Analysis
max time kernel: 30s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 14:23
Static task: static1
Behavioral task: behavioral1
Sample: 801eb699dcbb76f23ee89f3c4570611767302a5a47ae5a2e6f4b3f7cf9f85c12.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 801eb699dcbb76f23ee89f3c4570611767302a5a47ae5a2e6f4b3f7cf9f85c12.exe
Resource: win10v2004-20241007-en
General
Target: 801eb699dcbb76f23ee89f3c4570611767302a5a47ae5a2e6f4b3f7cf9f85c12.exe
Size: 74KB
MD5: 1e782cb07bfcfb4420459c6f380ece47
SHA1: bae1e434aa979482805ad41e0a346d93ccfb46ad
SHA256: 801eb699dcbb76f23ee89f3c4570611767302a5a47ae5a2e6f4b3f7cf9f85c12
SHA512: b11120d5092ad80fcd59e7c0d39459022a833b99386d164fdde0760e651439c563c795c26b0bbded2a8aee7fe36069f13734aee6a73a50486539a7133acb0bcc
SSDEEP: 768:HGtT2f3jtJB3S38xmeeTRSHAZCigJmU7uae1fLfd+RBcdhL6NF8y265k6U74x/DZ:Hbf3jtJBKRSg4igB7urFdYE2yr+s71Cz
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 3280, pid_target: 3248, Process: WerFault.exe, procid_target: 255
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2288 wrote to memory of 1944 2288 801eb699dcbb76f23ee89f3c4570611767302a5a47ae5a2e6f4b3f7cf9f85c12.exe 30
PID 2288 wrote to memory of 1944 2288 801eb699dcbb76f23ee89f3c4570611767302a5a47ae5a2e6f4b3f7cf9f85c12.exe 30
PID 2288 wrote to memory of 1944 2288 801eb699dcbb76f23ee89f3c4570611767302a5a47ae5a2e6f4b3f7cf9f85c12.exe 30
PID 2288 wrote to memory of 1944 2288 801eb699dcbb76f23ee89f3c4570611767302a5a47ae5a2e6f4b3f7cf9f85c12.exe 30
PID 1944 wrote to memory of 2012 1944 Hoamgd32.exe 31
PID 1944 wrote to memory of 2012 1944 Hoamgd32.exe 31
PID 1944 wrote to memory of 2012 1944 Hoamgd32.exe 31
PID 1944 wrote to memory of 2012 1944 Hoamgd32.exe 31
PID 2012 wrote to memory of 2828 2012 Hapicp32.exe 32
PID 2012 wrote to memory of 2828 2012 Hapicp32.exe 32
PID 2012 wrote to memory of 2828 2012 Hapicp32.exe 32
PID 2012 wrote to memory of 2828 2012 Hapicp32.exe 32
PID 2828 wrote to memory of 2716 2828 Hkhnle32.exe 33
PID 2828 wrote to memory of 2716 2828 Hkhnle32.exe 33
PID 2828 wrote to memory of 2716 2828 Hkhnle32.exe 33
PID 2828 wrote to memory of 2716 2828 Hkhnle32.exe 33
PID 2716 wrote to memory of 2584 2716 Habfipdj.exe 34
PID 2716 wrote to memory of 2584 2716 Habfipdj.exe 34
PID 2716 wrote to memory of 2584 2716 Habfipdj.exe 34
PID 2716 wrote to memory of 2584 2716 Habfipdj.exe 34
PID 2584 wrote to memory of 3052 2584 Hpefdl32.exe 35
PID 2584 wrote to memory of 3052 2584 Hpefdl32.exe 35
PID 2584 wrote to memory of 3052 2584 Hpefdl32.exe 35
PID 2584 wrote to memory of 3052 2584 Hpefdl32.exe 35
PID 3052 wrote to memory of 568 3052 Ikkjbe32.exe 36
PID 3052 wrote to memory of 568 3052 Ikkjbe32.exe 36
PID 3052 wrote to memory of 568 3052 Ikkjbe32.exe 36
PID 3052 wrote to memory of 568 3052 Ikkjbe32.exe 36
PID 568 wrote to memory of 3068 568 Iimjmbae.exe 37
PID 568 wrote to memory of 3068 568 Iimjmbae.exe 37
PID 568 wrote to memory of 3068 568 Iimjmbae.exe 37
PID 568 wrote to memory of 3068 568 Iimjmbae.exe 37
PID 3068 wrote to memory of 2228 3068 Igakgfpn.exe 38
PID 3068 wrote to memory of 2228 3068 Igakgfpn.exe 38
PID 3068 wrote to memory of 2228 3068 Igakgfpn.exe 38
PID 3068 wrote to memory of 2228 3068 Igakgfpn.exe 38
PID 2228 wrote to memory of 1804 2228 Iedkbc32.exe 39
PID 2228 wrote to memory of 1804 2228 Iedkbc32.exe 39
PID 2228 wrote to memory of 1804 2228 Iedkbc32.exe 39
PID 2228 wrote to memory of 1804 2228 Iedkbc32.exe 39
PID 1804 wrote to memory of 2868 1804 Ipjoplgo.exe 40
PID 1804 wrote to memory of 2868 1804 Ipjoplgo.exe 40
PID 1804 wrote to memory of 2868 1804 Ipjoplgo.exe 40
PID 1804 wrote to memory of 2868 1804 Ipjoplgo.exe 40
PID 2868 wrote to memory of 2800 2868 Iompkh32.exe 41
PID 2868 wrote to memory of 2800 2868 Iompkh32.exe 41
PID 2868 wrote to memory of 2800 2868 Iompkh32.exe 41
PID 2868 wrote to memory of 2800 2868 Iompkh32.exe 41
PID 2800 wrote to memory of 2368 2800 Igchlf32.exe 42
PID 2800 wrote to memory of 2368 2800 Igchlf32.exe 42
PID 2800 wrote to memory of 2368 2800 Igchlf32.exe 42
PID 2800 wrote to memory of 2368 2800 Igchlf32.exe 42
PID 2368 wrote to memory of 1792 2368 Ijbdha32.exe 43
PID 2368 wrote to memory of 1792 2368 Ijbdha32.exe 43
PID 2368 wrote to memory of 1792 2368 Ijbdha32.exe 43
PID 2368 wrote to memory of 1792 2368 Ijbdha32.exe 43
PID 1792 wrote to memory of 2788 1792 Icjhagdp.exe 44
PID 1792 wrote to memory of 2788 1792 Icjhagdp.exe 44
PID 1792 wrote to memory of 2788 1792 Icjhagdp.exe 44
PID 1792 wrote to memory of 2788 1792 Icjhagdp.exe 44
PID 2788 wrote to memory of 2156 2788 Ijdqna32.exe 45
PID 2788 wrote to memory of 2156 2788 Ijdqna32.exe 45
PID 2788 wrote to memory of 2156 2788 Ijdqna32.exe 45
PID 2788 wrote to memory of 2156 2788 Ijdqna32.exe 45
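The two sections above are exported as run-together records, which makes them awkward to turn into indicators by hand. The following parser is an added example, not part of the sandbox report or the sample: it takes a handful of records copied from the "Modifies registry class" and "Suspicious use of WriteProcessMemory" sections (embedded as constructed sample strings), recovers the chain of dropped executables from the WriteProcessMemory records (each parent writes the same child four times, which the parser collapses), and lists every DLL that the dropped executables pointed the CLSID's default InProcServer32 value at. Function and regex names are this example's own.

```python
import re

# Constructed sample input: records copied from the two report sections above,
# kept in the run-together form of the export (space-separated, no newlines).
REGISTRY_EVENTS = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel'
    r' = "Apartment" Akmjfn32.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = '
    r'"C:\\Windows\\SysWow64\\Pghhkllb.dll" Kbkameaf.exe '
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohendqhd.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = '
    r'"C:\\Windows\\SysWow64\\Ihmnkh32.dll" Biafnecn.exe'
)

WPM_EVENTS = (
    "PID 2288 wrote to memory of 1944 2288 801eb699dcbb76f23ee89f3c4570611767302a5a47ae5a2e6f4b3f7cf9f85c12.exe 30 "
    "PID 2288 wrote to memory of 1944 2288 801eb699dcbb76f23ee89f3c4570611767302a5a47ae5a2e6f4b3f7cf9f85c12.exe 30 "
    "PID 1944 wrote to memory of 2012 1944 Hoamgd32.exe 31 "
    "PID 1944 wrote to memory of 2012 1944 Hoamgd32.exe 31 "
    "PID 2012 wrote to memory of 2828 2012 Hapicp32.exe 32 "
    "PID 2828 wrote to memory of 2716 2828 Hkhnle32.exe 33"
)

# One registry record: a value write ("Set value (str) <key>\<name> = "<data>")
# or a key creation, each followed by the image name of the writing process.
REG_RE = re.compile(
    r'Set value \(str\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<sproc>\S+\.exe)'
    r'|Key created (?P<key>\\REGISTRY\\\S+) (?P<kproc>\S+\.exe)'
)
# One WriteProcessMemory record; the trailing number is the sandbox's target
# index, not a PID, so it is matched but ignored.
WPM_RE = re.compile(
    r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) \d+'
)
CLSID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')


def parse_registry_events(text):
    """Split the run-together export into dicts: op, key, value name, data, process."""
    events = []
    for m in REG_RE.finditer(text):
        if m.group('path') is not None:
            key, _, name = m.group('path').rpartition('\\')  # '' name = default value
            events.append({'op': 'set', 'key': key, 'name': name,
                           'data': m.group('data').replace('\\\\', '\\'),
                           'process': m.group('sproc')})
        else:
            events.append({'op': 'create', 'key': m.group('key'), 'name': None,
                           'data': None, 'process': m.group('kproc')})
    return events


def inprocserver_dlls(events):
    """Map each CLSID to [(writing process, DLL path)] for its default InProcServer32 value."""
    hits = {}
    for ev in events:
        if ev['op'] == 'set' and ev['key'].endswith('\\InProcServer32') and ev['name'] == '':
            clsid = CLSID_RE.search(ev['key']).group(0)
            hits.setdefault(clsid, []).append((ev['process'], ev['data']))
    return hits


def parse_process_chain(text):
    """Follow parent -> child from the single root; returns [(pid, image or None)]."""
    children, names = {}, {}
    for m in WPM_RE.finditer(text):
        src, dst = int(m.group('src')), int(m.group('dst'))
        names[src] = m.group('image')
        children.setdefault(src, set()).add(dst)  # repeated records collapse here
    spawned = set().union(*children.values()) if children else set()
    roots = [p for p in children if p not in spawned]
    if len(roots) != 1:
        raise ValueError('expected exactly one root process, got %r' % roots)
    chain, pid = [], roots[0]
    while True:
        chain.append((pid, names.get(pid)))  # a leaf never wrote, so it has no image here
        kids = children.get(pid, set())
        if len(kids) != 1:  # leaf, or a fan-out this linear walk does not follow
            break
        pid = next(iter(kids))
    return chain


if __name__ == '__main__':
    for pid, image in parse_process_chain(WPM_EVENTS):
        print(pid, image or '(leaf)')
    for clsid, hits in inprocserver_dlls(parse_registry_events(REGISTRY_EVENTS)).items():
        print(clsid)
        for proc, dll in hits:
            print('  %-14s -> %s' % (proc, dll))
```

Run against the full sections rather than the sample, the chain comes out as one strictly linear list of dropped executables, and the CLSID map shows that the same CLSID is repeatedly re-pointed at a fresh randomly named DLL under SysWow64. Either list is what goes into a hunt: the DLL file names, and a check on any host where a ShellServiceObjectDelayLoad entry resolves to that CLSID.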
Processes
-
C:\Users\Admin\AppData\Local\Temp\801eb699dcbb76f23ee89f3c4570611767302a5a47ae5a2e6f4b3f7cf9f85c12.exe"C:\Users\Admin\AppData\Local\Temp\801eb699dcbb76f23ee89f3c4570611767302a5a47ae5a2e6f4b3f7cf9f85c12.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Hoamgd32.exeC:\Windows\system32\Hoamgd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Habfipdj.exeC:\Windows\system32\Habfipdj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Iedkbc32.exeC:\Windows\system32\Iedkbc32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Ijbdha32.exeC:\Windows\system32\Ijbdha32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Icjhagdp.exeC:\Windows\system32\Icjhagdp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Ioaifhid.exeC:\Windows\system32\Ioaifhid.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:976 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Jbgkcb32.exeC:\Windows\system32\Jbgkcb32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Jnmlhchd.exeC:\Windows\system32\Jnmlhchd.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Jqnejn32.exeC:\Windows\system32\Jqnejn32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\Kmefooki.exeC:\Windows\system32\Kmefooki.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Kfpgmdog.exeC:\Windows\system32\Kfpgmdog.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe40⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Kohkfj32.exeC:\Windows\system32\Kohkfj32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Kiqpop32.exeC:\Windows\system32\Kiqpop32.exe43⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe45⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Knpemf32.exeC:\Windows\system32\Knpemf32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Lclnemgd.exeC:\Windows\system32\Lclnemgd.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe53⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Leljop32.exeC:\Windows\system32\Leljop32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:476 -
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Lfmffhde.exeC:\Windows\system32\Lfmffhde.exe57⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe58⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Lndohedg.exeC:\Windows\system32\Lndohedg.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Labkdack.exeC:\Windows\system32\Labkdack.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe61⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe64⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe65⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe66⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe67⤵
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe68⤵
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe70⤵
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Llohjo32.exeC:\Windows\system32\Llohjo32.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:236 -
C:\Windows\SysWOW64\Lbiqfied.exeC:\Windows\system32\Lbiqfied.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe73⤵
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe74⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe76⤵
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Mpmapm32.exeC:\Windows\system32\Mpmapm32.exe77⤵PID:2860
-
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2004 -
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe80⤵
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe81⤵PID:816
-
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\Mapjmehi.exeC:\Windows\system32\Mapjmehi.exe83⤵PID:1688
-
C:\Windows\SysWOW64\Migbnb32.exeC:\Windows\system32\Migbnb32.exe84⤵PID:1740
-
C:\Windows\SysWOW64\Mlfojn32.exeC:\Windows\system32\Mlfojn32.exe85⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe86⤵PID:2688
-
C:\Windows\SysWOW64\Mabgcd32.exeC:\Windows\system32\Mabgcd32.exe87⤵PID:1988
-
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe88⤵
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Mhloponc.exeC:\Windows\system32\Mhloponc.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe90⤵PID:2784
-
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:624 -
C:\Windows\SysWOW64\Mholen32.exeC:\Windows\system32\Mholen32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Mkmhaj32.exeC:\Windows\system32\Mkmhaj32.exe93⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Magqncba.exeC:\Windows\system32\Magqncba.exe95⤵
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Ndemjoae.exeC:\Windows\system32\Ndemjoae.exe96⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe97⤵PID:1948
-
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe98⤵
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe99⤵PID:2616
-
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe100⤵
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Ndhipoob.exeC:\Windows\system32\Ndhipoob.exe101⤵
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Nlcnda32.exeC:\Windows\system32\Nlcnda32.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe105⤵PID:3008
-
C:\Windows\SysWOW64\Ncmfqkdj.exeC:\Windows\system32\Ncmfqkdj.exe106⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Nigome32.exeC:\Windows\system32\Nigome32.exe107⤵PID:1492
-
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe108⤵PID:2176
-
C:\Windows\SysWOW64\Nlekia32.exeC:\Windows\system32\Nlekia32.exe109⤵
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Ncpcfkbg.exeC:\Windows\system32\Ncpcfkbg.exe110⤵PID:2304
-
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2804 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe114⤵PID:2384
-
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe117⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1840 -
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe119⤵PID:744
-
C:\Windows\SysWOW64\Oagmmgdm.exeC:\Windows\system32\Oagmmgdm.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Oebimf32.exeC:\Windows\system32\Oebimf32.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe122⤵PID:2816
-