Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/12/2024, 04:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021.exe
-
Size
80KB
-
MD5
edff325243f025760f96ceffbd3690e1
-
SHA1
34cb2fd2168c0b415b5480c2d5f21352f1f764f9
-
SHA256
fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021
-
SHA512
cd6c106c4a3f6eb5393fd24fd1b4666779d9c85a018a58937bfe58bfda31ab38e697e55378a58507940cc4c6f1d66c1779499991df191bf28bb37a337e80d19d
-
SSDEEP
1536:YQAhDmLCyiYZi2o4NdqOAngwmJGRF6ZOJhTIpIAJFeJuqnhCN:3uDmLhi8i2ourZwmJGRF/TEVJFeJLCN
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmcoblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqncaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcpgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nameek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alqnah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcamjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgeaoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jajcdjca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkhldafl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kljabgnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeohkeoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioohokoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhknaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdeqfhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Demofaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eejopecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eaheeecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahnac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opglafab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdgmlhha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkfocaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bccmmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opfbngfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjkgjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aijbfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jofejpmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kokjdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcaiiejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgoboc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opaebkmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmojkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hneeilgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jefpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjdkjpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcacc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iibfajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kofaicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfidjbdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmmfaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifjlcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idicbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhejkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jimbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbhlek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nedhjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omnipjni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oidiekdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdlggg32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1780 Hbknkl32.exe 1744 Heikgh32.exe 2196 Hhhgcc32.exe 2816 Helgmg32.exe 2892 Hfmddp32.exe 2640 Hndlem32.exe 2660 Iabhah32.exe 2732 Idadnd32.exe 1280 Ifoqjo32.exe 2948 Imiigiab.exe 696 Idcacc32.exe 1244 Ifampo32.exe 1608 Iipiljgf.exe 1408 Ipjahd32.exe 2960 Idfnicfl.exe 2560 Iibfajdc.exe 344 Imnbbi32.exe 3032 Iplnnd32.exe 1348 Ioooiack.exe 2020 Ibkkjp32.exe 1268 Ieigfk32.exe 1848 Ihhcbf32.exe 1796 Ilcoce32.exe 2532 Ibmgpoia.exe 1156 Iapgkl32.exe 1588 Iigpli32.exe 2312 Jkhldafl.exe 2720 Jodhdp32.exe 2876 Jkkija32.exe 2768 Jofejpmc.exe 2636 Jepmgj32.exe 2776 Jkmeoa32.exe 2360 Jnkakl32.exe 2492 Jdejhfig.exe 2792 Jgdfdbhk.exe 688 Jkpbdq32.exe 2920 Jaijak32.exe 332 Jdhgnf32.exe 2952 Jkbojpna.exe 2996 Kdjccf32.exe 2148 Kcmcoblm.exe 2200 Kghpoa32.exe 2024 Knbhlkkc.exe 1616 Kpadhg32.exe 1660 Kcopdb32.exe 1912 Khlili32.exe 1540 Kpcqnf32.exe 1708 Kofaicon.exe 1620 Kcamjb32.exe 1736 Kbdmeoob.exe 2072 Kjleflod.exe 2888 Kljabgnh.exe 2772 Kkmand32.exe 2688 Kbgjkn32.exe 2232 Kfbfkmeh.exe 1464 Khabghdl.exe 776 Kkoncdcp.exe 1924 Kokjdb32.exe 1192 Kbigpn32.exe 2040 Kfebambf.exe 2944 Khcomhbi.exe 1764 Kgfoie32.exe 3040 Lomgjb32.exe 2348 Lnpgeopa.exe -
Loads dropped DLL 64 IoCs
pid Process 2544 fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021.exe 2544 fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021.exe 1780 Hbknkl32.exe 1780 Hbknkl32.exe 1744 Heikgh32.exe 1744 Heikgh32.exe 2196 Hhhgcc32.exe 2196 Hhhgcc32.exe 2816 Helgmg32.exe 2816 Helgmg32.exe 2892 Hfmddp32.exe 2892 Hfmddp32.exe 2640 Hndlem32.exe 2640 Hndlem32.exe 2660 Iabhah32.exe 2660 Iabhah32.exe 2732 Idadnd32.exe 2732 Idadnd32.exe 1280 Ifoqjo32.exe 1280 Ifoqjo32.exe 2948 Imiigiab.exe 2948 Imiigiab.exe 696 Idcacc32.exe 696 Idcacc32.exe 1244 Ifampo32.exe 1244 Ifampo32.exe 1608 Iipiljgf.exe 1608 Iipiljgf.exe 1408 Ipjahd32.exe 1408 Ipjahd32.exe 2960 Idfnicfl.exe 2960 Idfnicfl.exe 2560 Iibfajdc.exe 2560 Iibfajdc.exe 344 Imnbbi32.exe 344 Imnbbi32.exe 3032 Iplnnd32.exe 3032 Iplnnd32.exe 1348 Ioooiack.exe 1348 Ioooiack.exe 2020 Ibkkjp32.exe 2020 Ibkkjp32.exe 1268 Ieigfk32.exe 1268 Ieigfk32.exe 1848 Ihhcbf32.exe 1848 Ihhcbf32.exe 1796 Ilcoce32.exe 1796 Ilcoce32.exe 2532 Ibmgpoia.exe 2532 Ibmgpoia.exe 1156 Iapgkl32.exe 1156 Iapgkl32.exe 1588 Iigpli32.exe 1588 Iigpli32.exe 2312 Jkhldafl.exe 2312 Jkhldafl.exe 2720 Jodhdp32.exe 2720 Jodhdp32.exe 2876 Jkkija32.exe 2876 Jkkija32.exe 2768 Jofejpmc.exe 2768 Jofejpmc.exe 2636 Jepmgj32.exe 2636 Jepmgj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Eppcmncq.exe Emagacdm.exe File opened for modification C:\Windows\SysWOW64\Jlkngc32.exe Jmhnkfpa.exe File created C:\Windows\SysWOW64\Kcecbq32.exe Kdbbgdjj.exe File opened for modification C:\Windows\SysWOW64\Mnifja32.exe Mjnjjbbh.exe File created C:\Windows\SysWOW64\Pglabp32.dll Opaebkmc.exe File opened for modification C:\Windows\SysWOW64\Jbefcm32.exe Jpgjgboe.exe File created C:\Windows\SysWOW64\Ohbamn32.dll Jbhcim32.exe File opened for modification C:\Windows\SysWOW64\Oadkej32.exe Onfoin32.exe File opened for modification C:\Windows\SysWOW64\Bjpaop32.exe Bgaebe32.exe File created C:\Windows\SysWOW64\Nbniid32.exe Ndkhngdd.exe File opened for modification C:\Windows\SysWOW64\Plaimk32.exe Pegqpacp.exe File created C:\Windows\SysWOW64\Peedka32.exe Pcghof32.exe File created C:\Windows\SysWOW64\Bgaebe32.exe Bceibfgj.exe File opened for modification C:\Windows\SysWOW64\Dpapaj32.exe Dmbcen32.exe File created C:\Windows\SysWOW64\Kbnclf32.dll Jofejpmc.exe File created C:\Windows\SysWOW64\Kdfkqifa.dll Mpopnejo.exe File opened for modification C:\Windows\SysWOW64\Agpcihcf.exe Qhmcmk32.exe File opened for modification C:\Windows\SysWOW64\Befmfpbi.exe Bajqfq32.exe File created C:\Windows\SysWOW64\Gggpgo32.dll Agjobffl.exe File created C:\Windows\SysWOW64\Idkhmgco.dll Pphkbj32.exe File opened for modification C:\Windows\SysWOW64\Locjhqpa.exe Lldmleam.exe File created C:\Windows\SysWOW64\Ldmffpom.dll Aqmamm32.exe File created C:\Windows\SysWOW64\Lflhon32.dll Opihgfop.exe File created C:\Windows\SysWOW64\Qndkpmkm.exe Qiioon32.exe File created C:\Windows\SysWOW64\Kljabgnh.exe Kjleflod.exe File created C:\Windows\SysWOW64\Hlbhgd32.dll Olophhjd.exe File created C:\Windows\SysWOW64\Aacinhhc.dll Apgagg32.exe File created C:\Windows\SysWOW64\Mfglep32.exe Mbkpeake.exe File created C:\Windows\SysWOW64\Ifhckf32.dll Mkqqnq32.exe File created C:\Windows\SysWOW64\Ingkfk32.dll Aopahjll.exe File opened for modification C:\Windows\SysWOW64\Cjgoje32.exe Bflbigdb.exe File opened for modification C:\Windows\SysWOW64\Gkglnm32.exe Giipab32.exe File created C:\Windows\SysWOW64\Acnenl32.dll Ceebklai.exe File opened for modification C:\Windows\SysWOW64\Jgdfdbhk.exe Jdejhfig.exe File created C:\Windows\SysWOW64\Bbknmg32.dll Kbdmeoob.exe File created C:\Windows\SysWOW64\Dajjmhne.dll Bcmfmlen.exe File opened for modification C:\Windows\SysWOW64\Diaaeepi.exe Dgbeiiqe.exe File created C:\Windows\SysWOW64\Gdmdacnn.exe Gbohehoj.exe File created C:\Windows\SysWOW64\Gepafc32.exe Gqdefddb.exe File created C:\Windows\SysWOW64\Lgmeid32.exe Lcaiiejc.exe File created C:\Windows\SysWOW64\Gloiniaa.dll Lcdfnehp.exe File opened for modification C:\Windows\SysWOW64\Bgdibkam.exe Befmfpbi.exe File created C:\Windows\SysWOW64\Kmimme32.dll Gceailog.exe File created C:\Windows\SysWOW64\Llgjaeoj.exe Lhknaf32.exe File opened for modification C:\Windows\SysWOW64\Objaha32.exe Odgamdef.exe File opened for modification C:\Windows\SysWOW64\Pgfjhcge.exe Pdgmlhha.exe File created C:\Windows\SysWOW64\Pdmnam32.exe Pejmfqan.exe File created C:\Windows\SysWOW64\Ilnmeelc.dll Afjjed32.exe File created C:\Windows\SysWOW64\Cbpdaj32.dll Fgldnkkf.exe File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe Nmfbpk32.exe File created C:\Windows\SysWOW64\Jpebhied.dll Bjbndpmd.exe File created C:\Windows\SysWOW64\Nmcmgm32.exe Njdqka32.exe File created C:\Windows\SysWOW64\Palepb32.exe Pciddedl.exe File created C:\Windows\SysWOW64\Ndmcdl32.dll Ookpodkj.exe File created C:\Windows\SysWOW64\Jeafjiop.exe Jbcjnnpl.exe File created C:\Windows\SysWOW64\Bdpeiada.dll Llgjaeoj.exe File opened for modification C:\Windows\SysWOW64\Plgolf32.exe Phlclgfc.exe File opened for modification C:\Windows\SysWOW64\Helgmg32.exe Hhhgcc32.exe File created C:\Windows\SysWOW64\Pabgjc32.dll Ipjahd32.exe File created C:\Windows\SysWOW64\Jeecim32.dll Ghdgfbkl.exe File opened for modification C:\Windows\SysWOW64\Oidiekdn.exe Oeindm32.exe File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe Cnmfdb32.exe File created C:\Windows\SysWOW64\Niidma32.dll Lmjnak32.exe File created C:\Windows\SysWOW64\Kdlbfien.dll Anjlebjc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7484 7388 WerFault.exe 785 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqcmmjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbpde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogiaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfefgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjhmcok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alihaioe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbndpmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbpnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflbigdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddimn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioohokoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfpabkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gneijien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljnnko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqhfhigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aciqcifh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobnniji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhcegll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdiefffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjcomcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lneaqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgpgjepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daofpchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaheeecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjojef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpgeopa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogknoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecafd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmdeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkmlmbcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjamgmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necogkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohagbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciaefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieomef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnmma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfqmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iflmjihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggkcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplnnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jodhdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaijak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcaiiejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbicoamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajeeeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oijjka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folfoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkngc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhldafl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfacfpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najpll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pomhcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bofgii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbphk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjobffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjlli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmhnjlh.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aciqcifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaijflc.dll" Fhbnbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll" Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epmfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhgaocl.dll" Flfpabkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acfdnihk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acfdnihk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lomgjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dphmloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipnmn32.dll" Jhbold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddmlhaq.dll" Lbcbjlmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjdaldla.dll" Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfamoi32.dll" Dhkkbmnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohiffh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifjlcmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onfoin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgnadk32.dll" Lcomce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bimoloog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqfqioai.dll" Kdbbgdjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgqkbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncfoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npaich32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagina32.dll" Jajcdjca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dombicdm.dll" Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gegfanil.dll" Fpmbfbgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhlga32.dll" Jkpbdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnnefda.dll" Khlili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mleijpbj.dll" Pomhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Manghajd.dll" Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikpibof.dll" Bgdibkam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gblkoham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefkjiak.dll" Gdhkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkiicmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmicfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpdaj32.dll" Fgldnkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmhnkfpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klpdaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpidd32.dll" Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfaflol.dll" Qkfocaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgfoie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnpgeopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pphkbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bejfao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lohccp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okdmjdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfcho32.dll" Cehfkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdojgmfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhkkbmnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eklqcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekeef32.dll" Gqdefddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iapgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkmand32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2544 wrote to memory of 1780 2544 fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021.exe 30 PID 2544 wrote to memory of 1780 2544 fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021.exe 30 PID 2544 wrote to memory of 1780 2544 fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021.exe 30 PID 2544 wrote to memory of 1780 2544 fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021.exe 30 PID 1780 wrote to memory of 1744 1780 Hbknkl32.exe 31 PID 1780 wrote to memory of 1744 1780 Hbknkl32.exe 31 PID 1780 wrote to memory of 1744 1780 Hbknkl32.exe 31 PID 1780 wrote to memory of 1744 1780 Hbknkl32.exe 31 PID 1744 wrote to memory of 2196 1744 Heikgh32.exe 32 PID 1744 wrote to memory of 2196 1744 Heikgh32.exe 32 PID 1744 wrote to memory of 2196 1744 Heikgh32.exe 32 PID 1744 wrote to memory of 2196 1744 Heikgh32.exe 32 PID 2196 wrote to memory of 2816 2196 Hhhgcc32.exe 33 PID 2196 wrote to memory of 2816 2196 Hhhgcc32.exe 33 PID 2196 wrote to memory of 2816 2196 Hhhgcc32.exe 33 PID 2196 wrote to memory of 2816 2196 Hhhgcc32.exe 33 PID 2816 wrote to memory of 2892 2816 Helgmg32.exe 34 PID 2816 wrote to memory of 2892 2816 Helgmg32.exe 34 PID 2816 wrote to memory of 2892 2816 Helgmg32.exe 34 PID 2816 wrote to memory of 2892 2816 Helgmg32.exe 34 PID 2892 wrote to memory of 2640 2892 Hfmddp32.exe 35 PID 2892 wrote to memory of 2640 2892 Hfmddp32.exe 35 PID 2892 wrote to memory of 2640 2892 Hfmddp32.exe 35 PID 2892 wrote to memory of 2640 2892 Hfmddp32.exe 35 PID 2640 wrote to memory of 2660 2640 Hndlem32.exe 36 PID 2640 wrote to memory of 2660 2640 Hndlem32.exe 36 PID 2640 wrote to memory of 2660 2640 Hndlem32.exe 36 PID 2640 wrote to memory of 2660 2640 Hndlem32.exe 36 PID 2660 wrote to memory of 2732 2660 Iabhah32.exe 37 PID 2660 wrote to memory of 2732 2660 Iabhah32.exe 37 PID 2660 wrote to memory of 2732 2660 Iabhah32.exe 37 PID 2660 wrote to memory of 2732 2660 Iabhah32.exe 37 PID 2732 wrote to memory of 1280 2732 Idadnd32.exe 38 PID 2732 wrote to memory of 1280 2732 Idadnd32.exe 38 PID 2732 wrote to memory of 1280 2732 Idadnd32.exe 38 PID 2732 wrote to memory of 1280 2732 Idadnd32.exe 38 PID 1280 wrote to memory of 2948 1280 Ifoqjo32.exe 39 PID 1280 wrote to memory of 2948 1280 Ifoqjo32.exe 39 PID 1280 wrote to memory of 2948 1280 Ifoqjo32.exe 39 PID 1280 wrote to memory of 2948 1280 Ifoqjo32.exe 39 PID 2948 wrote to memory of 696 2948 Imiigiab.exe 40 PID 2948 wrote to memory of 696 2948 Imiigiab.exe 40 PID 2948 wrote to memory of 696 2948 Imiigiab.exe 40 PID 2948 wrote to memory of 696 2948 Imiigiab.exe 40 PID 696 wrote to memory of 1244 696 Idcacc32.exe 41 PID 696 wrote to memory of 1244 696 Idcacc32.exe 41 PID 696 wrote to memory of 1244 696 Idcacc32.exe 41 PID 696 wrote to memory of 1244 696 Idcacc32.exe 41 PID 1244 wrote to memory of 1608 1244 Ifampo32.exe 42 PID 1244 wrote to memory of 1608 1244 Ifampo32.exe 42 PID 1244 wrote to memory of 1608 1244 Ifampo32.exe 42 PID 1244 wrote to memory of 1608 1244 Ifampo32.exe 42 PID 1608 wrote to memory of 1408 1608 Iipiljgf.exe 43 PID 1608 wrote to memory of 1408 1608 Iipiljgf.exe 43 PID 1608 wrote to memory of 1408 1608 Iipiljgf.exe 43 PID 1608 wrote to memory of 1408 1608 Iipiljgf.exe 43 PID 1408 wrote to memory of 2960 1408 Ipjahd32.exe 44 PID 1408 wrote to memory of 2960 1408 Ipjahd32.exe 44 PID 1408 wrote to memory of 2960 1408 Ipjahd32.exe 44 PID 1408 wrote to memory of 2960 1408 Ipjahd32.exe 44 PID 2960 wrote to memory of 2560 2960 Idfnicfl.exe 45 PID 2960 wrote to memory of 2560 2960 Idfnicfl.exe 45 PID 2960 wrote to memory of 2560 2960 Idfnicfl.exe 45 PID 2960 wrote to memory of 2560 2960 Idfnicfl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021.exe"C:\Users\Admin\AppData\Local\Temp\fe740713e9b96c00747e517f796cf997d7b40964a052e8ebe2b552a709c8e021.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe33⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe34⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe36⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe39⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe40⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe41⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe43⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe44⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe45⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe46⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe48⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe55⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe56⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe57⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe58⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe60⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe61⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe62⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:900 -
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe67⤵PID:2208
-
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe68⤵PID:2692
-
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe69⤵PID:2216
-
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe70⤵PID:2884
-
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe71⤵PID:2900
-
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe72⤵PID:2608
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe73⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe75⤵PID:2368
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe76⤵
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe77⤵PID:2976
-
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe79⤵PID:2104
-
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe80⤵PID:652
-
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe81⤵PID:1960
-
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe82⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe83⤵PID:1752
-
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe84⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe87⤵PID:2964
-
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe88⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe89⤵
- System Location Discovery: System Language Discovery
PID:352 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe90⤵PID:1712
-
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe91⤵PID:1292
-
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe92⤵PID:2512
-
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe93⤵PID:1380
-
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe94⤵PID:1856
-
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe95⤵
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe96⤵PID:2184
-
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe97⤵PID:2600
-
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe98⤵PID:2236
-
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe99⤵PID:2752
-
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe100⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe101⤵PID:2956
-
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe102⤵PID:1128
-
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe103⤵PID:2112
-
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe104⤵PID:1480
-
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe105⤵
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe106⤵PID:2416
-
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe107⤵PID:1084
-
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe108⤵PID:708
-
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe109⤵PID:2344
-
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe110⤵PID:3012
-
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe111⤵PID:3028
-
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe112⤵PID:1424
-
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe113⤵PID:2916
-
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe114⤵PID:1860
-
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe115⤵PID:1552
-
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe116⤵
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe117⤵PID:1788
-
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe118⤵PID:1920
-
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe119⤵PID:2108
-
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe120⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe121⤵
- Modifies registry class
PID:2728
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-