Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-01-2025 13:47
Behavioral task
behavioral1
Sample
0ff1e0c9374df272e5e9a825dbbdeb95ea1456872a4210ec6d9cce5726451cc9N.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
0ff1e0c9374df272e5e9a825dbbdeb95ea1456872a4210ec6d9cce5726451cc9N.exe
-
Size
93KB
-
MD5
a7beaff6c1bc34f4e8a80dc5045d1e50
-
SHA1
a9381803767328c02591ba2b3787a7ff6e0806c3
-
SHA256
0ff1e0c9374df272e5e9a825dbbdeb95ea1456872a4210ec6d9cce5726451cc9
-
SHA512
c236d3c088d5da41676c8f4fcc692b8298087a0a636902a07d8941b4d9ba026c344b0f3a284fdb4dd82ab358468aa30ffbec693505517284998d6f11a3d4f3cd
-
SSDEEP
1536:L/lOX5Wz++nkQFNQVwxR4jiUPrw4UA1DaYfMZRWuLsV+1B:zEXcxkUNZxR4jz5UAgYfc0DV+1B
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikamfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkcbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbkpingk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfgnhhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mebqhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oacmjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ameadhfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olknmeip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akcajo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmgpfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkcjam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggclim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljeppa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbdbpmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbgoelmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miapid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qchcqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmipg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdbpmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkpqbnlb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eckcpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcicde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkindqem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkkaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nghfof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgbkbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kakelb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noiabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkpbgdlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebpqab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlgafaei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfihplma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfnkaiki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmeknkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plgdcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbkkmcgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcikmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcdjifod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oojacg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikiopej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piakli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dioibnjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elaoih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdaagl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbkpingk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbqkbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcffkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejfcgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmclgdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkafe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbpocfej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfigecac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehejfkad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejhpme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkqleb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fokhiibo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpphm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inaggaka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moniak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjndpicp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olleglmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbflmhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coflbj32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2920 Fokhiibo.exe 3228 Feeqec32.exe 4280 Fhcmao32.exe 3716 Fnqejfgg.exe 3424 Fehmkchi.exe 1036 Fgijbk32.exe 2640 Fopbdi32.exe 4260 Fejjqcff.exe 544 Fhhfmnej.exe 3452 Fkgbijdn.exe 4900 Faqkedkk.exe 2104 Felgfb32.exe 5004 Ghkcbn32.exe 2092 Gnglje32.exe 388 Gdadgohl.exe 2836 Gkkldi32.exe 440 Gnjhpd32.exe 412 Gddqmo32.exe 2136 Ggbmij32.exe 3492 Goiejg32.exe 3032 Gecmganl.exe 1808 Ggdinj32.exe 216 Gkpeohlc.exe 748 Gnoakdkg.exe 1500 Gdhjhnbd.exe 1572 Gkbbdh32.exe 3120 Gnanqc32.exe 4956 Hfhfba32.exe 4132 Hkeojh32.exe 1864 Hdmccmno.exe 724 Hocgpf32.exe 1448 Hdpphm32.exe 4584 Hoedff32.exe 4960 Hhmiokbb.exe 1480 Hklekg32.exe 2600 Hfaihp32.exe 4296 Hgbfphgj.exe 4748 Ifdfno32.exe 752 Igebegeg.exe 4436 Ibjgbp32.exe 408 Iidoojlj.exe 4240 Ikckkfln.exe 1612 Inaggaka.exe 2832 Idkpdk32.exe 4080 Iiglejjg.exe 4512 Ioadadbd.exe 4672 Ibopnpah.exe 4400 Idnljkpl.exe 3944 Iglhffop.exe 3364 Iocqgdpb.exe 4752 Ibamcooe.exe 2364 Ioemmcno.exe 2584 Jfpeinel.exe 2188 Jinaeidp.exe 3016 Johjbc32.exe 3784 Jbffno32.exe 1316 Jipnkibm.exe 3164 Jkokgdaq.exe 220 Jbhcdnim.exe 208 Jegopjha.exe 4088 Jkagmd32.exe 2012 Jbkpingk.exe 2996 Jffljm32.exe 3112 Jkcdbc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pcqfenfo.exe Pkindqem.exe File created C:\Windows\SysWOW64\Emakcklp.exe Ejbogpml.exe File opened for modification C:\Windows\SysWOW64\Inkpge32.exe Ikmdkjhl.exe File created C:\Windows\SysWOW64\Jqjejohq.exe Jjpmnd32.exe File opened for modification C:\Windows\SysWOW64\Cgdaom32.exe Cpminp32.exe File created C:\Windows\SysWOW64\Bbkehg32.exe Bkamlmab.exe File created C:\Windows\SysWOW64\Gnpefdmb.dll Dfigecac.exe File created C:\Windows\SysWOW64\Ejbogpml.exe Eblgfblj.exe File created C:\Windows\SysWOW64\Ejgibo32.exe Ebpqab32.exe File created C:\Windows\SysWOW64\Nicokkbf.exe Negcjm32.exe File created C:\Windows\SysWOW64\Mebaicfl.dll Dfnpqb32.exe File created C:\Windows\SysWOW64\Ooehhhpd.exe Opbhmk32.exe File opened for modification C:\Windows\SysWOW64\Ccbono32.exe Cmhfae32.exe File created C:\Windows\SysWOW64\Iajphjab.exe Inndgk32.exe File created C:\Windows\SysWOW64\Hgpbpb32.exe Hdafcf32.exe File opened for modification C:\Windows\SysWOW64\Aocffm32.exe Aldjja32.exe File created C:\Windows\SysWOW64\Geilph32.dll Jpeloo32.exe File created C:\Windows\SysWOW64\Icefdj32.dll Lhadoa32.exe File created C:\Windows\SysWOW64\Dieflobi.exe Cfgjpcce.exe File created C:\Windows\SysWOW64\Indojl32.dll Elaoih32.exe File created C:\Windows\SysWOW64\Djcciilk.dll Emchik32.exe File opened for modification C:\Windows\SysWOW64\Nnhkhm32.exe Nljnla32.exe File created C:\Windows\SysWOW64\Kbgoelmm.exe Kphcianj.exe File created C:\Windows\SysWOW64\Fdjgljkh.exe Fakkpnld.exe File opened for modification C:\Windows\SysWOW64\Oahgelgg.exe Ooijiqhc.exe File created C:\Windows\SysWOW64\Gmkdoi32.dll Jqjejohq.exe File opened for modification C:\Windows\SysWOW64\Hdpphm32.exe Hocgpf32.exe File created C:\Windows\SysWOW64\Ihfejdgl.exe Ijedll32.exe File opened for modification C:\Windows\SysWOW64\Kkejmm32.exe Kifnaa32.exe File created C:\Windows\SysWOW64\Kklpnl32.exe Kindbq32.exe File opened for modification C:\Windows\SysWOW64\Jkbfmg32.exe Jcknlj32.exe File created C:\Windows\SysWOW64\Kbdbpmop.exe Kpffcapl.exe File created C:\Windows\SysWOW64\Hgekfj32.dll Kbdbpmop.exe File created C:\Windows\SysWOW64\Lioccdhj.exe Lechbf32.exe File created C:\Windows\SysWOW64\Acoiab32.exe Ameadhfn.exe File opened for modification C:\Windows\SysWOW64\Emakcklp.exe Ejbogpml.exe File created C:\Windows\SysWOW64\Ciadkf32.exe Cjndpicp.exe File created C:\Windows\SysWOW64\Jklggnpg.exe Jdaojdhk.exe File created C:\Windows\SysWOW64\Piakli32.exe Peeokjnm.exe File created C:\Windows\SysWOW64\Neifkm32.dll Mfjjmhql.exe File created C:\Windows\SysWOW64\Phhmhoop.dll Jqmijd32.exe File created C:\Windows\SysWOW64\Ajijiian.dll Labkla32.exe File opened for modification C:\Windows\SysWOW64\Bbmbnggl.exe Boofbkhi.exe File created C:\Windows\SysWOW64\Hikklg32.exe Hgmopldh.exe File created C:\Windows\SysWOW64\Delbpa32.dll Kneldaab.exe File created C:\Windows\SysWOW64\Loflmn32.dll Kikgladd.exe File created C:\Windows\SysWOW64\Ljffjh32.exe Lkcfoklm.exe File opened for modification C:\Windows\SysWOW64\Obbjdp32.exe Okkacb32.exe File created C:\Windows\SysWOW64\Dlkiii32.exe Djilaaef.exe File opened for modification C:\Windows\SysWOW64\Fpndae32.exe Flbhpfgj.exe File created C:\Windows\SysWOW64\Idjboo32.exe Ilcjna32.exe File created C:\Windows\SysWOW64\Lohjhbid.dll Nedpjfhd.exe File opened for modification C:\Windows\SysWOW64\Pcciedhh.exe Ppemihid.exe File created C:\Windows\SysWOW64\Ackpfbbp.exe Amqgii32.exe File created C:\Windows\SysWOW64\Cnbbabfg.dll Bgpomp32.exe File created C:\Windows\SysWOW64\Bpaibaia.exe Bmcmffjn.exe File created C:\Windows\SysWOW64\Fpndae32.exe Flbhpfgj.exe File opened for modification C:\Windows\SysWOW64\Hdiiha32.exe Hpnmhbaq.exe File opened for modification C:\Windows\SysWOW64\Pejifj32.exe Pclmjn32.exe File created C:\Windows\SysWOW64\Aickhdjn.dll Djgplagi.exe File created C:\Windows\SysWOW64\Ajlnclce.exe Agmbgqda.exe File opened for modification C:\Windows\SysWOW64\Ehgfkj32.exe Edlkklgh.exe File opened for modification C:\Windows\SysWOW64\Jhpgqboa.exe Jddlpd32.exe File created C:\Windows\SysWOW64\Lqgjaa32.dll Lbahfdod.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15812 15736 WerFault.exe 839 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfadqhnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfgjpcce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eckcpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggclim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmkai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miapid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlbbam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djejqhmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meipnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmlcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijgabl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljlojee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icmbklaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igkkaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnqejfgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfphgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeamka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0ff1e0c9374df272e5e9a825dbbdeb95ea1456872a4210ec6d9cce5726451cc9N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dioibnjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqleb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdinj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkamgke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcjna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfigecac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiccmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfobnnph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phgogl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicqaehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojlgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpdad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkdhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmockf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peobaiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgplagi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfbdmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkoend32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnflff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhbdfbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihhfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pichai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmgjekp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ichipl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mflgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejailfbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iagcbjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdokjngb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbfjdcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nafgdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkohjldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpechaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijdnbfka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nifbka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fifodq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akqdeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnmhbaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlohgqpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnndkol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mankhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodana32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckkihao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmelhmfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjico32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpbmldkn.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2012 Jbkpingk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Halcglnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqlfaplp.dll" Gmmdfgdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afiineio.dll" Hcabom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjpmnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqooen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghkcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfbfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eapkdpfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbeodh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljglea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcampdjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peobaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefmjb32.dll" Cmgpfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dldqgh32.dll" Dpakni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbkehg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aickhdjn.dll" Djgplagi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 0ff1e0c9374df272e5e9a825dbbdeb95ea1456872a4210ec6d9cce5726451cc9N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goiejg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnlgalg.dll" Phlibkje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bichjhfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jphieo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hklekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mobbljpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idhlde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knmipg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lljlojee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dioibnjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqllgnja.dll" Fjchnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpbmldkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aghhla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccbono32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebgjee32.dll" Fgkpne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kknmcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpffcapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piakli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkpeohlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlgol32.dll" Mjilfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oahgelgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcdjifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qolfmleo.dll" Meipnhbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbhcdnim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdcqkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhpnejj.dll" Gphnaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boofbkhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbggbabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dplpah32.dll" Jljpoqdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbffno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljimalha.dll" Neadddca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nonbhifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jidalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpohlpic.dll" Pookof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajianleg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aofjfcco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfqgmn32.dll" Kcfnhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Felgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pminen32.dll" Mbghljok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkqiiknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiglejjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooijiqhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efbjlbih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcjna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjehfoqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfcpif32.dll" Mlomep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glhjofec.dll" Ajlnclce.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2368 wrote to memory of 2920 2368 0ff1e0c9374df272e5e9a825dbbdeb95ea1456872a4210ec6d9cce5726451cc9N.exe 82 PID 2368 wrote to memory of 2920 2368 0ff1e0c9374df272e5e9a825dbbdeb95ea1456872a4210ec6d9cce5726451cc9N.exe 82 PID 2368 wrote to memory of 2920 2368 0ff1e0c9374df272e5e9a825dbbdeb95ea1456872a4210ec6d9cce5726451cc9N.exe 82 PID 2920 wrote to memory of 3228 2920 Fokhiibo.exe 83 PID 2920 wrote to memory of 3228 2920 Fokhiibo.exe 83 PID 2920 wrote to memory of 3228 2920 Fokhiibo.exe 83 PID 3228 wrote to memory of 4280 3228 Feeqec32.exe 84 PID 3228 wrote to memory of 4280 3228 Feeqec32.exe 84 PID 3228 wrote to memory of 4280 3228 Feeqec32.exe 84 PID 4280 wrote to memory of 3716 4280 Fhcmao32.exe 85 PID 4280 wrote to memory of 3716 4280 Fhcmao32.exe 85 PID 4280 wrote to memory of 3716 4280 Fhcmao32.exe 85 PID 3716 wrote to memory of 3424 3716 Fnqejfgg.exe 86 PID 3716 wrote to memory of 3424 3716 Fnqejfgg.exe 86 PID 3716 wrote to memory of 3424 3716 Fnqejfgg.exe 86 PID 3424 wrote to memory of 1036 3424 Fehmkchi.exe 87 PID 3424 wrote to memory of 1036 3424 Fehmkchi.exe 87 PID 3424 wrote to memory of 1036 3424 Fehmkchi.exe 87 PID 1036 wrote to memory of 2640 1036 Fgijbk32.exe 88 PID 1036 wrote to memory of 2640 1036 Fgijbk32.exe 88 PID 1036 wrote to memory of 2640 1036 Fgijbk32.exe 88 PID 2640 wrote to memory of 4260 2640 Fopbdi32.exe 89 PID 2640 wrote to memory of 4260 2640 Fopbdi32.exe 89 PID 2640 wrote to memory of 4260 2640 Fopbdi32.exe 89 PID 4260 wrote to memory of 544 4260 Fejjqcff.exe 90 PID 4260 wrote to memory of 544 4260 Fejjqcff.exe 90 PID 4260 wrote to memory of 544 4260 Fejjqcff.exe 90 PID 544 wrote to memory of 3452 544 Fhhfmnej.exe 91 PID 544 wrote to memory of 3452 544 Fhhfmnej.exe 91 PID 544 wrote to memory of 3452 544 Fhhfmnej.exe 91 PID 3452 wrote to memory of 4900 3452 Fkgbijdn.exe 92 PID 3452 wrote to memory of 4900 3452 Fkgbijdn.exe 92 PID 3452 wrote to memory of 4900 3452 Fkgbijdn.exe 92 PID 4900 wrote to memory of 2104 4900 Faqkedkk.exe 93 PID 4900 wrote to memory of 2104 4900 Faqkedkk.exe 93 PID 4900 wrote to memory of 2104 4900 Faqkedkk.exe 93 PID 2104 wrote to memory of 5004 2104 Felgfb32.exe 94 PID 2104 wrote to memory of 5004 2104 Felgfb32.exe 94 PID 2104 wrote to memory of 5004 2104 Felgfb32.exe 94 PID 5004 wrote to memory of 2092 5004 Ghkcbn32.exe 95 PID 5004 wrote to memory of 2092 5004 Ghkcbn32.exe 95 PID 5004 wrote to memory of 2092 5004 Ghkcbn32.exe 95 PID 2092 wrote to memory of 388 2092 Gnglje32.exe 96 PID 2092 wrote to memory of 388 2092 Gnglje32.exe 96 PID 2092 wrote to memory of 388 2092 Gnglje32.exe 96 PID 388 wrote to memory of 2836 388 Gdadgohl.exe 97 PID 388 wrote to memory of 2836 388 Gdadgohl.exe 97 PID 388 wrote to memory of 2836 388 Gdadgohl.exe 97 PID 2836 wrote to memory of 440 2836 Gkkldi32.exe 98 PID 2836 wrote to memory of 440 2836 Gkkldi32.exe 98 PID 2836 wrote to memory of 440 2836 Gkkldi32.exe 98 PID 440 wrote to memory of 412 440 Gnjhpd32.exe 99 PID 440 wrote to memory of 412 440 Gnjhpd32.exe 99 PID 440 wrote to memory of 412 440 Gnjhpd32.exe 99 PID 412 wrote to memory of 2136 412 Gddqmo32.exe 100 PID 412 wrote to memory of 2136 412 Gddqmo32.exe 100 PID 412 wrote to memory of 2136 412 Gddqmo32.exe 100 PID 2136 wrote to memory of 3492 2136 Ggbmij32.exe 101 PID 2136 wrote to memory of 3492 2136 Ggbmij32.exe 101 PID 2136 wrote to memory of 3492 2136 Ggbmij32.exe 101 PID 3492 wrote to memory of 3032 3492 Goiejg32.exe 102 PID 3492 wrote to memory of 3032 3492 Goiejg32.exe 102 PID 3492 wrote to memory of 3032 3492 Goiejg32.exe 102 PID 3032 wrote to memory of 1808 3032 Gecmganl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ff1e0c9374df272e5e9a825dbbdeb95ea1456872a4210ec6d9cce5726451cc9N.exe"C:\Users\Admin\AppData\Local\Temp\0ff1e0c9374df272e5e9a825dbbdeb95ea1456872a4210ec6d9cce5726451cc9N.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Fokhiibo.exeC:\Windows\system32\Fokhiibo.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Feeqec32.exeC:\Windows\system32\Feeqec32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Fhcmao32.exeC:\Windows\system32\Fhcmao32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Fnqejfgg.exeC:\Windows\system32\Fnqejfgg.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Fehmkchi.exeC:\Windows\system32\Fehmkchi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\Fgijbk32.exeC:\Windows\system32\Fgijbk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Fopbdi32.exeC:\Windows\system32\Fopbdi32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Fejjqcff.exeC:\Windows\system32\Fejjqcff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Fhhfmnej.exeC:\Windows\system32\Fhhfmnej.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Fkgbijdn.exeC:\Windows\system32\Fkgbijdn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Faqkedkk.exeC:\Windows\system32\Faqkedkk.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Felgfb32.exeC:\Windows\system32\Felgfb32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Ghkcbn32.exeC:\Windows\system32\Ghkcbn32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Gnglje32.exeC:\Windows\system32\Gnglje32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Gdadgohl.exeC:\Windows\system32\Gdadgohl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\Gkkldi32.exeC:\Windows\system32\Gkkldi32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Gnjhpd32.exeC:\Windows\system32\Gnjhpd32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Gddqmo32.exeC:\Windows\system32\Gddqmo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Ggbmij32.exeC:\Windows\system32\Ggbmij32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Goiejg32.exeC:\Windows\system32\Goiejg32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Gecmganl.exeC:\Windows\system32\Gecmganl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Ggdinj32.exeC:\Windows\system32\Ggdinj32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\Gkpeohlc.exeC:\Windows\system32\Gkpeohlc.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:216 -
C:\Windows\SysWOW64\Gnoakdkg.exeC:\Windows\system32\Gnoakdkg.exe25⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Gdhjhnbd.exeC:\Windows\system32\Gdhjhnbd.exe26⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Gkbbdh32.exeC:\Windows\system32\Gkbbdh32.exe27⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Gnanqc32.exeC:\Windows\system32\Gnanqc32.exe28⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Hfhfba32.exeC:\Windows\system32\Hfhfba32.exe29⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Hkeojh32.exeC:\Windows\system32\Hkeojh32.exe30⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Hdmccmno.exeC:\Windows\system32\Hdmccmno.exe31⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Hocgpf32.exeC:\Windows\system32\Hocgpf32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:724 -
C:\Windows\SysWOW64\Hdpphm32.exeC:\Windows\system32\Hdpphm32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Hoedff32.exeC:\Windows\system32\Hoedff32.exe34⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe35⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Hklekg32.exeC:\Windows\system32\Hklekg32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Hfaihp32.exeC:\Windows\system32\Hfaihp32.exe37⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Hgbfphgj.exeC:\Windows\system32\Hgbfphgj.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4296 -
C:\Windows\SysWOW64\Ifdfno32.exeC:\Windows\system32\Ifdfno32.exe39⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Igebegeg.exeC:\Windows\system32\Igebegeg.exe40⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Ibjgbp32.exeC:\Windows\system32\Ibjgbp32.exe41⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Iidoojlj.exeC:\Windows\system32\Iidoojlj.exe42⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Ikckkfln.exeC:\Windows\system32\Ikckkfln.exe43⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Inaggaka.exeC:\Windows\system32\Inaggaka.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Idkpdk32.exeC:\Windows\system32\Idkpdk32.exe45⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Iiglejjg.exeC:\Windows\system32\Iiglejjg.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Ioadadbd.exeC:\Windows\system32\Ioadadbd.exe47⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Ibopnpah.exeC:\Windows\system32\Ibopnpah.exe48⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Idnljkpl.exeC:\Windows\system32\Idnljkpl.exe49⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Iglhffop.exeC:\Windows\system32\Iglhffop.exe50⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Iocqgdpb.exeC:\Windows\system32\Iocqgdpb.exe51⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Ibamcooe.exeC:\Windows\system32\Ibamcooe.exe52⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Ioemmcno.exeC:\Windows\system32\Ioemmcno.exe53⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Jfpeinel.exeC:\Windows\system32\Jfpeinel.exe54⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Jinaeidp.exeC:\Windows\system32\Jinaeidp.exe55⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Johjbc32.exeC:\Windows\system32\Johjbc32.exe56⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Jbffno32.exeC:\Windows\system32\Jbffno32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3784 -
C:\Windows\SysWOW64\Jipnkibm.exeC:\Windows\system32\Jipnkibm.exe58⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Jkokgdaq.exeC:\Windows\system32\Jkokgdaq.exe59⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Jbhcdnim.exeC:\Windows\system32\Jbhcdnim.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\Jegopjha.exeC:\Windows\system32\Jegopjha.exe61⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Jkagmd32.exeC:\Windows\system32\Jkagmd32.exe62⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Jbkpingk.exeC:\Windows\system32\Jbkpingk.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
PID:2012 -
C:\Windows\SysWOW64\Jffljm32.exeC:\Windows\system32\Jffljm32.exe64⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Jkcdbc32.exeC:\Windows\system32\Jkcdbc32.exe65⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Jnapno32.exeC:\Windows\system32\Jnapno32.exe66⤵PID:5008
-
C:\Windows\SysWOW64\Jfihplma.exeC:\Windows\system32\Jfihplma.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3500 -
C:\Windows\SysWOW64\Jigdlhle.exeC:\Windows\system32\Jigdlhle.exe68⤵PID:4072
-
C:\Windows\SysWOW64\Jleahcki.exeC:\Windows\system32\Jleahcki.exe69⤵PID:3044
-
C:\Windows\SysWOW64\Kbpidm32.exeC:\Windows\system32\Kbpidm32.exe70⤵PID:3604
-
C:\Windows\SysWOW64\Keneqi32.exeC:\Windows\system32\Keneqi32.exe71⤵PID:2220
-
C:\Windows\SysWOW64\Klhnmcif.exeC:\Windows\system32\Klhnmcif.exe72⤵PID:632
-
C:\Windows\SysWOW64\Knfjinhj.exeC:\Windows\system32\Knfjinhj.exe73⤵PID:2736
-
C:\Windows\SysWOW64\Kepbfh32.exeC:\Windows\system32\Kepbfh32.exe74⤵PID:5100
-
C:\Windows\SysWOW64\Kilngg32.exeC:\Windows\system32\Kilngg32.exe75⤵PID:1428
-
C:\Windows\SysWOW64\Kpffcapl.exeC:\Windows\system32\Kpffcapl.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:4416 -
C:\Windows\SysWOW64\Kbdbpmop.exeC:\Windows\system32\Kbdbpmop.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Khakhcmg.exeC:\Windows\system32\Khakhcmg.exe78⤵PID:3428
-
C:\Windows\SysWOW64\Kphcianj.exeC:\Windows\system32\Kphcianj.exe79⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Kbgoelmm.exeC:\Windows\system32\Kbgoelmm.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1028 -
C:\Windows\SysWOW64\Kiqgbf32.exeC:\Windows\system32\Kiqgbf32.exe81⤵PID:3972
-
C:\Windows\SysWOW64\Kpkpoq32.exeC:\Windows\system32\Kpkpoq32.exe82⤵PID:2780
-
C:\Windows\SysWOW64\Knmpjmba.exeC:\Windows\system32\Knmpjmba.exe83⤵PID:4460
-
C:\Windows\SysWOW64\Kicdgfbg.exeC:\Windows\system32\Kicdgfbg.exe84⤵PID:3976
-
C:\Windows\SysWOW64\Lpmldp32.exeC:\Windows\system32\Lpmldp32.exe85⤵PID:2196
-
C:\Windows\SysWOW64\Lbkhpl32.exeC:\Windows\system32\Lbkhpl32.exe86⤵PID:2788
-
C:\Windows\SysWOW64\Lhhahb32.exeC:\Windows\system32\Lhhahb32.exe87⤵PID:1312
-
C:\Windows\SysWOW64\Lpoijpgb.exeC:\Windows\system32\Lpoijpgb.exe88⤵PID:1696
-
C:\Windows\SysWOW64\Lnbiem32.exeC:\Windows\system32\Lnbiem32.exe89⤵PID:4412
-
C:\Windows\SysWOW64\Lhjnnbem.exeC:\Windows\system32\Lhjnnbem.exe90⤵PID:4720
-
C:\Windows\SysWOW64\Lpafopeo.exeC:\Windows\system32\Lpafopeo.exe91⤵PID:2144
-
C:\Windows\SysWOW64\Lbpbkkdc.exeC:\Windows\system32\Lbpbkkdc.exe92⤵PID:5048
-
C:\Windows\SysWOW64\Lenngfcf.exeC:\Windows\system32\Lenngfcf.exe93⤵PID:1916
-
C:\Windows\SysWOW64\Lhmjcbcj.exeC:\Windows\system32\Lhmjcbcj.exe94⤵PID:3680
-
C:\Windows\SysWOW64\Lpdbeo32.exeC:\Windows\system32\Lpdbeo32.exe95⤵PID:4796
-
C:\Windows\SysWOW64\Logbpljg.exeC:\Windows\system32\Logbpljg.exe96⤵PID:556
-
C:\Windows\SysWOW64\Lfnkaiki.exeC:\Windows\system32\Lfnkaiki.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3692 -
C:\Windows\SysWOW64\Lhogia32.exeC:\Windows\system32\Lhogia32.exe98⤵PID:2980
-
C:\Windows\SysWOW64\Llkcjpiq.exeC:\Windows\system32\Llkcjpiq.exe99⤵PID:5080
-
C:\Windows\SysWOW64\Loioflhd.exeC:\Windows\system32\Loioflhd.exe100⤵PID:3308
-
C:\Windows\SysWOW64\Lechbf32.exeC:\Windows\system32\Lechbf32.exe101⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Lioccdhj.exeC:\Windows\system32\Lioccdhj.exe102⤵PID:2192
-
C:\Windows\SysWOW64\Lhadoa32.exeC:\Windows\system32\Lhadoa32.exe103⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Mbghljok.exeC:\Windows\system32\Mbghljok.exe104⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Mfbdmi32.exeC:\Windows\system32\Mfbdmi32.exe105⤵
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Windows\SysWOW64\Miapid32.exeC:\Windows\system32\Miapid32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4688 -
C:\Windows\SysWOW64\Mlomep32.exeC:\Windows\system32\Mlomep32.exe107⤵
- Modifies registry class
PID:4984 -
C:\Windows\SysWOW64\Moniak32.exeC:\Windows\system32\Moniak32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Mbieajlh.exeC:\Windows\system32\Mbieajlh.exe109⤵PID:4608
-
C:\Windows\SysWOW64\Mehanell.exeC:\Windows\system32\Mehanell.exe110⤵PID:4340
-
C:\Windows\SysWOW64\Mlaijo32.exeC:\Windows\system32\Mlaijo32.exe111⤵PID:3880
-
C:\Windows\SysWOW64\Mpmeknkb.exeC:\Windows\system32\Mpmeknkb.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1476 -
C:\Windows\SysWOW64\Mblagi32.exeC:\Windows\system32\Mblagi32.exe113⤵PID:2444
-
C:\Windows\SysWOW64\Mfgnhhbo.exeC:\Windows\system32\Mfgnhhbo.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3092 -
C:\Windows\SysWOW64\Mhhjop32.exeC:\Windows\system32\Mhhjop32.exe115⤵PID:3384
-
C:\Windows\SysWOW64\Mobbljpj.exeC:\Windows\system32\Mobbljpj.exe116⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Mfjjmhql.exeC:\Windows\system32\Mfjjmhql.exe117⤵
- Drops file in System32 directory
PID:4780 -
C:\Windows\SysWOW64\Meljid32.exeC:\Windows\system32\Meljid32.exe118⤵PID:4352
-
C:\Windows\SysWOW64\Mlfbeooc.exeC:\Windows\system32\Mlfbeooc.exe119⤵PID:5136
-
C:\Windows\SysWOW64\Mbqkbi32.exeC:\Windows\system32\Mbqkbi32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180 -
C:\Windows\SysWOW64\Mflgcg32.exeC:\Windows\system32\Mflgcg32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5224
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-