Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 15:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
47b73cc0b00f72923b9eb0309ec93869aed656fd109d007c3dd095669eed46ff.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
47b73cc0b00f72923b9eb0309ec93869aed656fd109d007c3dd095669eed46ff.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
47b73cc0b00f72923b9eb0309ec93869aed656fd109d007c3dd095669eed46ff.exe
-
Size
63KB
-
MD5
4e315d3a0036545b7ab93d8e1eb9203d
-
SHA1
25b4a9243746412c971fc0297e28a085e8683685
-
SHA256
47b73cc0b00f72923b9eb0309ec93869aed656fd109d007c3dd095669eed46ff
-
SHA512
66c4c1ce033e814f8ef66551317fcb0dd2aca2a22a02257ebcee30126ab2cdd82c5960cfb52a8e967de7abbdb44ed6f7dedcc32931b12dcedfb667760520b181
-
SSDEEP
768:s/26SJySPOLXmvt28deeFu5okXpvSwA+3N1P9RfhQx3bZL+CQf/1H5+Xdnhg20aj:uSJ1cXm12Xxok5vS42bRc2H1juIZok
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhfefgkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjlioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcbecl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagbgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbpnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgigil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ancefgfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egokonjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfnneb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iajemnia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpkpadnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcnpojca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccbmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pckajebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmfkfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iahkpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lopkjhko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpogbgmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmogmjmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neqnqofm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlnpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knekla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdakniag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkpjnkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpogbgmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekcaonhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhcmhdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kocmim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knmamp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbemb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnfcel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqcmmjko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblgnkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgnfdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Danmmd32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2412 Gnpmfqap.exe 1160 Gfgegnbb.exe 2372 Gnbjlpom.exe 2692 Gaafhloq.exe 2604 Glgjednf.exe 2660 Gnefapmj.exe 2540 Geoonjeg.exe 2956 Gligjd32.exe 2588 Gmjcblbb.exe 2936 Heakcjcd.exe 2584 Hfbhkb32.exe 2004 Hmmphlpp.exe 1280 Hhbdee32.exe 1996 Hjqqap32.exe 1912 Hpmiig32.exe 2384 Hfgafadm.exe 584 Hjcmgp32.exe 1488 Hldjnhce.exe 2208 Hdkape32.exe 1532 Hbnbkbja.exe 1628 Hmcfhkjg.exe 292 Hpbbdfik.exe 2072 Hoebpc32.exe 2680 Heokmmgb.exe 1752 Ipdojfgh.exe 824 Ibckfa32.exe 1284 Ilkpogmm.exe 2252 Ioilkblq.exe 2596 Iecdhm32.exe 2728 Ihbqdh32.exe 2336 Iajemnia.exe 2512 Iefamlak.exe 2484 Inafbooe.exe 376 Iamabm32.exe 804 Ikefkcmo.exe 2812 Iihfgp32.exe 2248 Jcpkpe32.exe 756 Jglgpdcc.exe 1444 Jliohkak.exe 1944 Jcbhee32.exe 1916 Jeadap32.exe 1908 Jlklnjoh.exe 1060 Jpfhoi32.exe 1484 Jfcqgpfi.exe 2092 Jpiedieo.exe 628 Jcgapdeb.exe 788 Jjaimn32.exe 3040 Jlpeij32.exe 1044 Jonbee32.exe 3024 Jcjnfdbp.exe 1688 Jfhjbobc.exe 2436 Jhffnk32.exe 2784 Jlbboiip.exe 2632 Kncofa32.exe 2300 Kbokgpgg.exe 2544 Kdmgclfk.exe 2440 Kkgopf32.exe 2836 Knekla32.exe 2916 Kbaglpee.exe 2256 Kdpcikdi.exe 1236 Khkpijma.exe 1612 Kkileele.exe 2388 Knhhaaki.exe 1744 Kqfdnljm.exe -
Loads dropped DLL 64 IoCs
pid Process 2052 47b73cc0b00f72923b9eb0309ec93869aed656fd109d007c3dd095669eed46ff.exe 2052 47b73cc0b00f72923b9eb0309ec93869aed656fd109d007c3dd095669eed46ff.exe 2412 Gnpmfqap.exe 2412 Gnpmfqap.exe 1160 Gfgegnbb.exe 1160 Gfgegnbb.exe 2372 Gnbjlpom.exe 2372 Gnbjlpom.exe 2692 Gaafhloq.exe 2692 Gaafhloq.exe 2604 Glgjednf.exe 2604 Glgjednf.exe 2660 Gnefapmj.exe 2660 Gnefapmj.exe 2540 Geoonjeg.exe 2540 Geoonjeg.exe 2956 Gligjd32.exe 2956 Gligjd32.exe 2588 Gmjcblbb.exe 2588 Gmjcblbb.exe 2936 Heakcjcd.exe 2936 Heakcjcd.exe 2584 Hfbhkb32.exe 2584 Hfbhkb32.exe 2004 Hmmphlpp.exe 2004 Hmmphlpp.exe 1280 Hhbdee32.exe 1280 Hhbdee32.exe 1996 Hjqqap32.exe 1996 Hjqqap32.exe 1912 Hpmiig32.exe 1912 Hpmiig32.exe 2384 Hfgafadm.exe 2384 Hfgafadm.exe 584 Hjcmgp32.exe 584 Hjcmgp32.exe 1488 Hldjnhce.exe 1488 Hldjnhce.exe 2208 Hdkape32.exe 2208 Hdkape32.exe 1532 Hbnbkbja.exe 1532 Hbnbkbja.exe 1628 Hmcfhkjg.exe 1628 Hmcfhkjg.exe 292 Hpbbdfik.exe 292 Hpbbdfik.exe 2072 Hoebpc32.exe 2072 Hoebpc32.exe 2680 Heokmmgb.exe 2680 Heokmmgb.exe 1752 Ipdojfgh.exe 1752 Ipdojfgh.exe 824 Ibckfa32.exe 824 Ibckfa32.exe 1284 Ilkpogmm.exe 1284 Ilkpogmm.exe 2252 Ioilkblq.exe 2252 Ioilkblq.exe 2596 Iecdhm32.exe 2596 Iecdhm32.exe 2728 Ihbqdh32.exe 2728 Ihbqdh32.exe 2336 Iajemnia.exe 2336 Iajemnia.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jjbkgfgo.dll Hbnbkbja.exe File created C:\Windows\SysWOW64\Qgmfchei.exe Qdojgmfe.exe File created C:\Windows\SysWOW64\Cpkmcldj.exe Cmmagpef.exe File created C:\Windows\SysWOW64\Lddlkg32.exe Lqipkhbj.exe File created C:\Windows\SysWOW64\Pbonaedo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hgeelf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Comdkipe.exe Chcloo32.exe File created C:\Windows\SysWOW64\Fcphnm32.exe Fqalaa32.exe File opened for modification C:\Windows\SysWOW64\Mbcoio32.exe Mpebmc32.exe File opened for modification C:\Windows\SysWOW64\Nggggoda.exe Process not Found File created C:\Windows\SysWOW64\Bdgoqijf.dll Process not Found File created C:\Windows\SysWOW64\Lkfddc32.exe Lcomce32.exe File opened for modification C:\Windows\SysWOW64\Lboiol32.exe Loqmba32.exe File created C:\Windows\SysWOW64\Mgjnhaco.exe Mobfgdcl.exe File created C:\Windows\SysWOW64\Mimgeigj.exe Mjkgjl32.exe File opened for modification C:\Windows\SysWOW64\Gqdgom32.exe Process not Found File created C:\Windows\SysWOW64\Bbkgbeme.dll Ihbqdh32.exe File opened for modification C:\Windows\SysWOW64\Ieigfk32.exe Ibkkjp32.exe File created C:\Windows\SysWOW64\Ppcbgkka.exe Oaqbln32.exe File opened for modification C:\Windows\SysWOW64\Njgpij32.exe Process not Found File created C:\Windows\SysWOW64\Niidma32.dll Lmjnak32.exe File opened for modification C:\Windows\SysWOW64\Emagacdm.exe Eggndi32.exe File created C:\Windows\SysWOW64\Khielcfh.exe Kdnild32.exe File created C:\Windows\SysWOW64\Ibagdh32.dll Process not Found File created C:\Windows\SysWOW64\Kqkmghhf.dll Process not Found File created C:\Windows\SysWOW64\Lcaiiejc.exe Lqcmmjko.exe File created C:\Windows\SysWOW64\Eemngplg.dll Olophhjd.exe File created C:\Windows\SysWOW64\Aldhcb32.dll Qlgkki32.exe File created C:\Windows\SysWOW64\Lndglp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Khkpijma.exe Kdpcikdi.exe File created C:\Windows\SysWOW64\Pclhdl32.exe Pdihiook.exe File opened for modification C:\Windows\SysWOW64\Mbbfep32.exe Mjkndb32.exe File created C:\Windows\SysWOW64\Oemgplgo.exe Obokcqhk.exe File created C:\Windows\SysWOW64\Ncmglp32.exe Process not Found File created C:\Windows\SysWOW64\Bnapnm32.exe Process not Found File created C:\Windows\SysWOW64\Gfmfjhcj.dll Kdjccf32.exe File opened for modification C:\Windows\SysWOW64\Bckjhl32.exe Behilopf.exe File opened for modification C:\Windows\SysWOW64\Koflgf32.exe Process not Found File created C:\Windows\SysWOW64\Mjhocpkj.dll Nkhdkgnj.exe File opened for modification C:\Windows\SysWOW64\Dmgkgeah.exe Dgmbkk32.exe File created C:\Windows\SysWOW64\Egpbbn32.dll Jlhhndno.exe File created C:\Windows\SysWOW64\Eipbmjcc.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jglgpdcc.exe Jcpkpe32.exe File created C:\Windows\SysWOW64\Nhjpke32.dll Jepmgj32.exe File opened for modification C:\Windows\SysWOW64\Lqhfhigj.exe Liqoflfh.exe File created C:\Windows\SysWOW64\Edeomgho.dll Nnmlcp32.exe File created C:\Windows\SysWOW64\Jbfghckb.dll Process not Found File created C:\Windows\SysWOW64\Fhikme32.exe Ffkoai32.exe File opened for modification C:\Windows\SysWOW64\Nenkqi32.exe Nmfbpk32.exe File created C:\Windows\SysWOW64\Oeindm32.exe Objaha32.exe File opened for modification C:\Windows\SysWOW64\Bdcifi32.exe Bniajoic.exe File opened for modification C:\Windows\SysWOW64\Cpfmmf32.exe Process not Found File created C:\Windows\SysWOW64\Iblkei32.dll Process not Found File created C:\Windows\SysWOW64\Pqdhpbib.dll Process not Found File created C:\Windows\SysWOW64\Khdecggq.dll Nhlgmd32.exe File created C:\Windows\SysWOW64\Mnaggcej.exe Mjekfd32.exe File opened for modification C:\Windows\SysWOW64\Oifdbb32.exe Oekhacbn.exe File created C:\Windows\SysWOW64\Fllmhajo.dll Ogiaif32.exe File created C:\Windows\SysWOW64\Cejmcm32.dll Bfncpcoc.exe File created C:\Windows\SysWOW64\Jajcdjca.exe Jolghndm.exe File created C:\Windows\SysWOW64\Cnkdfakf.dll Process not Found File created C:\Windows\SysWOW64\Nbhbjgmd.dll Ancefgfd.exe File created C:\Windows\SysWOW64\Ogfdej32.dll Egmojnlf.exe File created C:\Windows\SysWOW64\Opnkglik.dll Gonocmbi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4680 4684 Process not Found 1646 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmgelil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnqned32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnmgdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbkipok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cadjgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdecha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eheecbia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkjdopeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldllgiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjmpcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eggndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfoojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfogake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpcjnabn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohdmdoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeidgbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eapfagno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofejpmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbjpom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnacpffh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieajkfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mklcadfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdfdbhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhmcmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iibfajdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhnifmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najpll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimgeigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemegc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeielfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakgefqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobfgdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpeeqig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgjodmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckjhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmgfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oioggmmc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cakqgeoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjdjea32.dll" Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddonghfa.dll" Fogibnha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahghfmb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efdhpjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bldmjd32.dll" Fgadda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cicalakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foafdoag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfpifm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hifpke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflpao32.dll" Khcomhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoolamp.dll" Nbniid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlefhcnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkepinpk.dll" Jgaiobjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoiaho32.dll" Oehdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll" Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odiaql32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loqhnifk.dll" Ipokcdjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njbdea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomgdcce.dll" Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Monoflqe.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liklhmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opknndcg.dll" Ajmfad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eklqcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgfjhcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnalbmkj.dll" Ibckfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqfgjogd.dll" Mdpldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibanaibn.dll" Gmbfggdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lonpma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labehg32.dll" Mlkail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaaphj32.dll" Cdgpnqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hihlqeib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edfbaabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfhfajb.dll" Oionacqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mknhnalm.dll" Aeidgbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pppcjfnh.dll" Cifelgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll" Anbkipok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiggco32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apimlcdc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocjophem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbohehoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll" Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aihfap32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2052 wrote to memory of 2412 2052 47b73cc0b00f72923b9eb0309ec93869aed656fd109d007c3dd095669eed46ff.exe 28 PID 2052 wrote to memory of 2412 2052 47b73cc0b00f72923b9eb0309ec93869aed656fd109d007c3dd095669eed46ff.exe 28 PID 2052 wrote to memory of 2412 2052 47b73cc0b00f72923b9eb0309ec93869aed656fd109d007c3dd095669eed46ff.exe 28 PID 2052 wrote to memory of 2412 2052 47b73cc0b00f72923b9eb0309ec93869aed656fd109d007c3dd095669eed46ff.exe 28 PID 2412 wrote to memory of 1160 2412 Gnpmfqap.exe 29 PID 2412 wrote to memory of 1160 2412 Gnpmfqap.exe 29 PID 2412 wrote to memory of 1160 2412 Gnpmfqap.exe 29 PID 2412 wrote to memory of 1160 2412 Gnpmfqap.exe 29 PID 1160 wrote to memory of 2372 1160 Gfgegnbb.exe 30 PID 1160 wrote to memory of 2372 1160 Gfgegnbb.exe 30 PID 1160 wrote to memory of 2372 1160 Gfgegnbb.exe 30 PID 1160 wrote to memory of 2372 1160 Gfgegnbb.exe 30 PID 2372 wrote to memory of 2692 2372 Gnbjlpom.exe 31 PID 2372 wrote to memory of 2692 2372 Gnbjlpom.exe 31 PID 2372 wrote to memory of 2692 2372 Gnbjlpom.exe 31 PID 2372 wrote to memory of 2692 2372 Gnbjlpom.exe 31 PID 2692 wrote to memory of 2604 2692 Gaafhloq.exe 32 PID 2692 wrote to memory of 2604 2692 Gaafhloq.exe 32 PID 2692 wrote to memory of 2604 2692 Gaafhloq.exe 32 PID 2692 wrote to memory of 2604 2692 Gaafhloq.exe 32 PID 2604 wrote to memory of 2660 2604 Glgjednf.exe 33 PID 2604 wrote to memory of 2660 2604 Glgjednf.exe 33 PID 2604 wrote to memory of 2660 2604 Glgjednf.exe 33 PID 2604 wrote to memory of 2660 2604 Glgjednf.exe 33 PID 2660 wrote to memory of 2540 2660 Gnefapmj.exe 34 PID 2660 wrote to memory of 2540 2660 Gnefapmj.exe 34 PID 2660 wrote to memory of 2540 2660 Gnefapmj.exe 34 PID 2660 wrote to memory of 2540 2660 Gnefapmj.exe 34 PID 2540 wrote to memory of 2956 2540 Geoonjeg.exe 35 PID 2540 wrote to memory of 2956 2540 Geoonjeg.exe 35 PID 2540 wrote to memory of 2956 2540 Geoonjeg.exe 35 PID 2540 wrote to memory of 2956 2540 Geoonjeg.exe 35 PID 2956 wrote to memory of 2588 2956 Gligjd32.exe 36 PID 2956 wrote to memory of 2588 2956 Gligjd32.exe 36 PID 2956 wrote to memory of 2588 2956 Gligjd32.exe 36 PID 2956 wrote to memory of 2588 2956 Gligjd32.exe 36 PID 2588 wrote to memory of 2936 2588 Gmjcblbb.exe 37 PID 2588 wrote to memory of 2936 2588 Gmjcblbb.exe 37 PID 2588 wrote to memory of 2936 2588 Gmjcblbb.exe 37 PID 2588 wrote to memory of 2936 2588 Gmjcblbb.exe 37 PID 2936 wrote to memory of 2584 2936 Heakcjcd.exe 38 PID 2936 wrote to memory of 2584 2936 Heakcjcd.exe 38 PID 2936 wrote to memory of 2584 2936 Heakcjcd.exe 38 PID 2936 wrote to memory of 2584 2936 Heakcjcd.exe 38 PID 2584 wrote to memory of 2004 2584 Hfbhkb32.exe 39 PID 2584 wrote to memory of 2004 2584 Hfbhkb32.exe 39 PID 2584 wrote to memory of 2004 2584 Hfbhkb32.exe 39 PID 2584 wrote to memory of 2004 2584 Hfbhkb32.exe 39 PID 2004 wrote to memory of 1280 2004 Hmmphlpp.exe 40 PID 2004 wrote to memory of 1280 2004 Hmmphlpp.exe 40 PID 2004 wrote to memory of 1280 2004 Hmmphlpp.exe 40 PID 2004 wrote to memory of 1280 2004 Hmmphlpp.exe 40 PID 1280 wrote to memory of 1996 1280 Hhbdee32.exe 41 PID 1280 wrote to memory of 1996 1280 Hhbdee32.exe 41 PID 1280 wrote to memory of 1996 1280 Hhbdee32.exe 41 PID 1280 wrote to memory of 1996 1280 Hhbdee32.exe 41 PID 1996 wrote to memory of 1912 1996 Hjqqap32.exe 42 PID 1996 wrote to memory of 1912 1996 Hjqqap32.exe 42 PID 1996 wrote to memory of 1912 1996 Hjqqap32.exe 42 PID 1996 wrote to memory of 1912 1996 Hjqqap32.exe 42 PID 1912 wrote to memory of 2384 1912 Hpmiig32.exe 43 PID 1912 wrote to memory of 2384 1912 Hpmiig32.exe 43 PID 1912 wrote to memory of 2384 1912 Hpmiig32.exe 43 PID 1912 wrote to memory of 2384 1912 Hpmiig32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\47b73cc0b00f72923b9eb0309ec93869aed656fd109d007c3dd095669eed46ff.exe"C:\Users\Admin\AppData\Local\Temp\47b73cc0b00f72923b9eb0309ec93869aed656fd109d007c3dd095669eed46ff.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Gaafhloq.exeC:\Windows\system32\Gaafhloq.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Hdkape32.exeC:\Windows\system32\Hdkape32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe33⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe34⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Iamabm32.exeC:\Windows\system32\Iamabm32.exe35⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe36⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe37⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Jcpkpe32.exeC:\Windows\system32\Jcpkpe32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe39⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe40⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe41⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe42⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe43⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe44⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe45⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe46⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe47⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe48⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe49⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe50⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe51⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Jfhjbobc.exeC:\Windows\system32\Jfhjbobc.exe52⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe53⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe54⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe55⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe56⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Kdmgclfk.exeC:\Windows\system32\Kdmgclfk.exe57⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe58⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe60⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe62⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe63⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe64⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe65⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe66⤵PID:2800
-
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe67⤵PID:1724
-
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe68⤵PID:892
-
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe69⤵PID:2316
-
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe70⤵PID:1780
-
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe71⤵PID:1048
-
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe72⤵PID:1580
-
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe74⤵PID:2744
-
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe75⤵PID:2720
-
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe76⤵PID:2504
-
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe77⤵PID:2312
-
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe78⤵PID:1892
-
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe79⤵PID:2964
-
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2328 -
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe81⤵PID:668
-
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe82⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe83⤵PID:2112
-
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe84⤵PID:768
-
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe85⤵PID:920
-
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe86⤵PID:284
-
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe87⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe88⤵PID:2144
-
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe89⤵PID:2668
-
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe90⤵PID:760
-
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe91⤵PID:2684
-
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe92⤵PID:2564
-
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe93⤵PID:1604
-
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe94⤵PID:2528
-
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe95⤵PID:316
-
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe96⤵PID:2676
-
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe97⤵PID:1932
-
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe98⤵PID:1924
-
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe99⤵PID:1704
-
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe100⤵PID:3044
-
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe101⤵PID:2176
-
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe102⤵PID:2856
-
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe103⤵PID:1588
-
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe104⤵PID:2848
-
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe105⤵PID:2864
-
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe106⤵PID:2624
-
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe107⤵
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe108⤵PID:2832
-
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe109⤵PID:268
-
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1208 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe111⤵PID:2332
-
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe112⤵PID:1076
-
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe113⤵PID:2896
-
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe115⤵PID:1696
-
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe116⤵PID:2636
-
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe117⤵PID:2780
-
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe118⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe119⤵PID:2232
-
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe120⤵PID:2024
-
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe121⤵PID:1952
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-