Analysis
-
max time kernel
84s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system -
submitted
23-11-2024 03:09
Static task
static1
Behavioral task
behavioral1
Sample
c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe
Resource
win10v2004-20241007-en
General
-
Target
c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe
-
Size
120KB
-
MD5
a38e9aea384403d81054c8342a44dca5
-
SHA1
e09fcbe4dfe818cdfe9468af12127b1f932e227e
-
SHA256
c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0
-
SHA512
9a08fa0b514e928971e2ef78a041290f3b1558f50d72db960a6313887a5f419e28e2ee4c4877695cf7c99a678262fd1a90378619cb34f175778198c61e0577d4
-
SSDEEP
1536:llMtYB5fFi23x08G9Cwjw3iUE1w9VnRYCVvLpXwEcYIrEOjz0cZ44mjD9r823F4:bMtKiN8ICwckyvlwEcYIrEi/mjRrz3C
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Iihgadhl.exe, Abnbccia.exe, Elnonp32.exe, Flmlmc32.exe, Gcgpiq32.exe, Jdplmflg.exe, Lnmfpnqn.exe, Pciiccbm.exe, Ofklpa32.exe, Edfqclni.exe, Pbqbioeb.exe, Lflklaoc.exe, Ancdgcab.exe, Flkohc32.exe, Alcqcjgd.exe, Cjaieoko.exe, Elleai32.exe, Moflkfca.exe, Bcbedm32.exe, Goekpm32.exe, Ahgdbk32.exe, Dcijmhdj.exe, Ebhjdc32.exe, Hhbgkn32.exe, Djkodg32.exe, Lpkkbcle.exe, Gledgkfn.exe, Cgpjin32.exe, Hogddpld.exe, Hbepplkh.exe, Mmpobi32.exe, Cincaq32.exe, Hobcok32.exe, Gocnjn32.exe, Nplkhh32.exe, Bdmklico.exe, Kegebn32.exe, Epdncb32.exe, Figoefkf.exe, Ggmldj32.exe, Hnmcne32.exe, Khnqbhdi.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 37 events, 22 attributed to: Iihgadhl.exe, Elnonp32.exe, Jdplmflg.exe, Pciiccbm.exe, Ofklpa32.exe, Edfqclni.exe, Pbqbioeb.exe, Lflklaoc.exe, Flkohc32.exe, Cjaieoko.exe, Moflkfca.exe, Goekpm32.exe, Ahgdbk32.exe, Ebhjdc32.exe, Gledgkfn.exe, Cgpjin32.exe, Hogddpld.exe, Hbepplkh.exe, Hobcok32.exe, Kegebn32.exe, Figoefkf.exe, Ggmldj32.exe; the remaining 15 events carry no process name in the report
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 27 events, 20 attributed to: Abnbccia.exe, Flmlmc32.exe, Gcgpiq32.exe, Lnmfpnqn.exe, Ancdgcab.exe, Alcqcjgd.exe, Elleai32.exe, Bcbedm32.exe, Dcijmhdj.exe, Hhbgkn32.exe, Djkodg32.exe, Lpkkbcle.exe, Mmpobi32.exe, Cincaq32.exe, Gocnjn32.exe, Nplkhh32.exe, Bdmklico.exe, Epdncb32.exe, Hnmcne32.exe, Khnqbhdi.exe; the remaining 7 events carry no process name in the report
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
pid | Process
2384 | Hbkpfa32.exe
2848 | Hiehbl32.exe
2784 | Ieligmho.exe
2948 | Ibpjaagi.exe
2712 | Ihlbih32.exe
2736 | Infjfblm.exe
2132 | Ihooog32.exe
1044 | Ijmkkc32.exe
2104 | Idepdhia.exe
2496 | Iokdaa32.exe
3000 | Ieelnkpd.exe
1528 | Jffhec32.exe
2524 | Jmpqbnmp.exe
1108 | Jdjioh32.exe
2112 | Jmbnhm32.exe
2288 | Jdmfdgbj.exe
2236 | Jiinmnaa.exe
2216 | Jlhjijpe.exe
764 | Jbbbed32.exe
1432 | Jilkbn32.exe
2356 | Jpfcohfk.exe
1008 | Jbdokceo.exe
1224 | Jeblgodb.exe
1992 | Jhahcjcf.exe
2264 | Kbflqccl.exe
2788 | Keehmobp.exe
2868 | Kkaaee32.exe
2764 | Kegebn32.exe
2968 | Kdjenkgh.exe
2796 | Knbjgq32.exe
2708 | Kgknpfdi.exe
2268 | Kobfqc32.exe
832 | Kdooij32.exe
2508 | Kgmkef32.exe
2468 | Kkigfdjo.exe
2316 | Kdakoj32.exe
2696 | Lphlck32.exe
2376 | Lcfhpf32.exe
1048 | Lgbdpena.exe
352 | Lnlmmo32.exe
1952 | Llainlje.exe
2480 | Lpmeojbo.exe
2344 | Lfingaaf.exe
2168 | Llcfck32.exe
2744 | Lflklaoc.exe
1652 | Ldokhn32.exe
1036 | Lkhcdhmk.exe
1984 | Lngpac32.exe
2416 | Mfngbq32.exe
2752 | Mdahnmck.exe
1968 | Mkkpjg32.exe
2064 | Moflkfca.exe
2684 | Mbehgabe.exe
1624 | Mdcdcmai.exe
2044 | Mgaqohql.exe
1304 | Mnlilb32.exe
2896 | Mqjehngm.exe
3028 | Mdeaim32.exe
1080 | Mkpieggc.exe
2836 | Mqlbnnej.exe
3056 | Mdhnnl32.exe
2180 | Mgfjjh32.exe
2240 | Mnpbgbdd.exe
1636 | Mmcbbo32.exe
Loads dropped DLL 64 IoCs
Processes:
pid | Process (each of the 32 processes below is listed twice in the report, i.e. two dropped-DLL loads per process, 64 events in total)
2116 | c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe
2384 | Hbkpfa32.exe
2848 | Hiehbl32.exe
2784 | Ieligmho.exe
2948 | Ibpjaagi.exe
2712 | Ihlbih32.exe
2736 | Infjfblm.exe
2132 | Ihooog32.exe
1044 | Ijmkkc32.exe
2104 | Idepdhia.exe
2496 | Iokdaa32.exe
3000 | Ieelnkpd.exe
1528 | Jffhec32.exe
2524 | Jmpqbnmp.exe
1108 | Jdjioh32.exe
2112 | Jmbnhm32.exe
2288 | Jdmfdgbj.exe
2236 | Jiinmnaa.exe
2216 | Jlhjijpe.exe
764 | Jbbbed32.exe
1432 | Jilkbn32.exe
2356 | Jpfcohfk.exe
1008 | Jbdokceo.exe
1224 | Jeblgodb.exe
1992 | Jhahcjcf.exe
2264 | Kbflqccl.exe
2788 | Keehmobp.exe
2868 | Kkaaee32.exe
2764 | Kegebn32.exe
2968 | Kdjenkgh.exe
2796 | Knbjgq32.exe
2708 | Kgknpfdi.exe
Drops file in System32 directory 64 IoCs
Processes:
Pbkgegad.exe, Kiamql32.exe, Plkchdiq.exe, Ahmehqna.exe, Hfookk32.exe, Cdgdlnop.exe, Dbkaee32.exe, Mqjehngm.exe, Pelpgb32.exe, Bkefcc32.exe, Ccinnd32.exe, Fdefgimi.exe, Ppjjcogn.exe, Feccqime.exe, Eenckc32.exe, Fhgkqmph.exe, Mbhnpplb.exe, Pojgnf32.exe, Lamkllea.exe, Jpfehq32.exe, Kldchgag.exe, Picdejbg.exe, Fdpmljan.exe, Acdfki32.exe, Cifdmbib.exe, Ehgmiq32.exe, Phhhchlp.exe, Nfbmlckg.exe, Njdbefnf.exe, Lgbdpena.exe, Fpncbjqj.exe, Hhnnpolk.exe, Qajfmbna.exe, Cgkanomj.exe, Lpnobi32.exe, Qamleagn.exe, Bnicddki.exe, Iflhjh32.exe, Mkbhco32.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\Bdlhjkpi.dll
File created | C:\Windows\SysWOW64\Hbfalpab.exe
File opened for modification | C:\Windows\SysWOW64\Pieobaiq.exe | Pbkgegad.exe
File created | C:\Windows\SysWOW64\Nmooblli.dll
File opened for modification | C:\Windows\SysWOW64\Kaieai32.exe | Kiamql32.exe
File created | C:\Windows\SysWOW64\Pjndca32.exe | Plkchdiq.exe
File opened for modification | C:\Windows\SysWOW64\Jkklpk32.exe
File created | C:\Windows\SysWOW64\Gmfccjei.dll
File created | C:\Windows\SysWOW64\Bpbfom32.dll
File created | C:\Windows\SysWOW64\Makhce32.dll
File created | C:\Windows\SysWOW64\Apdminod.exe | Ahmehqna.exe
File created | C:\Windows\SysWOW64\Himkgf32.exe | Hfookk32.exe
File created | C:\Windows\SysWOW64\Cgfqii32.exe | Cdgdlnop.exe
File created | C:\Windows\SysWOW64\Deimaa32.exe | Dbkaee32.exe
File opened for modification | C:\Windows\SysWOW64\Lmondpbc.exe
File opened for modification | C:\Windows\SysWOW64\Fhjcmcep.exe
File opened for modification | C:\Windows\SysWOW64\Mdeaim32.exe | Mqjehngm.exe
File opened for modification | C:\Windows\SysWOW64\Plfhdlfb.exe | Pelpgb32.exe
File created | C:\Windows\SysWOW64\Jffaaoip.dll | Bkefcc32.exe
File created | C:\Windows\SysWOW64\Biehcmhh.dll | Ccinnd32.exe
File created | C:\Windows\SysWOW64\Bpnmhiij.dll | Fdefgimi.exe
File created | C:\Windows\SysWOW64\Iioimj32.dll | Ppjjcogn.exe
File created | C:\Windows\SysWOW64\Fmjkbfnh.exe | Feccqime.exe
File created | C:\Windows\SysWOW64\Flhkhnel.exe | Eenckc32.exe
File created | C:\Windows\SysWOW64\Fpncbjqj.exe | Fhgkqmph.exe
File created | C:\Windows\SysWOW64\Qegpbaqb.exe
File opened for modification | C:\Windows\SysWOW64\Mjofanld.exe | Mbhnpplb.exe
File created | C:\Windows\SysWOW64\Laokdncm.dll | Pojgnf32.exe
File opened for modification | C:\Windows\SysWOW64\Lgcooh32.exe
File created | C:\Windows\SysWOW64\Mamngm32.dll
File created | C:\Windows\SysWOW64\Eilknaem.dll
File opened for modification | C:\Windows\SysWOW64\Fqjbme32.exe
File opened for modification | C:\Windows\SysWOW64\Lcnhcdkp.exe | Lamkllea.exe
File created | C:\Windows\SysWOW64\Jbdadl32.exe | Jpfehq32.exe
File created | C:\Windows\SysWOW64\Kocodbpk.exe | Kldchgag.exe
File opened for modification | C:\Windows\SysWOW64\Plbaafak.exe | Picdejbg.exe
File created | C:\Windows\SysWOW64\Ffoihepa.exe | Fdpmljan.exe
File created | C:\Windows\SysWOW64\Idlgohcl.exe
File created | C:\Windows\SysWOW64\Jakjlpif.exe
File opened for modification | C:\Windows\SysWOW64\Ehkgnpbe.exe
File opened for modification | C:\Windows\SysWOW64\Afcbgd32.exe | Acdfki32.exe
File created | C:\Windows\SysWOW64\Ckdpinhf.exe | Cifdmbib.exe
File created | C:\Windows\SysWOW64\Egimdmmc.exe | Ehgmiq32.exe
File created | C:\Windows\SysWOW64\Pjfdpckc.exe | Phhhchlp.exe
File opened for modification | C:\Windows\SysWOW64\Kplhfo32.exe
File opened for modification | C:\Windows\SysWOW64\Qfegakmc.exe
File created | C:\Windows\SysWOW64\Iimqnd32.dll
File opened for modification | C:\Windows\SysWOW64\Gmipmlan.exe
File created | C:\Windows\SysWOW64\Nhdjdk32.exe | Nfbmlckg.exe
File opened for modification | C:\Windows\SysWOW64\Naokbq32.exe | Njdbefnf.exe
File created | C:\Windows\SysWOW64\Fffabman.exe
File created | C:\Windows\SysWOW64\Lnlmmo32.exe | Lgbdpena.exe
File created | C:\Windows\SysWOW64\Faopib32.exe | Fpncbjqj.exe
File created | C:\Windows\SysWOW64\Hohfmi32.exe | Hhnnpolk.exe
File opened for modification | C:\Windows\SysWOW64\Ekcdegqe.exe
File opened for modification | C:\Windows\SysWOW64\Milagp32.exe
File opened for modification | C:\Windows\SysWOW64\Aomdpj32.exe
File opened for modification | C:\Windows\SysWOW64\Qdhcinme.exe | Qajfmbna.exe
File created | C:\Windows\SysWOW64\Cpbiolnl.exe | Cgkanomj.exe
File created | C:\Windows\SysWOW64\Hpehnofm.dll | Lpnobi32.exe
File created | C:\Windows\SysWOW64\Qdlialfb.exe | Qamleagn.exe
File opened for modification | C:\Windows\SysWOW64\Bbdoec32.exe | Bnicddki.exe
File created | C:\Windows\SysWOW64\Gcpolmao.dll | Iflhjh32.exe
File created | C:\Windows\SysWOW64\Fhlpince.dll | Mkbhco32.exe
Program crash 1 IoCs
Processes:
pid | pid_target | Process | procid_target
932 | 7792 | | 1877
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
Jhahcjcf.exe, Ncpgeh32.exe, Clkfjman.exe, Jhgnbehe.exe, Ceanmc32.exe, Jdplmflg.exe, Fgnfpm32.exe, Babbpc32.exe, Gokmnlcf.exe, Hqcpfcbl.exe, Inopce32.exe, Gklkdn32.exe, Ehilgikj.exe, Gdpikmci.exe, Kdjenkgh.exe, Oclpdf32.exe, Hifdjcif.exe, Copobe32.exe, Pljnmkoo.exe, Eonhpk32.exe, Mlhbgc32.exe, Hghhngjb.exe, Ikhqbo32.exe, Ffaeneno.exe, Ancdgcab.exe, Afcbgd32.exe, Bjjakg32.exe, Gomjckqc.exe, Maejpj32.exe, Hohfmi32.exe, Fhifmcfa.exe, Bkmcni32.exe, Ehopnk32.exe, Obijpgcf.exe, Bjlnaghp.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 64 events, 35 attributed to the processes listed above (in that order); the remaining 29 events carry no process name in the report
Modifies registry class 64 IoCs
Processes:
Jecnpg32.exe, Qiekadkl.exe, Jlkigbef.exe, Pciiccbm.exe, Egbffj32.exe, Nfbmlckg.exe, Jephgi32.exe, Jpalmaad.exe, Kelqff32.exe, Plbaafak.exe, Ehgoaiml.exe, Peaibajp.exe, Cjifpdib.exe, Mjofanld.exe, Ehdpcahk.exe, Gcgpiq32.exe, Hbhmfk32.exe, Kegebn32.exe, Apjpglfn.exe, Cfpgee32.exe, Qggoeilh.exe, Keehmobp.exe, Plfhdlfb.exe, Omddmkhl.exe, Efbpihoo.exe, c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe, Behnkm32.exe, Fpdqlkhe.exe, Ehpgha32.exe, Ieiegf32.exe, Oeobfgak.exe, Dnjeoa32.exe, Afeold32.exe, Mglpjc32.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 21 events, 13 attributed to: Qiekadkl.exe, Egbffj32.exe, Plbaafak.exe, Ehgoaiml.exe, Peaibajp.exe, Hbhmfk32.exe, Kegebn32.exe, Qggoeilh.exe, Keehmobp.exe, Omddmkhl.exe, Efbpihoo.exe, Ehpgha32.exe, Afeold32.exe; the remaining 8 events carry no process name in the report
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 19 events, 12 attributed to: Jlkigbef.exe, Nfbmlckg.exe, Jephgi32.exe, Cjifpdib.exe, Ehdpcahk.exe, Apjpglfn.exe, Cfpgee32.exe, Fpdqlkhe.exe, Ieiegf32.exe, Oeobfgak.exe, Dnjeoa32.exe, Mglpjc32.exe; the remaining 7 events carry no process name in the report
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = (default) | 23 events, each pointing the CLSID's in-process server at a freshly named DLL under SysWow64 (process in parentheses where the report names one):
"C:\\Windows\\SysWow64\\Oabdgo32.dll" (Jecnpg32.exe)
"C:\\Windows\\SysWow64\\Lglpbp32.dll" (Pciiccbm.exe)
"C:\\Windows\\SysWow64\\Npqbka32.dll" (Jpalmaad.exe)
"C:\\Windows\\SysWow64\\Cieamnan.dll" (Kelqff32.exe)
"C:\\Windows\\SysWow64\\Jcognhco.dll"
"C:\\Windows\\SysWow64\\Cjlmpk32.dll"
"C:\\Windows\\SysWow64\\Pajicf32.dll" (Mjofanld.exe)
"C:\\Windows\\SysWow64\\Cffgqn32.dll" (Gcgpiq32.exe)
"C:\\Windows\\SysWow64\\Jpbbba32.dll"
"C:\\Windows\\SysWow64\\Bncdfnog.dll"
"C:\\Windows\\SysWow64\\Mpbgqo32.dll"
"C:\\Windows\\SysWow64\\Jocfda32.dll"
"C:\\Windows\\SysWow64\\Ehlolh32.dll"
"C:\\Windows\\SysWow64\\Klhegdbg.dll"
"C:\\Windows\\SysWow64\\Aejbfc32.dll"
"C:\\Windows\\SysWow64\\Padbmn32.dll"
"C:\\Windows\\SysWow64\\Pdgnnfme.dll" (Plfhdlfb.exe)
"C:\\Windows\\SysWow64\\Ldhhfdpd.dll"
"C:\\Windows\\SysWow64\\Jgopbe32.dll" (Behnkm32.exe)
"C:\\Windows\\SysWow64\\Mcmpkcpl.dll"
"C:\\Windows\\SysWow64\\Fmffif32.dll"
"C:\\Windows\\SysWow64\\Hfkdpp32.dll"
"C:\\Windows\\SysWow64\\Jpmgid32.dll"
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe, Hbkpfa32.exe, Hiehbl32.exe, Ieligmho.exe, Ibpjaagi.exe, Ihlbih32.exe, Infjfblm.exe, Ihooog32.exe, Ijmkkc32.exe, Idepdhia.exe, Iokdaa32.exe, Ieelnkpd.exe, Jffhec32.exe, Jmpqbnmp.exe, Jdjioh32.exe, Jmbnhm32.exe
description pid Process procid_target
PID 2116 wrote to memory of 2384 2116 c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe 29
PID 2116 wrote to memory of 2384 2116 c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe 29
PID 2116 wrote to memory of 2384 2116 c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe 29
PID 2116 wrote to memory of 2384 2116 c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe 29
PID 2384 wrote to memory of 2848 2384 Hbkpfa32.exe 30
PID 2384 wrote to memory of 2848 2384 Hbkpfa32.exe 30
PID 2384 wrote to memory of 2848 2384 Hbkpfa32.exe 30
PID 2384 wrote to memory of 2848 2384 Hbkpfa32.exe 30
PID 2848 wrote to memory of 2784 2848 Hiehbl32.exe 31
PID 2848 wrote to memory of 2784 2848 Hiehbl32.exe 31
PID 2848 wrote to memory of 2784 2848 Hiehbl32.exe 31
PID 2848 wrote to memory of 2784 2848 Hiehbl32.exe 31
PID 2784 wrote to memory of 2948 2784 Ieligmho.exe 32
PID 2784 wrote to memory of 2948 2784 Ieligmho.exe 32
PID 2784 wrote to memory of 2948 2784 Ieligmho.exe 32
PID 2784 wrote to memory of 2948 2784 Ieligmho.exe 32
PID 2948 wrote to memory of 2712 2948 Ibpjaagi.exe 33
PID 2948 wrote to memory of 2712 2948 Ibpjaagi.exe 33
PID 2948 wrote to memory of 2712 2948 Ibpjaagi.exe 33
PID 2948 wrote to memory of 2712 2948 Ibpjaagi.exe 33
PID 2712 wrote to memory of 2736 2712 Ihlbih32.exe 34
PID 2712 wrote to memory of 2736 2712 Ihlbih32.exe 34
PID 2712 wrote to memory of 2736 2712 Ihlbih32.exe 34
PID 2712 wrote to memory of 2736 2712 Ihlbih32.exe 34
PID 2736 wrote to memory of 2132 2736 Infjfblm.exe 35
PID 2736 wrote to memory of 2132 2736 Infjfblm.exe 35
PID 2736 wrote to memory of 2132 2736 Infjfblm.exe 35
PID 2736 wrote to memory of 2132 2736 Infjfblm.exe 35
PID 2132 wrote to memory of 1044 2132 Ihooog32.exe 36
PID 2132 wrote to memory of 1044 2132 Ihooog32.exe 36
PID 2132 wrote to memory of 1044 2132 Ihooog32.exe 36
PID 2132 wrote to memory of 1044 2132 Ihooog32.exe 36
PID 1044 wrote to memory of 2104 1044 Ijmkkc32.exe 37
PID 1044 wrote to memory of 2104 1044 Ijmkkc32.exe 37
PID 1044 wrote to memory of 2104 1044 Ijmkkc32.exe 37
PID 1044 wrote to memory of 2104 1044 Ijmkkc32.exe 37
PID 2104 wrote to memory of 2496 2104 Idepdhia.exe 38
PID 2104 wrote to memory of 2496 2104 Idepdhia.exe 38
PID 2104 wrote to memory of 2496 2104 Idepdhia.exe 38
PID 2104 wrote to memory of 2496 2104 Idepdhia.exe 38
PID 2496 wrote to memory of 3000 2496 Iokdaa32.exe 39
PID 2496 wrote to memory of 3000 2496 Iokdaa32.exe 39
PID 2496 wrote to memory of 3000 2496 Iokdaa32.exe 39
PID 2496 wrote to memory of 3000 2496 Iokdaa32.exe 39
PID 3000 wrote to memory of 1528 3000 Ieelnkpd.exe 40
PID 3000 wrote to memory of 1528 3000 Ieelnkpd.exe 40
PID 3000 wrote to memory of 1528 3000 Ieelnkpd.exe 40
PID 3000 wrote to memory of 1528 3000 Ieelnkpd.exe 40
PID 1528 wrote to memory of 2524 1528 Jffhec32.exe 41
PID 1528 wrote to memory of 2524 1528 Jffhec32.exe 41
PID 1528 wrote to memory of 2524 1528 Jffhec32.exe 41
PID 1528 wrote to memory of 2524 1528 Jffhec32.exe 41
PID 2524 wrote to memory of 1108 2524 Jmpqbnmp.exe 42
PID 2524 wrote to memory of 1108 2524 Jmpqbnmp.exe 42
PID 2524 wrote to memory of 1108 2524 Jmpqbnmp.exe 42
PID 2524 wrote to memory of 1108 2524 Jmpqbnmp.exe 42
PID 1108 wrote to memory of 2112 1108 Jdjioh32.exe 43
PID 1108 wrote to memory of 2112 1108 Jdjioh32.exe 43
PID 1108 wrote to memory of 2112 1108 Jdjioh32.exe 43
PID 1108 wrote to memory of 2112 1108 Jdjioh32.exe 43
PID 2112 wrote to memory of 2288 2112 Jmbnhm32.exe 44
PID 2112 wrote to memory of 2288 2112 Jmbnhm32.exe 44
PID 2112 wrote to memory of 2288 2112 Jmbnhm32.exe 44
PID 2112 wrote to memory of 2288 2112 Jmbnhm32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe "C:\Users\Admin\AppData\Local\Temp\c000825d89f9acef1c479a2cac393ad0165b87279a06a7248094618a4a1c0ef0.exe" 1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Hbkpfa32.exe C:\Windows\system32\Hbkpfa32.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Hiehbl32.exe C:\Windows\system32\Hiehbl32.exe 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Ieligmho.exe C:\Windows\system32\Ieligmho.exe 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Ibpjaagi.exe C:\Windows\system32\Ibpjaagi.exe 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Ihlbih32.exe C:\Windows\system32\Ihlbih32.exe 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Infjfblm.exe C:\Windows\system32\Infjfblm.exe 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Ihooog32.exe C:\Windows\system32\Ihooog32.exe 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Ijmkkc32.exe C:\Windows\system32\Ijmkkc32.exe 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Idepdhia.exe C:\Windows\system32\Idepdhia.exe 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Iokdaa32.exe C:\Windows\system32\Iokdaa32.exe 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Ieelnkpd.exe C:\Windows\system32\Ieelnkpd.exe 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Jffhec32.exe C:\Windows\system32\Jffhec32.exe 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Jmpqbnmp.exe C:\Windows\system32\Jmpqbnmp.exe 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Jdjioh32.exe C:\Windows\system32\Jdjioh32.exe 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Jmbnhm32.exe C:\Windows\system32\Jmbnhm32.exe 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Jdmfdgbj.exe C:\Windows\system32\Jdmfdgbj.exe 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Jiinmnaa.exe C:\Windows\system32\Jiinmnaa.exe 18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Jlhjijpe.exe C:\Windows\system32\Jlhjijpe.exe 19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Jbbbed32.exe C:\Windows\system32\Jbbbed32.exe 20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Jilkbn32.exe C:\Windows\system32\Jilkbn32.exe 21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1432 -
C:\Windows\SysWOW64\Jpfcohfk.exe C:\Windows\system32\Jpfcohfk.exe 22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Jbdokceo.exe C:\Windows\system32\Jbdokceo.exe 23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
C:\Windows\SysWOW64\Jeblgodb.exe C:\Windows\system32\Jeblgodb.exe 24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224 -
C:\Windows\SysWOW64\Jhahcjcf.exe C:\Windows\system32\Jhahcjcf.exe 25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Kbflqccl.exe C:\Windows\system32\Kbflqccl.exe 26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Keehmobp.exe C:\Windows\system32\Keehmobp.exe 27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Kkaaee32.exe C:\Windows\system32\Kkaaee32.exe 28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Kegebn32.exe C:\Windows\system32\Kegebn32.exe 29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Kdjenkgh.exe C:\Windows\system32\Kdjenkgh.exe 30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Knbjgq32.exe C:\Windows\system32\Knbjgq32.exe 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Kgknpfdi.exe C:\Windows\system32\Kgknpfdi.exe 32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Kobfqc32.exe C:\Windows\system32\Kobfqc32.exe 33⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Kdooij32.exe C:\Windows\system32\Kdooij32.exe 34⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Kgmkef32.exe C:\Windows\system32\Kgmkef32.exe 35⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Kkigfdjo.exe C:\Windows\system32\Kkigfdjo.exe 36⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Kdakoj32.exe C:\Windows\system32\Kdakoj32.exe 37⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Lphlck32.exe C:\Windows\system32\Lphlck32.exe 38⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Lcfhpf32.exe C:\Windows\system32\Lcfhpf32.exe 39⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Lgbdpena.exe C:\Windows\system32\Lgbdpena.exe 40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Lnlmmo32.exe C:\Windows\system32\Lnlmmo32.exe 41⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Llainlje.exe C:\Windows\system32\Llainlje.exe 42⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Lpmeojbo.exe C:\Windows\system32\Lpmeojbo.exe 43⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Lfingaaf.exe C:\Windows\system32\Lfingaaf.exe 44⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Llcfck32.exe C:\Windows\system32\Llcfck32.exe 45⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Lflklaoc.exe C:\Windows\system32\Lflklaoc.exe 46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Ldokhn32.exe C:\Windows\system32\Ldokhn32.exe 47⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Lkhcdhmk.exe C:\Windows\system32\Lkhcdhmk.exe 48⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Lngpac32.exe C:\Windows\system32\Lngpac32.exe 49⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Mfngbq32.exe C:\Windows\system32\Mfngbq32.exe 50⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Mdahnmck.exe C:\Windows\system32\Mdahnmck.exe 51⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Mkkpjg32.exe C:\Windows\system32\Mkkpjg32.exe 52⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Moflkfca.exe C:\Windows\system32\Moflkfca.exe 53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Mbehgabe.exe C:\Windows\system32\Mbehgabe.exe 54⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Mdcdcmai.exe C:\Windows\system32\Mdcdcmai.exe 55⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Mgaqohql.exe C:\Windows\system32\Mgaqohql.exe 56⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Mnlilb32.exe C:\Windows\system32\Mnlilb32.exe 57⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Mqjehngm.exe C:\Windows\system32\Mqjehngm.exe 58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Mdeaim32.exe C:\Windows\system32\Mdeaim32.exe 59⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Mkpieggc.exe C:\Windows\system32\Mkpieggc.exe 60⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Mqlbnnej.exe C:\Windows\system32\Mqlbnnej.exe 61⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Mdhnnl32.exe C:\Windows\system32\Mdhnnl32.exe 62⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Mgfjjh32.exe C:\Windows\system32\Mgfjjh32.exe 63⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Mnpbgbdd.exe C:\Windows\system32\Mnpbgbdd.exe 64⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Mmcbbo32.exe C:\Windows\system32\Mmcbbo32.exe 65⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Mpaoojjb.exe C:\Windows\system32\Mpaoojjb.exe 66⤵
PID:820 -
C:\Windows\SysWOW64\Mflgkd32.exe C:\Windows\system32\Mflgkd32.exe 67⤵
PID:924 -
C:\Windows\SysWOW64\Nijcgp32.exe C:\Windows\system32\Nijcgp32.exe 68⤵
PID:264 -
C:\Windows\SysWOW64\Nqakim32.exe C:\Windows\system32\Nqakim32.exe 69⤵
PID:3036 -
C:\Windows\SysWOW64\Ncpgeh32.exe C:\Windows\system32\Ncpgeh32.exe 70⤵
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Nfncad32.exe C:\Windows\system32\Nfncad32.exe 71⤵
PID:3044 -
C:\Windows\SysWOW64\Nilpmo32.exe C:\Windows\system32\Nilpmo32.exe 72⤵
PID:2772 -
C:\Windows\SysWOW64\Nmhlnngi.exe C:\Windows\system32\Nmhlnngi.exe 73⤵
PID:2672 -
C:\Windows\SysWOW64\Nlklik32.exe C:\Windows\system32\Nlklik32.exe 74⤵
PID:1656 -
C:\Windows\SysWOW64\Ncbdjhnf.exe C:\Windows\system32\Ncbdjhnf.exe 75⤵
PID:1776 -
C:\Windows\SysWOW64\Nfppfcmj.exe C:\Windows\system32\Nfppfcmj.exe 76⤵
PID:2512 -
C:\Windows\SysWOW64\Necqbp32.exe C:\Windows\system32\Necqbp32.exe 77⤵
PID:2892 -
C:\Windows\SysWOW64\Nlmiojla.exe C:\Windows\system32\Nlmiojla.exe 78⤵
PID:2504 -
C:\Windows\SysWOW64\Npieoi32.exe C:\Windows\system32\Npieoi32.exe 79⤵
PID:2300 -
C:\Windows\SysWOW64\Nnkekfkd.exe C:\Windows\system32\Nnkekfkd.exe 80⤵
PID:2068 -
C:\Windows\SysWOW64\Nfbmlckg.exe C:\Windows\system32\Nfbmlckg.exe 81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Nhdjdk32.exe C:\Windows\system32\Nhdjdk32.exe 82⤵
PID:2552 -
C:\Windows\SysWOW64\Nloedjin.exe C:\Windows\system32\Nloedjin.exe 83⤵
PID:2308 -
C:\Windows\SysWOW64\Nnnbqeib.exe C:\Windows\system32\Nnnbqeib.exe 84⤵
PID:2020 -
C:\Windows\SysWOW64\Nehjmppo.exe C:\Windows\system32\Nehjmppo.exe 85⤵
PID:1368 -
C:\Windows\SysWOW64\Nhffikob.exe C:\Windows\system32\Nhffikob.exe 86⤵
PID:2260 -
C:\Windows\SysWOW64\Njdbefnf.exe C:\Windows\system32\Njdbefnf.exe 87⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Naokbq32.exe C:\Windows\system32\Naokbq32.exe 88⤵
PID:1976 -
C:\Windows\SysWOW64\Odmgnl32.exe C:\Windows\system32\Odmgnl32.exe 89⤵
PID:2368 -
C:\Windows\SysWOW64\Ojgokflc.exe C:\Windows\system32\Ojgokflc.exe 90⤵
PID:2424 -
C:\Windows\SysWOW64\Omekgakg.exe C:\Windows\system32\Omekgakg.exe 91⤵
PID:2920 -
C:\Windows\SysWOW64\Oelcho32.exe C:\Windows\system32\Oelcho32.exe 92⤵
PID:2760 -
C:\Windows\SysWOW64\Ohkpdj32.exe C:\Windows\system32\Ohkpdj32.exe 93⤵
PID:1456 -
C:\Windows\SysWOW64\Ojilqf32.exe C:\Windows\system32\Ojilqf32.exe 94⤵
PID:2444 -
C:\Windows\SysWOW64\Onehadbj.exe C:\Windows\system32\Onehadbj.exe 95⤵
PID:2196 -
C:\Windows\SysWOW64\Ohmljj32.exe C:\Windows\system32\Ohmljj32.exe 96⤵
PID:2636 -
C:\Windows\SysWOW64\Ojlife32.exe C:\Windows\system32\Ojlife32.exe 97⤵
PID:2620 -
C:\Windows\SysWOW64\Oaeacppk.exe C:\Windows\system32\Oaeacppk.exe 98⤵
PID:852 -
C:\Windows\SysWOW64\Ophanl32.exe C:\Windows\system32\Ophanl32.exe 99⤵
PID:1628 -
C:\Windows\SysWOW64\Obgmjh32.exe C:\Windows\system32\Obgmjh32.exe 100⤵
PID:2296 -
C:\Windows\SysWOW64\Ojnelefl.exe C:\Windows\system32\Ojnelefl.exe 101⤵
PID:2360 -
C:\Windows\SysWOW64\Omlahqeo.exe C:\Windows\system32\Omlahqeo.exe 102⤵
PID:2700 -
C:\Windows\SysWOW64\Opkndldc.exe C:\Windows\system32\Opkndldc.exe 103⤵
PID:2720 -
C:\Windows\SysWOW64\Obijpgcf.exe C:\Windows\system32\Obijpgcf.exe 104⤵
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\Oicbma32.exe C:\Windows\system32\Oicbma32.exe 105⤵
PID:1500 -
C:\Windows\SysWOW64\Plaoim32.exe C:\Windows\system32\Plaoim32.exe 106⤵
PID:2144 -
C:\Windows\SysWOW64\Pbkgegad.exe C:\Windows\system32\Pbkgegad.exe 107⤵
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Pieobaiq.exe C:\Windows\system32\Pieobaiq.exe 108⤵
PID:696 -
C:\Windows\SysWOW64\Ppogok32.exe C:\Windows\system32\Ppogok32.exe 109⤵
PID:880 -
C:\Windows\SysWOW64\Pbnckg32.exe C:\Windows\system32\Pbnckg32.exe 110⤵
PID:1720 -
C:\Windows\SysWOW64\Pelpgb32.exe C:\Windows\system32\Pelpgb32.exe 111⤵
- Drops file in System32 directory
PID:984 -
C:\Windows\SysWOW64\Plfhdlfb.exe C:\Windows\system32\Plfhdlfb.exe 112⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Poddphee.exe C:\Windows\system32\Poddphee.exe 113⤵
PID:2352 -
C:\Windows\SysWOW64\Pbppqf32.exe C:\Windows\system32\Pbppqf32.exe 114⤵
PID:2756 -
C:\Windows\SysWOW64\Peolmb32.exe C:\Windows\system32\Peolmb32.exe 115⤵
PID:2980 -
C:\Windows\SysWOW64\Phmiimlf.exe C:\Windows\system32\Phmiimlf.exe 116⤵
PID:928 -
C:\Windows\SysWOW64\Pogaeg32.exe C:\Windows\system32\Pogaeg32.exe 117⤵
PID:2492 -
C:\Windows\SysWOW64\Paemac32.exe C:\Windows\system32\Paemac32.exe 118⤵
PID:2208 -
C:\Windows\SysWOW64\Peaibajp.exe C:\Windows\system32\Peaibajp.exe 119⤵
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Pknakhig.exe C:\Windows\system32\Pknakhig.exe 120⤵
PID:1980 -
C:\Windows\SysWOW64\Poinkg32.exe C:\Windows\system32\Poinkg32.exe 121⤵
PID:1584 -
C:\Windows\SysWOW64\Ppjjcogn.exe C:\Windows\system32\Ppjjcogn.exe 122⤵
- Drops file in System32 directory
PID:2364
-