Analysis
-
max time kernel
33s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 17:45
Behavioral task
behavioral1
Sample
61f3c78842d30d34fd8017dd0a8ae4a91fae4862475362b1d09b514aee12401aN.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
61f3c78842d30d34fd8017dd0a8ae4a91fae4862475362b1d09b514aee12401aN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
61f3c78842d30d34fd8017dd0a8ae4a91fae4862475362b1d09b514aee12401aN.exe
-
Size
128KB
-
MD5
db0917ff69a8c73a16b7caa06cb97250
-
SHA1
c3b688c840c99026f0f7ce27bd804247af92790f
-
SHA256
61f3c78842d30d34fd8017dd0a8ae4a91fae4862475362b1d09b514aee12401a
-
SHA512
c7fd6f5ba5d14480763b5af0066ca59f531e46b703955f43c0ec9a40ea911f3734bdb20ed43d31e2435558d0d804c71c95b0e493b0ff6063884d38bc1fa56060
-
SSDEEP
1536:jnUJ+TkVpaSn+L31GQ2emzHfQ2bMviYgAa0ZGbwZG9o1nFzz3yjCQRawEDAJB8g:j/keSn+LvdVeMvr/Gbwf1nFzwSAJB8g
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihhjjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmhhcaik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkcjlhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkiikm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djddbkck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqiakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhbhecjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hngbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gepgni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoflpbmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mibeofaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkcehkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhgeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mchmblji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchmblji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcgkeonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bimbbhgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbmnfajm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpqaanqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lanmde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgalnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaghcjhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idjjih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaaeegkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiegpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghjjoeei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdnjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcafbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oofpgolq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Behpcefk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkoikcaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghlell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gohjnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lakqoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obdlcjkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcjbfbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfnchd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpcngnob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Likbpceb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofkoijhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indkgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpgae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilfbpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djfagjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coqaknog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcaahofh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbmggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmcimq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnllcoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjkneb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeeeeehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efdohq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lheilofe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoflpbmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjikh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfcfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joohmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccinnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbebcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkahbkgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmbfoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qibjjgag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blelpeoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkmeo32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2920 Jpdibapb.exe 2900 Jmhile32.exe 2464 Jcaahofh.exe 2700 Kopldl32.exe 2832 Kaaeegkc.exe 2728 Ldangbhd.exe 1580 Lddjmb32.exe 2628 Lcignoki.exe 1744 Lejppj32.exe 2764 Lihifhoq.exe 2992 Mknohpqj.exe 2544 Mkplnp32.exe 1016 Ncnmhajo.exe 2384 Njjbjk32.exe 2344 Nbegonmd.exe 1952 Ncdciq32.exe 2552 Nmmgafjh.exe 2172 Odjikh32.exe 3064 Oemfahcn.exe 1484 Omhjejai.exe 1748 Omjgkjof.exe 2016 Ommdqi32.exe 2320 Pjqdjn32.exe 568 Pmamliin.exe 2488 Pbnfdpge.exe 696 Ppbfmdfo.exe 1720 Pmmppm32.exe 2788 Qjqqianh.exe 2060 Amaiklki.exe 3044 Amfcfk32.exe 2856 Abbknb32.exe 2272 Aecdpmbm.exe 952 Bdpgai32.exe 2428 Bnhljnhm.exe 1164 Colegflh.exe 2468 Ccinnd32.exe 1076 Cbokoa32.exe 2368 Cobkhe32.exe 1768 Cqfdem32.exe 2840 Dqiakm32.exe 2548 Dknehe32.exe 2632 Dcijmhdj.exe 2164 Dihojnqo.exe 1008 Dflpdb32.exe 1784 Ebcqicem.exe 2916 Emieflec.exe 1300 Eedijo32.exe 1816 Epinhg32.exe 548 Eibbqmhd.exe 2744 Ebjfiboe.exe 1604 Ejeknelp.exe 2928 Ecnpgj32.exe 2960 Fabppo32.exe 2828 Fjjeid32.exe 2296 Fpijgk32.exe 2440 Fefboabg.exe 2588 Fooghg32.exe 540 Fehodaqd.exe 2192 Fblpnepn.exe 1488 Gocpcfeb.exe 2204 Ghlell32.exe 2520 Gdbeqmag.exe 2460 Gohjnf32.exe 560 Ghpngkhm.exe -
Loads dropped DLL 64 IoCs
pid Process 1996 61f3c78842d30d34fd8017dd0a8ae4a91fae4862475362b1d09b514aee12401aN.exe 1996 61f3c78842d30d34fd8017dd0a8ae4a91fae4862475362b1d09b514aee12401aN.exe 2920 Jpdibapb.exe 2920 Jpdibapb.exe 2900 Jmhile32.exe 2900 Jmhile32.exe 2464 Jcaahofh.exe 2464 Jcaahofh.exe 2700 Kopldl32.exe 2700 Kopldl32.exe 2832 Kaaeegkc.exe 2832 Kaaeegkc.exe 2728 Ldangbhd.exe 2728 Ldangbhd.exe 1580 Lddjmb32.exe 1580 Lddjmb32.exe 2628 Lcignoki.exe 2628 Lcignoki.exe 1744 Lejppj32.exe 1744 Lejppj32.exe 2764 Lihifhoq.exe 2764 Lihifhoq.exe 2992 Mknohpqj.exe 2992 Mknohpqj.exe 2544 Mkplnp32.exe 2544 Mkplnp32.exe 1016 Ncnmhajo.exe 1016 Ncnmhajo.exe 2384 Njjbjk32.exe 2384 Njjbjk32.exe 2344 Nbegonmd.exe 2344 Nbegonmd.exe 1952 Ncdciq32.exe 1952 Ncdciq32.exe 2552 Nmmgafjh.exe 2552 Nmmgafjh.exe 2172 Odjikh32.exe 2172 Odjikh32.exe 3064 Oemfahcn.exe 3064 Oemfahcn.exe 1484 Omhjejai.exe 1484 Omhjejai.exe 1748 Omjgkjof.exe 1748 Omjgkjof.exe 2016 Ommdqi32.exe 2016 Ommdqi32.exe 2320 Pjqdjn32.exe 2320 Pjqdjn32.exe 568 Pmamliin.exe 568 Pmamliin.exe 2488 Pbnfdpge.exe 2488 Pbnfdpge.exe 2540 Pbcooo32.exe 2540 Pbcooo32.exe 1720 Pmmppm32.exe 1720 Pmmppm32.exe 2788 Qjqqianh.exe 2788 Qjqqianh.exe 2060 Amaiklki.exe 2060 Amaiklki.exe 3044 Amfcfk32.exe 3044 Amfcfk32.exe 2856 Abbknb32.exe 2856 Abbknb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ghliap32.dll Jigmeagl.exe File opened for modification C:\Windows\SysWOW64\Mojmbg32.exe Mkihfi32.exe File created C:\Windows\SysWOW64\Oclilliq.dll Qgeckn32.exe File opened for modification C:\Windows\SysWOW64\Indkgm32.exe Ihgcof32.exe File created C:\Windows\SysWOW64\Jjddkg32.dll Ldangbhd.exe File created C:\Windows\SysWOW64\Fibqhibd.exe Fpjlpclc.exe File created C:\Windows\SysWOW64\Lbcclpol.dll Inbobn32.exe File created C:\Windows\SysWOW64\Dfnalqca.dll Jpdibapb.exe File created C:\Windows\SysWOW64\Qcmkoiee.dll Dihojnqo.exe File created C:\Windows\SysWOW64\Lfehmgfd.dll Hgpgae32.exe File created C:\Windows\SysWOW64\Mojmbg32.exe Mkihfi32.exe File created C:\Windows\SysWOW64\Bbamec32.dll Cocnanmd.exe File opened for modification C:\Windows\SysWOW64\Ghndjd32.exe Gepgni32.exe File opened for modification C:\Windows\SysWOW64\Epinhg32.exe Eedijo32.exe File created C:\Windows\SysWOW64\Cbbfhncl.dll Lakqoe32.exe File created C:\Windows\SysWOW64\Eejgkg32.dll Igpcpi32.exe File opened for modification C:\Windows\SysWOW64\Pobhfl32.exe Pncllifp.exe File created C:\Windows\SysWOW64\Dhgjjgoq.dll Hccbnhla.exe File created C:\Windows\SysWOW64\Indiodbh.exe Icnealbb.exe File opened for modification C:\Windows\SysWOW64\Fbebcp32.exe Fngjmb32.exe File opened for modification C:\Windows\SysWOW64\Ipedihgm.exe Igmppcpm.exe File created C:\Windows\SysWOW64\Omccmkee.dll Ghjjoeei.exe File created C:\Windows\SysWOW64\Lqicio32.dll Colegflh.exe File opened for modification C:\Windows\SysWOW64\Jnfbcg32.exe Jncenh32.exe File created C:\Windows\SysWOW64\Qogcek32.dll Lheilofe.exe File opened for modification C:\Windows\SysWOW64\Pbienj32.exe Oeeeeehe.exe File created C:\Windows\SysWOW64\Mkihfi32.exe Lblflgqk.exe File created C:\Windows\SysWOW64\Ecnbpcje.exe Ekcmkamj.exe File opened for modification C:\Windows\SysWOW64\Jlqniihl.exe Jchjqc32.exe File opened for modification C:\Windows\SysWOW64\Benpik32.exe Blelpeoa.exe File created C:\Windows\SysWOW64\Fabppo32.exe Ecnpgj32.exe File created C:\Windows\SysWOW64\Kjgoaflj.exe Kaojiqej.exe File opened for modification C:\Windows\SysWOW64\Bfliqmjg.exe Bmdehgcf.exe File created C:\Windows\SysWOW64\Dnmdmj32.exe Dpicceon.exe File opened for modification C:\Windows\SysWOW64\Fbjeao32.exe Fibqhibd.exe File created C:\Windows\SysWOW64\Gocpcfeb.exe Fblpnepn.exe File created C:\Windows\SysWOW64\Pidgnc32.exe Pfekbg32.exe File created C:\Windows\SysWOW64\Hadged32.dll Hcohbh32.exe File opened for modification C:\Windows\SysWOW64\Lakqoe32.exe Lkahbkgk.exe File created C:\Windows\SysWOW64\Efknddjn.dll Pbienj32.exe File created C:\Windows\SysWOW64\Gpolcg32.dll Bbmggp32.exe File created C:\Windows\SysWOW64\Ppbfmdfo.exe Pbnfdpge.exe File created C:\Windows\SysWOW64\Blelpeoa.exe Bbmggp32.exe File created C:\Windows\SysWOW64\Pfekbg32.exe Ogpnakfp.exe File opened for modification C:\Windows\SysWOW64\Dpggnfap.exe Chkbjc32.exe File opened for modification C:\Windows\SysWOW64\Lkahbkgk.exe Ldgpea32.exe File created C:\Windows\SysWOW64\Fngjmb32.exe Fijadk32.exe File created C:\Windows\SysWOW64\Pcahga32.exe Pmgpjgph.exe File created C:\Windows\SysWOW64\Pjkpckob.exe Pcahga32.exe File opened for modification C:\Windows\SysWOW64\Boohgk32.exe Ajqoqm32.exe File opened for modification C:\Windows\SysWOW64\Jqonjmbn.exe Jdhmel32.exe File created C:\Windows\SysWOW64\Ibbbhe32.dll Behpcefk.exe File opened for modification C:\Windows\SysWOW64\Ejeknelp.exe Ebjfiboe.exe File created C:\Windows\SysWOW64\Jjhecdda.dll Fehodaqd.exe File created C:\Windows\SysWOW64\Idmkjp32.dll Lebcdd32.exe File created C:\Windows\SysWOW64\Canhcacd.dll Pghklq32.exe File opened for modification C:\Windows\SysWOW64\Qipmdhcj.exe Pbfehn32.exe File created C:\Windows\SysWOW64\Lnikgnhe.dll Coqaknog.exe File opened for modification C:\Windows\SysWOW64\Gdbeqmag.exe Ghlell32.exe File created C:\Windows\SysWOW64\Hkngbj32.exe Hddoep32.exe File created C:\Windows\SysWOW64\Mcafbm32.exe Lmdnjf32.exe File opened for modification C:\Windows\SysWOW64\Pcokaa32.exe Pghklq32.exe File created C:\Windows\SysWOW64\Bmdehgcf.exe Behpcefk.exe File created C:\Windows\SysWOW64\Kaaeegkc.exe Kopldl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3892 3908 WerFault.exe 327 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkkdqmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidgnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgpjpnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamhdckg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaaeegkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghagjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liohhbno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkihfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcoal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejppj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkcjlhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqonjmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbmnfajm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbnfdpge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoncgpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lebcdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdlcjkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micnbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djddbkck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipedihgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanmde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocoobngl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpmbgaid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feeldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indkgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaeeoihj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmcimq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coqaknog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocnanmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqnlpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcjbfbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aelgdhei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgcec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoflpbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlqniihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqdong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iniebmfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfcfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqiakm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epinhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blelpeoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjikh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofkoijhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fallil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnfbcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbebcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilaieljl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncplfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lihifhoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhljnhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iolohhpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnealbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gocpcfeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdbeqmag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jigmeagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allbpqcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mknohpqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhjejai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcaiqfib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdqmeke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjqqianh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aabhiikm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbienj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blhifemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elfakg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcignoki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfjjigo.dll" Ofkoijhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lblflgqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boohgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Likbpceb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obdlcjkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Micnbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glgcec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofnglhg.dll" Ncdciq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godaagfg.dll" Lanmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfpol32.dll" Odpljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chafpfqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbgqbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linmmf32.dll" Mojmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pojfinhh.dll" Mknohpqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maieqidm.dll" Icnealbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmgpjgph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkihfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoflpbmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fngjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgkqq32.dll" Ilfbpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkcjlhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bimbbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jehmda32.dll" Ipedihgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjddkg32.dll" Ldangbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcabebjh.dll" Iolohhpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iniekbig.dll" Mgalnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jknlfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cebfcj32.dll" Gncblo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gaghcjhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmhhcaik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlkmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdicgof.dll" Hdgkkppm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iolohhpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceapdem.dll" Kpqaanqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmbfoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmefcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjgoaflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omccmkee.dll" Ghjjoeei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldangbhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efglmpbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilaieljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odkkdqmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihgcof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ommdqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igpcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjoef32.dll" Jnnehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifflnb32.dll" Nlkmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkjfq32.dll" Fngjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklmip32.dll" Pcahga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meecojqp.dll" Fpjlpclc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lihifhoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odjikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghpngkhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjkneb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpndlobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqfgpkij.dll" Lmdnjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpledf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomflmlg.dll" Qmoone32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpigeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllgeipk.dll" Pmamliin.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1996 wrote to memory of 2920 1996 61f3c78842d30d34fd8017dd0a8ae4a91fae4862475362b1d09b514aee12401aN.exe 29 PID 1996 wrote to memory of 2920 1996 61f3c78842d30d34fd8017dd0a8ae4a91fae4862475362b1d09b514aee12401aN.exe 29 PID 1996 wrote to memory of 2920 1996 61f3c78842d30d34fd8017dd0a8ae4a91fae4862475362b1d09b514aee12401aN.exe 29 PID 1996 wrote to memory of 2920 1996 61f3c78842d30d34fd8017dd0a8ae4a91fae4862475362b1d09b514aee12401aN.exe 29 PID 2920 wrote to memory of 2900 2920 Jpdibapb.exe 30 PID 2920 wrote to memory of 2900 2920 Jpdibapb.exe 30 PID 2920 wrote to memory of 2900 2920 Jpdibapb.exe 30 PID 2920 wrote to memory of 2900 2920 Jpdibapb.exe 30 PID 2900 wrote to memory of 2464 2900 Jmhile32.exe 31 PID 2900 wrote to memory of 2464 2900 Jmhile32.exe 31 PID 2900 wrote to memory of 2464 2900 Jmhile32.exe 31 PID 2900 wrote to memory of 2464 2900 Jmhile32.exe 31 PID 2464 wrote to memory of 2700 2464 Jcaahofh.exe 32 PID 2464 wrote to memory of 2700 2464 Jcaahofh.exe 32 PID 2464 wrote to memory of 2700 2464 Jcaahofh.exe 32 PID 2464 wrote to memory of 2700 2464 Jcaahofh.exe 32 PID 2700 wrote to memory of 2832 2700 Kopldl32.exe 33 PID 2700 wrote to memory of 2832 2700 Kopldl32.exe 33 PID 2700 wrote to memory of 2832 2700 Kopldl32.exe 33 PID 2700 wrote to memory of 2832 2700 Kopldl32.exe 33 PID 2832 wrote to memory of 2728 2832 Kaaeegkc.exe 34 PID 2832 wrote to memory of 2728 2832 Kaaeegkc.exe 34 PID 2832 wrote to memory of 2728 2832 Kaaeegkc.exe 34 PID 2832 wrote to memory of 2728 2832 Kaaeegkc.exe 34 PID 2728 wrote to memory of 1580 2728 Ldangbhd.exe 35 PID 2728 wrote to memory of 1580 2728 Ldangbhd.exe 35 PID 2728 wrote to memory of 1580 2728 Ldangbhd.exe 35 PID 2728 wrote to memory of 1580 2728 Ldangbhd.exe 35 PID 1580 wrote to memory of 2628 1580 Lddjmb32.exe 36 PID 1580 wrote to memory of 2628 1580 Lddjmb32.exe 36 PID 1580 wrote to memory of 2628 1580 Lddjmb32.exe 36 PID 1580 wrote to memory of 2628 1580 Lddjmb32.exe 36 PID 2628 wrote to memory of 1744 2628 Lcignoki.exe 37 PID 2628 wrote to memory of 1744 2628 Lcignoki.exe 37 PID 2628 wrote to memory of 1744 2628 Lcignoki.exe 37 PID 2628 wrote to memory of 1744 2628 Lcignoki.exe 37 PID 1744 wrote to memory of 2764 1744 Lejppj32.exe 38 PID 1744 wrote to memory of 2764 1744 Lejppj32.exe 38 PID 1744 wrote to memory of 2764 1744 Lejppj32.exe 38 PID 1744 wrote to memory of 2764 1744 Lejppj32.exe 38 PID 2764 wrote to memory of 2992 2764 Lihifhoq.exe 39 PID 2764 wrote to memory of 2992 2764 Lihifhoq.exe 39 PID 2764 wrote to memory of 2992 2764 Lihifhoq.exe 39 PID 2764 wrote to memory of 2992 2764 Lihifhoq.exe 39 PID 2992 wrote to memory of 2544 2992 Mknohpqj.exe 40 PID 2992 wrote to memory of 2544 2992 Mknohpqj.exe 40 PID 2992 wrote to memory of 2544 2992 Mknohpqj.exe 40 PID 2992 wrote to memory of 2544 2992 Mknohpqj.exe 40 PID 2544 wrote to memory of 1016 2544 Mkplnp32.exe 41 PID 2544 wrote to memory of 1016 2544 Mkplnp32.exe 41 PID 2544 wrote to memory of 1016 2544 Mkplnp32.exe 41 PID 2544 wrote to memory of 1016 2544 Mkplnp32.exe 41 PID 1016 wrote to memory of 2384 1016 Ncnmhajo.exe 42 PID 1016 wrote to memory of 2384 1016 Ncnmhajo.exe 42 PID 1016 wrote to memory of 2384 1016 Ncnmhajo.exe 42 PID 1016 wrote to memory of 2384 1016 Ncnmhajo.exe 42 PID 2384 wrote to memory of 2344 2384 Njjbjk32.exe 43 PID 2384 wrote to memory of 2344 2384 Njjbjk32.exe 43 PID 2384 wrote to memory of 2344 2384 Njjbjk32.exe 43 PID 2384 wrote to memory of 2344 2384 Njjbjk32.exe 43 PID 2344 wrote to memory of 1952 2344 Nbegonmd.exe 44 PID 2344 wrote to memory of 1952 2344 Nbegonmd.exe 44 PID 2344 wrote to memory of 1952 2344 Nbegonmd.exe 44 PID 2344 wrote to memory of 1952 2344 Nbegonmd.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\61f3c78842d30d34fd8017dd0a8ae4a91fae4862475362b1d09b514aee12401aN.exe"C:\Users\Admin\AppData\Local\Temp\61f3c78842d30d34fd8017dd0a8ae4a91fae4862475362b1d09b514aee12401aN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Jpdibapb.exeC:\Windows\system32\Jpdibapb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Jmhile32.exeC:\Windows\system32\Jmhile32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Jcaahofh.exeC:\Windows\system32\Jcaahofh.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Kopldl32.exeC:\Windows\system32\Kopldl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Kaaeegkc.exeC:\Windows\system32\Kaaeegkc.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Ldangbhd.exeC:\Windows\system32\Ldangbhd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Lddjmb32.exeC:\Windows\system32\Lddjmb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Lcignoki.exeC:\Windows\system32\Lcignoki.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Lejppj32.exeC:\Windows\system32\Lejppj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Lihifhoq.exeC:\Windows\system32\Lihifhoq.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Mknohpqj.exeC:\Windows\system32\Mknohpqj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Mkplnp32.exeC:\Windows\system32\Mkplnp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Ncnmhajo.exeC:\Windows\system32\Ncnmhajo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Njjbjk32.exeC:\Windows\system32\Njjbjk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Nbegonmd.exeC:\Windows\system32\Nbegonmd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Ncdciq32.exeC:\Windows\system32\Ncdciq32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Nmmgafjh.exeC:\Windows\system32\Nmmgafjh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Odjikh32.exeC:\Windows\system32\Odjikh32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Oemfahcn.exeC:\Windows\system32\Oemfahcn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Omhjejai.exeC:\Windows\system32\Omhjejai.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Omjgkjof.exeC:\Windows\system32\Omjgkjof.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Ommdqi32.exeC:\Windows\system32\Ommdqi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Pjqdjn32.exeC:\Windows\system32\Pjqdjn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Pmamliin.exeC:\Windows\system32\Pmamliin.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Pbnfdpge.exeC:\Windows\system32\Pbnfdpge.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Ppbfmdfo.exeC:\Windows\system32\Ppbfmdfo.exe27⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Pbcooo32.exeC:\Windows\system32\Pbcooo32.exe28⤵
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Pmmppm32.exeC:\Windows\system32\Pmmppm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Qjqqianh.exeC:\Windows\system32\Qjqqianh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Amaiklki.exeC:\Windows\system32\Amaiklki.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Amfcfk32.exeC:\Windows\system32\Amfcfk32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Abbknb32.exeC:\Windows\system32\Abbknb32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Aecdpmbm.exeC:\Windows\system32\Aecdpmbm.exe34⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Bdpgai32.exeC:\Windows\system32\Bdpgai32.exe35⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Bnhljnhm.exeC:\Windows\system32\Bnhljnhm.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Colegflh.exeC:\Windows\system32\Colegflh.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Ccinnd32.exeC:\Windows\system32\Ccinnd32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Cbokoa32.exeC:\Windows\system32\Cbokoa32.exe39⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Cobkhe32.exeC:\Windows\system32\Cobkhe32.exe40⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Cqfdem32.exeC:\Windows\system32\Cqfdem32.exe41⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Dqiakm32.exeC:\Windows\system32\Dqiakm32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Dknehe32.exeC:\Windows\system32\Dknehe32.exe43⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Dcijmhdj.exeC:\Windows\system32\Dcijmhdj.exe44⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Dihojnqo.exeC:\Windows\system32\Dihojnqo.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Dflpdb32.exeC:\Windows\system32\Dflpdb32.exe46⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Ebcqicem.exeC:\Windows\system32\Ebcqicem.exe47⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Emieflec.exeC:\Windows\system32\Emieflec.exe48⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Eedijo32.exeC:\Windows\system32\Eedijo32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1300 -
C:\Windows\SysWOW64\Epinhg32.exeC:\Windows\system32\Epinhg32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Eibbqmhd.exeC:\Windows\system32\Eibbqmhd.exe51⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Ebjfiboe.exeC:\Windows\system32\Ebjfiboe.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Ejeknelp.exeC:\Windows\system32\Ejeknelp.exe53⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ecnpgj32.exeC:\Windows\system32\Ecnpgj32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Fabppo32.exeC:\Windows\system32\Fabppo32.exe55⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Fjjeid32.exeC:\Windows\system32\Fjjeid32.exe56⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Fpijgk32.exeC:\Windows\system32\Fpijgk32.exe57⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Fefboabg.exeC:\Windows\system32\Fefboabg.exe58⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Fooghg32.exeC:\Windows\system32\Fooghg32.exe59⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Fehodaqd.exeC:\Windows\system32\Fehodaqd.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Fblpnepn.exeC:\Windows\system32\Fblpnepn.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Gocpcfeb.exeC:\Windows\system32\Gocpcfeb.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Windows\SysWOW64\Ghlell32.exeC:\Windows\system32\Ghlell32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Gdbeqmag.exeC:\Windows\system32\Gdbeqmag.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Gohjnf32.exeC:\Windows\system32\Gohjnf32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ghpngkhm.exeC:\Windows\system32\Ghpngkhm.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Gdgoll32.exeC:\Windows\system32\Gdgoll32.exe67⤵PID:1724
-
C:\Windows\SysWOW64\Gkaghf32.exeC:\Windows\system32\Gkaghf32.exe68⤵PID:612
-
C:\Windows\SysWOW64\Hcllmi32.exeC:\Windows\system32\Hcllmi32.exe69⤵PID:2092
-
C:\Windows\SysWOW64\Hnapja32.exeC:\Windows\system32\Hnapja32.exe70⤵PID:1108
-
C:\Windows\SysWOW64\Hcohbh32.exeC:\Windows\system32\Hcohbh32.exe71⤵
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Hjhaob32.exeC:\Windows\system32\Hjhaob32.exe72⤵PID:1548
-
C:\Windows\SysWOW64\Hcaehhnd.exeC:\Windows\system32\Hcaehhnd.exe73⤵PID:2772
-
C:\Windows\SysWOW64\Hjkneb32.exeC:\Windows\system32\Hjkneb32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Hccbnhla.exeC:\Windows\system32\Hccbnhla.exe75⤵
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Hddoep32.exeC:\Windows\system32\Hddoep32.exe76⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Hkngbj32.exeC:\Windows\system32\Hkngbj32.exe77⤵PID:2944
-
C:\Windows\SysWOW64\Hdgkkppm.exeC:\Windows\system32\Hdgkkppm.exe78⤵
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Iolohhpc.exeC:\Windows\system32\Iolohhpc.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Iqnlpq32.exeC:\Windows\system32\Iqnlpq32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1312 -
C:\Windows\SysWOW64\Inaliedk.exeC:\Windows\system32\Inaliedk.exe81⤵PID:1528
-
C:\Windows\SysWOW64\Icnealbb.exeC:\Windows\system32\Icnealbb.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Indiodbh.exeC:\Windows\system32\Indiodbh.exe83⤵PID:2216
-
C:\Windows\SysWOW64\Ifoncgpc.exeC:\Windows\system32\Ifoncgpc.exe84⤵
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Iccnmk32.exeC:\Windows\system32\Iccnmk32.exe85⤵PID:2524
-
C:\Windows\SysWOW64\Iipgeb32.exeC:\Windows\system32\Iipgeb32.exe86⤵PID:1468
-
C:\Windows\SysWOW64\Jbhkngcd.exeC:\Windows\system32\Jbhkngcd.exe87⤵PID:1844
-
C:\Windows\SysWOW64\Jkqpfmje.exeC:\Windows\system32\Jkqpfmje.exe88⤵PID:2284
-
C:\Windows\SysWOW64\Jbkhcg32.exeC:\Windows\system32\Jbkhcg32.exe89⤵PID:2936
-
C:\Windows\SysWOW64\Joohmk32.exeC:\Windows\system32\Joohmk32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848 -
C:\Windows\SysWOW64\Jigmeagl.exeC:\Windows\system32\Jigmeagl.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Jncenh32.exeC:\Windows\system32\Jncenh32.exe92⤵
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Jnfbcg32.exeC:\Windows\system32\Jnfbcg32.exe93⤵
- System Location Discovery: System Language Discovery
PID:1216 -
C:\Windows\SysWOW64\Kpndlobg.exeC:\Windows\system32\Kpndlobg.exe94⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Kpqaanqd.exeC:\Windows\system32\Kpqaanqd.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Kpcngnob.exeC:\Windows\system32\Kpcngnob.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2184 -
C:\Windows\SysWOW64\Likbpceb.exeC:\Windows\system32\Likbpceb.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Lebcdd32.exeC:\Windows\system32\Lebcdd32.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:700 -
C:\Windows\SysWOW64\Lojhmjag.exeC:\Windows\system32\Lojhmjag.exe99⤵PID:1812
-
C:\Windows\SysWOW64\Ldgpea32.exeC:\Windows\system32\Ldgpea32.exe100⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Lkahbkgk.exeC:\Windows\system32\Lkahbkgk.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Lakqoe32.exeC:\Windows\system32\Lakqoe32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Lheilofe.exeC:\Windows\system32\Lheilofe.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Lkcehkeh.exeC:\Windows\system32\Lkcehkeh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2704 -
C:\Windows\SysWOW64\Lanmde32.exeC:\Windows\system32\Lanmde32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Lhgeao32.exeC:\Windows\system32\Lhgeao32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Lmdnjf32.exeC:\Windows\system32\Lmdnjf32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Mcafbm32.exeC:\Windows\system32\Mcafbm32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Mikooghn.exeC:\Windows\system32\Mikooghn.exe109⤵PID:3004
-
C:\Windows\SysWOW64\Minldf32.exeC:\Windows\system32\Minldf32.exe110⤵PID:2376
-
C:\Windows\SysWOW64\Mgalnk32.exeC:\Windows\system32\Mgalnk32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Mhbhecjc.exeC:\Windows\system32\Mhbhecjc.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1672 -
C:\Windows\SysWOW64\Mchmblji.exeC:\Windows\system32\Mchmblji.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740 -
C:\Windows\SysWOW64\Mibeofaf.exeC:\Windows\system32\Mibeofaf.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1736 -
C:\Windows\SysWOW64\Moomgmpm.exeC:\Windows\system32\Moomgmpm.exe115⤵PID:1460
-
C:\Windows\SysWOW64\Meiedg32.exeC:\Windows\system32\Meiedg32.exe116⤵PID:2904
-
C:\Windows\SysWOW64\Noajmlnj.exeC:\Windows\system32\Noajmlnj.exe117⤵PID:2712
-
C:\Windows\SysWOW64\Nhjofbdk.exeC:\Windows\system32\Nhjofbdk.exe118⤵PID:2676
-
C:\Windows\SysWOW64\Ngolgn32.exeC:\Windows\system32\Ngolgn32.exe119⤵PID:2420
-
C:\Windows\SysWOW64\Ndclpb32.exeC:\Windows\system32\Ndclpb32.exe120⤵PID:2988
-
C:\Windows\SysWOW64\Njbanida.exeC:\Windows\system32\Njbanida.exe121⤵PID:1564
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-