Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 00:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe
-
Size
800KB
-
MD5
7043d78c9a08ee55ebd75b8986caef00
-
SHA1
e05d4fd93a2bd9b921c3399ccdb59e828d502104
-
SHA256
70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49
-
SHA512
00ef0260e2acdd412fdd2c1a458bc409f44a10b66ce5b2b47f10f5e2ad0f90d5ec5fd553d815075438a00c2b53d28f69376b6d4ec864b04c0ce764bdc11c4dbd
-
SSDEEP
12288:W1oxueI/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KFHTP7rXFr/+zrWAI5KFum/+S:4m0BmmvFimm0MTP7hm0BmmvK
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpepkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkdffoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djfdob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hegpjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqmnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnapnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icifjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kipmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aognbnkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Feddombd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefqdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imgnjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fadndbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgmdapml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giaidnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmdkjmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahmefdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmhjdiap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elkofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcblan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Momfan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eicpcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgnokgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feggob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnpkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckbpqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkhbgbkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknafhjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pifbjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pioeoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnjoco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdnkdmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppfafcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kijkje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qejpoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgmfgfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikkon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hghillnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkolakkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Haqnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njpihk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bknjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmkcil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcajhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfcabd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkefbcmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oalkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifbdnbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdgic32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1356 Nidmfh32.exe 2484 Nbmaon32.exe 2240 Ofadnq32.exe 2736 Ofcqcp32.exe 2932 Ooabmbbe.exe 2720 Oiffkkbk.exe 2612 Pljlbf32.exe 2592 Phqmgg32.exe 1876 Pgfjhcge.exe 812 Pifbjn32.exe 1144 Qnghel32.exe 1636 Apgagg32.exe 2144 Achjibcl.exe 1536 Alqnah32.exe 1632 Adnpkjde.exe 2164 Bnfddp32.exe 1700 Boljgg32.exe 2852 Bffbdadk.exe 1444 Bcjcme32.exe 776 Bfioia32.exe 2276 Bmbgfkje.exe 236 Cbppnbhm.exe 2088 Cfmhdpnc.exe 1696 Ckjamgmk.exe 536 Cgaaah32.exe 2092 Cnkjnb32.exe 1492 Cjakccop.exe 1744 Cmpgpond.exe 2804 Djdgic32.exe 2224 Dnpciaef.exe 2712 Dhhhbg32.exe 2560 Djfdob32.exe 2360 Dljmlj32.exe 1748 Ddaemh32.exe 808 Dbdehdfc.exe 544 Deenjpcd.exe 1564 Domccejd.exe 1796 Eibgpnjk.exe 2216 Eeiheo32.exe 448 Elcpbigl.exe 1512 Ehjqgjmp.exe 1616 Eabepp32.exe 1692 Einjdb32.exe 1552 Ephbal32.exe 1292 Eipgjaoi.exe 2408 Fdekgjno.exe 2928 Feggob32.exe 1240 Flapkmlj.exe 2172 Feiddbbj.exe 1732 Flclam32.exe 2096 Fpohakbp.exe 2696 Fhjmfnok.exe 2828 Fleifl32.exe 2604 Fabaocfl.exe 3016 Fofbhgde.exe 2272 Fadndbci.exe 316 Gdcjpncm.exe 2028 Goiongbc.exe 1980 Ghacfmic.exe 2868 Gkoobhhg.exe 1804 Gqlhkofn.exe 1640 Ggfpgi32.exe 1584 Gdjqamme.exe 2384 Gfkmie32.exe -
Loads dropped DLL 64 IoCs
pid Process 1756 70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe 1756 70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe 1356 Nidmfh32.exe 1356 Nidmfh32.exe 2484 Nbmaon32.exe 2484 Nbmaon32.exe 2240 Ofadnq32.exe 2240 Ofadnq32.exe 2736 Ofcqcp32.exe 2736 Ofcqcp32.exe 2932 Ooabmbbe.exe 2932 Ooabmbbe.exe 2720 Oiffkkbk.exe 2720 Oiffkkbk.exe 2612 Pljlbf32.exe 2612 Pljlbf32.exe 2592 Phqmgg32.exe 2592 Phqmgg32.exe 1876 Pgfjhcge.exe 1876 Pgfjhcge.exe 812 Pifbjn32.exe 812 Pifbjn32.exe 1144 Qnghel32.exe 1144 Qnghel32.exe 1636 Apgagg32.exe 1636 Apgagg32.exe 2144 Achjibcl.exe 2144 Achjibcl.exe 1536 Alqnah32.exe 1536 Alqnah32.exe 1632 Adnpkjde.exe 1632 Adnpkjde.exe 2164 Bnfddp32.exe 2164 Bnfddp32.exe 1700 Boljgg32.exe 1700 Boljgg32.exe 2852 Bffbdadk.exe 2852 Bffbdadk.exe 1444 Bcjcme32.exe 1444 Bcjcme32.exe 776 Bfioia32.exe 776 Bfioia32.exe 2276 Bmbgfkje.exe 2276 Bmbgfkje.exe 236 Cbppnbhm.exe 236 Cbppnbhm.exe 2088 Cfmhdpnc.exe 2088 Cfmhdpnc.exe 1696 Ckjamgmk.exe 1696 Ckjamgmk.exe 536 Cgaaah32.exe 536 Cgaaah32.exe 2092 Cnkjnb32.exe 2092 Cnkjnb32.exe 1492 Cjakccop.exe 1492 Cjakccop.exe 1744 Cmpgpond.exe 1744 Cmpgpond.exe 2804 Djdgic32.exe 2804 Djdgic32.exe 2224 Dnpciaef.exe 2224 Dnpciaef.exe 2712 Dhhhbg32.exe 2712 Dhhhbg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fefqdl32.exe Fhbpkh32.exe File created C:\Windows\SysWOW64\Gckobc32.dll Gnfkba32.exe File created C:\Windows\SysWOW64\Jbbccgmp.exe Jjkkbjln.exe File created C:\Windows\SysWOW64\Jpbcek32.exe Jjfkmdlg.exe File created C:\Windows\SysWOW64\Apppkekc.exe Agglbp32.exe File opened for modification C:\Windows\SysWOW64\Lhfnkqgk.exe Laleof32.exe File created C:\Windows\SysWOW64\Ifmocb32.exe Hmdkjmip.exe File created C:\Windows\SysWOW64\Djfdob32.exe Dhhhbg32.exe File created C:\Windows\SysWOW64\Gejgei32.dll Djfdob32.exe File opened for modification C:\Windows\SysWOW64\Fgocmc32.exe Fdpgph32.exe File opened for modification C:\Windows\SysWOW64\Hcgmfgfd.exe Hqiqjlga.exe File created C:\Windows\SysWOW64\Jjjdhc32.exe Jbclgf32.exe File opened for modification C:\Windows\SysWOW64\Laleof32.exe Keeeje32.exe File created C:\Windows\SysWOW64\Cdlfik32.dll Paaddgkj.exe File created C:\Windows\SysWOW64\Pddjlb32.exe Pioeoi32.exe File created C:\Windows\SysWOW64\Dnpciaef.exe Djdgic32.exe File opened for modification C:\Windows\SysWOW64\Ijnkifgp.exe Iaegpaao.exe File created C:\Windows\SysWOW64\Pkbnjifp.dll Gockgdeh.exe File opened for modification C:\Windows\SysWOW64\Hmdkjmip.exe Hjfnnajl.exe File created C:\Windows\SysWOW64\Gbmhafee.dll Iakino32.exe File created C:\Windows\SysWOW64\Bfabnl32.exe Bogjaamh.exe File created C:\Windows\SysWOW64\Pifbjn32.exe Pgfjhcge.exe File opened for modification C:\Windows\SysWOW64\Goiongbc.exe Gdcjpncm.exe File opened for modification C:\Windows\SysWOW64\Iknafhjb.exe Iaimipjl.exe File created C:\Windows\SysWOW64\Iclnjd32.dll Domccejd.exe File created C:\Windows\SysWOW64\Obeacl32.exe Omhhke32.exe File opened for modification C:\Windows\SysWOW64\Kgcnahoo.exe Kmkihbho.exe File opened for modification C:\Windows\SysWOW64\Mhhgpc32.exe Mcknhm32.exe File created C:\Windows\SysWOW64\Aamhcmdo.dll Bknjfb32.exe File created C:\Windows\SysWOW64\Dlcdel32.dll Libjncnc.exe File created C:\Windows\SysWOW64\Picojhcm.exe Ppkjac32.exe File created C:\Windows\SysWOW64\Ocfqdk32.dll Fefqdl32.exe File opened for modification C:\Windows\SysWOW64\Jjfkmdlg.exe Iamfdo32.exe File created C:\Windows\SysWOW64\Dfaaak32.dll Jikhnaao.exe File opened for modification C:\Windows\SysWOW64\Apppkekc.exe Agglbp32.exe File opened for modification C:\Windows\SysWOW64\Elibpg32.exe Ebqngb32.exe File opened for modification C:\Windows\SysWOW64\Mgmdapml.exe Mflgih32.exe File created C:\Windows\SysWOW64\Ncbdnb32.dll Iikkon32.exe File created C:\Windows\SysWOW64\Pcaibd32.dll Cjakccop.exe File opened for modification C:\Windows\SysWOW64\Deenjpcd.exe Dbdehdfc.exe File created C:\Windows\SysWOW64\Kablnadm.exe Khjgel32.exe File created C:\Windows\SysWOW64\Qoblpdnf.dll Achjibcl.exe File created C:\Windows\SysWOW64\Mfnokgjk.dll Eabepp32.exe File created C:\Windows\SysWOW64\Jofial32.dll Mphiqbon.exe File created C:\Windows\SysWOW64\Hjmlhbbg.exe Hgnokgcc.exe File created C:\Windows\SysWOW64\Dgnjqe32.exe Dadbdkld.exe File opened for modification C:\Windows\SysWOW64\Bfioia32.exe Bcjcme32.exe File created C:\Windows\SysWOW64\Dcjjhc32.dll Mimpkcdn.exe File opened for modification C:\Windows\SysWOW64\Ncinap32.exe Njpihk32.exe File opened for modification C:\Windows\SysWOW64\Kbpbmkan.exe Kkdnhi32.exe File created C:\Windows\SysWOW64\Lplbjm32.exe Libjncnc.exe File created C:\Windows\SysWOW64\Noihdcih.dll Lnecigcp.exe File opened for modification C:\Windows\SysWOW64\Pddjlb32.exe Pioeoi32.exe File opened for modification C:\Windows\SysWOW64\Ofcqcp32.exe Ofadnq32.exe File created C:\Windows\SysWOW64\Gpajfg32.dll Cnkjnb32.exe File created C:\Windows\SysWOW64\Hpdgka32.dll Ggfpgi32.exe File created C:\Windows\SysWOW64\Ghacfmic.exe Goiongbc.exe File created C:\Windows\SysWOW64\Aljcpg32.dll Gkoobhhg.exe File opened for modification C:\Windows\SysWOW64\Kechdf32.exe Kljdkpfl.exe File opened for modification C:\Windows\SysWOW64\Iaimipjl.exe Injqmdki.exe File created C:\Windows\SysWOW64\Jlfnangf.exe Jigbebhb.exe File created C:\Windows\SysWOW64\Bnapnm32.exe Bhdhefpc.exe File created C:\Windows\SysWOW64\Pnalcc32.dll Hcgmfgfd.exe File created C:\Windows\SysWOW64\Canhhi32.dll Kipmhc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3260 3920 WerFault.exe 324 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffbdadk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghacfmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieofkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aognbnkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckilei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefqdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oioipf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhccm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiffkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcblan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljldnhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifbdnbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmeeepjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmflee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbegbacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lplbjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidmfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obbdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgnjqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkihbho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpohakbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofbhgde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhhke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpeld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjakccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghillnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfoeil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djfdob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkmie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khjgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdehdfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabepp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdppqbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmiag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbnphngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhjdiap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dppigchi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfkmdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khldkllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhjmfnok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfjjdjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmkfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikkon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofadnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgaaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkolakkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opialpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmlhbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklhae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfnangf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kljdkpfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnecigcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknafhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkjnb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdqap32.dll" Ephbal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bolcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efhqmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdnkdmec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdjqamme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfepegb.dll" Epbbkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgcnahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemgfj32.dll" Qdompf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcedad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll" Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckbpqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kijkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbofa32.dll" Lpabpcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahmefdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbdnb32.dll" Iikkon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iaimipjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fleifl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fabaocfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgmdapml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmhjdiap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lddblcik.dll" Ckpckece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiimgf32.dll" Elcpbigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Haqnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmofpf32.dll" Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnokgjk.dll" Eabepp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkdnhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Addfkeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chpmbe32.dll" Hqnjek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhjdd32.dll" Opialpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elibpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojgdjqe.dll" Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igmbgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pioeoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijpfppe.dll" Hadcipbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaogognm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmfmojcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafdibdo.dll" Ajhddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deenjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnnpb32.dll" Eipgjaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Goiongbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imienpig.dll" Gfkmie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apmcefmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilalae32.dll" Fbegbacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fggmldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbonaedo.dll" Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljldnhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omhhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faibdo32.dll" Hklhae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpdidmdg.dll" 70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oiffkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekddecnj.dll" Dhhhbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflomd32.dll" Godaakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kilgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkolakkb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1756 wrote to memory of 1356 1756 70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe 31 PID 1756 wrote to memory of 1356 1756 70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe 31 PID 1756 wrote to memory of 1356 1756 70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe 31 PID 1756 wrote to memory of 1356 1756 70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe 31 PID 1356 wrote to memory of 2484 1356 Nidmfh32.exe 32 PID 1356 wrote to memory of 2484 1356 Nidmfh32.exe 32 PID 1356 wrote to memory of 2484 1356 Nidmfh32.exe 32 PID 1356 wrote to memory of 2484 1356 Nidmfh32.exe 32 PID 2484 wrote to memory of 2240 2484 Nbmaon32.exe 33 PID 2484 wrote to memory of 2240 2484 Nbmaon32.exe 33 PID 2484 wrote to memory of 2240 2484 Nbmaon32.exe 33 PID 2484 wrote to memory of 2240 2484 Nbmaon32.exe 33 PID 2240 wrote to memory of 2736 2240 Ofadnq32.exe 34 PID 2240 wrote to memory of 2736 2240 Ofadnq32.exe 34 PID 2240 wrote to memory of 2736 2240 Ofadnq32.exe 34 PID 2240 wrote to memory of 2736 2240 Ofadnq32.exe 34 PID 2736 wrote to memory of 2932 2736 Ofcqcp32.exe 35 PID 2736 wrote to memory of 2932 2736 Ofcqcp32.exe 35 PID 2736 wrote to memory of 2932 2736 Ofcqcp32.exe 35 PID 2736 wrote to memory of 2932 2736 Ofcqcp32.exe 35 PID 2932 wrote to memory of 2720 2932 Ooabmbbe.exe 36 PID 2932 wrote to memory of 2720 2932 Ooabmbbe.exe 36 PID 2932 wrote to memory of 2720 2932 Ooabmbbe.exe 36 PID 2932 wrote to memory of 2720 2932 Ooabmbbe.exe 36 PID 2720 wrote to memory of 2612 2720 Oiffkkbk.exe 37 PID 2720 wrote to memory of 2612 2720 Oiffkkbk.exe 37 PID 2720 wrote to memory of 2612 2720 Oiffkkbk.exe 37 PID 2720 wrote to memory of 2612 2720 Oiffkkbk.exe 37 PID 2612 wrote to memory of 2592 2612 Pljlbf32.exe 38 PID 2612 wrote to memory of 2592 2612 Pljlbf32.exe 38 PID 2612 wrote to memory of 2592 2612 Pljlbf32.exe 38 PID 2612 wrote to memory of 2592 2612 Pljlbf32.exe 38 PID 2592 wrote to memory of 1876 2592 Phqmgg32.exe 39 PID 2592 wrote to memory of 1876 2592 Phqmgg32.exe 39 PID 2592 wrote to memory of 1876 2592 Phqmgg32.exe 39 PID 2592 wrote to memory of 1876 2592 Phqmgg32.exe 39 PID 1876 wrote to memory of 812 1876 Pgfjhcge.exe 40 PID 1876 wrote to memory of 812 1876 Pgfjhcge.exe 40 PID 1876 wrote to memory of 812 1876 Pgfjhcge.exe 40 PID 1876 wrote to memory of 812 1876 Pgfjhcge.exe 40 PID 812 wrote to memory of 1144 812 Pifbjn32.exe 41 PID 812 wrote to memory of 1144 812 Pifbjn32.exe 41 PID 812 wrote to memory of 1144 812 Pifbjn32.exe 41 PID 812 wrote to memory of 1144 812 Pifbjn32.exe 41 PID 1144 wrote to memory of 1636 1144 Qnghel32.exe 42 PID 1144 wrote to memory of 1636 1144 Qnghel32.exe 42 PID 1144 wrote to memory of 1636 1144 Qnghel32.exe 42 PID 1144 wrote to memory of 1636 1144 Qnghel32.exe 42 PID 1636 wrote to memory of 2144 1636 Apgagg32.exe 43 PID 1636 wrote to memory of 2144 1636 Apgagg32.exe 43 PID 1636 wrote to memory of 2144 1636 Apgagg32.exe 43 PID 1636 wrote to memory of 2144 1636 Apgagg32.exe 43 PID 2144 wrote to memory of 1536 2144 Achjibcl.exe 44 PID 2144 wrote to memory of 1536 2144 Achjibcl.exe 44 PID 2144 wrote to memory of 1536 2144 Achjibcl.exe 44 PID 2144 wrote to memory of 1536 2144 Achjibcl.exe 44 PID 1536 wrote to memory of 1632 1536 Alqnah32.exe 45 PID 1536 wrote to memory of 1632 1536 Alqnah32.exe 45 PID 1536 wrote to memory of 1632 1536 Alqnah32.exe 45 PID 1536 wrote to memory of 1632 1536 Alqnah32.exe 45 PID 1632 wrote to memory of 2164 1632 Adnpkjde.exe 46 PID 1632 wrote to memory of 2164 1632 Adnpkjde.exe 46 PID 1632 wrote to memory of 2164 1632 Adnpkjde.exe 46 PID 1632 wrote to memory of 2164 1632 Adnpkjde.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe"C:\Users\Admin\AppData\Local\Temp\70cc61b13b27d056e489f47f778f361cfba14adadb6f4dcc594a6913f9868b49N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Pgfjhcge.exeC:\Windows\system32\Pgfjhcge.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Qnghel32.exeC:\Windows\system32\Qnghel32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:236 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Djdgic32.exeC:\Windows\system32\Djdgic32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Dhhhbg32.exeC:\Windows\system32\Dhhhbg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Dljmlj32.exeC:\Windows\system32\Dljmlj32.exe34⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe35⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:808 -
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:544 -
C:\Windows\SysWOW64\Domccejd.exeC:\Windows\system32\Domccejd.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe39⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe40⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Ehjqgjmp.exeC:\Windows\system32\Ehjqgjmp.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe44⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe47⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe49⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe50⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe62⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe66⤵
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe67⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe68⤵PID:1800
-
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe69⤵PID:2132
-
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2160 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe71⤵PID:2808
-
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe72⤵PID:2596
-
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe73⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe75⤵PID:2796
-
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1016 -
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe77⤵PID:2784
-
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe81⤵PID:2780
-
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1424 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe83⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe84⤵
- Modifies registry class
PID:496 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe85⤵
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe86⤵PID:2124
-
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe87⤵PID:2844
-
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe89⤵PID:1588
-
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe91⤵PID:1200
-
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe92⤵PID:2916
-
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe93⤵PID:408
-
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe94⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe95⤵
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe96⤵PID:1440
-
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe97⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe98⤵PID:2996
-
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe100⤵PID:2656
-
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe101⤵PID:2556
-
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe102⤵PID:2572
-
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe103⤵PID:3064
-
C:\Windows\SysWOW64\Kalipcmb.exeC:\Windows\system32\Kalipcmb.exe104⤵PID:2364
-
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Kbpbmkan.exeC:\Windows\system32\Kbpbmkan.exe106⤵PID:2148
-
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe108⤵PID:960
-
C:\Windows\SysWOW64\Kilgoe32.exeC:\Windows\system32\Kilgoe32.exe109⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1208 -
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe111⤵PID:2836
-
C:\Windows\SysWOW64\Kcginj32.exeC:\Windows\system32\Kcginj32.exe112⤵PID:2936
-
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe113⤵
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Laleof32.exeC:\Windows\system32\Laleof32.exe114⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Lhfnkqgk.exeC:\Windows\system32\Lhfnkqgk.exe115⤵PID:2036
-
C:\Windows\SysWOW64\Lanbdf32.exeC:\Windows\system32\Lanbdf32.exe116⤵PID:2856
-
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe117⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Lhhkapeh.exeC:\Windows\system32\Lhhkapeh.exe118⤵PID:1212
-
C:\Windows\SysWOW64\Lnecigcp.exeC:\Windows\system32\Lnecigcp.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Lcblan32.exeC:\Windows\system32\Lcblan32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\Ljldnhid.exeC:\Windows\system32\Ljldnhid.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:292
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-