Analysis
max time kernel: 39s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2024, 03:32
Static task: static1
Behavioral task: behavioral1
  Sample: 415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe
  Resource: win10v2004-20240802-en
General
Target: 415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe
Size: 844KB
MD5: 2b6968de4cf7e34d5d642bf35c31bb80
SHA1: 362f4195658c13da32b53dd096c020a3adda7077
SHA256: 415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6
SHA512: d5f8a417b5babcc030489a01922043dfc291bf01435f3a161d80cf8b5a2a239f0cdb65850b66e813b499af346d5cb8aef76ce527ab63beb98f2b784962a04bce
SSDEEP: 24576:gDpH5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:gDpH5W3TbQihw+cdX2x46uhqllMi
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpcgji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gcbchhmc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgedlbfj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkjkkf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlejhmge.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glddig32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opbjpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hkbagjfi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mqinpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dpldkf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnnkmdfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mfpfbemc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ibjkfpih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndblbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Omnapi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahlnpg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehaleg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndjloanf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jaiknk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhcfiogc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahlphpmk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibafhmph.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgfdmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bgedlbfj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bqjcli32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibgenaqk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijdggc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpidii32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlgcqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fokqae32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhlkmnmj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhabemgi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnbinl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Depgeiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ehaleg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmcjceam.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omdfgq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ahlnpg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fpqjeiji.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfpfbemc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Acjllqke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fliaecjo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gemham32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ikeldenf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjjmgo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Leflapab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pffnfdhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ibafhmph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gqmqkn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmoijc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlgcqp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnicgi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Komhfcgj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifckaodd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cbmann32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mocjeedn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mqinpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cffqhmqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cdadie32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Incfhh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mhfckc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbnhmdmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pflnlj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dnlafm32.exe
Executes dropped EXE 64 IoCs
pid | Process
1780 | Iiiapg32.exe
2108 | Ibafhmph.exe
2748 | Kabbehjb.exe
2392 | Klqmaebl.exe
2908 | Mmebkg32.exe
2540 | Mqckaf32.exe
2180 | Nieffgok.exe
2884 | Omnapi32.exe
2160 | Pmqkellk.exe
956 | Pdmpgfae.exe
584 | Anpgdp32.exe
1440 | Bqjcli32.exe
1860 | Cgdggg32.exe
944 | Cgfdmf32.exe
2224 | Eobenc32.exe
1296 | Eilfoapg.exe
108 | Fhpoalho.exe
2448 | Gqmqkn32.exe
2348 | Gjjoob32.exe
2148 | Gcbchhmc.exe
1980 | Hkbagjfi.exe
676 | Hcnfllcd.exe
2412 | Hmkdpafo.exe
1532 | Iiaddb32.exe
2272 | Incfhh32.exe
1208 | Inecnh32.exe
3064 | Jmoijc32.exe
1612 | Jppbkoaf.exe
2744 | Jlgcqp32.exe
2900 | Kceehijb.exe
2584 | Kchaniho.exe
2616 | Lfcmchla.exe
2124 | Mhfckc32.exe
2120 | Mdmdpd32.exe
2156 | Mqfajdpe.exe
2256 | Mqinpd32.exe
2852 | Nfhcmkkg.exe
2328 | Nbaqhk32.exe
692 | Nikide32.exe
2968 | Nimeje32.exe
2176 | Nnjnbl32.exe
2044 | Onmkhlph.exe
2024 | Oheoaa32.exe
980 | Omddohbm.exe
1516 | Ominjg32.exe
1984 | Pdebladb.exe
592 | Phghedga.exe
1732 | Pifdog32.exe
2236 | Pemedh32.exe
2208 | Qepbjh32.exe
1600 | Qgckgp32.exe
2664 | Acjllqke.exe
2868 | Appikd32.exe
800 | Ahlnpg32.exe
860 | Ahnjefcd.exe
2484 | Accobock.exe
2640 | Bllcke32.exe
2276 | Bgedlbfj.exe
2912 | Bnbinl32.exe
1736 | Cipcii32.exe
852 | Cjppclkp.exe
2976 | Cffqhmqd.exe
1360 | Cbmann32.exe
588 | Cenjoi32.exe
Loads dropped DLL 64 IoCs
pid | Process
984 | 415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe
984 | 415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe
1780 | Iiiapg32.exe
1780 | Iiiapg32.exe
2108 | Ibafhmph.exe
2108 | Ibafhmph.exe
2748 | Kabbehjb.exe
2748 | Kabbehjb.exe
2392 | Klqmaebl.exe
2392 | Klqmaebl.exe
2908 | Mmebkg32.exe
2908 | Mmebkg32.exe
2540 | Mqckaf32.exe
2540 | Mqckaf32.exe
2180 | Nieffgok.exe
2180 | Nieffgok.exe
2884 | Omnapi32.exe
2884 | Omnapi32.exe
2160 | Pmqkellk.exe
2160 | Pmqkellk.exe
956 | Pdmpgfae.exe
956 | Pdmpgfae.exe
584 | Anpgdp32.exe
584 | Anpgdp32.exe
1440 | Bqjcli32.exe
1440 | Bqjcli32.exe
1860 | Cgdggg32.exe
1860 | Cgdggg32.exe
944 | Cgfdmf32.exe
944 | Cgfdmf32.exe
2224 | Eobenc32.exe
2224 | Eobenc32.exe
1296 | Eilfoapg.exe
1296 | Eilfoapg.exe
108 | Fhpoalho.exe
108 | Fhpoalho.exe
2448 | Gqmqkn32.exe
2448 | Gqmqkn32.exe
2348 | Gjjoob32.exe
2348 | Gjjoob32.exe
2148 | Gcbchhmc.exe
2148 | Gcbchhmc.exe
1980 | Hkbagjfi.exe
1980 | Hkbagjfi.exe
676 | Hcnfllcd.exe
676 | Hcnfllcd.exe
2412 | Hmkdpafo.exe
2412 | Hmkdpafo.exe
1532 | Iiaddb32.exe
1532 | Iiaddb32.exe
2272 | Incfhh32.exe
2272 | Incfhh32.exe
1208 | Inecnh32.exe
1208 | Inecnh32.exe
3064 | Jmoijc32.exe
3064 | Jmoijc32.exe
1612 | Jppbkoaf.exe
1612 | Jppbkoaf.exe
2744 | Jlgcqp32.exe
2744 | Jlgcqp32.exe
2900 | Kceehijb.exe
2900 | Kceehijb.exe
2584 | Kchaniho.exe
2584 | Kchaniho.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Mfepmd32.exe | Mhobnqlg.exe
File created | C:\Windows\SysWOW64\Gjmnmk32.exe | Gemham32.exe
File created | C:\Windows\SysWOW64\Phmoca32.dll | Jaiknk32.exe
File created | C:\Windows\SysWOW64\Depgeiag.exe | Cenjoi32.exe
File created | C:\Windows\SysWOW64\Epkijl32.dll | Lcmdlgoj.exe
File created | C:\Windows\SysWOW64\Aollklac.exe | Qbelfk32.exe
File created | C:\Windows\SysWOW64\Fjoghlmb.dll | Ndjloanf.exe
File created | C:\Windows\SysWOW64\Inihnndl.dll | Ofellh32.exe
File created | C:\Windows\SysWOW64\Leflapab.exe | Lpidii32.exe
File created | C:\Windows\SysWOW64\Bgkppkih.exe | Bkdokjdd.exe
File created | C:\Windows\SysWOW64\Nikide32.exe | Nbaqhk32.exe
File created | C:\Windows\SysWOW64\Hqholphh.dll | Icjokidf.exe
File created | C:\Windows\SysWOW64\Oieencik.exe | Ofellh32.exe
File created | C:\Windows\SysWOW64\Iocehf32.dll | Aehanfgm.exe
File created | C:\Windows\SysWOW64\Hepfob32.dll | Jakhckdb.exe
File opened for modification | C:\Windows\SysWOW64\Oclbok32.exe | Oibanm32.exe
File created | C:\Windows\SysWOW64\Jlgcqp32.exe | Jppbkoaf.exe
File opened for modification | C:\Windows\SysWOW64\Kchaniho.exe | Kceehijb.exe
File created | C:\Windows\SysWOW64\Dlljfo32.dll | Mcpmqj32.exe
File created | C:\Windows\SysWOW64\Agimahlk.dll | Hdikch32.exe
File created | C:\Windows\SysWOW64\Hmkdpafo.exe | Hcnfllcd.exe
File created | C:\Windows\SysWOW64\Llcioogq.dll | Digfil32.exe
File created | C:\Windows\SysWOW64\Pemedh32.exe | Pifdog32.exe
File created | C:\Windows\SysWOW64\Ahnjefcd.exe | Ahlnpg32.exe
File created | C:\Windows\SysWOW64\Nfoqlokg.dll | Gndgmq32.exe
File created | C:\Windows\SysWOW64\Igaapiqe.exe | Hfnhcami.exe
File opened for modification | C:\Windows\SysWOW64\Fbnpfnfa.exe | Ffhoam32.exe
File created | C:\Windows\SysWOW64\Iijkfi32.dll | Nghbpfin.exe
File created | C:\Windows\SysWOW64\Pmqkellk.exe | Omnapi32.exe
File created | C:\Windows\SysWOW64\Pocbcp32.dll | Mqfajdpe.exe
File created | C:\Windows\SysWOW64\Ancfbhdh.exe | Aehanfgm.exe
File opened for modification | C:\Windows\SysWOW64\Cgicko32.exe | Cnoamj32.exe
File created | C:\Windows\SysWOW64\Llobhcnd.dll | Oibanm32.exe
File created | C:\Windows\SysWOW64\Knjbcd32.dll | Phjgdm32.exe
File created | C:\Windows\SysWOW64\Kabbehjb.exe | Ibafhmph.exe
File created | C:\Windows\SysWOW64\Qgckgp32.exe | Qepbjh32.exe
File created | C:\Windows\SysWOW64\Ahlphpmk.exe | Ambohapm.exe
File opened for modification | C:\Windows\SysWOW64\Igaapiqe.exe | Hfnhcami.exe
File created | C:\Windows\SysWOW64\Kfbjlgnk.exe | Jhjpekkf.exe
File created | C:\Windows\SysWOW64\Hckblf32.exe | Gdciej32.exe
File created | C:\Windows\SysWOW64\Dglcoefp.dll | Igcnfhob.exe
File created | C:\Windows\SysWOW64\Jaiknk32.exe | Jkjfpe32.exe
File created | C:\Windows\SysWOW64\Kchaniho.exe | Kceehijb.exe
File created | C:\Windows\SysWOW64\Ahlnpg32.exe | Appikd32.exe
File created | C:\Windows\SysWOW64\Piajea32.dll | Gjmnmk32.exe
File opened for modification | C:\Windows\SysWOW64\Jbnhmdmn.exe | Jiecdn32.exe
File opened for modification | C:\Windows\SysWOW64\Nqamcbcj.exe | Ndjloanf.exe
File opened for modification | C:\Windows\SysWOW64\Igcnfhob.exe | Ibgenaqk.exe
File created | C:\Windows\SysWOW64\Ncdmcd32.dll | Ancfbhdh.exe
File created | C:\Windows\SysWOW64\Oglgji32.exe | Omdfgq32.exe
File created | C:\Windows\SysWOW64\Mmebkg32.exe | Klqmaebl.exe
File opened for modification | C:\Windows\SysWOW64\Ehaleg32.exe | Ehnpph32.exe
File created | C:\Windows\SysWOW64\Ifckaodd.exe | Hgnnpc32.exe
File opened for modification | C:\Windows\SysWOW64\Jaiknk32.exe | Jkjfpe32.exe
File created | C:\Windows\SysWOW64\Oelecd32.exe | Oieencik.exe
File opened for modification | C:\Windows\SysWOW64\Honpqaff.exe | Hdikch32.exe
File opened for modification | C:\Windows\SysWOW64\Mmebkg32.exe | Klqmaebl.exe
File opened for modification | C:\Windows\SysWOW64\Nghbpfin.exe | Nfhefc32.exe
File opened for modification | C:\Windows\SysWOW64\Ikeldenf.exe | Iekdhkfi.exe
File created | C:\Windows\SysWOW64\Oacpeajj.dll | Lkeeqckl.exe
File created | C:\Windows\SysWOW64\Paobhd32.dll | Mkjkkf32.exe
File created | C:\Windows\SysWOW64\Mqinpd32.exe | Mqfajdpe.exe
File opened for modification | C:\Windows\SysWOW64\Dcbpfp32.exe | Djjlmj32.exe
File created | C:\Windows\SysWOW64\Liehdo32.dll | Mfepmd32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3812 | 3788 | WerFault.exe | 240
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhfckc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pflnlj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jppbkoaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhlkmnmj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdmpgfae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Appikd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhmijn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eilfoapg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbaqhk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Goojldgf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Godcgcca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfhnmiii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgfdmf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdadie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edgfpbcl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfcmchla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijdggc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Depgeiag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpqjeiji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iekdhkfi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omdfgq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onmkhlph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmkdpafo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oclbok32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mklhpfho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhpoalho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcjmkdpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Neabophn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmcjceam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bllcke32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdikch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jaiknk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nimeje32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fokqae32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcchoj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jphepidb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pffnfdhg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhjpekkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ffhoam32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fliaecjo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfhefc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bokapipc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mqinpd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Digfil32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ancfbhdh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdebladb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfepmd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dehfig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibjkfpih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnoamj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkjfpe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jakhckdb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmoijc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcpmqj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpncdfkl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nghbpfin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omnapi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjdkhpih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pengmqkl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndblbo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ipclej32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khpccibp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klqmaebl.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hahbam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifckaodd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kpbajggh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Omnapi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fpcgji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajhgedl.dll" | Jicgoohq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mhobnqlg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cgdggg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdkoelai.dll" | Pnnmbhme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ancfbhdh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ifckaodd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nfhcmkkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Godcgcca.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ifkgldag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bnjlcgnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piajea32.dll" | Gjmnmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iiiapg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mqinpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnakhql.dll" | Acjllqke.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gdciej32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Glddig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pffnfdhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Anpgdp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmllp32.dll" | Qepbjh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Icjokidf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bhhfnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fhbnpdnq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjklgj32.dll" | Nhlkmnmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pldjnqlb.dll" | Eilfoapg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Igcnfhob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onancd32.dll" | Djjlmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Djjlmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ndjloanf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cgicko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemobc32.dll" | Kpbajggh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Khpccibp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Leflapab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emdikm32.dll" | Adjkol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmpjghl.dll" | Dpldkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ccinpa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jkjfpe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kpbajggh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fokqae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ijdggc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Debcjiod.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ehaleg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Opbjpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkncp32.dll" | Leflapab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mdelik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jmoijc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cenjoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dnlafm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ejjhlmqa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ogcddjpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oclbok32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qfaqji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldkhgheg.dll" | Bhcfiogc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mhfckc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pjpdlj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hmkdpafo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mfepmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcajp32.dll" | Hjdkhpih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Phjgdm32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 984 wrote to memory of 1780 | 984 | 415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe | 29
PID 984 wrote to memory of 1780 | 984 | 415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe | 29
PID 984 wrote to memory of 1780 | 984 | 415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe | 29
PID 984 wrote to memory of 1780 | 984 | 415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe | 29
PID 1780 wrote to memory of 2108 | 1780 | Iiiapg32.exe | 30
PID 1780 wrote to memory of 2108 | 1780 | Iiiapg32.exe | 30
PID 1780 wrote to memory of 2108 | 1780 | Iiiapg32.exe | 30
PID 1780 wrote to memory of 2108 | 1780 | Iiiapg32.exe | 30
PID 2108 wrote to memory of 2748 | 2108 | Ibafhmph.exe | 31
PID 2108 wrote to memory of 2748 | 2108 | Ibafhmph.exe | 31
PID 2108 wrote to memory of 2748 | 2108 | Ibafhmph.exe | 31
PID 2108 wrote to memory of 2748 | 2108 | Ibafhmph.exe | 31
PID 2748 wrote to memory of 2392 | 2748 | Kabbehjb.exe | 32
PID 2748 wrote to memory of 2392 | 2748 | Kabbehjb.exe | 32
PID 2748 wrote to memory of 2392 | 2748 | Kabbehjb.exe | 32
PID 2748 wrote to memory of 2392 | 2748 | Kabbehjb.exe | 32
PID 2392 wrote to memory of 2908 | 2392 | Klqmaebl.exe | 33
PID 2392 wrote to memory of 2908 | 2392 | Klqmaebl.exe | 33
PID 2392 wrote to memory of 2908 | 2392 | Klqmaebl.exe | 33
PID 2392 wrote to memory of 2908 | 2392 | Klqmaebl.exe | 33
PID 2908 wrote to memory of 2540 | 2908 | Mmebkg32.exe | 34
PID 2908 wrote to memory of 2540 | 2908 | Mmebkg32.exe | 34
PID 2908 wrote to memory of 2540 | 2908 | Mmebkg32.exe | 34
PID 2908 wrote to memory of 2540 | 2908 | Mmebkg32.exe | 34
PID 2540 wrote to memory of 2180 | 2540 | Mqckaf32.exe | 35
PID 2540 wrote to memory of 2180 | 2540 | Mqckaf32.exe | 35
PID 2540 wrote to memory of 2180 | 2540 | Mqckaf32.exe | 35
PID 2540 wrote to memory of 2180 | 2540 | Mqckaf32.exe | 35
PID 2180 wrote to memory of 2884 | 2180 | Nieffgok.exe | 36
PID 2180 wrote to memory of 2884 | 2180 | Nieffgok.exe | 36
PID 2180 wrote to memory of 2884 | 2180 | Nieffgok.exe | 36
PID 2180 wrote to memory of 2884 | 2180 | Nieffgok.exe | 36
PID 2884 wrote to memory of 2160 | 2884 | Omnapi32.exe | 37
PID 2884 wrote to memory of 2160 | 2884 | Omnapi32.exe | 37
PID 2884 wrote to memory of 2160 | 2884 | Omnapi32.exe | 37
PID 2884 wrote to memory of 2160 | 2884 | Omnapi32.exe | 37
PID 2160 wrote to memory of 956 | 2160 | Pmqkellk.exe | 38
PID 2160 wrote to memory of 956 | 2160 | Pmqkellk.exe | 38
PID 2160 wrote to memory of 956 | 2160 | Pmqkellk.exe | 38
PID 2160 wrote to memory of 956 | 2160 | Pmqkellk.exe | 38
PID 956 wrote to memory of 584 | 956 | Pdmpgfae.exe | 39
PID 956 wrote to memory of 584 | 956 | Pdmpgfae.exe | 39
PID 956 wrote to memory of 584 | 956 | Pdmpgfae.exe | 39
PID 956 wrote to memory of 584 | 956 | Pdmpgfae.exe | 39
PID 584 wrote to memory of 1440 | 584 | Anpgdp32.exe | 40
PID 584 wrote to memory of 1440 | 584 | Anpgdp32.exe | 40
PID 584 wrote to memory of 1440 | 584 | Anpgdp32.exe | 40
PID 584 wrote to memory of 1440 | 584 | Anpgdp32.exe | 40
PID 1440 wrote to memory of 1860 | 1440 | Bqjcli32.exe | 41
PID 1440 wrote to memory of 1860 | 1440 | Bqjcli32.exe | 41
PID 1440 wrote to memory of 1860 | 1440 | Bqjcli32.exe | 41
PID 1440 wrote to memory of 1860 | 1440 | Bqjcli32.exe | 41
PID 1860 wrote to memory of 944 | 1860 | Cgdggg32.exe | 42
PID 1860 wrote to memory of 944 | 1860 | Cgdggg32.exe | 42
PID 1860 wrote to memory of 944 | 1860 | Cgdggg32.exe | 42
PID 1860 wrote to memory of 944 | 1860 | Cgdggg32.exe | 42
PID 944 wrote to memory of 2224 | 944 | Cgfdmf32.exe | 43
PID 944 wrote to memory of 2224 | 944 | Cgfdmf32.exe | 43
PID 944 wrote to memory of 2224 | 944 | Cgfdmf32.exe | 43
PID 944 wrote to memory of 2224 | 944 | Cgfdmf32.exe | 43
PID 2224 wrote to memory of 1296 | 2224 | Eobenc32.exe | 44
PID 2224 wrote to memory of 1296 | 2224 | Eobenc32.exe | 44
PID 2224 wrote to memory of 1296 | 2224 | Eobenc32.exe | 44
PID 2224 wrote to memory of 1296 | 2224 | Eobenc32.exe | 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe  "C:\Users\Admin\AppData\Local\Temp\415a615c8642a649074d49c4adb159df6cfb2bbb851b1a0ce87d6bca355906b6N.exe"  (level 1)
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 984
-
C:\Windows\SysWOW64\Iiiapg32.exe  C:\Windows\system32\Iiiapg32.exe  (level 2)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1780
-
C:\Windows\SysWOW64\Ibafhmph.exe  C:\Windows\system32\Ibafhmph.exe  (level 3)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2108
-
C:\Windows\SysWOW64\Kabbehjb.exe  C:\Windows\system32\Kabbehjb.exe  (level 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2748
-
C:\Windows\SysWOW64\Klqmaebl.exe  C:\Windows\system32\Klqmaebl.exe  (level 5)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2392
-
C:\Windows\SysWOW64\Mmebkg32.exe  C:\Windows\system32\Mmebkg32.exe  (level 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2908
-
C:\Windows\SysWOW64\Mqckaf32.exe  C:\Windows\system32\Mqckaf32.exe  (level 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2540
-
C:\Windows\SysWOW64\Nieffgok.exe  C:\Windows\system32\Nieffgok.exe  (level 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2180
-
C:\Windows\SysWOW64\Omnapi32.exe  C:\Windows\system32\Omnapi32.exe  (level 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2884
-
C:\Windows\SysWOW64\Pmqkellk.exe  C:\Windows\system32\Pmqkellk.exe  (level 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2160
-
C:\Windows\SysWOW64\Pdmpgfae.exe  C:\Windows\system32\Pdmpgfae.exe  (level 11)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 956
-
C:\Windows\SysWOW64\Anpgdp32.exe  C:\Windows\system32\Anpgdp32.exe  (level 12)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 584
-
C:\Windows\SysWOW64\Bqjcli32.exe  C:\Windows\system32\Bqjcli32.exe  (level 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1440
-
C:\Windows\SysWOW64\Cgdggg32.exe  C:\Windows\system32\Cgdggg32.exe  (level 14)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1860
-
C:\Windows\SysWOW64\Cgfdmf32.exe  C:\Windows\system32\Cgfdmf32.exe  (level 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 944
-
C:\Windows\SysWOW64\Eobenc32.exe  C:\Windows\system32\Eobenc32.exe  (level 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2224
-
C:\Windows\SysWOW64\Eilfoapg.exe  C:\Windows\system32\Eilfoapg.exe  (level 17)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1296
-
C:\Windows\SysWOW64\Fhpoalho.exe  C:\Windows\system32\Fhpoalho.exe  (level 18)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 108
-
C:\Windows\SysWOW64\Gqmqkn32.exe  C:\Windows\system32\Gqmqkn32.exe  (level 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2448
-
C:\Windows\SysWOW64\Gjjoob32.exe  C:\Windows\system32\Gjjoob32.exe  (level 20)
- Executes dropped EXE
- Loads dropped DLL
PID: 2348
-
C:\Windows\SysWOW64\Gcbchhmc.exe  C:\Windows\system32\Gcbchhmc.exe  (level 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2148
-
C:\Windows\SysWOW64\Hkbagjfi.exe  C:\Windows\system32\Hkbagjfi.exe  (level 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1980
-
C:\Windows\SysWOW64\Hcnfllcd.exe  C:\Windows\system32\Hcnfllcd.exe  (level 23)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 676
-
C:\Windows\SysWOW64\Hmkdpafo.exe  C:\Windows\system32\Hmkdpafo.exe  (level 24)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2412
-
C:\Windows\SysWOW64\Iiaddb32.exe  C:\Windows\system32\Iiaddb32.exe  (level 25)
- Executes dropped EXE
- Loads dropped DLL
PID: 1532
-
C:\Windows\SysWOW64\Incfhh32.exe  C:\Windows\system32\Incfhh32.exe  (level 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2272
-
C:\Windows\SysWOW64\Inecnh32.exe  C:\Windows\system32\Inecnh32.exe  (level 27)
- Executes dropped EXE
- Loads dropped DLL
PID: 1208
-
C:\Windows\SysWOW64\Jmoijc32.exe  C:\Windows\system32\Jmoijc32.exe  (level 28)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3064
-
C:\Windows\SysWOW64\Jppbkoaf.exe  C:\Windows\system32\Jppbkoaf.exe  (level 29)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1612
-
C:\Windows\SysWOW64\Jlgcqp32.exe  C:\Windows\system32\Jlgcqp32.exe  (level 30)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2744
-
C:\Windows\SysWOW64\Kceehijb.exe  C:\Windows\system32\Kceehijb.exe  (level 31)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2900
-
C:\Windows\SysWOW64\Kchaniho.exe  C:\Windows\system32\Kchaniho.exe  (level 32)
- Executes dropped EXE
- Loads dropped DLL
PID: 2584
-
C:\Windows\SysWOW64\Lfcmchla.exe  C:\Windows\system32\Lfcmchla.exe  (level 33)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2616
-
C:\Windows\SysWOW64\Mhfckc32.exe  C:\Windows\system32\Mhfckc32.exe  (level 34)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2124
-
C:\Windows\SysWOW64\Mdmdpd32.exe  C:\Windows\system32\Mdmdpd32.exe  (level 35)
- Executes dropped EXE
PID: 2120
-
C:\Windows\SysWOW64\Mqfajdpe.exe  C:\Windows\system32\Mqfajdpe.exe  (level 36)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2156
-
C:\Windows\SysWOW64\Mqinpd32.exe  C:\Windows\system32\Mqinpd32.exe  (level 37)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2256
-
C:\Windows\SysWOW64\Nfhcmkkg.exe  C:\Windows\system32\Nfhcmkkg.exe  (level 38)
- Executes dropped EXE
- Modifies registry class
PID: 2852
-
C:\Windows\SysWOW64\Nbaqhk32.exe  C:\Windows\system32\Nbaqhk32.exe  (level 39)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2328
-
C:\Windows\SysWOW64\Nikide32.exe  C:\Windows\system32\Nikide32.exe  (level 40)
- Executes dropped EXE
PID: 692
-
C:\Windows\SysWOW64\Nimeje32.exe  C:\Windows\system32\Nimeje32.exe  (level 41)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2968
-
C:\Windows\SysWOW64\Nnjnbl32.exe  C:\Windows\system32\Nnjnbl32.exe  (level 42)
- Executes dropped EXE
PID: 2176
-
C:\Windows\SysWOW64\Onmkhlph.exe  C:\Windows\system32\Onmkhlph.exe  (level 43)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2044
-
C:\Windows\SysWOW64\Oheoaa32.exe  C:\Windows\system32\Oheoaa32.exe  (level 44)
- Executes dropped EXE
PID: 2024
-
C:\Windows\SysWOW64\Omddohbm.exe  C:\Windows\system32\Omddohbm.exe  (level 45)
- Executes dropped EXE
PID: 980
-
C:\Windows\SysWOW64\Ominjg32.exe  C:\Windows\system32\Ominjg32.exe  (level 46)
- Executes dropped EXE
PID: 1516
-
C:\Windows\SysWOW64\Pdebladb.exe  C:\Windows\system32\Pdebladb.exe  (level 47)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1984
-
C:\Windows\SysWOW64\Phghedga.exe  C:\Windows\system32\Phghedga.exe  (level 48)
- Executes dropped EXE
PID: 592
-
C:\Windows\SysWOW64\Pifdog32.exe  C:\Windows\system32\Pifdog32.exe  (level 49)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1732
-
C:\Windows\SysWOW64\Pemedh32.exe  C:\Windows\system32\Pemedh32.exe  (level 50)
- Executes dropped EXE
PID: 2236
-
C:\Windows\SysWOW64\Qepbjh32.exe  C:\Windows\system32\Qepbjh32.exe  (level 51)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2208
-
C:\Windows\SysWOW64\Qgckgp32.exe  C:\Windows\system32\Qgckgp32.exe  (level 52)
- Executes dropped EXE
PID: 1600
-
C:\Windows\SysWOW64\Acjllqke.exe  C:\Windows\system32\Acjllqke.exe  (level 53)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2664
-
C:\Windows\SysWOW64\Appikd32.exe  C:\Windows\system32\Appikd32.exe  (level 54)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2868
-
C:\Windows\SysWOW64\Ahlnpg32.exe  C:\Windows\system32\Ahlnpg32.exe  (level 55)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 800
-
C:\Windows\SysWOW64\Ahnjefcd.exe  C:\Windows\system32\Ahnjefcd.exe  (level 56)
- Executes dropped EXE
PID: 860
-
C:\Windows\SysWOW64\Accobock.exe  C:\Windows\system32\Accobock.exe  (level 57)
- Executes dropped EXE
PID: 2484
-
C:\Windows\SysWOW64\Bllcke32.exe  C:\Windows\system32\Bllcke32.exe  (level 58)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2640
-
C:\Windows\SysWOW64\Bgedlbfj.exe  C:\Windows\system32\Bgedlbfj.exe  (level 59)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2276
-
C:\Windows\SysWOW64\Bnbinl32.exe  C:\Windows\system32\Bnbinl32.exe  (level 60)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2912
-
C:\Windows\SysWOW64\Cipcii32.exe  C:\Windows\system32\Cipcii32.exe  (level 61)
- Executes dropped EXE
PID: 1736
-
C:\Windows\SysWOW64\Cjppclkp.exe  C:\Windows\system32\Cjppclkp.exe  (level 62)
- Executes dropped EXE
PID: 852
-
C:\Windows\SysWOW64\Cffqhmqd.exe  C:\Windows\system32\Cffqhmqd.exe  (level 63)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2976
-
C:\Windows\SysWOW64\Cbmann32.exe  C:\Windows\system32\Cbmann32.exe  (level 64)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1360
-
C:\Windows\SysWOW64\Cenjoi32.exe  C:\Windows\system32\Cenjoi32.exe  (level 65)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 588
-
C:\Windows\SysWOW64\Depgeiag.exe  C:\Windows\system32\Depgeiag.exe  (level 66)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 960
-
C:\Windows\SysWOW64\Debcjiod.exe  C:\Windows\system32\Debcjiod.exe  (level 67)
- Modifies registry class
PID: 856
-
C:\Windows\SysWOW64\Dpldkf32.exe  C:\Windows\system32\Dpldkf32.exe  (level 68)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2284
-
C:\Windows\SysWOW64\Digfil32.exe  C:\Windows\system32\Digfil32.exe  (level 69)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1692
-
C:\Windows\SysWOW64\Ehnpph32.exe  C:\Windows\system32\Ehnpph32.exe  (level 70)
- Drops file in System32 directory
PID: 1104
-
C:\Windows\SysWOW64\Ehaleg32.exe  C:\Windows\system32\Ehaleg32.exe  (level 71)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1808
-
C:\Windows\SysWOW64\Edgmjhfh.exe  C:\Windows\system32\Edgmjhfh.exe  (level 72)
PID: 2680
-
C:\Windows\SysWOW64\Eegidknj.exe  C:\Windows\system32\Eegidknj.exe  (level 73)
PID: 2756
-
C:\Windows\SysWOW64\Fpqjeiji.exe  C:\Windows\system32\Fpqjeiji.exe  (level 74)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 2728
-
C:\Windows\SysWOW64\Fpcgji32.exe  C:\Windows\system32\Fpcgji32.exe  (level 75)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 3036
-
C:\Windows\SysWOW64\Fokqae32.exe  C:\Windows\system32\Fokqae32.exe  (level 76)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1868
-
C:\Windows\SysWOW64\Fommfd32.exe  C:\Windows\system32\Fommfd32.exe  (level 77)
PID: 2524
-
C:\Windows\SysWOW64\Goojldgf.exe  C:\Windows\system32\Goojldgf.exe  (level 78)
- System Location Discovery: System Language Discovery
PID: 2052
-
C:\Windows\SysWOW64\Gndgmq32.exe  C:\Windows\system32\Gndgmq32.exe  (level 79)
- Drops file in System32 directory
PID: 2444
-
C:\Windows\SysWOW64\Godcgcca.exe  C:\Windows\system32\Godcgcca.exe  (level 80)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2876
-
C:\Windows\SysWOW64\Gdciej32.exe  C:\Windows\system32\Gdciej32.exe  (level 81)
- Drops file in System32 directory
- Modifies registry class
PID: 2924
-
C:\Windows\SysWOW64\Hckblf32.exe  C:\Windows\system32\Hckblf32.exe  (level 82)
PID: 2332
-
C:\Windows\SysWOW64\Hjdkhpih.exe  C:\Windows\system32\Hjdkhpih.exe  (level 83)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2320
-
C:\Windows\SysWOW64\Hcmoafph.exe  C:\Windows\system32\Hcmoafph.exe  (level 84)
PID: 1084
-
C:\Windows\SysWOW64\Hfnhcami.exe  C:\Windows\system32\Hfnhcami.exe  (level 85)
- Drops file in System32 directory
PID: 1964
-
C:\Windows\SysWOW64\Igaapiqe.exe  C:\Windows\system32\Igaapiqe.exe  (level 86)
PID: 308
-
C:\Windows\SysWOW64\Ibgenaqk.exe  C:\Windows\system32\Ibgenaqk.exe  (level 87)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2008
-
C:\Windows\SysWOW64\Igcnfhob.exe  C:\Windows\system32\Igcnfhob.exe  (level 88)
- Drops file in System32 directory
- Modifies registry class
PID: 2940
-
C:\Windows\SysWOW64\Icjokidf.exe  C:\Windows\system32\Icjokidf.exe  (level 89)
- Drops file in System32 directory
- Modifies registry class
PID: 2644
-
C:\Windows\SysWOW64\Ijdggc32.exe  C:\Windows\system32\Ijdggc32.exe  (level 90)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2652
-
C:\Windows\SysWOW64\Ifkgldag.exe  C:\Windows\system32\Ifkgldag.exe  (level 91)
- Modifies registry class
PID: 2704
-
C:\Windows\SysWOW64\Ipclej32.exe  C:\Windows\system32\Ipclej32.exe  (level 92)
- System Location Discovery: System Language Discovery
PID: 2580
-
C:\Windows\SysWOW64\Jphepidb.exe  C:\Windows\system32\Jphepidb.exe  (level 93)
- System Location Discovery: System Language Discovery
PID: 968
-
C:\Windows\SysWOW64\Jicgoohq.exe  C:\Windows\system32\Jicgoohq.exe  (level 94)
- Modifies registry class
PID: 2960
-
C:\Windows\SysWOW64\Jiecdn32.exe  C:\Windows\system32\Jiecdn32.exe  (level 95)
- Drops file in System32 directory
PID: 1968
-
C:\Windows\SysWOW64\Jbnhmdmn.exe  C:\Windows\system32\Jbnhmdmn.exe  (level 96)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2984
-
C:\Windows\SysWOW64\Jhjpekkf.exe  C:\Windows\system32\Jhjpekkf.exe  (level 97)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2144
-
C:\Windows\SysWOW64\Kfbjlgnk.exe  C:\Windows\system32\Kfbjlgnk.exe  (level 98)
PID: 2872
-
C:\Windows\SysWOW64\Lcmdlgoj.exe  C:\Windows\system32\Lcmdlgoj.exe  (level 99)
- Drops file in System32 directory
PID: 2608
-
C:\Windows\SysWOW64\Llfiemfj.exe  C:\Windows\system32\Llfiemfj.exe  (level 100)
PID: 1988
-
C:\Windows\SysWOW64\Lhmijn32.exe  C:\Windows\system32\Lhmijn32.exe  (level 101)
- System Location Discovery: System Language Discovery
PID: 2400
-
C:\Windows\SysWOW64\Lhabemgi.exe  C:\Windows\system32\Lhabemgi.exe  (level 102)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2632
-
C:\Windows\SysWOW64\Lnnkmdfq.exe  C:\Windows\system32\Lnnkmdfq.exe  (level 103)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2508
-
C:\Windows\SysWOW64\Lhcpkmef.exe  C:\Windows\system32\Lhcpkmef.exe  (level 104)
PID: 548
-
C:\Windows\SysWOW64\Mncdhc32.exe  C:\Windows\system32\Mncdhc32.exe  (level 105)
PID: 2992
-
C:\Windows\SysWOW64\Mcpmqj32.exe  C:\Windows\system32\Mcpmqj32.exe  (level 106)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2600
-
C:\Windows\SysWOW64\Mfpfbemc.exe  C:\Windows\system32\Mfpfbemc.exe  (level 107)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2440
-
C:\Windows\SysWOW64\Mhobnqlg.exe  C:\Windows\system32\Mhobnqlg.exe  (level 108)
- Drops file in System32 directory
- Modifies registry class
PID: 940
-
C:\Windows\SysWOW64\Mfepmd32.exe  C:\Windows\system32\Mfepmd32.exe  (level 109)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1108
-
C:\Windows\SysWOW64\Ndjloanf.exe  C:\Windows\system32\Ndjloanf.exe  (level 110)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID: 2344
-
C:\Windows\SysWOW64\Nqamcbcj.exe  C:\Windows\system32\Nqamcbcj.exe  (level 111)
PID: 1316
-
C:\Windows\SysWOW64\Njialh32.exe  C:\Windows\system32\Njialh32.exe  (level 112)
PID: 2128
-
C:\Windows\SysWOW64\Njlnbg32.exe  C:\Windows\system32\Njlnbg32.exe  (level 113)
PID: 2716
-
C:\Windows\SysWOW64\Neabophn.exe  C:\Windows\system32\Neabophn.exe  (level 114)
- System Location Discovery: System Language Discovery
PID: 2264
-
C:\Windows\SysWOW64\Ofellh32.exe  C:\Windows\system32\Ofellh32.exe  (level 115)
- Drops file in System32 directory
PID: 1240
-
C:\Windows\SysWOW64\Oieencik.exe  C:\Windows\system32\Oieencik.exe  (level 116)
- Drops file in System32 directory
PID: 2248
-
C:\Windows\SysWOW64\Oelecd32.exe  C:\Windows\system32\Oelecd32.exe  (level 117)
PID: 3040
-
C:\Windows\SysWOW64\Opbjpm32.exe  C:\Windows\system32\Opbjpm32.exe  (level 118)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1788
-
C:\Windows\SysWOW64\Oeobidll.exe  C:\Windows\system32\Oeobidll.exe  (level 119)
PID: 1428
-
C:\Windows\SysWOW64\Pnicgi32.exe  C:\Windows\system32\Pnicgi32.exe  (level 120)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2436
-
C:\Windows\SysWOW64\Pjpdlj32.exe  C:\Windows\system32\Pjpdlj32.exe  (level 121)
- Modifies registry class
PID: 1820
-
C:\Windows\SysWOW64\Pefhib32.exe  C:\Windows\system32\Pefhib32.exe  (level 122)
PID: 1212