb48d0dcd770fd668ebb8bb6298bdd2c52000abec59d052fb67411.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Mpipkl32.exeC:\Windows\system32\Mpipkl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Mmmpdp32.exeC:\Windows\system32\Mmmpdp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Mffdmfjd.exeC:\Windows\system32\Mffdmfjd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Mpqekkob.exeC:\Windows\system32\Mpqekkob.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Nepkia32.exeC:\Windows\system32\Nepkia32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Nafknbqk.exeC:\Windows\system32\Nafknbqk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Nplhooec.exeC:\Windows\system32\Nplhooec.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Nidmhd32.exeC:\Windows\system32\Nidmhd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Ofjjghik.exeC:\Windows\system32\Ofjjghik.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Ofmgmhgh.exeC:\Windows\system32\Ofmgmhgh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:288 -
C:\Windows\SysWOW64\Oebdndlp.exeC:\Windows\system32\Oebdndlp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Oefmid32.exeC:\Windows\system32\Oefmid32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Pppnia32.exeC:\Windows\system32\Pppnia32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Ppbkoabf.exeC:\Windows\system32\Ppbkoabf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Pnfkheap.exeC:\Windows\system32\Pnfkheap.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Pimlmf32.exeC:\Windows\system32\Pimlmf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Phbinc32.exeC:\Windows\system32\Phbinc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828 -
C:\Windows\SysWOW64\Polakmbi.exeC:\Windows\system32\Polakmbi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Qhgbibgg.exeC:\Windows\system32\Qhgbibgg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Aoakfl32.exeC:\Windows\system32\Aoakfl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Agloko32.exeC:\Windows\system32\Agloko32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Achikonn.exeC:\Windows\system32\Achikonn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Anmnhhmd.exeC:\Windows\system32\Anmnhhmd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Acjfpokk.exeC:\Windows\system32\Acjfpokk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Bjfkbhae.exeC:\Windows\system32\Bjfkbhae.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Bfmlgi32.exeC:\Windows\system32\Bfmlgi32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Bklaepbn.exeC:\Windows\system32\Bklaepbn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Bbfibj32.exeC:\Windows\system32\Bbfibj32.exe33⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Bgcbja32.exeC:\Windows\system32\Bgcbja32.exe34⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Cghkepdm.exeC:\Windows\system32\Cghkepdm.exe35⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Cmgpcg32.exeC:\Windows\system32\Cmgpcg32.exe36⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Cjkamk32.exeC:\Windows\system32\Cjkamk32.exe37⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Cbfeam32.exeC:\Windows\system32\Cbfeam32.exe38⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Dlnjjc32.exeC:\Windows\system32\Dlnjjc32.exe39⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Dfdngl32.exeC:\Windows\system32\Dfdngl32.exe40⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Dbkolmia.exeC:\Windows\system32\Dbkolmia.exe41⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Dkkmln32.exeC:\Windows\system32\Dkkmln32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Ehonebqq.exeC:\Windows\system32\Ehonebqq.exe43⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Edenjc32.exeC:\Windows\system32\Edenjc32.exe44⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Eibgbj32.exeC:\Windows\system32\Eibgbj32.exe45⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Edhkpcdb.exeC:\Windows\system32\Edhkpcdb.exe46⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Eoalpaaa.exeC:\Windows\system32\Eoalpaaa.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe49⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Ekjikadb.exeC:\Windows\system32\Ekjikadb.exe50⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Fkmfpabp.exeC:\Windows\system32\Fkmfpabp.exe51⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe52⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Fokofpif.exeC:\Windows\system32\Fokofpif.exe53⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Fgfckbfa.exeC:\Windows\system32\Fgfckbfa.exe54⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Fakhhk32.exeC:\Windows\system32\Fakhhk32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Fkdlaplh.exeC:\Windows\system32\Fkdlaplh.exe56⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Fdlqjf32.exeC:\Windows\system32\Fdlqjf32.exe57⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Gmgenh32.exeC:\Windows\system32\Gmgenh32.exe58⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Ggmjkapi.exeC:\Windows\system32\Ggmjkapi.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Gqendf32.exeC:\Windows\system32\Gqendf32.exe60⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Ghqchi32.exeC:\Windows\system32\Ghqchi32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Gfdcbmbn.exeC:\Windows\system32\Gfdcbmbn.exe62⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Gkaljdaf.exeC:\Windows\system32\Gkaljdaf.exe63⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Gdjpcj32.exeC:\Windows\system32\Gdjpcj32.exe64⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Gghloe32.exeC:\Windows\system32\Gghloe32.exe65⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Hbnqln32.exeC:\Windows\system32\Hbnqln32.exe66⤵
PID:2704 -
C:\Windows\SysWOW64\Higiih32.exeC:\Windows\system32\Higiih32.exe67⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Hqbnnj32.exeC:\Windows\system32\Hqbnnj32.exe68⤵
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Hgmfjdbe.exeC:\Windows\system32\Hgmfjdbe.exe69⤵
PID:2620 -
C:\Windows\SysWOW64\Heqfdh32.exeC:\Windows\system32\Heqfdh32.exe70⤵
PID:2628 -
C:\Windows\SysWOW64\Hfbckagm.exeC:\Windows\system32\Hfbckagm.exe71⤵
PID:2940 -
C:\Windows\SysWOW64\Haggijgb.exeC:\Windows\system32\Haggijgb.exe72⤵
PID:1696 -
C:\Windows\SysWOW64\Hfdpaqej.exeC:\Windows\system32\Hfdpaqej.exe73⤵
PID:1384 -
C:\Windows\SysWOW64\Hpmdjf32.exeC:\Windows\system32\Hpmdjf32.exe74⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Hfflfp32.exeC:\Windows\system32\Hfflfp32.exe75⤵
PID:2560 -
C:\Windows\SysWOW64\Ipoqofjh.exeC:\Windows\system32\Ipoqofjh.exe76⤵
PID:1612 -
C:\Windows\SysWOW64\Ilfadg32.exeC:\Windows\system32\Ilfadg32.exe77⤵
PID:1036 -
C:\Windows\SysWOW64\Ienfml32.exeC:\Windows\system32\Ienfml32.exe78⤵
PID:1520 -
C:\Windows\SysWOW64\Ilhnjfmi.exeC:\Windows\system32\Ilhnjfmi.exe79⤵
PID:1344 -
C:\Windows\SysWOW64\Ieqbbl32.exeC:\Windows\system32\Ieqbbl32.exe80⤵
PID:2636 -
C:\Windows\SysWOW64\Ijmkkc32.exeC:\Windows\system32\Ijmkkc32.exe81⤵
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Ihaldgak.exeC:\Windows\system32\Ihaldgak.exe82⤵
PID:2264 -
C:\Windows\SysWOW64\Imndmnob.exeC:\Windows\system32\Imndmnob.exe83⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Jhchjgoh.exeC:\Windows\system32\Jhchjgoh.exe84⤵
PID:1524 -
C:\Windows\SysWOW64\Jmpqbnmp.exeC:\Windows\system32\Jmpqbnmp.exe85⤵
PID:1512 -
C:\Windows\SysWOW64\Jfiekc32.exeC:\Windows\system32\Jfiekc32.exe86⤵
PID:2248 -
C:\Windows\SysWOW64\Jmbnhm32.exeC:\Windows\system32\Jmbnhm32.exe87⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Jiinmnaa.exeC:\Windows\system32\Jiinmnaa.exe88⤵
PID:2840 -
C:\Windows\SysWOW64\Jbbbed32.exeC:\Windows\system32\Jbbbed32.exe89⤵
PID:1552 -
C:\Windows\SysWOW64\Jljgni32.exeC:\Windows\system32\Jljgni32.exe90⤵
PID:2168 -
C:\Windows\SysWOW64\Jbdokceo.exeC:\Windows\system32\Jbdokceo.exe91⤵
PID:1740 -
C:\Windows\SysWOW64\Jlmddi32.exeC:\Windows\system32\Jlmddi32.exe92⤵
PID:2260 -
C:\Windows\SysWOW64\Kaillp32.exeC:\Windows\system32\Kaillp32.exe93⤵
PID:1424 -
C:\Windows\SysWOW64\Kciifc32.exeC:\Windows\system32\Kciifc32.exe94⤵
PID:1784 -
C:\Windows\SysWOW64\Klamohhj.exeC:\Windows\system32\Klamohhj.exe95⤵
PID:1320 -
C:\Windows\SysWOW64\Kejahn32.exeC:\Windows\system32\Kejahn32.exe96⤵
PID:316 -
C:\Windows\SysWOW64\Kkfjpemb.exeC:\Windows\system32\Kkfjpemb.exe97⤵
PID:2272 -
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe98⤵
PID:564 -
C:\Windows\SysWOW64\Kngcbpjc.exeC:\Windows\system32\Kngcbpjc.exe99⤵
PID:864 -
C:\Windows\SysWOW64\Ljndga32.exeC:\Windows\system32\Ljndga32.exe100⤵
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Lcfhpf32.exeC:\Windows\system32\Lcfhpf32.exe101⤵
PID:920 -
C:\Windows\SysWOW64\Lpjiik32.exeC:\Windows\system32\Lpjiik32.exe102⤵
PID:2352 -
C:\Windows\SysWOW64\Lfgaaa32.exeC:\Windows\system32\Lfgaaa32.exe103⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Loofjg32.exeC:\Windows\system32\Loofjg32.exe104⤵
PID:2844 -
C:\Windows\SysWOW64\Ljejgp32.exeC:\Windows\system32\Ljejgp32.exe105⤵
PID:2748 -
C:\Windows\SysWOW64\Lcmopepp.exeC:\Windows\system32\Lcmopepp.exe106⤵
PID:1500 -
C:\Windows\SysWOW64\Ldokhn32.exeC:\Windows\system32\Ldokhn32.exe107⤵
PID:1816 -
C:\Windows\SysWOW64\Mdahnmck.exeC:\Windows\system32\Mdahnmck.exe108⤵
PID:2208 -
C:\Windows\SysWOW64\Mgodjico.exeC:\Windows\system32\Mgodjico.exe109⤵
PID:608 -
C:\Windows\SysWOW64\Mdcdcmai.exeC:\Windows\system32\Mdcdcmai.exe110⤵
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2812 -
C:\Windows\SysWOW64\Mjeffc32.exeC:\Windows\system32\Mjeffc32.exe112⤵
PID:1664 -
C:\Windows\SysWOW64\Mpaoojjb.exeC:\Windows\system32\Mpaoojjb.exe113⤵
PID:2616 -
C:\Windows\SysWOW64\Nbbhpegc.exeC:\Windows\system32\Nbbhpegc.exe114⤵
PID:2976 -
C:\Windows\SysWOW64\Njipabhe.exeC:\Windows\system32\Njipabhe.exe115⤵
PID:3064 -
C:\Windows\SysWOW64\Ncbdjhnf.exeC:\Windows\system32\Ncbdjhnf.exe116⤵
PID:2736 -
C:\Windows\SysWOW64\Necqbp32.exeC:\Windows\system32\Necqbp32.exe117⤵
PID:2188 -
C:\Windows\SysWOW64\Nlmiojla.exeC:\Windows\system32\Nlmiojla.exe118⤵
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe119⤵
PID:1896 -
C:\Windows\SysWOW64\Npkaei32.exeC:\Windows\system32\Npkaei32.exe120⤵
PID:1748 -
C:\Windows\SysWOW64\Nalnmahf.exeC:\Windows\system32\Nalnmahf.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Nnpofe32.exeC:\Windows\system32\Nnpofe32.exe122⤵
PID:1844 -