Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
06/03/2025, 05:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe
-
Size
211KB
-
MD5
a550ccc58e1f99e1859a04497f10f6d4
-
SHA1
c138508bfe61b3600237dd75dc76d807444071c1
-
SHA256
7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d
-
SHA512
fe04e4854cf0cd0cc22ce9a59d80701d3da9b1addd8e58271f4639cdefabf5393478c34f8a04597b115f50f52787a4f07cf42beb514292057443cb0f6d6a5c64
-
SSDEEP
6144:R2FP8gxmIr80/EKeYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/N:w8gxV8KeYr75lTefkY660fII
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmfgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agihgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koipglep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlafkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opialpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebnabb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmijfmfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laleof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lngpog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mimpkcdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjjaikoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaojnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpihk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofnpnkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bacihmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjjnhnbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkefbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Feachqgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jefbnacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnjldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmflee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dncibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gghmmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njbfnjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djjjga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbbkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dokfme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgkkmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colpld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejcmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eimcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbegbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giaidnkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdjaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofnpnkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebqngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Japciodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcnoejch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kajiigba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcjmmdbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjhgbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkdjglfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlilqbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpcokdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqkmplen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emdmjamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpmmfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmqmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imodkadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oiafee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhejhao.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2768 Dmijfmfi.exe 2728 Dlljaj32.exe 2784 Dokfme32.exe 2756 Dfbnoc32.exe 2684 Eheglk32.exe 2456 Emdmjamj.exe 1200 Eodicd32.exe 2224 Epeekmjk.exe 2844 Edcnakpa.exe 3048 Fchkbg32.exe 2228 Feggob32.exe 536 Fpohakbp.exe 2596 Fapeic32.exe 1800 Fabaocfl.exe 2044 Fkkfgi32.exe 1872 Gpjkeoha.exe 840 Ghacfmic.exe 1376 Gqodqodl.exe 2320 Gghmmilh.exe 1692 Ghlfjq32.exe 1736 Gqcnln32.exe 1668 Hmjoqo32.exe 356 Hohkmj32.exe 1576 Hdecea32.exe 2772 Hbidne32.exe 1584 Hgflflqg.exe 2124 Hejmpqop.exe 3032 Haqnea32.exe 2796 Hcojam32.exe 1068 Imgnjb32.exe 2444 Ifpcchai.exe 2092 Iaegpaao.exe 2804 Icdcllpc.exe 2988 Ifdlng32.exe 2856 Imodkadq.exe 760 Ichmgl32.exe 2496 Ipomlm32.exe 1916 Jlfnangf.exe 1868 Jndjmifj.exe 1608 Jjkkbjln.exe 1324 Jbbccgmp.exe 1028 Jeqopcld.exe 764 Jlkglm32.exe 1708 Joidhh32.exe 2540 Jdflqo32.exe 2864 Jokqnhpa.exe 1596 Jpmmfp32.exe 1988 Jhdegn32.exe 2896 Jieaofmp.exe 2876 Kmqmod32.exe 2204 Kbmfgk32.exe 2624 Kkdnhi32.exe 2732 Klfjpa32.exe 2104 Kdmban32.exe 2292 Kgkonj32.exe 2972 Kijkje32.exe 2008 Kpdcfoph.exe 2200 Kofcbl32.exe 2600 Kilgoe32.exe 2384 Kljdkpfl.exe 1080 Koipglep.exe 900 Kcdlhj32.exe 1776 Kechdf32.exe 1936 Kindeddf.exe -
Loads dropped DLL 64 IoCs
pid Process 2100 7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe 2100 7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe 2768 Dmijfmfi.exe 2768 Dmijfmfi.exe 2728 Dlljaj32.exe 2728 Dlljaj32.exe 2784 Dokfme32.exe 2784 Dokfme32.exe 2756 Dfbnoc32.exe 2756 Dfbnoc32.exe 2684 Eheglk32.exe 2684 Eheglk32.exe 2456 Emdmjamj.exe 2456 Emdmjamj.exe 1200 Eodicd32.exe 1200 Eodicd32.exe 2224 Epeekmjk.exe 2224 Epeekmjk.exe 2844 Edcnakpa.exe 2844 Edcnakpa.exe 3048 Fchkbg32.exe 3048 Fchkbg32.exe 2228 Feggob32.exe 2228 Feggob32.exe 536 Fpohakbp.exe 536 Fpohakbp.exe 2596 Fapeic32.exe 2596 Fapeic32.exe 1800 Fabaocfl.exe 1800 Fabaocfl.exe 2044 Fkkfgi32.exe 2044 Fkkfgi32.exe 1872 Gpjkeoha.exe 1872 Gpjkeoha.exe 840 Ghacfmic.exe 840 Ghacfmic.exe 1376 Gqodqodl.exe 1376 Gqodqodl.exe 2320 Gghmmilh.exe 2320 Gghmmilh.exe 1692 Ghlfjq32.exe 1692 Ghlfjq32.exe 1736 Gqcnln32.exe 1736 Gqcnln32.exe 1668 Hmjoqo32.exe 1668 Hmjoqo32.exe 356 Hohkmj32.exe 356 Hohkmj32.exe 1576 Hdecea32.exe 1576 Hdecea32.exe 2772 Hbidne32.exe 2772 Hbidne32.exe 1584 Hgflflqg.exe 1584 Hgflflqg.exe 2124 Hejmpqop.exe 2124 Hejmpqop.exe 3032 Haqnea32.exe 3032 Haqnea32.exe 2796 Hcojam32.exe 2796 Hcojam32.exe 1068 Imgnjb32.exe 1068 Imgnjb32.exe 2444 Ifpcchai.exe 2444 Ifpcchai.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ddmidgbj.dll Feggob32.exe File created C:\Windows\SysWOW64\Lhkbmo32.dll Dafoikjb.exe File opened for modification C:\Windows\SysWOW64\Ngdjaofc.exe Ncinap32.exe File created C:\Windows\SysWOW64\Ikgjnobg.dll Njbfnjeg.exe File created C:\Windows\SysWOW64\Npdfik32.dll Ncmglp32.exe File created C:\Windows\SysWOW64\Bkbdabog.exe Bdhleh32.exe File created C:\Windows\SysWOW64\Ibfmmb32.exe Ikldqile.exe File created C:\Windows\SysWOW64\Gbmhafee.dll Inmmbc32.exe File opened for modification C:\Windows\SysWOW64\Dlljaj32.exe Dmijfmfi.exe File opened for modification C:\Windows\SysWOW64\Ldjbkb32.exe Laleof32.exe File opened for modification C:\Windows\SysWOW64\Cmppehkh.exe Cehhdkjf.exe File opened for modification C:\Windows\SysWOW64\Hnhgha32.exe Hkjkle32.exe File opened for modification C:\Windows\SysWOW64\Lghgmg32.exe Lmpcca32.exe File created C:\Windows\SysWOW64\Dhcihn32.dll Elkofg32.exe File created C:\Windows\SysWOW64\Lcadghnk.exe Llgljn32.exe File opened for modification C:\Windows\SysWOW64\Kofcbl32.exe Kpdcfoph.exe File created C:\Windows\SysWOW64\Oniebmda.exe Olkifaen.exe File created C:\Windows\SysWOW64\Cjjnhnbl.exe Cmfmojcb.exe File created C:\Windows\SysWOW64\Faibdo32.dll Hklhae32.exe File created C:\Windows\SysWOW64\Mdogedmh.exe Mbqkiind.exe File opened for modification C:\Windows\SysWOW64\Nggggoda.exe Nppofado.exe File created C:\Windows\SysWOW64\Dgcgbb32.dll Jpgmpk32.exe File created C:\Windows\SysWOW64\Kpdcfoph.exe Kijkje32.exe File created C:\Windows\SysWOW64\Jagcgk32.dll Mfgnnhkc.exe File created C:\Windows\SysWOW64\Fmdpgmhn.dll Mkipao32.exe File opened for modification C:\Windows\SysWOW64\Opialpld.exe Olmela32.exe File created C:\Windows\SysWOW64\Aligmfnp.dll Aclpaali.exe File opened for modification C:\Windows\SysWOW64\Bknjfb32.exe Bddbjhlp.exe File created C:\Windows\SysWOW64\Mffbkj32.dll Gekfnoog.exe File created C:\Windows\SysWOW64\Mfjgiobf.dll Lpflkb32.exe File created C:\Windows\SysWOW64\Npfdjdfc.dll Nggggoda.exe File created C:\Windows\SysWOW64\Gecpnp32.exe Gojhafnb.exe File created C:\Windows\SysWOW64\Jieaofmp.exe Jhdegn32.exe File created C:\Windows\SysWOW64\Nflchkii.exe Ncmglp32.exe File created C:\Windows\SysWOW64\Bfglkheo.dll Hgflflqg.exe File opened for modification C:\Windows\SysWOW64\Jlkglm32.exe Jeqopcld.exe File created C:\Windows\SysWOW64\Hagojlib.dll Qldhkc32.exe File created C:\Windows\SysWOW64\Egjeoijn.dll Bdhleh32.exe File created C:\Windows\SysWOW64\Elibpg32.exe Eikfdl32.exe File created C:\Windows\SysWOW64\Fmohco32.exe Fkqlgc32.exe File created C:\Windows\SysWOW64\Hqgddm32.exe Hnhgha32.exe File created C:\Windows\SysWOW64\Fdekpjbk.dll Kokmmkcm.exe File created C:\Windows\SysWOW64\Oehiknbl.dll Agihgp32.exe File opened for modification C:\Windows\SysWOW64\Fkefbcmf.exe Fgjjad32.exe File created C:\Windows\SysWOW64\Iacoff32.dll Gaojnq32.exe File created C:\Windows\SysWOW64\Mnpkephg.dll Jipaip32.exe File opened for modification C:\Windows\SysWOW64\Fkkfgi32.exe Fabaocfl.exe File created C:\Windows\SysWOW64\Alddjg32.exe Ajehnk32.exe File created C:\Windows\SysWOW64\Mndofg32.dll Djlfma32.exe File created C:\Windows\SysWOW64\Eemnnn32.exe Ebnabb32.exe File created C:\Windows\SysWOW64\Jipaip32.exe Jfaeme32.exe File opened for modification C:\Windows\SysWOW64\Kpdcfoph.exe Kijkje32.exe File created C:\Windows\SysWOW64\Fdnjkh32.exe Faonom32.exe File created C:\Windows\SysWOW64\Keacjqlh.dll Gqodqodl.exe File created C:\Windows\SysWOW64\Mneohj32.exe Mmccqbpm.exe File created C:\Windows\SysWOW64\Pkbnjifp.dll Gkgoff32.exe File created C:\Windows\SysWOW64\Hpdjnn32.dll Jjfkmdlg.exe File created C:\Windows\SysWOW64\Onpeobjf.dll Khnapkjg.exe File created C:\Windows\SysWOW64\Dmqejl32.dll Ichmgl32.exe File opened for modification C:\Windows\SysWOW64\Kokmmkcm.exe Kindeddf.exe File opened for modification C:\Windows\SysWOW64\Nqjaeeog.exe Njpihk32.exe File opened for modification C:\Windows\SysWOW64\Qbnphngk.exe Qldhkc32.exe File opened for modification C:\Windows\SysWOW64\Ghacfmic.exe Gpjkeoha.exe File opened for modification C:\Windows\SysWOW64\Hgflflqg.exe Hbidne32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4964 4940 WerFault.exe 359 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbbmnhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekfnoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mneohj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfjolf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgflflqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjefamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqjaeeog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepaccmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Demaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkofg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkipao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhdegn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmfgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijkje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laqojfli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Colpld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaojnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddmjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khldkllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekghdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpqlemaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imodkadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdogedmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbdabog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aognbnkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamnhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmiag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeekmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fchkbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdlng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpabpcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nppofado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflchkii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndjmifj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhhkapeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkdnhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keeeje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhjdiap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgnjqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koipglep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbbkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmohco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjilgdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgmpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpcchai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdhaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piabdiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiqpigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmqmod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdcfoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpihk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peefcjlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldhkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbegbacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooembgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbidne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgqgd32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keeolpie.dll" Dfbnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgflflqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akpkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnghhmn.dll" Kocpbfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekkhdgo.dll" Nqjaeeog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbegbacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcjmmdbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikjhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edcnakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acejfl32.dll" Koipglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnehm32.dll" Bacihmoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bddbjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fflkbagk.dll" Jlkglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikijafg.dll" Mmccqbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fieacp32.dll" Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Demaoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hffibceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkkfgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nggggoda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajhddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkkfgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghlfjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdecea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcojam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll" Kenhopmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqhepmkh.dll" Gcjmmdbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfcqihha.dll" Klfjpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lngpog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjhgbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbidne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdogedmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkdmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahemgiea.dll" Elibpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klecfkff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmmfnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcjilgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll" Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hohkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkdnhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjjgb32.dll" Mdogedmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdioqoen.dll" Ofnpnkgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmofpf32.dll" Kidjdpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfqdk32.dll" Fdiqpigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpidki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klcgpkhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lekghdad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhcafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeomfi32.dll" Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckeqga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgklp32.dll" Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lncfcgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahkbf32.dll" Bknjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfaeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknaqdia.dll" Ifpcchai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjgiobf.dll" Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojbbmnhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pddjlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fggmldfp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2100 wrote to memory of 2768 2100 7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe 31 PID 2100 wrote to memory of 2768 2100 7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe 31 PID 2100 wrote to memory of 2768 2100 7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe 31 PID 2100 wrote to memory of 2768 2100 7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe 31 PID 2768 wrote to memory of 2728 2768 Dmijfmfi.exe 32 PID 2768 wrote to memory of 2728 2768 Dmijfmfi.exe 32 PID 2768 wrote to memory of 2728 2768 Dmijfmfi.exe 32 PID 2768 wrote to memory of 2728 2768 Dmijfmfi.exe 32 PID 2728 wrote to memory of 2784 2728 Dlljaj32.exe 33 PID 2728 wrote to memory of 2784 2728 Dlljaj32.exe 33 PID 2728 wrote to memory of 2784 2728 Dlljaj32.exe 33 PID 2728 wrote to memory of 2784 2728 Dlljaj32.exe 33 PID 2784 wrote to memory of 2756 2784 Dokfme32.exe 34 PID 2784 wrote to memory of 2756 2784 Dokfme32.exe 34 PID 2784 wrote to memory of 2756 2784 Dokfme32.exe 34 PID 2784 wrote to memory of 2756 2784 Dokfme32.exe 34 PID 2756 wrote to memory of 2684 2756 Dfbnoc32.exe 35 PID 2756 wrote to memory of 2684 2756 Dfbnoc32.exe 35 PID 2756 wrote to memory of 2684 2756 Dfbnoc32.exe 35 PID 2756 wrote to memory of 2684 2756 Dfbnoc32.exe 35 PID 2684 wrote to memory of 2456 2684 Eheglk32.exe 36 PID 2684 wrote to memory of 2456 2684 Eheglk32.exe 36 PID 2684 wrote to memory of 2456 2684 Eheglk32.exe 36 PID 2684 wrote to memory of 2456 2684 Eheglk32.exe 36 PID 2456 wrote to memory of 1200 2456 Emdmjamj.exe 37 PID 2456 wrote to memory of 1200 2456 Emdmjamj.exe 37 PID 2456 wrote to memory of 1200 2456 Emdmjamj.exe 37 PID 2456 wrote to memory of 1200 2456 Emdmjamj.exe 37 PID 1200 wrote to memory of 2224 1200 Eodicd32.exe 38 PID 1200 wrote to memory of 2224 1200 Eodicd32.exe 38 PID 1200 wrote to memory of 2224 1200 Eodicd32.exe 38 PID 1200 wrote to memory of 2224 1200 Eodicd32.exe 38 PID 2224 wrote to memory of 2844 2224 Epeekmjk.exe 39 PID 2224 wrote to memory of 2844 2224 Epeekmjk.exe 39 PID 2224 wrote to memory of 2844 2224 Epeekmjk.exe 39 PID 2224 wrote to memory of 2844 2224 Epeekmjk.exe 39 PID 2844 wrote to memory of 3048 2844 Edcnakpa.exe 40 PID 2844 wrote to memory of 3048 2844 Edcnakpa.exe 40 PID 2844 wrote to memory of 3048 2844 Edcnakpa.exe 40 PID 2844 wrote to memory of 3048 2844 Edcnakpa.exe 40 PID 3048 wrote to memory of 2228 3048 Fchkbg32.exe 41 PID 3048 wrote to memory of 2228 3048 Fchkbg32.exe 41 PID 3048 wrote to memory of 2228 3048 Fchkbg32.exe 41 PID 3048 wrote to memory of 2228 3048 Fchkbg32.exe 41 PID 2228 wrote to memory of 536 2228 Feggob32.exe 42 PID 2228 wrote to memory of 536 2228 Feggob32.exe 42 PID 2228 wrote to memory of 536 2228 Feggob32.exe 42 PID 2228 wrote to memory of 536 2228 Feggob32.exe 42 PID 536 wrote to memory of 2596 536 Fpohakbp.exe 43 PID 536 wrote to memory of 2596 536 Fpohakbp.exe 43 PID 536 wrote to memory of 2596 536 Fpohakbp.exe 43 PID 536 wrote to memory of 2596 536 Fpohakbp.exe 43 PID 2596 wrote to memory of 1800 2596 Fapeic32.exe 44 PID 2596 wrote to memory of 1800 2596 Fapeic32.exe 44 PID 2596 wrote to memory of 1800 2596 Fapeic32.exe 44 PID 2596 wrote to memory of 1800 2596 Fapeic32.exe 44 PID 1800 wrote to memory of 2044 1800 Fabaocfl.exe 45 PID 1800 wrote to memory of 2044 1800 Fabaocfl.exe 45 PID 1800 wrote to memory of 2044 1800 Fabaocfl.exe 45 PID 1800 wrote to memory of 2044 1800 Fabaocfl.exe 45 PID 2044 wrote to memory of 1872 2044 Fkkfgi32.exe 46 PID 2044 wrote to memory of 1872 2044 Fkkfgi32.exe 46 PID 2044 wrote to memory of 1872 2044 Fkkfgi32.exe 46 PID 2044 wrote to memory of 1872 2044 Fkkfgi32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe"C:\Users\Admin\AppData\Local\Temp\7ba41e31ce7952167d136428efa6ba1ee575998ee2b015f45a82c6170b2ba34d.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Eheglk32.exeC:\Windows\system32\Eheglk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Hohkmj32.exeC:\Windows\system32\Hohkmj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:356 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe33⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe34⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:760 -
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe38⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe39⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe41⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe42⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe45⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe46⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe47⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Jieaofmp.exeC:\Windows\system32\Jieaofmp.exe50⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Kbmfgk32.exeC:\Windows\system32\Kbmfgk32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe55⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe56⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Windows\SysWOW64\Kofcbl32.exeC:\Windows\system32\Kofcbl32.exe59⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Kilgoe32.exeC:\Windows\system32\Kilgoe32.exe60⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe61⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Kcdlhj32.exeC:\Windows\system32\Kcdlhj32.exe63⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe64⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe66⤵PID:880
-
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe67⤵
- Drops file in System32 directory
PID:924 -
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2912 -
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Lhcafa32.exeC:\Windows\system32\Lhcafa32.exe70⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe71⤵PID:2644
-
C:\Windows\SysWOW64\Laleof32.exeC:\Windows\system32\Laleof32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Ldjbkb32.exeC:\Windows\system32\Ldjbkb32.exe73⤵PID:2660
-
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe74⤵PID:1472
-
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe76⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe77⤵
- System Location Discovery: System Language Discovery
PID:548 -
C:\Windows\SysWOW64\Lhhkapeh.exeC:\Windows\system32\Lhhkapeh.exe78⤵
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe80⤵PID:1344
-
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe81⤵
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\SysWOW64\Lgngbmjp.exeC:\Windows\system32\Lgngbmjp.exe82⤵PID:1784
-
C:\Windows\SysWOW64\Lngpog32.exeC:\Windows\system32\Lngpog32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Lpflkb32.exeC:\Windows\system32\Lpflkb32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Lnjldf32.exeC:\Windows\system32\Lnjldf32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:580 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe86⤵PID:2108
-
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe87⤵PID:1588
-
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe88⤵
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Mfgnnhkc.exeC:\Windows\system32\Mfgnnhkc.exe89⤵
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Mlafkb32.exeC:\Windows\system32\Mlafkb32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848 -
C:\Windows\SysWOW64\Mkdffoij.exeC:\Windows\system32\Mkdffoij.exe91⤵PID:572
-
C:\Windows\SysWOW64\Mopbgn32.exeC:\Windows\system32\Mopbgn32.exe92⤵PID:3044
-
C:\Windows\SysWOW64\Mbnocipg.exeC:\Windows\system32\Mbnocipg.exe93⤵PID:1632
-
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe94⤵PID:2188
-
C:\Windows\SysWOW64\Mmccqbpm.exeC:\Windows\system32\Mmccqbpm.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Mneohj32.exeC:\Windows\system32\Mneohj32.exe96⤵
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe97⤵
- Drops file in System32 directory
PID:1212 -
C:\Windows\SysWOW64\Mdogedmh.exeC:\Windows\system32\Mdogedmh.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Mkipao32.exeC:\Windows\system32\Mkipao32.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe100⤵PID:3028
-
C:\Windows\SysWOW64\Mimpkcdn.exeC:\Windows\system32\Mimpkcdn.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Njnmbk32.exeC:\Windows\system32\Njnmbk32.exe102⤵
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Nnjicjbf.exeC:\Windows\system32\Nnjicjbf.exe103⤵PID:2680
-
C:\Windows\SysWOW64\Nqhepeai.exeC:\Windows\system32\Nqhepeai.exe104⤵PID:1304
-
C:\Windows\SysWOW64\Ncfalqpm.exeC:\Windows\system32\Ncfalqpm.exe105⤵PID:1636
-
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\Nqjaeeog.exeC:\Windows\system32\Nqjaeeog.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1720 -
C:\Windows\SysWOW64\Njbfnjeg.exeC:\Windows\system32\Njbfnjeg.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe111⤵PID:2632
-
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Nggggoda.exeC:\Windows\system32\Nggggoda.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe114⤵PID:2636
-
C:\Windows\SysWOW64\Npbklabl.exeC:\Windows\system32\Npbklabl.exe115⤵PID:3020
-
C:\Windows\SysWOW64\Ncmglp32.exeC:\Windows\system32\Ncmglp32.exe116⤵
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Nflchkii.exeC:\Windows\system32\Nflchkii.exe117⤵
- System Location Discovery: System Language Discovery
PID:1944 -
C:\Windows\SysWOW64\Nmflee32.exeC:\Windows\system32\Nmflee32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2280 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Npdhaq32.exeC:\Windows\system32\Npdhaq32.exe120⤵
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Obbdml32.exeC:\Windows\system32\Obbdml32.exe121⤵PID:1152
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-