Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23/12/2024, 03:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509.exe
-
Size
128KB
-
MD5
acb3ec790d68ba9f6661aca9ec8cb8dd
-
SHA1
18f1eddfcf9ebf9cf66a4bf94fcc859baec743e7
-
SHA256
d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509
-
SHA512
ed971284f99eaa9946229abf9c63f888dea6d30b933a8e37c430acceb7d3d9c043bebf689bf1ea3c60c7a95b37b017f7dfe474e03e91616c37c62863ef9154a0
-
SSDEEP
3072:NOeOw/GR1q47cZt3xgS9Q9Tq/s99CgI08uFafmHURHAVgnvedh6:c3EZt3xgS9Q9Tq/s99CgI08uF8YU8gnE
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqejbiim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpjjeim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhjjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikjpiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nplimbka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgaebe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bleeioil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfmafg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbncjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklnff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Findhdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popeif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjgoje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpmpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpgajgeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cifelgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jepmgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmeid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkcpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqnoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbcjnnpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgqpkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hndlem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meabakda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgehno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbblda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjlgfaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgohna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfkkpmko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmejllia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pebpkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgncfcaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnpmfqap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iinmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgdfdbhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idicbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlpeij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmkomchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cadjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdmnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnafnopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poeipifl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accnekon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdjklek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmhkmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demofaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odchbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjekfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkmqdpce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpbdmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilkpogmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkffng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbhjlbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnjofo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflfjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eobchk32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2788 Eoigpa32.exe 2852 Efcomkcl.exe 2712 Egdlec32.exe 2624 Fidhof32.exe 2748 Fblmglgm.exe 1108 Fgiepced.exe 2272 Fncmmmma.exe 2216 Fgkbeb32.exe 1852 Fnejbmko.exe 1244 Fcbbjcif.exe 1272 Fmjgcipg.exe 112 Fcdopc32.exe 2664 Gjngmmnp.exe 2280 Glpdde32.exe 2112 Gbjlaplk.exe 1932 Gmoqnhla.exe 1548 Gnpmfqap.exe 1596 Gejebk32.exe 1620 Gnbjlpom.exe 1284 Gaafhloq.exe 1872 Gjijqa32.exe 3032 Gbqbaofc.exe 1212 Gjlgfaco.exe 2384 Gmjcblbb.exe 1676 Hfbhkb32.exe 2840 Hjndlqal.exe 2620 Hdfhdfgl.exe 2568 Hfedqagp.exe 3016 Hpmiig32.exe 264 Hbleeb32.exe 2436 Hppfog32.exe 2464 Hbnbkbja.exe 2544 Hflkaq32.exe 1980 Heokmmgb.exe 1044 Ihmgiiff.exe 2764 Iogoec32.exe 1376 Iaelanmg.exe 2188 Ilkpogmm.exe 2228 Ioilkblq.exe 2200 Idfdcijh.exe 2036 Ikpmpc32.exe 2092 Iefamlak.exe 964 Inafbooe.exe 2244 Iamabm32.exe 1652 Ihfjognl.exe 2224 Igijkd32.exe 2304 Iihfgp32.exe 2056 Iaonhm32.exe 2832 Jglgpdcc.exe 2588 Jjjclobg.exe 3044 Jliohkak.exe 2100 Jdpgjhbm.exe 2460 Jgncfcaa.exe 2820 Jjmpbopd.exe 1264 Jnhlbn32.exe 2992 Jpfhoi32.exe 1868 Jgqpkc32.exe 2232 Jhamckel.exe 2352 Jlmicj32.exe 2428 Jolepe32.exe 2184 Jcgapdeb.exe 1536 Jfemlpdf.exe 1888 Jlpeij32.exe 608 Jkbfdfbm.exe -
Loads dropped DLL 64 IoCs
pid Process 2684 d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509.exe 2684 d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509.exe 2788 Eoigpa32.exe 2788 Eoigpa32.exe 2852 Efcomkcl.exe 2852 Efcomkcl.exe 2712 Egdlec32.exe 2712 Egdlec32.exe 2624 Fidhof32.exe 2624 Fidhof32.exe 2748 Fblmglgm.exe 2748 Fblmglgm.exe 1108 Fgiepced.exe 1108 Fgiepced.exe 2272 Fncmmmma.exe 2272 Fncmmmma.exe 2216 Fgkbeb32.exe 2216 Fgkbeb32.exe 1852 Fnejbmko.exe 1852 Fnejbmko.exe 1244 Fcbbjcif.exe 1244 Fcbbjcif.exe 1272 Fmjgcipg.exe 1272 Fmjgcipg.exe 112 Fcdopc32.exe 112 Fcdopc32.exe 2664 Gjngmmnp.exe 2664 Gjngmmnp.exe 2280 Glpdde32.exe 2280 Glpdde32.exe 2112 Gbjlaplk.exe 2112 Gbjlaplk.exe 1932 Gmoqnhla.exe 1932 Gmoqnhla.exe 1548 Gnpmfqap.exe 1548 Gnpmfqap.exe 1596 Gejebk32.exe 1596 Gejebk32.exe 1620 Gnbjlpom.exe 1620 Gnbjlpom.exe 1284 Gaafhloq.exe 1284 Gaafhloq.exe 1872 Gjijqa32.exe 1872 Gjijqa32.exe 3032 Gbqbaofc.exe 3032 Gbqbaofc.exe 1212 Gjlgfaco.exe 1212 Gjlgfaco.exe 2384 Gmjcblbb.exe 2384 Gmjcblbb.exe 1676 Hfbhkb32.exe 1676 Hfbhkb32.exe 2840 Hjndlqal.exe 2840 Hjndlqal.exe 2620 Hdfhdfgl.exe 2620 Hdfhdfgl.exe 2568 Hfedqagp.exe 2568 Hfedqagp.exe 3016 Hpmiig32.exe 3016 Hpmiig32.exe 264 Hbleeb32.exe 264 Hbleeb32.exe 2436 Hppfog32.exe 2436 Hppfog32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oeeikk32.dll Mpgobc32.exe File opened for modification C:\Windows\SysWOW64\Qppkfhlc.exe Pnbojmmp.exe File created C:\Windows\SysWOW64\Mljgjbmc.dll Jnhlbn32.exe File opened for modification C:\Windows\SysWOW64\Ejkkfjkj.exe Egmojnlf.exe File created C:\Windows\SysWOW64\Fqlicclo.exe Flqmbd32.exe File created C:\Windows\SysWOW64\Ghmekc32.dll Iaeegh32.exe File created C:\Windows\SysWOW64\Nncdpa32.dll Meoell32.exe File created C:\Windows\SysWOW64\Mlfbgb32.dll Ippdgc32.exe File opened for modification C:\Windows\SysWOW64\Anjlebjc.exe Akkoig32.exe File created C:\Windows\SysWOW64\Inoaljog.dll Clbnhmjo.exe File created C:\Windows\SysWOW64\Gmoqnhla.exe Gbjlaplk.exe File created C:\Windows\SysWOW64\Kqknil32.exe Kjaelaok.exe File created C:\Windows\SysWOW64\Binoil32.dll Qmifhq32.exe File opened for modification C:\Windows\SysWOW64\Domqjm32.exe Dkadjn32.exe File opened for modification C:\Windows\SysWOW64\Olkfmi32.exe Oiljam32.exe File created C:\Windows\SysWOW64\Damocb32.dll Pdmnam32.exe File created C:\Windows\SysWOW64\Eobchk32.exe Eldglp32.exe File opened for modification C:\Windows\SysWOW64\Fqdiga32.exe Fnflke32.exe File created C:\Windows\SysWOW64\Klbdgb32.exe Khghgchk.exe File opened for modification C:\Windows\SysWOW64\Calcpm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cmmhaf32.exe Ckolek32.exe File opened for modification C:\Windows\SysWOW64\Fjdnlhco.exe Ffibkj32.exe File created C:\Windows\SysWOW64\Jdodbpja.dll Mpopnejo.exe File created C:\Windows\SysWOW64\Hnjbeh32.exe Hjofdi32.exe File created C:\Windows\SysWOW64\Lboiol32.exe Lclicpkm.exe File created C:\Windows\SysWOW64\Hbocphim.dll Cjonncab.exe File opened for modification C:\Windows\SysWOW64\Knekla32.exe Kkgopf32.exe File created C:\Windows\SysWOW64\Biliep32.dll Danmmd32.exe File created C:\Windows\SysWOW64\Dikogf32.exe Depbfhpe.exe File created C:\Windows\SysWOW64\Innmlblo.dll Fdpkbf32.exe File created C:\Windows\SysWOW64\Bglbcj32.dll Gifclb32.exe File created C:\Windows\SysWOW64\Ifjlcmmj.exe Ihglhp32.exe File opened for modification C:\Windows\SysWOW64\Hfbhkb32.exe Gmjcblbb.exe File created C:\Windows\SysWOW64\Okdmjdol.exe Ogiaif32.exe File opened for modification C:\Windows\SysWOW64\Cillkbac.exe Cgkocj32.exe File opened for modification C:\Windows\SysWOW64\Cjlheehe.exe Cbepdhgc.exe File opened for modification C:\Windows\SysWOW64\Kpkpadnl.exe Knmdeioh.exe File created C:\Windows\SysWOW64\Cgfkmgnj.exe Process not Found File created C:\Windows\SysWOW64\Odchbe32.exe Oadkej32.exe File opened for modification C:\Windows\SysWOW64\Nehomq32.exe Namclbil.exe File created C:\Windows\SysWOW64\Onhlmh32.dll Eeaepd32.exe File created C:\Windows\SysWOW64\Abnhjmjc.dll Lqipkhbj.exe File opened for modification C:\Windows\SysWOW64\Odedge32.exe Oaghki32.exe File created C:\Windows\SysWOW64\Kalpeaik.dll Jkebjf32.exe File created C:\Windows\SysWOW64\Afbqkf32.dll Micklk32.exe File opened for modification C:\Windows\SysWOW64\Mnifja32.exe Mlkjne32.exe File created C:\Windows\SysWOW64\Agbpnh32.exe Adcdbl32.exe File created C:\Windows\SysWOW64\Pcdhbgoc.dll Clmdmm32.exe File created C:\Windows\SysWOW64\Gaokcb32.dll Nhlgmd32.exe File created C:\Windows\SysWOW64\Ippdgc32.exe Imahkg32.exe File opened for modification C:\Windows\SysWOW64\Kekiphge.exe Kncaojfb.exe File opened for modification C:\Windows\SysWOW64\Gegabegc.exe Gmpjagfa.exe File created C:\Windows\SysWOW64\Hllmcc32.exe Hinqgg32.exe File created C:\Windows\SysWOW64\Micklk32.exe Mjpkqonj.exe File created C:\Windows\SysWOW64\Mlfacfpc.exe Mpopnejo.exe File created C:\Windows\SysWOW64\Adcdbl32.exe Abegfa32.exe File created C:\Windows\SysWOW64\Fgdnnl32.exe Edfbaabj.exe File opened for modification C:\Windows\SysWOW64\Aaimopli.exe Apgagg32.exe File created C:\Windows\SysWOW64\Mneedo32.dll Hfbhkb32.exe File created C:\Windows\SysWOW64\Pkldcj32.dll Pjcckf32.exe File created C:\Windows\SysWOW64\Kofaicon.exe Kpcqnf32.exe File created C:\Windows\SysWOW64\Ahbakd32.dll Ndkhngdd.exe File opened for modification C:\Windows\SysWOW64\Jgqpkc32.exe Jpfhoi32.exe File created C:\Windows\SysWOW64\Ehmdgp32.exe Eacljf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9968 9852 Process not Found 1063 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opifnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkifhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkfmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baojapfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmnbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfhjbobc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnfdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjbafi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbojpna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaaifdhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npaich32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackmih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ledibnco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nianhplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdfdbhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjjag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfkfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hneeilgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obokcqhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akncimmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmojnlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhjopbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmpbopd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaeegh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfkpknkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndkhngdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbncfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Demofaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnfcel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbpde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicalakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekqmbod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphmloih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcjnnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomdoof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aibcba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbcpmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbnhmjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioilkblq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbkpeake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfqgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difnaqih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbffoabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heealhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclicpkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhhld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmqdpce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcgphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlckbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjpbign.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodkci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgkco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bncaekhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dedlag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdnbbah.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmoqnhla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneedo32.dll" Hfbhkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Danmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lflhon32.dll" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlnjo32.dll" Abpjjeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfmndn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbqbaofc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkadjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckemgnc.dll" Jkhldafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aihfap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeikk32.dll" Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkgela32.dll" Ndpicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pohfehdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecomg32.dll" Dpcjnabn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npdfhhhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfeepelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dklddhka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkfocaki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmkncofl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bidlgdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipjahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbigpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbcdeq32.dll" Opifnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqnbhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eelkeeah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dklddhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpgajgeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Makjho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgdnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbklf32.dll" Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfccei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejkkfjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damocb32.dll" Pdmnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpgjgboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgeogj32.dll" Eabcggll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jofejpmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpkpadnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqfkbadh.dll" Loefnpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmddpid.dll" Ioilkblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edaimkbc.dll" Ljcbaamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oldpnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anahqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmlgfnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cflimhmp.dll" Phfmllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcdgejhm.dll" Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkgo32.dll" Fggkcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjoifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Diibag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbkmo32.dll" Kfnmpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbaab32.dll" Jpdnbbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" Qgmpibam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhcmhdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhdlad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phcobkam.dll" Kcijeg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2684 wrote to memory of 2788 2684 d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509.exe 30 PID 2684 wrote to memory of 2788 2684 d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509.exe 30 PID 2684 wrote to memory of 2788 2684 d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509.exe 30 PID 2684 wrote to memory of 2788 2684 d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509.exe 30 PID 2788 wrote to memory of 2852 2788 Eoigpa32.exe 31 PID 2788 wrote to memory of 2852 2788 Eoigpa32.exe 31 PID 2788 wrote to memory of 2852 2788 Eoigpa32.exe 31 PID 2788 wrote to memory of 2852 2788 Eoigpa32.exe 31 PID 2852 wrote to memory of 2712 2852 Efcomkcl.exe 32 PID 2852 wrote to memory of 2712 2852 Efcomkcl.exe 32 PID 2852 wrote to memory of 2712 2852 Efcomkcl.exe 32 PID 2852 wrote to memory of 2712 2852 Efcomkcl.exe 32 PID 2712 wrote to memory of 2624 2712 Egdlec32.exe 33 PID 2712 wrote to memory of 2624 2712 Egdlec32.exe 33 PID 2712 wrote to memory of 2624 2712 Egdlec32.exe 33 PID 2712 wrote to memory of 2624 2712 Egdlec32.exe 33 PID 2624 wrote to memory of 2748 2624 Fidhof32.exe 34 PID 2624 wrote to memory of 2748 2624 Fidhof32.exe 34 PID 2624 wrote to memory of 2748 2624 Fidhof32.exe 34 PID 2624 wrote to memory of 2748 2624 Fidhof32.exe 34 PID 2748 wrote to memory of 1108 2748 Fblmglgm.exe 35 PID 2748 wrote to memory of 1108 2748 Fblmglgm.exe 35 PID 2748 wrote to memory of 1108 2748 Fblmglgm.exe 35 PID 2748 wrote to memory of 1108 2748 Fblmglgm.exe 35 PID 1108 wrote to memory of 2272 1108 Fgiepced.exe 36 PID 1108 wrote to memory of 2272 1108 Fgiepced.exe 36 PID 1108 wrote to memory of 2272 1108 Fgiepced.exe 36 PID 1108 wrote to memory of 2272 1108 Fgiepced.exe 36 PID 2272 wrote to memory of 2216 2272 Fncmmmma.exe 37 PID 2272 wrote to memory of 2216 2272 Fncmmmma.exe 37 PID 2272 wrote to memory of 2216 2272 Fncmmmma.exe 37 PID 2272 wrote to memory of 2216 2272 Fncmmmma.exe 37 PID 2216 wrote to memory of 1852 2216 Fgkbeb32.exe 38 PID 2216 wrote to memory of 1852 2216 Fgkbeb32.exe 38 PID 2216 wrote to memory of 1852 2216 Fgkbeb32.exe 38 PID 2216 wrote to memory of 1852 2216 Fgkbeb32.exe 38 PID 1852 wrote to memory of 1244 1852 Fnejbmko.exe 39 PID 1852 wrote to memory of 1244 1852 Fnejbmko.exe 39 PID 1852 wrote to memory of 1244 1852 Fnejbmko.exe 39 PID 1852 wrote to memory of 1244 1852 Fnejbmko.exe 39 PID 1244 wrote to memory of 1272 1244 Fcbbjcif.exe 40 PID 1244 wrote to memory of 1272 1244 Fcbbjcif.exe 40 PID 1244 wrote to memory of 1272 1244 Fcbbjcif.exe 40 PID 1244 wrote to memory of 1272 1244 Fcbbjcif.exe 40 PID 1272 wrote to memory of 112 1272 Fmjgcipg.exe 41 PID 1272 wrote to memory of 112 1272 Fmjgcipg.exe 41 PID 1272 wrote to memory of 112 1272 Fmjgcipg.exe 41 PID 1272 wrote to memory of 112 1272 Fmjgcipg.exe 41 PID 112 wrote to memory of 2664 112 Fcdopc32.exe 42 PID 112 wrote to memory of 2664 112 Fcdopc32.exe 42 PID 112 wrote to memory of 2664 112 Fcdopc32.exe 42 PID 112 wrote to memory of 2664 112 Fcdopc32.exe 42 PID 2664 wrote to memory of 2280 2664 Gjngmmnp.exe 43 PID 2664 wrote to memory of 2280 2664 Gjngmmnp.exe 43 PID 2664 wrote to memory of 2280 2664 Gjngmmnp.exe 43 PID 2664 wrote to memory of 2280 2664 Gjngmmnp.exe 43 PID 2280 wrote to memory of 2112 2280 Glpdde32.exe 44 PID 2280 wrote to memory of 2112 2280 Glpdde32.exe 44 PID 2280 wrote to memory of 2112 2280 Glpdde32.exe 44 PID 2280 wrote to memory of 2112 2280 Glpdde32.exe 44 PID 2112 wrote to memory of 1932 2112 Gbjlaplk.exe 45 PID 2112 wrote to memory of 1932 2112 Gbjlaplk.exe 45 PID 2112 wrote to memory of 1932 2112 Gbjlaplk.exe 45 PID 2112 wrote to memory of 1932 2112 Gbjlaplk.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509.exe"C:\Users\Admin\AppData\Local\Temp\d45c8e2f4a5b57a0a33de6d3770c8ea8e4da771de7f9c590eea543a435094509.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Eoigpa32.exeC:\Windows\system32\Eoigpa32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Efcomkcl.exeC:\Windows\system32\Efcomkcl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Gaafhloq.exeC:\Windows\system32\Gaafhloq.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Gjijqa32.exeC:\Windows\system32\Gjijqa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Hjndlqal.exeC:\Windows\system32\Hjndlqal.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:264 -
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe33⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe34⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe35⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe36⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Iogoec32.exeC:\Windows\system32\Iogoec32.exe37⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe38⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe41⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe43⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe44⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Iamabm32.exeC:\Windows\system32\Iamabm32.exe45⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe46⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe47⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe48⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe49⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe50⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Jjjclobg.exeC:\Windows\system32\Jjjclobg.exe51⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe52⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe53⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Jjmpbopd.exeC:\Windows\system32\Jjmpbopd.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe59⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe60⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe61⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe62⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe63⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe65⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe66⤵PID:2380
-
C:\Windows\SysWOW64\Jfhjbobc.exeC:\Windows\system32\Jfhjbobc.exe67⤵
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe68⤵PID:1556
-
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe69⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe70⤵PID:2696
-
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe71⤵PID:1308
-
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe72⤵PID:1792
-
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe73⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe74⤵PID:2132
-
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe75⤵PID:1612
-
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe76⤵PID:1372
-
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe77⤵PID:1740
-
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe78⤵PID:2336
-
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe79⤵PID:2716
-
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe80⤵PID:864
-
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe81⤵PID:2500
-
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe82⤵PID:2924
-
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe83⤵
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe84⤵PID:2608
-
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe85⤵PID:1660
-
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe86⤵PID:1416
-
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe87⤵
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe88⤵PID:2812
-
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe89⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe90⤵PID:1940
-
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe91⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe92⤵PID:3040
-
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe93⤵PID:1508
-
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe94⤵PID:764
-
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe95⤵PID:2972
-
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe96⤵PID:284
-
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe97⤵PID:2284
-
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe98⤵PID:3012
-
C:\Windows\SysWOW64\Leopgo32.exeC:\Windows\system32\Leopgo32.exe99⤵PID:576
-
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe100⤵PID:2104
-
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe101⤵PID:2888
-
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe102⤵PID:2872
-
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe103⤵PID:2900
-
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe104⤵PID:1048
-
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe106⤵PID:1644
-
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe107⤵
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe108⤵PID:1680
-
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe109⤵PID:2584
-
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe110⤵PID:1560
-
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644 -
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe112⤵
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe113⤵PID:1628
-
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe114⤵PID:1132
-
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe115⤵PID:1040
-
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe116⤵PID:2536
-
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe117⤵PID:1632
-
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe118⤵PID:2688
-
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe120⤵PID:1996
-
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe121⤵PID:1760
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-