Analysis
-
max time kernel
37s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
01-10-2024 11:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe
-
Size
123KB
-
MD5
e40db0280ef14ef9b01cc84643fec3d0
-
SHA1
16ec43e5a6ce58bd0f85ea52c7cf22e5c0047686
-
SHA256
8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34
-
SHA512
178420b10d528917070de2372ca94be12567fd3510c11ff34fa9d27d3502289663bb2fe048050eaaad5b661e2733c22cfdf012b0b576516f7bd4db45c1f6f9de
-
SSDEEP
3072:i0JrHDUB510M+QKAiRYSa9rR85DEn5k7r8:TlADRKAi4rQD85k/8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgemplap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oohqqlei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdmaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpceidcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkklljmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngfflj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moidahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhaikn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcdipnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apdhjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnielm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackkppma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncbplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmjqcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pomfkndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkkmqnck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhdgjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilncom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlekia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oancnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmccjbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lapnnafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljibgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmneda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmccjbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcagpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qngmgjeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkdakjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclnemgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphhenhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npojdpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhllob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhpeafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgemplap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohhkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkdgpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbplbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkpqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onpjghhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikkjbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfdmggnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhofjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mholen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nckjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poapfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbbhgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkmkacq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kconkibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmikibio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagmmgdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeenochi.exe -
Executes dropped EXE 64 IoCs
pid Process 2684 Hapicp32.exe 2012 Hhjapjmi.exe 2836 Hgmalg32.exe 2716 Hdqbekcm.exe 2608 Ikkjbe32.exe 1136 Igakgfpn.exe 1468 Ilncom32.exe 2384 Igchlf32.exe 1248 Iamimc32.exe 2888 Ihgainbg.exe 348 Ikhjki32.exe 1788 Jdpndnei.exe 2004 Jofbag32.exe 316 Jhngjmlo.exe 1120 Jjpcbe32.exe 1960 Jgcdki32.exe 1532 Jmplcp32.exe 2216 Jdgdempa.exe 2976 Jgfqaiod.exe 1240 Kjfjbdle.exe 704 Kmefooki.exe 1708 Kconkibf.exe 2744 Kilfcpqm.exe 2840 Kfpgmdog.exe 2772 Kmjojo32.exe 2796 Kiqpop32.exe 2892 Kkolkk32.exe 2112 Kicmdo32.exe 640 Kgemplap.exe 2992 Lclnemgd.exe 2428 Lghjel32.exe 2528 Lmebnb32.exe 2868 Lapnnafn.exe 1736 Lgjfkk32.exe 2292 Ljibgg32.exe 2960 Lndohedg.exe 1204 Labkdack.exe 344 Lcagpl32.exe 2420 Lfpclh32.exe 1244 Linphc32.exe 1684 Lmikibio.exe 1688 Lphhenhc.exe 1564 Lccdel32.exe 2520 Lbfdaigg.exe 2252 Lfbpag32.exe 2220 Ljmlbfhi.exe 1692 Lmlhnagm.exe 2704 Lpjdjmfp.exe 2768 Lbiqfied.exe 1500 Lfdmggnm.exe 772 Libicbma.exe 612 Mmneda32.exe 2152 Mpmapm32.exe 2896 Mieeibkn.exe 892 Mhhfdo32.exe 2008 Mlcbenjb.exe 2912 Moanaiie.exe 1112 Melfncqb.exe 2140 Migbnb32.exe 2644 Mkhofjoj.exe 816 Modkfi32.exe 1752 Mbpgggol.exe 660 Mencccop.exe 2284 Mdacop32.exe -
Loads dropped DLL 64 IoCs
pid Process 2440 8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe 2440 8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe 2684 Hapicp32.exe 2684 Hapicp32.exe 2012 Hhjapjmi.exe 2012 Hhjapjmi.exe 2836 Hgmalg32.exe 2836 Hgmalg32.exe 2716 Hdqbekcm.exe 2716 Hdqbekcm.exe 2608 Ikkjbe32.exe 2608 Ikkjbe32.exe 1136 Igakgfpn.exe 1136 Igakgfpn.exe 1468 Ilncom32.exe 1468 Ilncom32.exe 2384 Igchlf32.exe 2384 Igchlf32.exe 1248 Iamimc32.exe 1248 Iamimc32.exe 2888 Ihgainbg.exe 2888 Ihgainbg.exe 348 Ikhjki32.exe 348 Ikhjki32.exe 1788 Jdpndnei.exe 1788 Jdpndnei.exe 2004 Jofbag32.exe 2004 Jofbag32.exe 316 Jhngjmlo.exe 316 Jhngjmlo.exe 1120 Jjpcbe32.exe 1120 Jjpcbe32.exe 1960 Jgcdki32.exe 1960 Jgcdki32.exe 1532 Jmplcp32.exe 1532 Jmplcp32.exe 2216 Jdgdempa.exe 2216 Jdgdempa.exe 2976 Jgfqaiod.exe 2976 Jgfqaiod.exe 1240 Kjfjbdle.exe 1240 Kjfjbdle.exe 704 Kmefooki.exe 704 Kmefooki.exe 1708 Kconkibf.exe 1708 Kconkibf.exe 2744 Kilfcpqm.exe 2744 Kilfcpqm.exe 2840 Kfpgmdog.exe 2840 Kfpgmdog.exe 2772 Kmjojo32.exe 2772 Kmjojo32.exe 2796 Kiqpop32.exe 2796 Kiqpop32.exe 2892 Kkolkk32.exe 2892 Kkolkk32.exe 2112 Kicmdo32.exe 2112 Kicmdo32.exe 640 Kgemplap.exe 640 Kgemplap.exe 2992 Lclnemgd.exe 2992 Lclnemgd.exe 2428 Lghjel32.exe 2428 Lghjel32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ocdneocc.dll Pjldghjm.exe File created C:\Windows\SysWOW64\Pfnkga32.dll Qbbhgi32.exe File created C:\Windows\SysWOW64\Fmhbhf32.dll Hapicp32.exe File created C:\Windows\SysWOW64\Fjngcolf.dll Lfbpag32.exe File created C:\Windows\SysWOW64\Aliolp32.dll Onbgmg32.exe File created C:\Windows\SysWOW64\Bjbcfn32.exe Bhdgjb32.exe File created C:\Windows\SysWOW64\Ecjlgm32.dll Igakgfpn.exe File created C:\Windows\SysWOW64\Lcnaga32.dll Okoafmkm.exe File created C:\Windows\SysWOW64\Pdaheq32.exe Pmjqcc32.exe File opened for modification C:\Windows\SysWOW64\Qngmgjeb.exe Qodlkm32.exe File created C:\Windows\SysWOW64\Naaffn32.dll Amnfnfgg.exe File created C:\Windows\SysWOW64\Kmcipd32.dll Kconkibf.exe File created C:\Windows\SysWOW64\Phmkjbfe.dll Nigome32.exe File opened for modification C:\Windows\SysWOW64\Cacacg32.exe Cilibi32.exe File opened for modification C:\Windows\SysWOW64\Lndohedg.exe Ljibgg32.exe File opened for modification C:\Windows\SysWOW64\Lfbpag32.exe Lbfdaigg.exe File created C:\Windows\SysWOW64\Blkepk32.dll Oohqqlei.exe File created C:\Windows\SysWOW64\Jaofqdkb.dll Ocfigjlp.exe File created C:\Windows\SysWOW64\Alhmjbhj.exe Aijpnfif.exe File created C:\Windows\SysWOW64\Jodjlm32.dll Bejdiffp.exe File opened for modification C:\Windows\SysWOW64\Bfpnmj32.exe Bnielm32.exe File opened for modification C:\Windows\SysWOW64\Cfnmfn32.exe Chkmkacq.exe File opened for modification C:\Windows\SysWOW64\Jdgdempa.exe Jmplcp32.exe File created C:\Windows\SysWOW64\Fhhiii32.dll Nenobfak.exe File created C:\Windows\SysWOW64\Ojigbhlp.exe Ohhkjp32.exe File created C:\Windows\SysWOW64\Oepbgcpb.dll Oqcpob32.exe File opened for modification C:\Windows\SysWOW64\Pdaheq32.exe Pmjqcc32.exe File opened for modification C:\Windows\SysWOW64\Aeenochi.exe Amnfnfgg.exe File opened for modification C:\Windows\SysWOW64\Lapnnafn.exe Lmebnb32.exe File created C:\Windows\SysWOW64\Fcihoc32.dll Ngfflj32.exe File created C:\Windows\SysWOW64\Qodlkm32.exe Qgmdjp32.exe File created C:\Windows\SysWOW64\Apalea32.exe Amcpie32.exe File opened for modification C:\Windows\SysWOW64\Ilncom32.exe Igakgfpn.exe File created C:\Windows\SysWOW64\Cpbplnnk.dll Melfncqb.exe File opened for modification C:\Windows\SysWOW64\Pomfkndo.exe Pmojocel.exe File created C:\Windows\SysWOW64\Imklkg32.dll Bfkpqn32.exe File created C:\Windows\SysWOW64\Oimbjlde.dll Bobhal32.exe File opened for modification C:\Windows\SysWOW64\Jofbag32.exe Jdpndnei.exe File created C:\Windows\SysWOW64\Eeieql32.dll Kiqpop32.exe File created C:\Windows\SysWOW64\Ljmlbfhi.exe Lfbpag32.exe File created C:\Windows\SysWOW64\Mmneda32.exe Libicbma.exe File created C:\Windows\SysWOW64\Kjfjbdle.exe Jgfqaiod.exe File created C:\Windows\SysWOW64\Ggfblnnh.dll Mieeibkn.exe File created C:\Windows\SysWOW64\Lnlmhpjh.dll Migbnb32.exe File created C:\Windows\SysWOW64\Niebhf32.exe Ngfflj32.exe File created C:\Windows\SysWOW64\Ghkekdhl.dll Oancnfoe.exe File opened for modification C:\Windows\SysWOW64\Ajecmj32.exe Agfgqo32.exe File opened for modification C:\Windows\SysWOW64\Linphc32.exe Lfpclh32.exe File created C:\Windows\SysWOW64\Djdfhjik.dll Moanaiie.exe File opened for modification C:\Windows\SysWOW64\Oagmmgdm.exe Ocdmaj32.exe File created C:\Windows\SysWOW64\Faflglmh.dll Ocalkn32.exe File opened for modification C:\Windows\SysWOW64\Bmhideol.exe Aeqabgoj.exe File opened for modification C:\Windows\SysWOW64\Iamimc32.exe Igchlf32.exe File created C:\Windows\SysWOW64\Lcagpl32.exe Labkdack.exe File opened for modification C:\Windows\SysWOW64\Onbgmg32.exe Okdkal32.exe File opened for modification C:\Windows\SysWOW64\Ohhkjp32.exe Oqacic32.exe File opened for modification C:\Windows\SysWOW64\Bmclhi32.exe Bjdplm32.exe File created C:\Windows\SysWOW64\Ljibgg32.exe Lgjfkk32.exe File opened for modification C:\Windows\SysWOW64\Oqcpob32.exe Ojigbhlp.exe File created C:\Windows\SysWOW64\Aganeoip.exe Aecaidjl.exe File created C:\Windows\SysWOW64\Cfnmfn32.exe Chkmkacq.exe File opened for modification C:\Windows\SysWOW64\Jhngjmlo.exe Jofbag32.exe File created C:\Windows\SysWOW64\Moanaiie.exe Mlcbenjb.exe File opened for modification C:\Windows\SysWOW64\Pjldghjm.exe Pkidlk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3700 3676 WerFault.exe 221 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkhofjoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdacop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdipnqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeohnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aniimjbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkdakjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kicmdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Melfncqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npojdpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oancnfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkdgpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qflhbhgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodlkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apalea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igakgfpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgemplap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcagpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poapfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijpnfif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiqpop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfdaigg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nodgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbiqfied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niebhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhkjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmdjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhfdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mencccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgalqkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmojocel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbplbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeenochi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apdhjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biojif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdqbekcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbpgggol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maedhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjqcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmccjbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilibi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhjapjmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmalg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlekia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odeiibdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onpjghhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacacg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgcdki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmefooki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mieeibkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moanaiie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmihhelk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbgnak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejdiffp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmplcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmjojo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lphhenhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjfeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenobfak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olonpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbkbgjcc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmccjbaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kicmdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkhofjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mholen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngfflj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nilhhdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nilhhdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdpndnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll" Moidahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll" Apalea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjdplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodahd32.dll" Hdqbekcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll" Mkhofjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Moidahcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbkcgmo.dll" Jhngjmlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Melfncqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okoafmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcgdenbm.dll" Nilhhdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll" Pkdgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qeaedd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bonoflae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmlhnagm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbiqfied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkidlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igciil32.dll" Pomfkndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll" Biojif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kconkibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll" Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhdgjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll" Agdjkogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcagpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocfigjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohcaoajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgenio32.dll" Oomjlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aecaidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afkdakjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncbplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apdhjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oancnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqacic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkdgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aganeoip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll" Mieeibkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll" Magqncba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll" Poapfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaheie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agfgqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnilecc.dll" Okdkal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igchlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll" Qbbhgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdgdempa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll" Blmfea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngdfge32.dll" Igchlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjfjbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacgbnfl.dll" Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmojocel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll" Bhhpeafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qeohnd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2440 wrote to memory of 2684 2440 8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe 30 PID 2440 wrote to memory of 2684 2440 8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe 30 PID 2440 wrote to memory of 2684 2440 8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe 30 PID 2440 wrote to memory of 2684 2440 8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe 30 PID 2684 wrote to memory of 2012 2684 Hapicp32.exe 31 PID 2684 wrote to memory of 2012 2684 Hapicp32.exe 31 PID 2684 wrote to memory of 2012 2684 Hapicp32.exe 31 PID 2684 wrote to memory of 2012 2684 Hapicp32.exe 31 PID 2012 wrote to memory of 2836 2012 Hhjapjmi.exe 32 PID 2012 wrote to memory of 2836 2012 Hhjapjmi.exe 32 PID 2012 wrote to memory of 2836 2012 Hhjapjmi.exe 32 PID 2012 wrote to memory of 2836 2012 Hhjapjmi.exe 32 PID 2836 wrote to memory of 2716 2836 Hgmalg32.exe 33 PID 2836 wrote to memory of 2716 2836 Hgmalg32.exe 33 PID 2836 wrote to memory of 2716 2836 Hgmalg32.exe 33 PID 2836 wrote to memory of 2716 2836 Hgmalg32.exe 33 PID 2716 wrote to memory of 2608 2716 Hdqbekcm.exe 34 PID 2716 wrote to memory of 2608 2716 Hdqbekcm.exe 34 PID 2716 wrote to memory of 2608 2716 Hdqbekcm.exe 34 PID 2716 wrote to memory of 2608 2716 Hdqbekcm.exe 34 PID 2608 wrote to memory of 1136 2608 Ikkjbe32.exe 35 PID 2608 wrote to memory of 1136 2608 Ikkjbe32.exe 35 PID 2608 wrote to memory of 1136 2608 Ikkjbe32.exe 35 PID 2608 wrote to memory of 1136 2608 Ikkjbe32.exe 35 PID 1136 wrote to memory of 1468 1136 Igakgfpn.exe 36 PID 1136 wrote to memory of 1468 1136 Igakgfpn.exe 36 PID 1136 wrote to memory of 1468 1136 Igakgfpn.exe 36 PID 1136 wrote to memory of 1468 1136 Igakgfpn.exe 36 PID 1468 wrote to memory of 2384 1468 Ilncom32.exe 37 PID 1468 wrote to memory of 2384 1468 Ilncom32.exe 37 PID 1468 wrote to memory of 2384 1468 Ilncom32.exe 37 PID 1468 wrote to memory of 2384 1468 Ilncom32.exe 37 PID 2384 wrote to memory of 1248 2384 Igchlf32.exe 38 PID 2384 wrote to memory of 1248 2384 Igchlf32.exe 38 PID 2384 wrote to memory of 1248 2384 Igchlf32.exe 38 PID 2384 wrote to memory of 1248 2384 Igchlf32.exe 38 PID 1248 wrote to memory of 2888 1248 Iamimc32.exe 39 PID 1248 wrote to memory of 2888 1248 Iamimc32.exe 39 PID 1248 wrote to memory of 2888 1248 Iamimc32.exe 39 PID 1248 wrote to memory of 2888 1248 Iamimc32.exe 39 PID 2888 wrote to memory of 348 2888 Ihgainbg.exe 40 PID 2888 wrote to memory of 348 2888 Ihgainbg.exe 40 PID 2888 wrote to memory of 348 2888 Ihgainbg.exe 40 PID 2888 wrote to memory of 348 2888 Ihgainbg.exe 40 PID 348 wrote to memory of 1788 348 Ikhjki32.exe 41 PID 348 wrote to memory of 1788 348 Ikhjki32.exe 41 PID 348 wrote to memory of 1788 348 Ikhjki32.exe 41 PID 348 wrote to memory of 1788 348 Ikhjki32.exe 41 PID 1788 wrote to memory of 2004 1788 Jdpndnei.exe 42 PID 1788 wrote to memory of 2004 1788 Jdpndnei.exe 42 PID 1788 wrote to memory of 2004 1788 Jdpndnei.exe 42 PID 1788 wrote to memory of 2004 1788 Jdpndnei.exe 42 PID 2004 wrote to memory of 316 2004 Jofbag32.exe 43 PID 2004 wrote to memory of 316 2004 Jofbag32.exe 43 PID 2004 wrote to memory of 316 2004 Jofbag32.exe 43 PID 2004 wrote to memory of 316 2004 Jofbag32.exe 43 PID 316 wrote to memory of 1120 316 Jhngjmlo.exe 44 PID 316 wrote to memory of 1120 316 Jhngjmlo.exe 44 PID 316 wrote to memory of 1120 316 Jhngjmlo.exe 44 PID 316 wrote to memory of 1120 316 Jhngjmlo.exe 44 PID 1120 wrote to memory of 1960 1120 Jjpcbe32.exe 45 PID 1120 wrote to memory of 1960 1120 Jjpcbe32.exe 45 PID 1120 wrote to memory of 1960 1120 Jjpcbe32.exe 45 PID 1120 wrote to memory of 1960 1120 Jjpcbe32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe"C:\Users\Admin\AppData\Local\Temp\8dd610e41dbb908521f52586d2398cd2cb600fba8f988379a4bfcebc48d1ab34N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Hgmalg32.exeC:\Windows\system32\Hgmalg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Jdpndnei.exeC:\Windows\system32\Jdpndnei.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Jjpcbe32.exeC:\Windows\system32\Jjpcbe32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Kjfjbdle.exeC:\Windows\system32\Kjfjbdle.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Kmefooki.exeC:\Windows\system32\Kmefooki.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:704 -
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Kfpgmdog.exeC:\Windows\system32\Kfpgmdog.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Kiqpop32.exeC:\Windows\system32\Kiqpop32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:640 -
C:\Windows\SysWOW64\Lclnemgd.exeC:\Windows\system32\Lclnemgd.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Lndohedg.exeC:\Windows\system32\Lndohedg.exe37⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Labkdack.exeC:\Windows\system32\Labkdack.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1204 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe41⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Lccdel32.exeC:\Windows\system32\Lccdel32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe47⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe49⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Lbiqfied.exeC:\Windows\system32\Lbiqfied.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Mpmapm32.exeC:\Windows\system32\Mpmapm32.exe54⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:892 -
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Migbnb32.exeC:\Windows\system32\Migbnb32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Mkhofjoj.exeC:\Windows\system32\Mkhofjoj.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe62⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:660 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Mlhkpm32.exeC:\Windows\system32\Mlhkpm32.exe66⤵PID:1460
-
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1936 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe68⤵
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Maedhd32.exeC:\Windows\system32\Maedhd32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Mholen32.exeC:\Windows\system32\Mholen32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Mgalqkbk.exeC:\Windows\system32\Mgalqkbk.exe71⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Magqncba.exeC:\Windows\system32\Magqncba.exe73⤵
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Ndemjoae.exeC:\Windows\system32\Ndemjoae.exe74⤵PID:2640
-
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe76⤵PID:1780
-
C:\Windows\SysWOW64\Nmnace32.exeC:\Windows\system32\Nmnace32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032 -
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe78⤵PID:1424
-
C:\Windows\SysWOW64\Ndhipoob.exeC:\Windows\system32\Ndhipoob.exe79⤵PID:1828
-
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Niebhf32.exeC:\Windows\system32\Niebhf32.exe82⤵
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe85⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Nigome32.exeC:\Windows\system32\Nigome32.exe86⤵
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Nlekia32.exeC:\Windows\system32\Nlekia32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Nenobfak.exeC:\Windows\system32\Nenobfak.exe89⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:776 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe91⤵PID:2104
-
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe92⤵PID:1324
-
C:\Windows\SysWOW64\Ncbplk32.exeC:\Windows\system32\Ncbplk32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:352 -
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe94⤵PID:2904
-
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe95⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe96⤵PID:2180
-
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:680 -
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Oagmmgdm.exeC:\Windows\system32\Oagmmgdm.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2516 -
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe100⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Okoafmkm.exeC:\Windows\system32\Okoafmkm.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Ocfigjlp.exeC:\Windows\system32\Ocfigjlp.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Oeeecekc.exeC:\Windows\system32\Oeeecekc.exe103⤵PID:2556
-
C:\Windows\SysWOW64\Ohcaoajg.exeC:\Windows\system32\Ohcaoajg.exe104⤵
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Olonpp32.exeC:\Windows\system32\Olonpp32.exe105⤵
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe106⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Onpjghhn.exeC:\Windows\system32\Onpjghhn.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Oegbheiq.exeC:\Windows\system32\Oegbheiq.exe108⤵PID:1800
-
C:\Windows\SysWOW64\Oghopm32.exeC:\Windows\system32\Oghopm32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe111⤵
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Oancnfoe.exeC:\Windows\system32\Oancnfoe.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Oqacic32.exeC:\Windows\system32\Oqacic32.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Ojigbhlp.exeC:\Windows\system32\Ojigbhlp.exe115⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Oqcpob32.exeC:\Windows\system32\Oqcpob32.exe116⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Ocalkn32.exeC:\Windows\system32\Ocalkn32.exe117⤵
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Pkidlk32.exeC:\Windows\system32\Pkidlk32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe119⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Pdaheq32.exeC:\Windows\system32\Pdaheq32.exe121⤵PID:888
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-