Analysis
-
max time kernel
74s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 02:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8.exe
-
Size
88KB
-
MD5
563567bcb9e3f5dccfcc87f576684d07
-
SHA1
24e3b8b71fbf0c9e3c118851f7c3fea548aedd22
-
SHA256
c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8
-
SHA512
9a6d24af5de4a17b4f52b0fcf055d3676011a4b9a84736bd22555da710ec531e05602f38ffd36fc2d6f5d68a6700b79b727b4139a22c83bea190d1f6648f683d
-
SSDEEP
1536:9s9VPLIkngULgAwF+ANsMPq0bhRiGkU9rtgbHn+++++++++++++++++++++++++P:6Puvrs4BTkU2Hn+++++++++++++++++v
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maocekoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmkfqind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfbemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpoppadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcmabnhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfppfcmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaaghp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabkla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmlnjcgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lojeda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojoood32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmbkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abeghmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmhlnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbidof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edfqclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjpicfdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkcdigpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqilfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Polobd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fclbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glhhgahg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkhch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddpndhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffgfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnimeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfljmmjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbannb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Camqpnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmbjjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phmfpddb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cinahhff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepoao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edpoeoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfgpgmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogbolep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agqfme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhniebne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lddoopbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnmmidhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iddfqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaopcbga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oohlaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnneabff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Popkeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnhcdkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phoeomjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjoki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkbccdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqilfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fagqed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hopgikop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndmeecmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oacbdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcfknooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonqiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jogjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmmpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdoeipjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnnkbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dilddl32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2364 Maocekoo.exe 2916 Mkggnp32.exe 2256 Noepdo32.exe 2816 Npiiafpa.exe 2976 Npkfff32.exe 2524 Nlbgkgcc.exe 2988 Oihdjk32.exe 2360 Ocqhcqgk.exe 2996 Ohpnag32.exe 1952 Odfofhic.exe 980 Oajopl32.exe 580 Ojfcdo32.exe 764 Pgjdmc32.exe 2336 Pglacbbo.exe 2412 Pqdelh32.exe 2408 Pmkfqind.exe 2000 Pbhoip32.exe 1680 Polobd32.exe 1788 Pdigkk32.exe 2576 Qbmhdp32.exe 1064 Qkelme32.exe 2780 Aemafjeg.exe 544 Ajjinaco.exe 2636 Acbnggjo.exe 888 Agqfme32.exe 2368 Anjojphb.exe 2956 Ajapoqmf.exe 1612 Abldccka.exe 2324 Biiiempl.exe 2844 Bbannb32.exe 2252 Bnhncclq.exe 2272 Bbfgiabg.exe 1692 Camqpnel.exe 1492 Ckfeic32.exe 3028 Cgobcd32.exe 1056 Ccecheeb.exe 1352 Chblqlcj.exe 696 Dooqceid.exe 588 Dkeahf32.exe 2292 Ddnfql32.exe 2384 Dnhgoa32.exe 1260 Eoajgh32.exe 2700 Edpoeoea.exe 2148 Ffpkob32.exe 1004 Fhngkm32.exe 1764 Fqilppic.exe 2704 Fnmmidhm.exe 536 Fcjeakfd.exe 1824 Fmbjjp32.exe 2288 Fclbgj32.exe 2212 Fmdfppkb.exe 1456 Gabofn32.exe 2964 Gbdlnf32.exe 3040 Gphlgk32.exe 2812 Gpjilj32.exe 1944 Ghenamai.exe 916 Gplebjbk.exe 668 Ghgjflof.exe 1324 Gdnkkmej.exe 1548 Hjhchg32.exe 2308 Hdqhambg.exe 2404 Hpghfn32.exe 680 Hjmmcgha.exe 612 Hfdmhh32.exe -
Loads dropped DLL 64 IoCs
pid Process 1688 c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8.exe 1688 c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8.exe 2364 Maocekoo.exe 2364 Maocekoo.exe 2916 Mkggnp32.exe 2916 Mkggnp32.exe 2256 Noepdo32.exe 2256 Noepdo32.exe 2816 Npiiafpa.exe 2816 Npiiafpa.exe 2976 Npkfff32.exe 2976 Npkfff32.exe 2524 Nlbgkgcc.exe 2524 Nlbgkgcc.exe 2988 Oihdjk32.exe 2988 Oihdjk32.exe 2360 Ocqhcqgk.exe 2360 Ocqhcqgk.exe 2996 Ohpnag32.exe 2996 Ohpnag32.exe 1952 Odfofhic.exe 1952 Odfofhic.exe 980 Oajopl32.exe 980 Oajopl32.exe 580 Ojfcdo32.exe 580 Ojfcdo32.exe 764 Pgjdmc32.exe 764 Pgjdmc32.exe 2336 Pglacbbo.exe 2336 Pglacbbo.exe 2412 Pqdelh32.exe 2412 Pqdelh32.exe 2408 Pmkfqind.exe 2408 Pmkfqind.exe 2000 Pbhoip32.exe 2000 Pbhoip32.exe 1680 Polobd32.exe 1680 Polobd32.exe 1788 Pdigkk32.exe 1788 Pdigkk32.exe 2576 Qbmhdp32.exe 2576 Qbmhdp32.exe 1064 Qkelme32.exe 1064 Qkelme32.exe 2780 Aemafjeg.exe 2780 Aemafjeg.exe 544 Ajjinaco.exe 544 Ajjinaco.exe 2636 Acbnggjo.exe 2636 Acbnggjo.exe 888 Agqfme32.exe 888 Agqfme32.exe 2368 Anjojphb.exe 2368 Anjojphb.exe 2956 Ajapoqmf.exe 2956 Ajapoqmf.exe 1612 Abldccka.exe 1612 Abldccka.exe 2324 Biiiempl.exe 2324 Biiiempl.exe 2844 Bbannb32.exe 2844 Bbannb32.exe 2252 Bnhncclq.exe 2252 Bnhncclq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bijnecld.dll Acbnggjo.exe File opened for modification C:\Windows\SysWOW64\Bbannb32.exe Biiiempl.exe File opened for modification C:\Windows\SysWOW64\Kqqdjceh.exe Kheofahm.exe File created C:\Windows\SysWOW64\Bedene32.exe Bgqeea32.exe File created C:\Windows\SysWOW64\Fimamm32.dll Apdminod.exe File opened for modification C:\Windows\SysWOW64\Mkconepp.exe Mffgfo32.exe File created C:\Windows\SysWOW64\Ldcenn32.dll Mffgfo32.exe File opened for modification C:\Windows\SysWOW64\Pbhoip32.exe Pmkfqind.exe File opened for modification C:\Windows\SysWOW64\Cohlnkeg.exe Cincaq32.exe File opened for modification C:\Windows\SysWOW64\Dgemgm32.exe Dbidof32.exe File created C:\Windows\SysWOW64\Oinbglkm.exe Onhnjclg.exe File opened for modification C:\Windows\SysWOW64\Chblqlcj.exe Ccecheeb.exe File created C:\Windows\SysWOW64\Okgfkeda.dll Lbbiii32.exe File opened for modification C:\Windows\SysWOW64\Odfofhic.exe Ohpnag32.exe File opened for modification C:\Windows\SysWOW64\Nilndfgl.exe Ndoelpid.exe File created C:\Windows\SysWOW64\Mmkcpmmb.dll Piemih32.exe File created C:\Windows\SysWOW64\Bkhppp32.dll Nfppfcmj.exe File created C:\Windows\SysWOW64\Qbcebiqf.dll Ojilqf32.exe File created C:\Windows\SysWOW64\Bjmgmelp.dll Dbkaee32.exe File created C:\Windows\SysWOW64\Pdigkk32.exe Polobd32.exe File opened for modification C:\Windows\SysWOW64\Khpaidpk.exe Jmkmlk32.exe File opened for modification C:\Windows\SysWOW64\Leaallcb.exe Khnqbhdi.exe File created C:\Windows\SysWOW64\Pokjahgh.dll Hgpeimhf.exe File created C:\Windows\SysWOW64\Dgpdlk32.dll Mgigpgkd.exe File opened for modification C:\Windows\SysWOW64\Ijbjpg32.exe Hgbanlfc.exe File created C:\Windows\SysWOW64\Pljnmkoo.exe Pjhaec32.exe File created C:\Windows\SysWOW64\Nebgoa32.exe Nbaomf32.exe File opened for modification C:\Windows\SysWOW64\Ndgdpn32.exe Nebgoa32.exe File opened for modification C:\Windows\SysWOW64\Qakmghbm.exe Polakmbi.exe File created C:\Windows\SysWOW64\Kllboe32.dll Cinahhff.exe File created C:\Windows\SysWOW64\Fjfllm32.exe Fhccoe32.exe File created C:\Windows\SysWOW64\Plheil32.exe Pbppqf32.exe File created C:\Windows\SysWOW64\Bbjoki32.exe Bjnjfffm.exe File created C:\Windows\SysWOW64\Dkpgohdb.dll Jhniebne.exe File opened for modification C:\Windows\SysWOW64\Glhhgahg.exe Gpagbp32.exe File created C:\Windows\SysWOW64\Igffogeb.dll Ngcbie32.exe File opened for modification C:\Windows\SysWOW64\Gnenfjdh.exe Fhifmcfa.exe File created C:\Windows\SysWOW64\Nolilcpb.dll Ccmanjch.exe File created C:\Windows\SysWOW64\Laeqgcbl.dll Gfgpgmql.exe File created C:\Windows\SysWOW64\Ipekokia.dll Gplebjbk.exe File opened for modification C:\Windows\SysWOW64\Hcndag32.exe Gamkol32.exe File opened for modification C:\Windows\SysWOW64\Hmlkhk32.exe Hgobpd32.exe File created C:\Windows\SysWOW64\Qbmhdp32.exe Pdigkk32.exe File opened for modification C:\Windows\SysWOW64\Bgqeea32.exe Bbdmljln.exe File created C:\Windows\SysWOW64\Kpnnbm32.dll Pbppqf32.exe File created C:\Windows\SysWOW64\Pjhaec32.exe Pdnihiad.exe File opened for modification C:\Windows\SysWOW64\Adncoc32.exe Qamjmh32.exe File opened for modification C:\Windows\SysWOW64\Ndmeecmb.exe Nkdpmn32.exe File created C:\Windows\SysWOW64\Oedqcdim.exe Oebdndlp.exe File opened for modification C:\Windows\SysWOW64\Eonhpk32.exe Edidcb32.exe File created C:\Windows\SysWOW64\Efghmkeb.dll Gdfmccfm.exe File created C:\Windows\SysWOW64\Ihckdmko.dll Gebiefle.exe File created C:\Windows\SysWOW64\Pglacbbo.exe Pgjdmc32.exe File created C:\Windows\SysWOW64\Kpkcdn32.exe Jgbolhoa.exe File opened for modification C:\Windows\SysWOW64\Flphccbp.exe Fcgdjmlo.exe File opened for modification C:\Windows\SysWOW64\Mdkcgk32.exe Mkconepp.exe File created C:\Windows\SysWOW64\Boolhikf.exe Agchdfmk.exe File created C:\Windows\SysWOW64\Ncjnhhid.dll Fmdfppkb.exe File created C:\Windows\SysWOW64\Jjilde32.exe Jdlclo32.exe File created C:\Windows\SysWOW64\Foibjlda.dll Mnkfcjqe.exe File created C:\Windows\SysWOW64\Dgjoqd32.dll Ophoecoa.exe File created C:\Windows\SysWOW64\Gaikpd32.dll Pccdqloh.exe File opened for modification C:\Windows\SysWOW64\Dbhbfmkd.exe Cinahhff.exe File opened for modification C:\Windows\SysWOW64\Pieobaiq.exe Popkeh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2504 2020 WerFault.exe 547 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piemih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphdpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chhbpfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipimic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abldccka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilndfgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoaaqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjgbmoda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaopcbga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beplcfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkbipdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moahdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aemafjeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohlnkeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cincaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plheil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkndiabh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nebgoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidjfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmlcpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnjfffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehbfjia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgllj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffpkob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdqhambg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfblmofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbpolb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbcbag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhncclq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqendf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaaoakmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkhdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhniebne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qamjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpmkdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aniffaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnakege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdigkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achikonn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Incgfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phelnhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfbck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndoelpid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjddnjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnqfgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llfcik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apdminod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieiegf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaieai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gabofn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljdlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhlogo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqljdclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplinckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcahjqfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqgahh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqhkdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ficilgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glhhgahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faonqiod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmhij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljifm32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcahjqfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abldccka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oedqcdim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbndk32.dll" Boqgep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdahnmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acbnggjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lglnajjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgknpfdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iadphghe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfigef32.dll" Lmcdkbao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmhpfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djgbkf32.dll" Acfonhgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqqdigko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Leaallcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgeahmik.dll" Glhhgahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odanqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkhbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbkei32.dll" Npieoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anjojphb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jogjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ankabh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acplpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqemeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmcedg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npceanij.dll" Qgdbpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajkfi32.dll" Gljdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckomcec.dll" Fclbgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpghfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhenmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Goekpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iljifm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbppdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fihcdkom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnnobl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jceahq32.dll" Ndbjgjqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlbgkgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnmmidhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjddnjdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aicipgqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfimpl32.dll" Fgqcel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kppohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aniffaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnpcb32.dll" Qbmhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gegknghg.dll" Bbfgiabg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbphjkai.dll" Iadnon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqmliqfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkohkj32.dll" Ndgdpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Damhmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjidml32.dll" Lmqgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akmlacdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khjkiikl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpmlcpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnlodlcj.dll" Eonhpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onmgeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apeoom32.dll" Edfqclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edfqclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abfcdgde.dll" Hdailaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onobqhia.dll" Odfofhic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Almjcobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfjdfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdkcgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fagqed32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1688 wrote to memory of 2364 1688 c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8.exe 30 PID 1688 wrote to memory of 2364 1688 c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8.exe 30 PID 1688 wrote to memory of 2364 1688 c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8.exe 30 PID 1688 wrote to memory of 2364 1688 c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8.exe 30 PID 2364 wrote to memory of 2916 2364 Maocekoo.exe 31 PID 2364 wrote to memory of 2916 2364 Maocekoo.exe 31 PID 2364 wrote to memory of 2916 2364 Maocekoo.exe 31 PID 2364 wrote to memory of 2916 2364 Maocekoo.exe 31 PID 2916 wrote to memory of 2256 2916 Mkggnp32.exe 32 PID 2916 wrote to memory of 2256 2916 Mkggnp32.exe 32 PID 2916 wrote to memory of 2256 2916 Mkggnp32.exe 32 PID 2916 wrote to memory of 2256 2916 Mkggnp32.exe 32 PID 2256 wrote to memory of 2816 2256 Noepdo32.exe 33 PID 2256 wrote to memory of 2816 2256 Noepdo32.exe 33 PID 2256 wrote to memory of 2816 2256 Noepdo32.exe 33 PID 2256 wrote to memory of 2816 2256 Noepdo32.exe 33 PID 2816 wrote to memory of 2976 2816 Npiiafpa.exe 34 PID 2816 wrote to memory of 2976 2816 Npiiafpa.exe 34 PID 2816 wrote to memory of 2976 2816 Npiiafpa.exe 34 PID 2816 wrote to memory of 2976 2816 Npiiafpa.exe 34 PID 2976 wrote to memory of 2524 2976 Npkfff32.exe 35 PID 2976 wrote to memory of 2524 2976 Npkfff32.exe 35 PID 2976 wrote to memory of 2524 2976 Npkfff32.exe 35 PID 2976 wrote to memory of 2524 2976 Npkfff32.exe 35 PID 2524 wrote to memory of 2988 2524 Nlbgkgcc.exe 36 PID 2524 wrote to memory of 2988 2524 Nlbgkgcc.exe 36 PID 2524 wrote to memory of 2988 2524 Nlbgkgcc.exe 36 PID 2524 wrote to memory of 2988 2524 Nlbgkgcc.exe 36 PID 2988 wrote to memory of 2360 2988 Oihdjk32.exe 37 PID 2988 wrote to memory of 2360 2988 Oihdjk32.exe 37 PID 2988 wrote to memory of 2360 2988 Oihdjk32.exe 37 PID 2988 wrote to memory of 2360 2988 Oihdjk32.exe 37 PID 2360 wrote to memory of 2996 2360 Ocqhcqgk.exe 38 PID 2360 wrote to memory of 2996 2360 Ocqhcqgk.exe 38 PID 2360 wrote to memory of 2996 2360 Ocqhcqgk.exe 38 PID 2360 wrote to memory of 2996 2360 Ocqhcqgk.exe 38 PID 2996 wrote to memory of 1952 2996 Ohpnag32.exe 39 PID 2996 wrote to memory of 1952 2996 Ohpnag32.exe 39 PID 2996 wrote to memory of 1952 2996 Ohpnag32.exe 39 PID 2996 wrote to memory of 1952 2996 Ohpnag32.exe 39 PID 1952 wrote to memory of 980 1952 Odfofhic.exe 40 PID 1952 wrote to memory of 980 1952 Odfofhic.exe 40 PID 1952 wrote to memory of 980 1952 Odfofhic.exe 40 PID 1952 wrote to memory of 980 1952 Odfofhic.exe 40 PID 980 wrote to memory of 580 980 Oajopl32.exe 41 PID 980 wrote to memory of 580 980 Oajopl32.exe 41 PID 980 wrote to memory of 580 980 Oajopl32.exe 41 PID 980 wrote to memory of 580 980 Oajopl32.exe 41 PID 580 wrote to memory of 764 580 Ojfcdo32.exe 42 PID 580 wrote to memory of 764 580 Ojfcdo32.exe 42 PID 580 wrote to memory of 764 580 Ojfcdo32.exe 42 PID 580 wrote to memory of 764 580 Ojfcdo32.exe 42 PID 764 wrote to memory of 2336 764 Pgjdmc32.exe 43 PID 764 wrote to memory of 2336 764 Pgjdmc32.exe 43 PID 764 wrote to memory of 2336 764 Pgjdmc32.exe 43 PID 764 wrote to memory of 2336 764 Pgjdmc32.exe 43 PID 2336 wrote to memory of 2412 2336 Pglacbbo.exe 44 PID 2336 wrote to memory of 2412 2336 Pglacbbo.exe 44 PID 2336 wrote to memory of 2412 2336 Pglacbbo.exe 44 PID 2336 wrote to memory of 2412 2336 Pglacbbo.exe 44 PID 2412 wrote to memory of 2408 2412 Pqdelh32.exe 45 PID 2412 wrote to memory of 2408 2412 Pqdelh32.exe 45 PID 2412 wrote to memory of 2408 2412 Pqdelh32.exe 45 PID 2412 wrote to memory of 2408 2412 Pqdelh32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8.exe"C:\Users\Admin\AppData\Local\Temp\c1619271a5fd30db339d660b95118fb96735f5327cae5912b02128e955cbf3f8.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Maocekoo.exeC:\Windows\system32\Maocekoo.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Mkggnp32.exeC:\Windows\system32\Mkggnp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Noepdo32.exeC:\Windows\system32\Noepdo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Npiiafpa.exeC:\Windows\system32\Npiiafpa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Npkfff32.exeC:\Windows\system32\Npkfff32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Nlbgkgcc.exeC:\Windows\system32\Nlbgkgcc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Oihdjk32.exeC:\Windows\system32\Oihdjk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Ocqhcqgk.exeC:\Windows\system32\Ocqhcqgk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Ohpnag32.exeC:\Windows\system32\Ohpnag32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Odfofhic.exeC:\Windows\system32\Odfofhic.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Oajopl32.exeC:\Windows\system32\Oajopl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Ojfcdo32.exeC:\Windows\system32\Ojfcdo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Pgjdmc32.exeC:\Windows\system32\Pgjdmc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Pglacbbo.exeC:\Windows\system32\Pglacbbo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Pqdelh32.exeC:\Windows\system32\Pqdelh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Pmkfqind.exeC:\Windows\system32\Pmkfqind.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Pbhoip32.exeC:\Windows\system32\Pbhoip32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Polobd32.exeC:\Windows\system32\Polobd32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Pdigkk32.exeC:\Windows\system32\Pdigkk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Qbmhdp32.exeC:\Windows\system32\Qbmhdp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Qkelme32.exeC:\Windows\system32\Qkelme32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Windows\SysWOW64\Aemafjeg.exeC:\Windows\system32\Aemafjeg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Ajjinaco.exeC:\Windows\system32\Ajjinaco.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Acbnggjo.exeC:\Windows\system32\Acbnggjo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Agqfme32.exeC:\Windows\system32\Agqfme32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Anjojphb.exeC:\Windows\system32\Anjojphb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Ajapoqmf.exeC:\Windows\system32\Ajapoqmf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Abldccka.exeC:\Windows\system32\Abldccka.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Biiiempl.exeC:\Windows\system32\Biiiempl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Bbannb32.exeC:\Windows\system32\Bbannb32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Bnhncclq.exeC:\Windows\system32\Bnhncclq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Bbfgiabg.exeC:\Windows\system32\Bbfgiabg.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Camqpnel.exeC:\Windows\system32\Camqpnel.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Ckfeic32.exeC:\Windows\system32\Ckfeic32.exe35⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Cgobcd32.exeC:\Windows\system32\Cgobcd32.exe36⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ccecheeb.exeC:\Windows\system32\Ccecheeb.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Chblqlcj.exeC:\Windows\system32\Chblqlcj.exe38⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Dooqceid.exeC:\Windows\system32\Dooqceid.exe39⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Dkeahf32.exeC:\Windows\system32\Dkeahf32.exe40⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Ddnfql32.exeC:\Windows\system32\Ddnfql32.exe41⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Dnhgoa32.exeC:\Windows\system32\Dnhgoa32.exe42⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Eoajgh32.exeC:\Windows\system32\Eoajgh32.exe43⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Edpoeoea.exeC:\Windows\system32\Edpoeoea.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Fhngkm32.exeC:\Windows\system32\Fhngkm32.exe46⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Fqilppic.exeC:\Windows\system32\Fqilppic.exe47⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Fnmmidhm.exeC:\Windows\system32\Fnmmidhm.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Fcjeakfd.exeC:\Windows\system32\Fcjeakfd.exe49⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Fmbjjp32.exeC:\Windows\system32\Fmbjjp32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Fclbgj32.exeC:\Windows\system32\Fclbgj32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Gabofn32.exeC:\Windows\system32\Gabofn32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1456 -
C:\Windows\SysWOW64\Gbdlnf32.exeC:\Windows\system32\Gbdlnf32.exe54⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Gphlgk32.exeC:\Windows\system32\Gphlgk32.exe55⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Gpjilj32.exeC:\Windows\system32\Gpjilj32.exe56⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Ghenamai.exeC:\Windows\system32\Ghenamai.exe57⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Gplebjbk.exeC:\Windows\system32\Gplebjbk.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Ghgjflof.exeC:\Windows\system32\Ghgjflof.exe59⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Gdnkkmej.exeC:\Windows\system32\Gdnkkmej.exe60⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Hjhchg32.exeC:\Windows\system32\Hjhchg32.exe61⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Hdqhambg.exeC:\Windows\system32\Hdqhambg.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2308 -
C:\Windows\SysWOW64\Hpghfn32.exeC:\Windows\system32\Hpghfn32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Hjmmcgha.exeC:\Windows\system32\Hjmmcgha.exe64⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Hfdmhh32.exeC:\Windows\system32\Hfdmhh32.exe65⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Hdhnal32.exeC:\Windows\system32\Hdhnal32.exe66⤵PID:1796
-
C:\Windows\SysWOW64\Hmpbja32.exeC:\Windows\system32\Hmpbja32.exe67⤵PID:2440
-
C:\Windows\SysWOW64\Iigcobid.exeC:\Windows\system32\Iigcobid.exe68⤵PID:2376
-
C:\Windows\SysWOW64\Iiipeb32.exeC:\Windows\system32\Iiipeb32.exe69⤵PID:1816
-
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe70⤵PID:2236
-
C:\Windows\SysWOW64\Iljifm32.exeC:\Windows\system32\Iljifm32.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Iagaod32.exeC:\Windows\system32\Iagaod32.exe72⤵PID:1624
-
C:\Windows\SysWOW64\Ikoehj32.exeC:\Windows\system32\Ikoehj32.exe73⤵PID:3016
-
C:\Windows\SysWOW64\Iplnpq32.exeC:\Windows\system32\Iplnpq32.exe74⤵PID:3044
-
C:\Windows\SysWOW64\Jnpoie32.exeC:\Windows\system32\Jnpoie32.exe75⤵PID:2248
-
C:\Windows\SysWOW64\Jghcbjll.exeC:\Windows\system32\Jghcbjll.exe76⤵PID:1264
-
C:\Windows\SysWOW64\Jdlclo32.exeC:\Windows\system32\Jdlclo32.exe77⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe78⤵PID:2560
-
C:\Windows\SysWOW64\Jcaqmkpn.exeC:\Windows\system32\Jcaqmkpn.exe79⤵PID:2356
-
C:\Windows\SysWOW64\Jhniebne.exeC:\Windows\system32\Jhniebne.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Jfbinf32.exeC:\Windows\system32\Jfbinf32.exe81⤵PID:1532
-
C:\Windows\SysWOW64\Jkobgm32.exeC:\Windows\system32\Jkobgm32.exe82⤵PID:2436
-
C:\Windows\SysWOW64\Kdgfpbaf.exeC:\Windows\system32\Kdgfpbaf.exe83⤵PID:1080
-
C:\Windows\SysWOW64\Kkaolm32.exeC:\Windows\system32\Kkaolm32.exe84⤵PID:2532
-
C:\Windows\SysWOW64\Kheofahm.exeC:\Windows\system32\Kheofahm.exe85⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Kqqdjceh.exeC:\Windows\system32\Kqqdjceh.exe86⤵PID:2140
-
C:\Windows\SysWOW64\Kkfhglen.exeC:\Windows\system32\Kkfhglen.exe87⤵PID:1236
-
C:\Windows\SysWOW64\Kbppdfmk.exeC:\Windows\system32\Kbppdfmk.exe88⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Kkhdml32.exeC:\Windows\system32\Kkhdml32.exe89⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Kqemeb32.exeC:\Windows\system32\Kqemeb32.exe90⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Kfbemi32.exeC:\Windows\system32\Kfbemi32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:940 -
C:\Windows\SysWOW64\Lmlnjcgg.exeC:\Windows\system32\Lmlnjcgg.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Lfdbcing.exeC:\Windows\system32\Lfdbcing.exe93⤵PID:2460
-
C:\Windows\SysWOW64\Lchclmla.exeC:\Windows\system32\Lchclmla.exe94⤵PID:2120
-
C:\Windows\SysWOW64\Lmqgec32.exeC:\Windows\system32\Lmqgec32.exe95⤵
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Lmcdkbao.exeC:\Windows\system32\Lmcdkbao.exe96⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Lfkhch32.exeC:\Windows\system32\Lfkhch32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2776 -
C:\Windows\SysWOW64\Lgmekpmn.exeC:\Windows\system32\Lgmekpmn.exe98⤵PID:2552
-
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe99⤵
- Drops file in System32 directory
PID:1204 -
C:\Windows\SysWOW64\Milaecdp.exeC:\Windows\system32\Milaecdp.exe100⤵PID:2616
-
C:\Windows\SysWOW64\Mcfbfaao.exeC:\Windows\system32\Mcfbfaao.exe101⤵PID:1984
-
C:\Windows\SysWOW64\Mnkfcjqe.exeC:\Windows\system32\Mnkfcjqe.exe102⤵
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Mjbghkfi.exeC:\Windows\system32\Mjbghkfi.exe103⤵PID:3068
-
C:\Windows\SysWOW64\Mpoppadq.exeC:\Windows\system32\Mpoppadq.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2480 -
C:\Windows\SysWOW64\Mjddnjdf.exeC:\Windows\system32\Mjddnjdf.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Mmcpjfcj.exeC:\Windows\system32\Mmcpjfcj.exe106⤵PID:1192
-
C:\Windows\SysWOW64\Mbpibm32.exeC:\Windows\system32\Mbpibm32.exe107⤵PID:1780
-
C:\Windows\SysWOW64\Miiaogio.exeC:\Windows\system32\Miiaogio.exe108⤵PID:2504
-
C:\Windows\SysWOW64\Ndoelpid.exeC:\Windows\system32\Ndoelpid.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Nilndfgl.exeC:\Windows\system32\Nilndfgl.exe110⤵
- System Location Discovery: System Language Discovery
PID:820 -
C:\Windows\SysWOW64\Nlocka32.exeC:\Windows\system32\Nlocka32.exe111⤵PID:2400
-
C:\Windows\SysWOW64\Neghdg32.exeC:\Windows\system32\Neghdg32.exe112⤵PID:2604
-
C:\Windows\SysWOW64\Nkdpmn32.exeC:\Windows\system32\Nkdpmn32.exe113⤵
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Ndmeecmb.exeC:\Windows\system32\Ndmeecmb.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Omeini32.exeC:\Windows\system32\Omeini32.exe115⤵PID:2972
-
C:\Windows\SysWOW64\Odoakckp.exeC:\Windows\system32\Odoakckp.exe116⤵PID:944
-
C:\Windows\SysWOW64\Okijhmcm.exeC:\Windows\system32\Okijhmcm.exe117⤵PID:2984
-
C:\Windows\SysWOW64\Oacbdg32.exeC:\Windows\system32\Oacbdg32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:608 -
C:\Windows\SysWOW64\Odanqb32.exeC:\Windows\system32\Odanqb32.exe119⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Oingii32.exeC:\Windows\system32\Oingii32.exe120⤵PID:856
-
C:\Windows\SysWOW64\Ophoecoa.exeC:\Windows\system32\Ophoecoa.exe121⤵
- Drops file in System32 directory
PID:2264
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-