Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-10-2024 05:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ed814ae15b3b41e4086355d9c1273e07e6458b3f25dace40d67b92e91ec0c661N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
ed814ae15b3b41e4086355d9c1273e07e6458b3f25dace40d67b92e91ec0c661N.exe
Resource
win10v2004-20240910-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
ed814ae15b3b41e4086355d9c1273e07e6458b3f25dace40d67b92e91ec0c661N.exe
-
Size
768KB
-
MD5
8c0a0641b72820bc2650301df8970b30
-
SHA1
06d09e8ce5f2a16beb80fc5289c561b0e9cafa4a
-
SHA256
ed814ae15b3b41e4086355d9c1273e07e6458b3f25dace40d67b92e91ec0c661
-
SHA512
aef167387db107935b42e9fe24ceb67c50e5cdfd6542e96983f3ea35d05eb1669dd901abe4eadbc29ee698ea2ae4e7eb864b11fffbd1e0b9d0e7eaccf27bb841
-
SSDEEP
12288:a6r/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KF4cr6VDsEqacjgqANXcol27Z5nNm:a6rm0BmmvFimm0Xcr6VDsEqacjgqANXF
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkpbdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oibmpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgoff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihgfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcljmdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afliclij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accnekon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halbai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dicnkdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhpglecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcjbna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hipmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Daofpchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amfognic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkjnnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obbdml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcegin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcgnnlle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhkopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlhkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpflkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eafkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pafbadcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipehmebh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkgkcpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oehdan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaeegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmpgpond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmeeepjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djfdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keqkofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ielclkhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npolmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkibcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkegah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgjodmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eklqcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emgioakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeqopcld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghhfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hloiib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padhdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmhhmlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeohkeoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfjkdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affdle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpadhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okgjodmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mflgih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmbcen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjbmelgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imleli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpphhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oidiekdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mokilo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfalqpm.exe -
Executes dropped EXE 64 IoCs
pid Process 1988 Nkjapglg.exe 2756 Nadimacd.exe 2780 Olbchn32.exe 2680 Oghhfg32.exe 2844 Pdbahpec.exe 2624 Pafbadcm.exe 2652 Pqnlhpfb.exe 1948 Pkcpei32.exe 1924 Accnekon.exe 1892 Akncimmh.exe 2120 Anolkh32.exe 1420 Affdle32.exe 2672 Bgnfdm32.exe 320 Bcegin32.exe 1944 Bigimdjh.exe 448 Ciifbchf.exe 1200 Clgbno32.exe 2468 Cbajkiof.exe 1208 Chnbcpmn.exe 1652 Cjmopkla.exe 680 Comdkipe.exe 2464 Cheido32.exe 1976 Ckcepj32.exe 2432 Dgjfek32.exe 1780 Dbafjlaa.exe 1432 Dljkcb32.exe 2052 Dinklffl.exe 2380 Dedlag32.exe 2700 Dkadjn32.exe 2728 Dakmfh32.exe 2988 Ekcaonhe.exe 2712 Ekfndmfb.exe 2628 Epbfmd32.exe 2968 Epecbd32.exe 2792 Egokonjc.exe 1016 Egahen32.exe 2396 Enkpahon.exe 1900 Fqlicclo.exe 1684 Fcjeon32.exe 2616 Fjdnlhco.exe 1036 Fcmben32.exe 408 Fgohna32.exe 1260 Fdbhge32.exe 2560 Fkmqdpce.exe 1660 Gqiimfam.exe 920 Ggcaiqhj.exe 1400 Gjbmelgm.exe 1912 Gcjbna32.exe 1412 Gnpflj32.exe 2332 Gghkdp32.exe 2384 Gjfgqk32.exe 2956 Gcokiaji.exe 2872 Gbaken32.exe 2740 Gljpncgc.exe 2608 Gbdhjm32.exe 2964 Hllmcc32.exe 1152 Hnkion32.exe 1708 Hipmmg32.exe 1188 Hloiib32.exe 772 Halbai32.exe 964 Hibjbgbh.exe 1832 Hbknkl32.exe 2548 Hanogipc.exe 1932 Hlccdboi.exe -
Loads dropped DLL 64 IoCs
pid Process 2500 ed814ae15b3b41e4086355d9c1273e07e6458b3f25dace40d67b92e91ec0c661N.exe 2500 ed814ae15b3b41e4086355d9c1273e07e6458b3f25dace40d67b92e91ec0c661N.exe 1988 Nkjapglg.exe 1988 Nkjapglg.exe 2756 Nadimacd.exe 2756 Nadimacd.exe 2780 Olbchn32.exe 2780 Olbchn32.exe 2680 Oghhfg32.exe 2680 Oghhfg32.exe 2844 Pdbahpec.exe 2844 Pdbahpec.exe 2624 Pafbadcm.exe 2624 Pafbadcm.exe 2652 Pqnlhpfb.exe 2652 Pqnlhpfb.exe 1948 Pkcpei32.exe 1948 Pkcpei32.exe 1924 Accnekon.exe 1924 Accnekon.exe 1892 Akncimmh.exe 1892 Akncimmh.exe 2120 Anolkh32.exe 2120 Anolkh32.exe 1420 Affdle32.exe 1420 Affdle32.exe 2672 Bgnfdm32.exe 2672 Bgnfdm32.exe 320 Bcegin32.exe 320 Bcegin32.exe 1944 Bigimdjh.exe 1944 Bigimdjh.exe 448 Ciifbchf.exe 448 Ciifbchf.exe 1200 Clgbno32.exe 1200 Clgbno32.exe 2468 Cbajkiof.exe 2468 Cbajkiof.exe 1208 Chnbcpmn.exe 1208 Chnbcpmn.exe 1652 Cjmopkla.exe 1652 Cjmopkla.exe 680 Comdkipe.exe 680 Comdkipe.exe 2464 Cheido32.exe 2464 Cheido32.exe 1976 Ckcepj32.exe 1976 Ckcepj32.exe 2432 Dgjfek32.exe 2432 Dgjfek32.exe 1780 Dbafjlaa.exe 1780 Dbafjlaa.exe 1512 Dohgomgf.exe 1512 Dohgomgf.exe 2052 Dinklffl.exe 2052 Dinklffl.exe 2380 Dedlag32.exe 2380 Dedlag32.exe 2700 Dkadjn32.exe 2700 Dkadjn32.exe 2728 Dakmfh32.exe 2728 Dakmfh32.exe 2988 Ekcaonhe.exe 2988 Ekcaonhe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ikfbbjdj.exe Hgkfal32.exe File created C:\Windows\SysWOW64\Iffhohhi.dll Fmohco32.exe File opened for modification C:\Windows\SysWOW64\Goqnae32.exe Glbaei32.exe File created C:\Windows\SysWOW64\Alacdcjm.dll Pkdihhag.exe File opened for modification C:\Windows\SysWOW64\Ecploipa.exe Eihgfd32.exe File created C:\Windows\SysWOW64\Olfcfe32.dll Jbqmhnbo.exe File created C:\Windows\SysWOW64\Iejiodbl.exe Ibkmchbh.exe File created C:\Windows\SysWOW64\Opfegp32.exe Ofnpnkgf.exe File opened for modification C:\Windows\SysWOW64\Okdmjdol.exe Oehdan32.exe File created C:\Windows\SysWOW64\Fjfikeqd.dll Fdmhbplb.exe File created C:\Windows\SysWOW64\Blohcn32.dll Fkkfgi32.exe File created C:\Windows\SysWOW64\Lpkadj32.dll Miehak32.exe File created C:\Windows\SysWOW64\Gkgoff32.exe Gdnfjl32.exe File created C:\Windows\SysWOW64\Epmfgo32.exe Dicnkdnf.exe File created C:\Windows\SysWOW64\Ggkqmoma.exe Gqahqd32.exe File created C:\Windows\SysWOW64\Jampjian.exe Jlphbbbg.exe File created C:\Windows\SysWOW64\Phmaeh32.dll Nbniid32.exe File opened for modification C:\Windows\SysWOW64\Oioggmmc.exe Oagoep32.exe File opened for modification C:\Windows\SysWOW64\Eeohkeoe.exe Ecploipa.exe File created C:\Windows\SysWOW64\Nedmeekj.dll Dhpgfeao.exe File created C:\Windows\SysWOW64\Goldfelp.exe Gecpnp32.exe File created C:\Windows\SysWOW64\Gghkdp32.exe Gnpflj32.exe File opened for modification C:\Windows\SysWOW64\Opglafab.exe Nhlgmd32.exe File created C:\Windows\SysWOW64\Laqojfli.exe Ljigih32.exe File created C:\Windows\SysWOW64\Qggfio32.dll Mobfgdcl.exe File opened for modification C:\Windows\SysWOW64\Ijphofem.exe Iiqldc32.exe File created C:\Windows\SysWOW64\Dociji32.dll Onlahm32.exe File opened for modification C:\Windows\SysWOW64\Lnpgeopa.exe Lomgjb32.exe File created C:\Windows\SysWOW64\Qfljkp32.exe Qobbofgn.exe File opened for modification C:\Windows\SysWOW64\Kkjnnn32.exe Kdpfadlm.exe File created C:\Windows\SysWOW64\Knhjjj32.exe Kkjnnn32.exe File created C:\Windows\SysWOW64\Fhaflo32.dll Fiepea32.exe File created C:\Windows\SysWOW64\Fdekpjbk.dll Klmqapci.exe File created C:\Windows\SysWOW64\Pojecajj.exe Pgcmbcih.exe File created C:\Windows\SysWOW64\Dcjkhi32.dll Fapeic32.exe File created C:\Windows\SysWOW64\Fflkbagk.dll Jdcpkp32.exe File created C:\Windows\SysWOW64\Bfdmobkp.dll Mgmahg32.exe File created C:\Windows\SysWOW64\Giqhcmil.dll Iimfld32.exe File created C:\Windows\SysWOW64\Knnpkl32.dll Iedfqeka.exe File created C:\Windows\SysWOW64\Glchpp32.exe Gdhdkn32.exe File created C:\Windows\SysWOW64\Hgkfal32.exe Hnbaif32.exe File created C:\Windows\SysWOW64\Kablnadm.exe Klecfkff.exe File created C:\Windows\SysWOW64\Genddmep.dll Oehdan32.exe File created C:\Windows\SysWOW64\Ojefmknj.dll Padhdm32.exe File opened for modification C:\Windows\SysWOW64\Edcnakpa.exe Einjdb32.exe File opened for modification C:\Windows\SysWOW64\Pkcpei32.exe Pqnlhpfb.exe File opened for modification C:\Windows\SysWOW64\Pjleclph.exe Pbemboof.exe File created C:\Windows\SysWOW64\Imldmnjj.dll Ejcmmp32.exe File opened for modification C:\Windows\SysWOW64\Gljpncgc.exe Gbaken32.exe File created C:\Windows\SysWOW64\Cabalojc.dll Kcgphp32.exe File opened for modification C:\Windows\SysWOW64\Pfbfhm32.exe Ppinkcnp.exe File opened for modification C:\Windows\SysWOW64\Boifga32.exe Bfabnl32.exe File created C:\Windows\SysWOW64\Jabponba.exe Jcnoejch.exe File opened for modification C:\Windows\SysWOW64\Afjjed32.exe Aopahjll.exe File created C:\Windows\SysWOW64\Gbfkdo32.dll Odchbe32.exe File created C:\Windows\SysWOW64\Gglpmlbm.dll Hbdjcffd.exe File created C:\Windows\SysWOW64\Paocnkph.exe Phfoee32.exe File created C:\Windows\SysWOW64\Canipj32.dll Bqmpdioa.exe File opened for modification C:\Windows\SysWOW64\Inbnhihl.exe Ipomlm32.exe File created C:\Windows\SysWOW64\Olbbhfld.dll Jlfnangf.exe File created C:\Windows\SysWOW64\Obgnhkkh.exe Onlahm32.exe File opened for modification C:\Windows\SysWOW64\Dgjfek32.exe Ckcepj32.exe File opened for modification C:\Windows\SysWOW64\Okgjodmi.exe Oopijc32.exe File created C:\Windows\SysWOW64\Aebmjo32.dll Hfegij32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2632 6704 WerFault.exe 747 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nadimacd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egikjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkplgnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joidhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhgfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmmlgik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhemhpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiljam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcmfmlen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolghndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddlkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkgjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojecajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmnjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgocmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpgpbpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbafdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akabgebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceebklai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnofgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbigpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbqmhnbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eipgjaoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieofkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbnphngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdepg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbofgme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghhfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohjnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdncmgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keeeje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppddpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciifbchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Comdkipe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cheido32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lngpog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljnqdhga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfoee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbbgqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkfmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckjhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkgkcpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdklfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgfkhpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjjed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhabndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbcpmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckcepj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkddnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caaggpdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmhbplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbqfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobfgdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mflgih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppinkcnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgabdlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Debadpeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfalqpm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaemhl32.dll" Gcbabpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdncmgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nenkqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mokilo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheoph32.dll" Nbflno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcohghbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klhgfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gojhafnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggcaiqhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihieggm.dll" Jkbojpna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkmand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqgggnne.dll" Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dekdikhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll" Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epecbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcamjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goejbpjh.dll" Lboiol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlfnangf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfaeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll" Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifnodlj.dll" Emgioakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdhdkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmegnj32.dll" Khgkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andpoahc.dll" Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjdjea32.dll" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coglpp32.dll" Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfofol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbchni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbemboof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjpke32.dll" Jdcmbgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbpfqb32.dll" Npaich32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poklngnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmpacaf.dll" Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikgge32.dll" Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edcnakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiepea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggkibhjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfabnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddlnn32.dll" Klhemhpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkdihhag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkibcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjhabndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll" Bffbdadk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonedp32.dll" Bimoloog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Locjhqpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knqcbd32.dll" Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obmnna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqmnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopmpa32.dll" Agihgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cheido32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Poklngnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmdepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inbnhihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jeqopcld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhhgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agihgp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2500 wrote to memory of 1988 2500 ed814ae15b3b41e4086355d9c1273e07e6458b3f25dace40d67b92e91ec0c661N.exe 30 PID 2500 wrote to memory of 1988 2500 ed814ae15b3b41e4086355d9c1273e07e6458b3f25dace40d67b92e91ec0c661N.exe 30 PID 2500 wrote to memory of 1988 2500 ed814ae15b3b41e4086355d9c1273e07e6458b3f25dace40d67b92e91ec0c661N.exe 30 PID 2500 wrote to memory of 1988 2500 ed814ae15b3b41e4086355d9c1273e07e6458b3f25dace40d67b92e91ec0c661N.exe 30 PID 1988 wrote to memory of 2756 1988 Nkjapglg.exe 31 PID 1988 wrote to memory of 2756 1988 Nkjapglg.exe 31 PID 1988 wrote to memory of 2756 1988 Nkjapglg.exe 31 PID 1988 wrote to memory of 2756 1988 Nkjapglg.exe 31 PID 2756 wrote to memory of 2780 2756 Nadimacd.exe 32 PID 2756 wrote to memory of 2780 2756 Nadimacd.exe 32 PID 2756 wrote to memory of 2780 2756 Nadimacd.exe 32 PID 2756 wrote to memory of 2780 2756 Nadimacd.exe 32 PID 2780 wrote to memory of 2680 2780 Olbchn32.exe 33 PID 2780 wrote to memory of 2680 2780 Olbchn32.exe 33 PID 2780 wrote to memory of 2680 2780 Olbchn32.exe 33 PID 2780 wrote to memory of 2680 2780 Olbchn32.exe 33 PID 2680 wrote to memory of 2844 2680 Oghhfg32.exe 34 PID 2680 wrote to memory of 2844 2680 Oghhfg32.exe 34 PID 2680 wrote to memory of 2844 2680 Oghhfg32.exe 34 PID 2680 wrote to memory of 2844 2680 Oghhfg32.exe 34 PID 2844 wrote to memory of 2624 2844 Pdbahpec.exe 35 PID 2844 wrote to memory of 2624 2844 Pdbahpec.exe 35 PID 2844 wrote to memory of 2624 2844 Pdbahpec.exe 35 PID 2844 wrote to memory of 2624 2844 Pdbahpec.exe 35 PID 2624 wrote to memory of 2652 2624 Pafbadcm.exe 36 PID 2624 wrote to memory of 2652 2624 Pafbadcm.exe 36 PID 2624 wrote to memory of 2652 2624 Pafbadcm.exe 36 PID 2624 wrote to memory of 2652 2624 Pafbadcm.exe 36 PID 2652 wrote to memory of 1948 2652 Pqnlhpfb.exe 37 PID 2652 wrote to memory of 1948 2652 Pqnlhpfb.exe 37 PID 2652 wrote to memory of 1948 2652 Pqnlhpfb.exe 37 PID 2652 wrote to memory of 1948 2652 Pqnlhpfb.exe 37 PID 1948 wrote to memory of 1924 1948 Pkcpei32.exe 38 PID 1948 wrote to memory of 1924 1948 Pkcpei32.exe 38 PID 1948 wrote to memory of 1924 1948 Pkcpei32.exe 38 PID 1948 wrote to memory of 1924 1948 Pkcpei32.exe 38 PID 1924 wrote to memory of 1892 1924 Accnekon.exe 39 PID 1924 wrote to memory of 1892 1924 Accnekon.exe 39 PID 1924 wrote to memory of 1892 1924 Accnekon.exe 39 PID 1924 wrote to memory of 1892 1924 Accnekon.exe 39 PID 1892 wrote to memory of 2120 1892 Akncimmh.exe 40 PID 1892 wrote to memory of 2120 1892 Akncimmh.exe 40 PID 1892 wrote to memory of 2120 1892 Akncimmh.exe 40 PID 1892 wrote to memory of 2120 1892 Akncimmh.exe 40 PID 2120 wrote to memory of 1420 2120 Anolkh32.exe 41 PID 2120 wrote to memory of 1420 2120 Anolkh32.exe 41 PID 2120 wrote to memory of 1420 2120 Anolkh32.exe 41 PID 2120 wrote to memory of 1420 2120 Anolkh32.exe 41 PID 1420 wrote to memory of 2672 1420 Affdle32.exe 42 PID 1420 wrote to memory of 2672 1420 Affdle32.exe 42 PID 1420 wrote to memory of 2672 1420 Affdle32.exe 42 PID 1420 wrote to memory of 2672 1420 Affdle32.exe 42 PID 2672 wrote to memory of 320 2672 Bgnfdm32.exe 43 PID 2672 wrote to memory of 320 2672 Bgnfdm32.exe 43 PID 2672 wrote to memory of 320 2672 Bgnfdm32.exe 43 PID 2672 wrote to memory of 320 2672 Bgnfdm32.exe 43 PID 320 wrote to memory of 1944 320 Bcegin32.exe 44 PID 320 wrote to memory of 1944 320 Bcegin32.exe 44 PID 320 wrote to memory of 1944 320 Bcegin32.exe 44 PID 320 wrote to memory of 1944 320 Bcegin32.exe 44 PID 1944 wrote to memory of 448 1944 Bigimdjh.exe 45 PID 1944 wrote to memory of 448 1944 Bigimdjh.exe 45 PID 1944 wrote to memory of 448 1944 Bigimdjh.exe 45 PID 1944 wrote to memory of 448 1944 Bigimdjh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed814ae15b3b41e4086355d9c1273e07e6458b3f25dace40d67b92e91ec0c661N.exe"C:\Users\Admin\AppData\Local\Temp\ed814ae15b3b41e4086355d9c1273e07e6458b3f25dace40d67b92e91ec0c661N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1208 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:680 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe27⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe28⤵
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe34⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe35⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe37⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe38⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe39⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe40⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe41⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe42⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1036 -
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe44⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe45⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe46⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe47⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe52⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe53⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe54⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe56⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe57⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe58⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe59⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe63⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe64⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe65⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe66⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe67⤵PID:1448
-
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe68⤵PID:3040
-
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe69⤵PID:344
-
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe71⤵PID:2660
-
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe73⤵PID:2684
-
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe75⤵PID:2320
-
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe76⤵PID:1492
-
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe77⤵PID:1692
-
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe78⤵PID:2128
-
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe79⤵PID:1728
-
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe80⤵PID:1248
-
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe82⤵PID:1732
-
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe83⤵PID:952
-
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe84⤵PID:1304
-
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe85⤵PID:328
-
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe86⤵PID:2280
-
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe87⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe88⤵PID:1628
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe89⤵PID:3060
-
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe91⤵PID:2620
-
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe92⤵
- Modifies registry class
PID:276 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe93⤵PID:1536
-
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe94⤵PID:1040
-
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe95⤵PID:2388
-
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe97⤵PID:264
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe99⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe100⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe101⤵PID:760
-
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe102⤵PID:1504
-
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe103⤵
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe104⤵PID:2772
-
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe105⤵
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe106⤵PID:3012
-
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe107⤵PID:2416
-
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe108⤵PID:1580
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe109⤵PID:1612
-
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe110⤵PID:1768
-
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe111⤵PID:908
-
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe113⤵PID:2072
-
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe114⤵PID:2992
-
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe115⤵PID:2340
-
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe116⤵PID:2820
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe117⤵PID:2640
-
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe118⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe119⤵
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe120⤵PID:712
-
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe121⤵PID:988
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-