Analysis
-
max time kernel
114s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-01-2025 03:25
Behavioral task
behavioral1
Sample
ef63b64a6f6ac94c7b05b5ab8cd534b5e3dd0027be085d7bda62ea44ac0965e2N.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
General
-
Target
ef63b64a6f6ac94c7b05b5ab8cd534b5e3dd0027be085d7bda62ea44ac0965e2N.exe
-
Size
93KB
-
MD5
6715464fbc6e9a6f282b40ad74b3d830
-
SHA1
829179d73db85c6355a5bf8e33699e914583d143
-
SHA256
ef63b64a6f6ac94c7b05b5ab8cd534b5e3dd0027be085d7bda62ea44ac0965e2
-
SHA512
aa6992eb61ca6a7ac33c5f27928fa8838e932c3353864997c210f1e8bc3e47d68ad45637f0550faff0ab5d8e4152a6f56770c703b1126efbd0bd371bdf346584
-
SSDEEP
1536:PiIRte/KU+seonBNISVDq1DaYfMZRWuLsV+1D:Pi8tWZ+sJNtVDqgYfc0DV+1D
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elgioe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegbpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imepgbnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgichoqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Konpjafp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henipenb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cinahhff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koogdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kanhph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnbfkccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbboa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coehnecn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fabppo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmbadfdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cljajh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcokhaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aogpmcmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edidcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emogdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnipgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dokjlcjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhkjpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqmddah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Immnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkdmneoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqeqhlii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oljbil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhdihlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihopjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabeal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdllci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenaho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bieegcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljogknmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahkhgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgfannba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edafjiqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoonqmqf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qakmghbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Makhlkel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flnpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgaohej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padcqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acncngpl.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2840 Mfhabe32.exe 2888 Maabcc32.exe 2988 Njjfli32.exe 2904 Nnhobgag.exe 2796 Nfcdfiob.exe 1876 Nfeqli32.exe 2260 Nblaajbd.exe 796 Odlnkmjg.exe 1248 Oepghe32.exe 1500 Oafhmf32.exe 2924 Oojhfj32.exe 1896 Oolelj32.exe 2636 Pooaaink.exe 2080 Pihbbgjj.exe 2436 Pikohg32.exe 1860 Peapmhnk.exe 236 Pllhib32.exe 2600 Pedmbg32.exe 2708 Qakmghbm.exe 860 Qoonqmqf.exe 620 Qdkfic32.exe 2224 Aaogbh32.exe 1864 Anfggicl.exe 432 Ajmhljip.exe 868 Acemeo32.exe 2644 Aqimoc32.exe 2880 Ampncd32.exe 3052 Bclcfnih.exe 2116 Bbapgknp.exe 1384 Bikhce32.exe 2788 Bgqeea32.exe 2160 Baiingae.exe 2108 Cegbce32.exe 1392 Cappnf32.exe 1764 Cmgpcg32.exe 924 Cinahhff.exe 1424 Cipnng32.exe 288 Domffn32.exe 1784 Dlqgob32.exe 2196 Deikhhhe.exe 2176 Dkfcqo32.exe 908 Dekhnh32.exe 1260 Dgoakpjn.exe 1868 Eabeal32.exe 1352 Elgioe32.exe 1840 Fcaaloed.exe 472 Fkmfpabp.exe 2328 Fdekigip.exe 2668 Fokofpif.exe 2616 Fhccoe32.exe 2940 Fakhhk32.exe 3056 Fcmdpcle.exe 2856 Fnbhmlkk.exe 1696 Fgjmfa32.exe 2576 Gmgenh32.exe 2448 Ggmjkapi.exe 1380 Gqendf32.exe 1564 Gfbfln32.exe 1808 Gojkecka.exe 2928 Gbigao32.exe 2172 Gicpnhbb.exe 2696 Gbkdgn32.exe 1096 Gkchpcoc.exe 2392 Hqpahkmj.exe -
Loads dropped DLL 64 IoCs
pid Process 2824 ef63b64a6f6ac94c7b05b5ab8cd534b5e3dd0027be085d7bda62ea44ac0965e2N.exe 2824 ef63b64a6f6ac94c7b05b5ab8cd534b5e3dd0027be085d7bda62ea44ac0965e2N.exe 2840 Mfhabe32.exe 2840 Mfhabe32.exe 2888 Maabcc32.exe 2888 Maabcc32.exe 2988 Njjfli32.exe 2988 Njjfli32.exe 2904 Nnhobgag.exe 2904 Nnhobgag.exe 2796 Nfcdfiob.exe 2796 Nfcdfiob.exe 1876 Nfeqli32.exe 1876 Nfeqli32.exe 2260 Nblaajbd.exe 2260 Nblaajbd.exe 796 Odlnkmjg.exe 796 Odlnkmjg.exe 1248 Oepghe32.exe 1248 Oepghe32.exe 1500 Oafhmf32.exe 1500 Oafhmf32.exe 2924 Oojhfj32.exe 2924 Oojhfj32.exe 1896 Oolelj32.exe 1896 Oolelj32.exe 2636 Pooaaink.exe 2636 Pooaaink.exe 2080 Pihbbgjj.exe 2080 Pihbbgjj.exe 2436 Pikohg32.exe 2436 Pikohg32.exe 1860 Peapmhnk.exe 1860 Peapmhnk.exe 236 Pllhib32.exe 236 Pllhib32.exe 2600 Pedmbg32.exe 2600 Pedmbg32.exe 2708 Qakmghbm.exe 2708 Qakmghbm.exe 860 Qoonqmqf.exe 860 Qoonqmqf.exe 620 Qdkfic32.exe 620 Qdkfic32.exe 2224 Aaogbh32.exe 2224 Aaogbh32.exe 1864 Anfggicl.exe 1864 Anfggicl.exe 432 Ajmhljip.exe 432 Ajmhljip.exe 868 Acemeo32.exe 868 Acemeo32.exe 2644 Aqimoc32.exe 2644 Aqimoc32.exe 2880 Ampncd32.exe 2880 Ampncd32.exe 3052 Bclcfnih.exe 3052 Bclcfnih.exe 2116 Bbapgknp.exe 2116 Bbapgknp.exe 1384 Bikhce32.exe 1384 Bikhce32.exe 2788 Bgqeea32.exe 2788 Bgqeea32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lohkhjcj.exe Lljolodf.exe File opened for modification C:\Windows\SysWOW64\Ekqqea32.exe Ebhlmlhl.exe File created C:\Windows\SysWOW64\Kdinea32.exe Process not Found File created C:\Windows\SysWOW64\Nfoinj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pdpoeo32.exe Process not Found File created C:\Windows\SysWOW64\Iahckl32.dll Eipekmjg.exe File created C:\Windows\SysWOW64\Kcjqlm32.exe Kjalch32.exe File opened for modification C:\Windows\SysWOW64\Odpljf32.exe Omeged32.exe File created C:\Windows\SysWOW64\Gfcjqkbp.exe Gpiadq32.exe File created C:\Windows\SysWOW64\Idcodh32.dll Aediaoae.exe File opened for modification C:\Windows\SysWOW64\Bkfigqjn.exe Process not Found File created C:\Windows\SysWOW64\Ombhgljn.exe Nbmcjc32.exe File created C:\Windows\SysWOW64\Fmfpnb32.exe Fflgahfm.exe File opened for modification C:\Windows\SysWOW64\Jajcaj32.exe Jhboidoj.exe File created C:\Windows\SysWOW64\Jeaiel32.dll Process not Found File created C:\Windows\SysWOW64\Oafhmf32.exe Oepghe32.exe File created C:\Windows\SysWOW64\Ncpjnahm.exe Nncaejie.exe File opened for modification C:\Windows\SysWOW64\Omqnfiip.exe Opmnle32.exe File created C:\Windows\SysWOW64\Fieiephm.exe Process not Found File created C:\Windows\SysWOW64\Ojlkonpb.exe Ocbbbd32.exe File opened for modification C:\Windows\SysWOW64\Nnknqpgi.exe Ndbjgjqh.exe File created C:\Windows\SysWOW64\Iadphghe.exe Iglkoaad.exe File created C:\Windows\SysWOW64\Kpmkjlbi.exe Process not Found File created C:\Windows\SysWOW64\Cammfg32.dll Dljdcqek.exe File opened for modification C:\Windows\SysWOW64\Fhaibnim.exe Fbdpjgjf.exe File created C:\Windows\SysWOW64\Nmefnofj.dll Kiolio32.exe File created C:\Windows\SysWOW64\Opdmpe32.dll Ggmjkapi.exe File created C:\Windows\SysWOW64\Geehcoaf.exe Ghagjj32.exe File created C:\Windows\SysWOW64\Bqnhll32.dll Process not Found File created C:\Windows\SysWOW64\Dcedfe32.exe Process not Found File created C:\Windows\SysWOW64\Mbehgabe.exe Mhlcnl32.exe File opened for modification C:\Windows\SysWOW64\Aniffaim.exe Adqbml32.exe File created C:\Windows\SysWOW64\Ehpgha32.exe Dbcnpk32.exe File created C:\Windows\SysWOW64\Geqnho32.exe Gbbbld32.exe File opened for modification C:\Windows\SysWOW64\Kkpgdc32.exe Kbhckm32.exe File created C:\Windows\SysWOW64\Jklfokoe.dll Nimcallo.exe File opened for modification C:\Windows\SysWOW64\Ppoijq32.exe Process not Found File created C:\Windows\SysWOW64\Iglmjf32.exe Process not Found File created C:\Windows\SysWOW64\Dccbefif.dll Gkchpcoc.exe File created C:\Windows\SysWOW64\Nifmqm32.exe Makhlkel.exe File created C:\Windows\SysWOW64\Jgdjhmph.dll Gplgmodq.exe File opened for modification C:\Windows\SysWOW64\Eiibok32.exe Process not Found File created C:\Windows\SysWOW64\Qadhcj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dekcng32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hpfamd32.exe Hfnmdo32.exe File created C:\Windows\SysWOW64\Ijenpn32.exe Iamjghnm.exe File opened for modification C:\Windows\SysWOW64\Ombjpd32.exe Ojdndi32.exe File created C:\Windows\SysWOW64\Gjgmhaim.exe Gpaikiig.exe File created C:\Windows\SysWOW64\Jobgmokc.dll Cdflhppk.exe File created C:\Windows\SysWOW64\Jmoqmm32.dll Process not Found File created C:\Windows\SysWOW64\Poinkg32.exe Pddinn32.exe File created C:\Windows\SysWOW64\Ifgpnf32.dll Fehodaqd.exe File opened for modification C:\Windows\SysWOW64\Cnbhcl32.exe Cnpknl32.exe File created C:\Windows\SysWOW64\Dlmqip32.exe Dindme32.exe File created C:\Windows\SysWOW64\Emqaaabg.exe Elaego32.exe File created C:\Windows\SysWOW64\Edkbdf32.exe Enajgllm.exe File opened for modification C:\Windows\SysWOW64\Eabeal32.exe Dgoakpjn.exe File created C:\Windows\SysWOW64\Caqoan32.dll Giikkehc.exe File created C:\Windows\SysWOW64\Ahhgkdfo.exe Qipmdhcj.exe File created C:\Windows\SysWOW64\Dhlkbbnm.dll Process not Found File created C:\Windows\SysWOW64\Maeljf32.dll Eamdlf32.exe File opened for modification C:\Windows\SysWOW64\Ncpjnahm.exe Nncaejie.exe File created C:\Windows\SysWOW64\Gfklfa32.dll Ianambhc.exe File opened for modification C:\Windows\SysWOW64\Opgjfb32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 828 936 Process not Found 1419 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfhdlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocglmcdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmflmfpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfgeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdlpnnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdedoegh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgfkoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbkpfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegbpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllmkcdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaojiqej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odpeop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncllifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidjml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dindme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgpfdoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cappnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgjdcghp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffejk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqambacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqpjndio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcfioj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efglmpbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obopobhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mognco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almmlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqpahkmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngoinfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipedihgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdanngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpfkhbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nffenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhhphmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedmhlqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodhca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhplaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkhbkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjgclcjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaibpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbeakllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgfannba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpldjajo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haggijgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kommediq.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Infjfblm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcpglhpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jakmfc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeiapp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohcck32.dll" Andlmnki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcfjkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nenaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgkjji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daibfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcfdpkb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmgpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fokofpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onehadbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obbdgajq.dll" Gjmpfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moljfnpo.dll" Pedmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cipnng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpldjajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egiabnan.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oikinnhd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnkia32.dll" Hccbnhla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imifpagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkgfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aipickfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekcdegqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfgbjc32.dll" Dclikp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afbpph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flkmlgnl.dll" Ojgado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imoqbo32.dll" Abcngkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ighfecdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkfcqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlamcqni.dll" Nenaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmhjb32.dll" Hepffelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llhcad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llkamfnj.dll" Plfjme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gohjnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bofbih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imkqmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkbimbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edkbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaafdelg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlabjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobfgcdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikfdmogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoflo32.dll" Ejnnbpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higcbj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blcmbmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oagkfqbe.dll" Nhmbfhfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inkgdjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfgedkko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkfoiql.dll" Plfhdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcckbeha.dll" Fhaibnim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fadmenpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iomaaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baiingae.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2824 wrote to memory of 2840 2824 ef63b64a6f6ac94c7b05b5ab8cd534b5e3dd0027be085d7bda62ea44ac0965e2N.exe 29 PID 2824 wrote to memory of 2840 2824 ef63b64a6f6ac94c7b05b5ab8cd534b5e3dd0027be085d7bda62ea44ac0965e2N.exe 29 PID 2824 wrote to memory of 2840 2824 ef63b64a6f6ac94c7b05b5ab8cd534b5e3dd0027be085d7bda62ea44ac0965e2N.exe 29 PID 2824 wrote to memory of 2840 2824 ef63b64a6f6ac94c7b05b5ab8cd534b5e3dd0027be085d7bda62ea44ac0965e2N.exe 29 PID 2840 wrote to memory of 2888 2840 Mfhabe32.exe 30 PID 2840 wrote to memory of 2888 2840 Mfhabe32.exe 30 PID 2840 wrote to memory of 2888 2840 Mfhabe32.exe 30 PID 2840 wrote to memory of 2888 2840 Mfhabe32.exe 30 PID 2888 wrote to memory of 2988 2888 Maabcc32.exe 31 PID 2888 wrote to memory of 2988 2888 Maabcc32.exe 31 PID 2888 wrote to memory of 2988 2888 Maabcc32.exe 31 PID 2888 wrote to memory of 2988 2888 Maabcc32.exe 31 PID 2988 wrote to memory of 2904 2988 Njjfli32.exe 32 PID 2988 wrote to memory of 2904 2988 Njjfli32.exe 32 PID 2988 wrote to memory of 2904 2988 Njjfli32.exe 32 PID 2988 wrote to memory of 2904 2988 Njjfli32.exe 32 PID 2904 wrote to memory of 2796 2904 Nnhobgag.exe 33 PID 2904 wrote to memory of 2796 2904 Nnhobgag.exe 33 PID 2904 wrote to memory of 2796 2904 Nnhobgag.exe 33 PID 2904 wrote to memory of 2796 2904 Nnhobgag.exe 33 PID 2796 wrote to memory of 1876 2796 Nfcdfiob.exe 34 PID 2796 wrote to memory of 1876 2796 Nfcdfiob.exe 34 PID 2796 wrote to memory of 1876 2796 Nfcdfiob.exe 34 PID 2796 wrote to memory of 1876 2796 Nfcdfiob.exe 34 PID 1876 wrote to memory of 2260 1876 Nfeqli32.exe 35 PID 1876 wrote to memory of 2260 1876 Nfeqli32.exe 35 PID 1876 wrote to memory of 2260 1876 Nfeqli32.exe 35 PID 1876 wrote to memory of 2260 1876 Nfeqli32.exe 35 PID 2260 wrote to memory of 796 2260 Nblaajbd.exe 36 PID 2260 wrote to memory of 796 2260 Nblaajbd.exe 36 PID 2260 wrote to memory of 796 2260 Nblaajbd.exe 36 PID 2260 wrote to memory of 796 2260 Nblaajbd.exe 36 PID 796 wrote to memory of 1248 796 Odlnkmjg.exe 37 PID 796 wrote to memory of 1248 796 Odlnkmjg.exe 37 PID 796 wrote to memory of 1248 796 Odlnkmjg.exe 37 PID 796 wrote to memory of 1248 796 Odlnkmjg.exe 37 PID 1248 wrote to memory of 1500 1248 Oepghe32.exe 38 PID 1248 wrote to memory of 1500 1248 Oepghe32.exe 38 PID 1248 wrote to memory of 1500 1248 Oepghe32.exe 38 PID 1248 wrote to memory of 1500 1248 Oepghe32.exe 38 PID 1500 wrote to memory of 2924 1500 Oafhmf32.exe 39 PID 1500 wrote to memory of 2924 1500 Oafhmf32.exe 39 PID 1500 wrote to memory of 2924 1500 Oafhmf32.exe 39 PID 1500 wrote to memory of 2924 1500 Oafhmf32.exe 39 PID 2924 wrote to memory of 1896 2924 Oojhfj32.exe 40 PID 2924 wrote to memory of 1896 2924 Oojhfj32.exe 40 PID 2924 wrote to memory of 1896 2924 Oojhfj32.exe 40 PID 2924 wrote to memory of 1896 2924 Oojhfj32.exe 40 PID 1896 wrote to memory of 2636 1896 Oolelj32.exe 41 PID 1896 wrote to memory of 2636 1896 Oolelj32.exe 41 PID 1896 wrote to memory of 2636 1896 Oolelj32.exe 41 PID 1896 wrote to memory of 2636 1896 Oolelj32.exe 41 PID 2636 wrote to memory of 2080 2636 Pooaaink.exe 42 PID 2636 wrote to memory of 2080 2636 Pooaaink.exe 42 PID 2636 wrote to memory of 2080 2636 Pooaaink.exe 42 PID 2636 wrote to memory of 2080 2636 Pooaaink.exe 42 PID 2080 wrote to memory of 2436 2080 Pihbbgjj.exe 43 PID 2080 wrote to memory of 2436 2080 Pihbbgjj.exe 43 PID 2080 wrote to memory of 2436 2080 Pihbbgjj.exe 43 PID 2080 wrote to memory of 2436 2080 Pihbbgjj.exe 43 PID 2436 wrote to memory of 1860 2436 Pikohg32.exe 44 PID 2436 wrote to memory of 1860 2436 Pikohg32.exe 44 PID 2436 wrote to memory of 1860 2436 Pikohg32.exe 44 PID 2436 wrote to memory of 1860 2436 Pikohg32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef63b64a6f6ac94c7b05b5ab8cd534b5e3dd0027be085d7bda62ea44ac0965e2N.exe"C:\Users\Admin\AppData\Local\Temp\ef63b64a6f6ac94c7b05b5ab8cd534b5e3dd0027be085d7bda62ea44ac0965e2N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Mfhabe32.exeC:\Windows\system32\Mfhabe32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Maabcc32.exeC:\Windows\system32\Maabcc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Njjfli32.exeC:\Windows\system32\Njjfli32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Nnhobgag.exeC:\Windows\system32\Nnhobgag.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Nfcdfiob.exeC:\Windows\system32\Nfcdfiob.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Nfeqli32.exeC:\Windows\system32\Nfeqli32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Nblaajbd.exeC:\Windows\system32\Nblaajbd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Odlnkmjg.exeC:\Windows\system32\Odlnkmjg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Oepghe32.exeC:\Windows\system32\Oepghe32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Oafhmf32.exeC:\Windows\system32\Oafhmf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Oojhfj32.exeC:\Windows\system32\Oojhfj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Oolelj32.exeC:\Windows\system32\Oolelj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Pooaaink.exeC:\Windows\system32\Pooaaink.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Pikohg32.exeC:\Windows\system32\Pikohg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Peapmhnk.exeC:\Windows\system32\Peapmhnk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Pllhib32.exeC:\Windows\system32\Pllhib32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:236 -
C:\Windows\SysWOW64\Pedmbg32.exeC:\Windows\system32\Pedmbg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Qakmghbm.exeC:\Windows\system32\Qakmghbm.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Qoonqmqf.exeC:\Windows\system32\Qoonqmqf.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Qdkfic32.exeC:\Windows\system32\Qdkfic32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Aaogbh32.exeC:\Windows\system32\Aaogbh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Anfggicl.exeC:\Windows\system32\Anfggicl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Ajmhljip.exeC:\Windows\system32\Ajmhljip.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:432 -
C:\Windows\SysWOW64\Acemeo32.exeC:\Windows\system32\Acemeo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Aqimoc32.exeC:\Windows\system32\Aqimoc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Ampncd32.exeC:\Windows\system32\Ampncd32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Bclcfnih.exeC:\Windows\system32\Bclcfnih.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Bbapgknp.exeC:\Windows\system32\Bbapgknp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Bikhce32.exeC:\Windows\system32\Bikhce32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1384 -
C:\Windows\SysWOW64\Bgqeea32.exeC:\Windows\system32\Bgqeea32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Baiingae.exeC:\Windows\system32\Baiingae.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Cegbce32.exeC:\Windows\system32\Cegbce32.exe34⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Cappnf32.exeC:\Windows\system32\Cappnf32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1392 -
C:\Windows\SysWOW64\Cmgpcg32.exeC:\Windows\system32\Cmgpcg32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Cinahhff.exeC:\Windows\system32\Cinahhff.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Cipnng32.exeC:\Windows\system32\Cipnng32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Domffn32.exeC:\Windows\system32\Domffn32.exe39⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Dlqgob32.exeC:\Windows\system32\Dlqgob32.exe40⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Deikhhhe.exeC:\Windows\system32\Deikhhhe.exe41⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Dkfcqo32.exeC:\Windows\system32\Dkfcqo32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Dekhnh32.exeC:\Windows\system32\Dekhnh32.exe43⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Dgoakpjn.exeC:\Windows\system32\Dgoakpjn.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1260 -
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Elgioe32.exeC:\Windows\system32\Elgioe32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Fcaaloed.exeC:\Windows\system32\Fcaaloed.exe47⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Fkmfpabp.exeC:\Windows\system32\Fkmfpabp.exe48⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe49⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Fokofpif.exeC:\Windows\system32\Fokofpif.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Fhccoe32.exeC:\Windows\system32\Fhccoe32.exe51⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Fakhhk32.exeC:\Windows\system32\Fakhhk32.exe52⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Fcmdpcle.exeC:\Windows\system32\Fcmdpcle.exe53⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Fnbhmlkk.exeC:\Windows\system32\Fnbhmlkk.exe54⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Fgjmfa32.exeC:\Windows\system32\Fgjmfa32.exe55⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Gmgenh32.exeC:\Windows\system32\Gmgenh32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ggmjkapi.exeC:\Windows\system32\Ggmjkapi.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Gqendf32.exeC:\Windows\system32\Gqendf32.exe58⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Gfbfln32.exeC:\Windows\system32\Gfbfln32.exe59⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Gojkecka.exeC:\Windows\system32\Gojkecka.exe60⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Gbigao32.exeC:\Windows\system32\Gbigao32.exe61⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Gicpnhbb.exeC:\Windows\system32\Gicpnhbb.exe62⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Gbkdgn32.exeC:\Windows\system32\Gbkdgn32.exe63⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Gkchpcoc.exeC:\Windows\system32\Gkchpcoc.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Hqpahkmj.exeC:\Windows\system32\Hqpahkmj.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Hkfeec32.exeC:\Windows\system32\Hkfeec32.exe66⤵PID:1300
-
C:\Windows\SysWOW64\Hqbnnj32.exeC:\Windows\system32\Hqbnnj32.exe67⤵PID:2148
-
C:\Windows\SysWOW64\Hkhbkc32.exeC:\Windows\system32\Hkhbkc32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\Haejcj32.exeC:\Windows\system32\Haejcj32.exe69⤵PID:1680
-
C:\Windows\SysWOW64\Hfbckagm.exeC:\Windows\system32\Hfbckagm.exe70⤵PID:752
-
C:\Windows\SysWOW64\Haggijgb.exeC:\Windows\system32\Haggijgb.exe71⤵
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Hfdpaqej.exeC:\Windows\system32\Hfdpaqej.exe72⤵PID:1684
-
C:\Windows\SysWOW64\Hmnhnk32.exeC:\Windows\system32\Hmnhnk32.exe73⤵PID:2968
-
C:\Windows\SysWOW64\Hbkpfa32.exeC:\Windows\system32\Hbkpfa32.exe74⤵
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Ilceog32.exeC:\Windows\system32\Ilceog32.exe75⤵PID:2736
-
C:\Windows\SysWOW64\Icjmpd32.exeC:\Windows\system32\Icjmpd32.exe76⤵PID:2184
-
C:\Windows\SysWOW64\Ieligmho.exeC:\Windows\system32\Ieligmho.exe77⤵PID:2452
-
C:\Windows\SysWOW64\Indnqb32.exeC:\Windows\system32\Indnqb32.exe78⤵PID:1252
-
C:\Windows\SysWOW64\Ienfml32.exeC:\Windows\system32\Ienfml32.exe79⤵PID:984
-
C:\Windows\SysWOW64\Infjfblm.exeC:\Windows\system32\Infjfblm.exe80⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Ieqbbl32.exeC:\Windows\system32\Ieqbbl32.exe81⤵PID:1232
-
C:\Windows\SysWOW64\Iniglajj.exeC:\Windows\system32\Iniglajj.exe82⤵PID:1052
-
C:\Windows\SysWOW64\Ilmgef32.exeC:\Windows\system32\Ilmgef32.exe83⤵PID:2244
-
C:\Windows\SysWOW64\Iaipmm32.exeC:\Windows\system32\Iaipmm32.exe84⤵PID:2272
-
C:\Windows\SysWOW64\Jhchjgoh.exeC:\Windows\system32\Jhchjgoh.exe85⤵PID:1812
-
C:\Windows\SysWOW64\Jonqfq32.exeC:\Windows\system32\Jonqfq32.exe86⤵PID:844
-
C:\Windows\SysWOW64\Jdjioh32.exeC:\Windows\system32\Jdjioh32.exe87⤵PID:1888
-
C:\Windows\SysWOW64\Janihlcf.exeC:\Windows\system32\Janihlcf.exe88⤵PID:1136
-
C:\Windows\SysWOW64\Jbpfpd32.exeC:\Windows\system32\Jbpfpd32.exe89⤵PID:2848
-
C:\Windows\SysWOW64\Jmejmm32.exeC:\Windows\system32\Jmejmm32.exe90⤵PID:2472
-
C:\Windows\SysWOW64\Jbbbed32.exeC:\Windows\system32\Jbbbed32.exe91⤵PID:2804
-
C:\Windows\SysWOW64\Jljgni32.exeC:\Windows\system32\Jljgni32.exe92⤵PID:2188
-
C:\Windows\SysWOW64\Jbdokceo.exeC:\Windows\system32\Jbdokceo.exe93⤵PID:2124
-
C:\Windows\SysWOW64\Jlmddi32.exeC:\Windows\system32\Jlmddi32.exe94⤵PID:2640
-
C:\Windows\SysWOW64\Khcdijac.exeC:\Windows\system32\Khcdijac.exe95⤵PID:1196
-
C:\Windows\SysWOW64\Kommediq.exeC:\Windows\system32\Kommediq.exe96⤵
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\Kdjenkgh.exeC:\Windows\system32\Kdjenkgh.exe97⤵PID:2504
-
C:\Windows\SysWOW64\Knbjgq32.exeC:\Windows\system32\Knbjgq32.exe98⤵PID:1584
-
C:\Windows\SysWOW64\Kdlbckee.exeC:\Windows\system32\Kdlbckee.exe99⤵PID:1828
-
C:\Windows\SysWOW64\Kneflplf.exeC:\Windows\system32\Kneflplf.exe100⤵PID:1480
-
C:\Windows\SysWOW64\Kpcbhlki.exeC:\Windows\system32\Kpcbhlki.exe101⤵PID:1640
-
C:\Windows\SysWOW64\Kkigfdjo.exeC:\Windows\system32\Kkigfdjo.exe102⤵PID:764
-
C:\Windows\SysWOW64\Kabobo32.exeC:\Windows\system32\Kabobo32.exe103⤵PID:2992
-
C:\Windows\SysWOW64\Lgphke32.exeC:\Windows\system32\Lgphke32.exe104⤵PID:2764
-
C:\Windows\SysWOW64\Lnipgp32.exeC:\Windows\system32\Lnipgp32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728 -
C:\Windows\SysWOW64\Lfedlb32.exeC:\Windows\system32\Lfedlb32.exe106⤵PID:3020
-
C:\Windows\SysWOW64\Lomidgkl.exeC:\Windows\system32\Lomidgkl.exe107⤵PID:1624
-
C:\Windows\SysWOW64\Lfgaaa32.exeC:\Windows\system32\Lfgaaa32.exe108⤵PID:2592
-
C:\Windows\SysWOW64\Lhenmm32.exeC:\Windows\system32\Lhenmm32.exe109⤵PID:2204
-
C:\Windows\SysWOW64\Lckbkfbb.exeC:\Windows\system32\Lckbkfbb.exe110⤵PID:2056
-
C:\Windows\SysWOW64\Lhhjcmpj.exeC:\Windows\system32\Lhhjcmpj.exe111⤵PID:1304
-
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe112⤵PID:1832
-
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe113⤵PID:1512
-
C:\Windows\SysWOW64\Mfngbq32.exeC:\Windows\system32\Mfngbq32.exe114⤵PID:2580
-
C:\Windows\SysWOW64\Mhlcnl32.exeC:\Windows\system32\Mhlcnl32.exe115⤵
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Mbehgabe.exeC:\Windows\system32\Mbehgabe.exe116⤵PID:2896
-
C:\Windows\SysWOW64\Mhopcl32.exeC:\Windows\system32\Mhopcl32.exe117⤵PID:2360
-
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe118⤵PID:2440
-
C:\Windows\SysWOW64\Mgdmeh32.exeC:\Windows\system32\Mgdmeh32.exe119⤵PID:1528
-
C:\Windows\SysWOW64\Mnneabff.exeC:\Windows\system32\Mnneabff.exe120⤵PID:2084
-
C:\Windows\SysWOW64\Mdhnnl32.exeC:\Windows\system32\Mdhnnl32.exe121⤵PID:2812
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-