Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
06/03/2025, 13:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe
-
Size
378KB
-
MD5
9110eae66e904f4cf8e20dd3db3f0e4b
-
SHA1
7dee52f0357a5ea4f16b6a29cd05886d74d6a3d6
-
SHA256
e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00
-
SHA512
d82d2a0802ad8cee64b93bd964873c2c583ef43a783f5145ef23fa8efbe3ffca821cbf4b03f8a9b12026b70ca74d9aee5d84c11c605f7ee1675bc7e2c9f3f407
-
SSDEEP
6144:1e075EteYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQMJSZE:I2KteYr75lTefkY660fIaDZkY660f2lO
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpcoeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mciabmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcbfbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmnopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaecod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klfjpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkbmbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcblan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmpolof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdbpekam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbfilffm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colpld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goldfelp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kechdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajhddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Modlbmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bieopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkbaci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkebafoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jijokbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgkonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcjmmdbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekmfne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclfag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkglm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfjkdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qoeamo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hghillnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijnkifgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jokqnhpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmqmod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkonj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqjaeeog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobpfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkpqlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhcmedli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpggei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgeelf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Japciodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckmnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqjaeeog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jipaip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jacfidem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmehdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmneg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifbdnbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdjaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ponklpcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioeclg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnnlocgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Felajbpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npdhaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obgnhkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajehnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcqlkjae.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 624 Adnpkjde.exe 1028 Bjkhdacm.exe 2744 Bdqlajbb.exe 2880 Bieopm32.exe 2916 Ciihklpj.exe 2800 Cgoelh32.exe 2264 Ckmnbg32.exe 1104 Caifjn32.exe 2620 Cfhkhd32.exe 1776 Dfkhndca.exe 2868 Dilapopb.exe 688 Dfpaic32.exe 1828 Dpjbgh32.exe 2116 Eanldqgf.exe 2148 Eaphjp32.exe 448 Ekhmcelc.exe 836 Eaebeoan.exe 1840 Ekmfne32.exe 912 Fmnopp32.exe 1536 Foolgh32.exe 740 Foahmh32.exe 2236 Felajbpg.exe 2060 Fkkfgi32.exe 304 Fnibcd32.exe 2532 Gdegfn32.exe 2300 Gnnlocgk.exe 2608 Gkalhgfd.exe 2460 Gdjqamme.exe 2936 Gghmmilh.exe 2200 Gjifodii.exe 2844 Ghlfjq32.exe 2808 Hinbppna.exe 2440 Hmlkfo32.exe 1804 Hokhbj32.exe 1092 Hbidne32.exe 2520 Hejmpqop.exe 2860 Hghillnd.exe 2012 Hjgehgnh.exe 756 Ikfbbjdj.exe 3008 Indnnfdn.exe 2172 Iacjjacb.exe 1528 Ijnkifgp.exe 2136 Ifdlng32.exe 2044 Imodkadq.exe 904 Ichmgl32.exe 292 Iieepbje.exe 2232 Jfieigio.exe 2456 Jlfnangf.exe 3048 Jacfidem.exe 2252 Jijokbfp.exe 980 Jaecod32.exe 2724 Jlkglm32.exe 2768 Jeclebja.exe 2752 Jfdhmk32.exe 2836 Jokqnhpa.exe 1684 Jajmjcoe.exe 1236 Jkbaci32.exe 1512 Kmqmod32.exe 1624 Kbmfgk32.exe 2736 Kigndekn.exe 2864 Klfjpa32.exe 2168 Kpafapbk.exe 1736 Kgkonj32.exe 1532 Kpdcfoph.exe -
Loads dropped DLL 64 IoCs
pid Process 956 e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe 956 e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe 624 Adnpkjde.exe 624 Adnpkjde.exe 1028 Bjkhdacm.exe 1028 Bjkhdacm.exe 2744 Bdqlajbb.exe 2744 Bdqlajbb.exe 2880 Bieopm32.exe 2880 Bieopm32.exe 2916 Ciihklpj.exe 2916 Ciihklpj.exe 2800 Cgoelh32.exe 2800 Cgoelh32.exe 2264 Ckmnbg32.exe 2264 Ckmnbg32.exe 1104 Caifjn32.exe 1104 Caifjn32.exe 2620 Cfhkhd32.exe 2620 Cfhkhd32.exe 1776 Dfkhndca.exe 1776 Dfkhndca.exe 2868 Dilapopb.exe 2868 Dilapopb.exe 688 Dfpaic32.exe 688 Dfpaic32.exe 1828 Dpjbgh32.exe 1828 Dpjbgh32.exe 2116 Eanldqgf.exe 2116 Eanldqgf.exe 2148 Eaphjp32.exe 2148 Eaphjp32.exe 448 Ekhmcelc.exe 448 Ekhmcelc.exe 836 Eaebeoan.exe 836 Eaebeoan.exe 1840 Ekmfne32.exe 1840 Ekmfne32.exe 912 Fmnopp32.exe 912 Fmnopp32.exe 1536 Foolgh32.exe 1536 Foolgh32.exe 740 Foahmh32.exe 740 Foahmh32.exe 2236 Felajbpg.exe 2236 Felajbpg.exe 2060 Fkkfgi32.exe 2060 Fkkfgi32.exe 304 Fnibcd32.exe 304 Fnibcd32.exe 2532 Gdegfn32.exe 2532 Gdegfn32.exe 2300 Gnnlocgk.exe 2300 Gnnlocgk.exe 2608 Gkalhgfd.exe 2608 Gkalhgfd.exe 2460 Gdjqamme.exe 2460 Gdjqamme.exe 2936 Gghmmilh.exe 2936 Gghmmilh.exe 2200 Gjifodii.exe 2200 Gjifodii.exe 2844 Ghlfjq32.exe 2844 Ghlfjq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dlgjldnm.exe Dboeco32.exe File opened for modification C:\Windows\SysWOW64\Eafkhn32.exe Eogolc32.exe File created C:\Windows\SysWOW64\Mgmdapml.exe Mflgih32.exe File opened for modification C:\Windows\SysWOW64\Jipaip32.exe Jbfilffm.exe File created C:\Windows\SysWOW64\Kdhdfgep.dll Jkbaci32.exe File created C:\Windows\SysWOW64\Jkcfefdg.dll Qobdgo32.exe File opened for modification C:\Windows\SysWOW64\Gojhafnb.exe Gpggei32.exe File created C:\Windows\SysWOW64\Bccjfi32.dll Kkojbf32.exe File created C:\Windows\SysWOW64\Jacfidem.exe Jlfnangf.exe File created C:\Windows\SysWOW64\Dggajf32.dll Olkifaen.exe File created C:\Windows\SysWOW64\Goldfelp.exe Ghbljk32.exe File created C:\Windows\SysWOW64\Ogbogkjn.dll Ibcphc32.exe File opened for modification C:\Windows\SysWOW64\Jggoqimd.exe Imbjcpnn.exe File created C:\Windows\SysWOW64\Kcadppco.dll Kdnkdmec.exe File created C:\Windows\SysWOW64\Pcqejkep.dll Hghillnd.exe File created C:\Windows\SysWOW64\Ichmgl32.exe Imodkadq.exe File created C:\Windows\SysWOW64\Ngpqfp32.exe Modlbmmn.exe File created C:\Windows\SysWOW64\Ieponofk.exe Ibacbcgg.exe File opened for modification C:\Windows\SysWOW64\Jfmkbebl.exe Japciodd.exe File created C:\Windows\SysWOW64\Indnnfdn.exe Ikfbbjdj.exe File opened for modification C:\Windows\SysWOW64\Jkbaci32.exe Jajmjcoe.exe File created C:\Windows\SysWOW64\Elkofg32.exe Eafkhn32.exe File created C:\Windows\SysWOW64\Ikdngobg.dll Fkefbcmf.exe File created C:\Windows\SysWOW64\Ofqmcj32.exe Oniebmda.exe File created C:\Windows\SysWOW64\Alageg32.exe Ageompfe.exe File created C:\Windows\SysWOW64\Pofhpf32.dll Colpld32.exe File opened for modification C:\Windows\SysWOW64\Gdkjdl32.exe Gcjmmdbf.exe File created C:\Windows\SysWOW64\Jlkglm32.exe Jaecod32.exe File opened for modification C:\Windows\SysWOW64\Kpfplo32.exe Kljdkpfl.exe File opened for modification C:\Windows\SysWOW64\Bhonjg32.exe Bcbfbp32.exe File opened for modification C:\Windows\SysWOW64\Edlafebn.exe Eldiehbk.exe File opened for modification C:\Windows\SysWOW64\Ghdiokbq.exe Gefmcp32.exe File created C:\Windows\SysWOW64\Adnpkjde.exe e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe File opened for modification C:\Windows\SysWOW64\Gdjqamme.exe Gkalhgfd.exe File opened for modification C:\Windows\SysWOW64\Nfgjml32.exe Ngdjaofc.exe File created C:\Windows\SysWOW64\Faiboc32.dll Pfnmmn32.exe File created C:\Windows\SysWOW64\Klmqapci.exe Kechdf32.exe File created C:\Windows\SysWOW64\Modlbmmn.exe Mgmdapml.exe File created C:\Windows\SysWOW64\Nckkgp32.exe Nppofado.exe File opened for modification C:\Windows\SysWOW64\Phfoee32.exe Ponklpcg.exe File opened for modification C:\Windows\SysWOW64\Edidqf32.exe Emoldlmc.exe File opened for modification C:\Windows\SysWOW64\Fppaej32.exe Famaimfe.exe File created C:\Windows\SysWOW64\Diodocki.dll Iegeonpc.exe File created C:\Windows\SysWOW64\Caifjn32.exe Ckmnbg32.exe File opened for modification C:\Windows\SysWOW64\Foolgh32.exe Fmnopp32.exe File created C:\Windows\SysWOW64\Jfeflj32.dll Ichmgl32.exe File opened for modification C:\Windows\SysWOW64\Ponklpcg.exe Pmmneg32.exe File created C:\Windows\SysWOW64\Gkgoff32.exe Gdnfjl32.exe File opened for modification C:\Windows\SysWOW64\Hdpcokdo.exe Gkgoff32.exe File created C:\Windows\SysWOW64\Aiomcb32.dll Kambcbhb.exe File created C:\Windows\SysWOW64\Fnibcd32.exe Fkkfgi32.exe File opened for modification C:\Windows\SysWOW64\Gkalhgfd.exe Gnnlocgk.exe File created C:\Windows\SysWOW64\Fbegbacp.exe Elkofg32.exe File created C:\Windows\SysWOW64\Jflomd32.dll Gjifodii.exe File opened for modification C:\Windows\SysWOW64\Bgghac32.exe Bqmpdioa.exe File created C:\Windows\SysWOW64\Jlhbje32.dll Cjhabndo.exe File created C:\Windows\SysWOW64\Cehhdkjf.exe Colpld32.exe File created C:\Windows\SysWOW64\Cmojeo32.dll Jpepkk32.exe File created C:\Windows\SysWOW64\Ncekdcqn.dll Dfkhndca.exe File opened for modification C:\Windows\SysWOW64\Ifdlng32.exe Ijnkifgp.exe File opened for modification C:\Windows\SysWOW64\Jacfidem.exe Jlfnangf.exe File created C:\Windows\SysWOW64\Lpkclikh.dll Klmqapci.exe File created C:\Windows\SysWOW64\Obgnhkkh.exe Opialpld.exe File opened for modification C:\Windows\SysWOW64\Onnnml32.exe Obgnhkkh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3144 3092 WerFault.exe 302 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnqjnhge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioeclg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnofgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfieigio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modlbmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckkgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbogqoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncibp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famaimfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdjaofc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhmcelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejmpqop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aacmij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbndmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaimipjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghbljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaebeoan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgkkmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkgpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqmpdioa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbpkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Japciodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokqnhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciihklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjgehgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbeedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmpolof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkefbcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgmpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeccjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjpggkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcopebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghillnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkonj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkfclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghmmilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnmmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdiokbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdhmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmqapci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnecigcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmmpcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngpqfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdhaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blinefnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbdleol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eanldqgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnkifgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbfbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fppaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgoff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iediin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacihmoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhabndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefbnacn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfghckb.dll" Kpafapbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpdcfoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppfafcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcbnpgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eafkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbonaedo.dll" Hnmacpfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eaphjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Indnnfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dboeco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgocmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbfilffm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffhohhi.dll" Fefqdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkjkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikgkei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieponofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iogpag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijnkifgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklpbacp.dll" Kgkonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaadj32.dll" Lngpog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mciabmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aligmfnp.dll" Alageg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongcaafk.dll" Dcdkef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfepegb.dll" Emdeok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjkhdacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckkff32.dll" Kechdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfnmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahpbkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnefhpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkhdaei.dll" Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkgoff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfknedh.dll" Hokhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkglbmf.dll" Mlafkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hccadd32.dll" Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onepbd32.dll" Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdck32.dll" Fbegbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iaimipjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkojbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjjjgna.dll" Pjleclph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmmneg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ageompfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhohnoea.dll" Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emdeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikfbbjdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boifga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Folhgbid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmdbnnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Goldfelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmdgipkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpepkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnofgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eanldqgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poibnekg.dll" Mkfclo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafdibdo.dll" Ajhddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Licpomcb.dll" Edidqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbegbacp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 956 wrote to memory of 624 956 e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe 31 PID 956 wrote to memory of 624 956 e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe 31 PID 956 wrote to memory of 624 956 e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe 31 PID 956 wrote to memory of 624 956 e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe 31 PID 624 wrote to memory of 1028 624 Adnpkjde.exe 32 PID 624 wrote to memory of 1028 624 Adnpkjde.exe 32 PID 624 wrote to memory of 1028 624 Adnpkjde.exe 32 PID 624 wrote to memory of 1028 624 Adnpkjde.exe 32 PID 1028 wrote to memory of 2744 1028 Bjkhdacm.exe 33 PID 1028 wrote to memory of 2744 1028 Bjkhdacm.exe 33 PID 1028 wrote to memory of 2744 1028 Bjkhdacm.exe 33 PID 1028 wrote to memory of 2744 1028 Bjkhdacm.exe 33 PID 2744 wrote to memory of 2880 2744 Bdqlajbb.exe 34 PID 2744 wrote to memory of 2880 2744 Bdqlajbb.exe 34 PID 2744 wrote to memory of 2880 2744 Bdqlajbb.exe 34 PID 2744 wrote to memory of 2880 2744 Bdqlajbb.exe 34 PID 2880 wrote to memory of 2916 2880 Bieopm32.exe 35 PID 2880 wrote to memory of 2916 2880 Bieopm32.exe 35 PID 2880 wrote to memory of 2916 2880 Bieopm32.exe 35 PID 2880 wrote to memory of 2916 2880 Bieopm32.exe 35 PID 2916 wrote to memory of 2800 2916 Ciihklpj.exe 36 PID 2916 wrote to memory of 2800 2916 Ciihklpj.exe 36 PID 2916 wrote to memory of 2800 2916 Ciihklpj.exe 36 PID 2916 wrote to memory of 2800 2916 Ciihklpj.exe 36 PID 2800 wrote to memory of 2264 2800 Cgoelh32.exe 37 PID 2800 wrote to memory of 2264 2800 Cgoelh32.exe 37 PID 2800 wrote to memory of 2264 2800 Cgoelh32.exe 37 PID 2800 wrote to memory of 2264 2800 Cgoelh32.exe 37 PID 2264 wrote to memory of 1104 2264 Ckmnbg32.exe 38 PID 2264 wrote to memory of 1104 2264 Ckmnbg32.exe 38 PID 2264 wrote to memory of 1104 2264 Ckmnbg32.exe 38 PID 2264 wrote to memory of 1104 2264 Ckmnbg32.exe 38 PID 1104 wrote to memory of 2620 1104 Caifjn32.exe 39 PID 1104 wrote to memory of 2620 1104 Caifjn32.exe 39 PID 1104 wrote to memory of 2620 1104 Caifjn32.exe 39 PID 1104 wrote to memory of 2620 1104 Caifjn32.exe 39 PID 2620 wrote to memory of 1776 2620 Cfhkhd32.exe 40 PID 2620 wrote to memory of 1776 2620 Cfhkhd32.exe 40 PID 2620 wrote to memory of 1776 2620 Cfhkhd32.exe 40 PID 2620 wrote to memory of 1776 2620 Cfhkhd32.exe 40 PID 1776 wrote to memory of 2868 1776 Dfkhndca.exe 41 PID 1776 wrote to memory of 2868 1776 Dfkhndca.exe 41 PID 1776 wrote to memory of 2868 1776 Dfkhndca.exe 41 PID 1776 wrote to memory of 2868 1776 Dfkhndca.exe 41 PID 2868 wrote to memory of 688 2868 Dilapopb.exe 42 PID 2868 wrote to memory of 688 2868 Dilapopb.exe 42 PID 2868 wrote to memory of 688 2868 Dilapopb.exe 42 PID 2868 wrote to memory of 688 2868 Dilapopb.exe 42 PID 688 wrote to memory of 1828 688 Dfpaic32.exe 43 PID 688 wrote to memory of 1828 688 Dfpaic32.exe 43 PID 688 wrote to memory of 1828 688 Dfpaic32.exe 43 PID 688 wrote to memory of 1828 688 Dfpaic32.exe 43 PID 1828 wrote to memory of 2116 1828 Dpjbgh32.exe 44 PID 1828 wrote to memory of 2116 1828 Dpjbgh32.exe 44 PID 1828 wrote to memory of 2116 1828 Dpjbgh32.exe 44 PID 1828 wrote to memory of 2116 1828 Dpjbgh32.exe 44 PID 2116 wrote to memory of 2148 2116 Eanldqgf.exe 45 PID 2116 wrote to memory of 2148 2116 Eanldqgf.exe 45 PID 2116 wrote to memory of 2148 2116 Eanldqgf.exe 45 PID 2116 wrote to memory of 2148 2116 Eanldqgf.exe 45 PID 2148 wrote to memory of 448 2148 Eaphjp32.exe 46 PID 2148 wrote to memory of 448 2148 Eaphjp32.exe 46 PID 2148 wrote to memory of 448 2148 Eaphjp32.exe 46 PID 2148 wrote to memory of 448 2148 Eaphjp32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe"C:\Users\Admin\AppData\Local\Temp\e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Bjkhdacm.exeC:\Windows\system32\Bjkhdacm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Bieopm32.exeC:\Windows\system32\Bieopm32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ciihklpj.exeC:\Windows\system32\Ciihklpj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Dfkhndca.exeC:\Windows\system32\Dfkhndca.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Dilapopb.exeC:\Windows\system32\Dilapopb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Dfpaic32.exeC:\Windows\system32\Dfpaic32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:740 -
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Fnibcd32.exeC:\Windows\system32\Fnibcd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304 -
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Gjifodii.exeC:\Windows\system32\Gjifodii.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe33⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe34⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe36⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe42⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe44⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe47⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:980 -
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Jeclebja.exeC:\Windows\system32\Jeclebja.exe54⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1236 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Kbmfgk32.exeC:\Windows\system32\Kbmfgk32.exe60⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Kigndekn.exeC:\Windows\system32\Kigndekn.exe61⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Kpafapbk.exeC:\Windows\system32\Kpafapbk.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe66⤵PID:1820
-
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe67⤵PID:1716
-
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe68⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe69⤵PID:2512
-
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe73⤵PID:1440
-
C:\Windows\SysWOW64\Lkbmbl32.exeC:\Windows\system32\Lkbmbl32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Lnqjnhge.exeC:\Windows\system32\Lnqjnhge.exe75⤵
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Legaoehg.exeC:\Windows\system32\Legaoehg.exe76⤵PID:2688
-
C:\Windows\SysWOW64\Lopfhk32.exeC:\Windows\system32\Lopfhk32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:868 -
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe78⤵
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Lnecigcp.exeC:\Windows\system32\Lnecigcp.exe79⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Lpcoeb32.exeC:\Windows\system32\Lpcoeb32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1328 -
C:\Windows\SysWOW64\Lcblan32.exeC:\Windows\system32\Lcblan32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Lngpog32.exeC:\Windows\system32\Lngpog32.exe82⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe83⤵PID:1256
-
C:\Windows\SysWOW64\Ljnqdhga.exeC:\Windows\system32\Ljnqdhga.exe84⤵PID:948
-
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe85⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Mciabmlo.exeC:\Windows\system32\Mciabmlo.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Mlafkb32.exeC:\Windows\system32\Mlafkb32.exe88⤵
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Mcknhm32.exeC:\Windows\system32\Mcknhm32.exe89⤵PID:2640
-
C:\Windows\SysWOW64\Mfjkdh32.exeC:\Windows\system32\Mfjkdh32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2004 -
C:\Windows\SysWOW64\Mkfclo32.exeC:\Windows\system32\Mkfclo32.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe92⤵PID:1144
-
C:\Windows\SysWOW64\Mflgih32.exeC:\Windows\system32\Mflgih32.exe93⤵
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Mgmdapml.exeC:\Windows\system32\Mgmdapml.exe94⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe96⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe97⤵
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\Ndcapd32.exeC:\Windows\system32\Ndcapd32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Nnleiipc.exeC:\Windows\system32\Nnleiipc.exe99⤵PID:2480
-
C:\Windows\SysWOW64\Nqjaeeog.exeC:\Windows\system32\Nqjaeeog.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:768 -
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe102⤵PID:1964
-
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe103⤵
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Nckkgp32.exeC:\Windows\system32\Nckkgp32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe105⤵
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe106⤵
- System Location Discovery: System Language Discovery
PID:900 -
C:\Windows\SysWOW64\Nbpghl32.exeC:\Windows\system32\Nbpghl32.exe107⤵PID:1192
-
C:\Windows\SysWOW64\Npdhaq32.exeC:\Windows\system32\Npdhaq32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Obbdml32.exeC:\Windows\system32\Obbdml32.exe109⤵PID:2008
-
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe110⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Oniebmda.exeC:\Windows\system32\Oniebmda.exe111⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Ofqmcj32.exeC:\Windows\system32\Ofqmcj32.exe112⤵
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Opialpld.exeC:\Windows\system32\Opialpld.exe113⤵
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Onnnml32.exeC:\Windows\system32\Onnnml32.exe115⤵PID:2320
-
C:\Windows\SysWOW64\Ohfcfb32.exeC:\Windows\system32\Ohfcfb32.exe116⤵PID:2432
-
C:\Windows\SysWOW64\Olbogqoe.exeC:\Windows\system32\Olbogqoe.exe117⤵
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\Oejcpf32.exeC:\Windows\system32\Oejcpf32.exe118⤵PID:268
-
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe119⤵PID:1608
-
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2952 -
C:\Windows\SysWOW64\Ppddpd32.exeC:\Windows\system32\Ppddpd32.exe121⤵PID:2104
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-