Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/03/2025, 22:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1dcf0eda84e89100cb064fd08d30978703854017a621dea7f62e95db83b7d099.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
1dcf0eda84e89100cb064fd08d30978703854017a621dea7f62e95db83b7d099.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
1dcf0eda84e89100cb064fd08d30978703854017a621dea7f62e95db83b7d099.exe
-
Size
576KB
-
MD5
4399ed4bcb346691a7e7230b1df146b0
-
SHA1
29bc679b1c1c63eba51826503c1cf1fc93a73a44
-
SHA256
1dcf0eda84e89100cb064fd08d30978703854017a621dea7f62e95db83b7d099
-
SHA512
e58d4555d867ecd6509bc92d22fe876a562a6f043419732586c8c4c38a7c550080bce42b6aa1e2c65bfdd1cb9b71c429a8bfea2f226a3faf82b43ab28c5466ca
-
SSDEEP
12288:ztkGJGyXu1jGG1wsGeBgRTGAzciETdqvZNemWrsiLk6mqgSgRDO:fJGyXsGG1wsLUT3IipX6
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibcnojnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlphbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfokinhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhgnaehm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbjeinje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeaoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijdkcgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijclol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgbeiiqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjlmpfhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgclio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcdnhoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedfqeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nibqqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nabopjmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiffh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pghfnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgaebe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdnhoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippdgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldbofgme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofkha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgjccb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmedlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eggndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idicbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihdpbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ippdgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclicpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbfook32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goplilpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cepipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckmnbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caifjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goplilpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agolnbok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjegog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdmdacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knhjjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkndhabp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caifjn32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1504 Bjebdfnn.exe 2496 Caaggpdh.exe 540 Cpfdhl32.exe 2728 Ccdmnj32.exe 2744 Cpkmcldj.exe 2872 Cblfdg32.exe 2752 Demofaol.exe 2644 Ddblgn32.exe 3008 Dgbeiiqe.exe 1656 Dgeaoinb.exe 2028 Eggndi32.exe 1072 Eelkeeah.exe 1968 Eijdkcgn.exe 2332 Eoiiijcc.exe 2436 Folfoj32.exe 1932 Fjegog32.exe 1508 Fpoolael.exe 944 Fgldnkkf.exe 1752 Fjjpjgjj.exe 1732 Fgnadkic.exe 1648 Fjlmpfhg.exe 2440 Fmkilb32.exe 1612 Gbhbdi32.exe 2464 Golbnm32.exe 1748 Gbjojh32.exe 1660 Gnaooi32.exe 1584 Gfhgpg32.exe 2964 Goplilpf.exe 3064 Gdmdacnn.exe 764 Gbadjg32.exe 2736 Gqdefddb.exe 2160 Ggnmbn32.exe 2884 Hcdnhoac.exe 2628 Hnjbeh32.exe 3040 Hahnac32.exe 1484 Hmoofdea.exe 1996 Hpnkbpdd.exe 1856 Hldlga32.exe 2372 Hpphhp32.exe 840 Hmdhad32.exe 2568 Hneeilgj.exe 1288 Ibcnojnp.exe 904 Ieajkfmd.exe 2276 Iedfqeka.exe 1912 Ihbcmaje.exe 1724 Idicbbpi.exe 552 Ihdpbq32.exe 2908 Ijclol32.exe 2516 Ippdgc32.exe 1132 Ifjlcmmj.exe 2196 Jmdepg32.exe 2180 Jpbalb32.exe 264 Jbqmhnbo.exe 2156 Jikeeh32.exe 2716 Jliaac32.exe 2800 Jfofol32.exe 2656 Jlkngc32.exe 1088 Jojkco32.exe 2380 Jioopgef.exe 2044 Jolghndm.exe 1368 Jhdlad32.exe 2904 Jlphbbbg.exe 2444 Jondnnbk.exe 1444 Kdklfe32.exe -
Loads dropped DLL 64 IoCs
pid Process 2260 1dcf0eda84e89100cb064fd08d30978703854017a621dea7f62e95db83b7d099.exe 2260 1dcf0eda84e89100cb064fd08d30978703854017a621dea7f62e95db83b7d099.exe 1504 Bjebdfnn.exe 1504 Bjebdfnn.exe 2496 Caaggpdh.exe 2496 Caaggpdh.exe 540 Cpfdhl32.exe 540 Cpfdhl32.exe 2728 Ccdmnj32.exe 2728 Ccdmnj32.exe 2744 Cpkmcldj.exe 2744 Cpkmcldj.exe 2872 Cblfdg32.exe 2872 Cblfdg32.exe 2752 Demofaol.exe 2752 Demofaol.exe 2644 Ddblgn32.exe 2644 Ddblgn32.exe 3008 Dgbeiiqe.exe 3008 Dgbeiiqe.exe 1656 Dgeaoinb.exe 1656 Dgeaoinb.exe 2028 Eggndi32.exe 2028 Eggndi32.exe 1072 Eelkeeah.exe 1072 Eelkeeah.exe 1968 Eijdkcgn.exe 1968 Eijdkcgn.exe 2332 Eoiiijcc.exe 2332 Eoiiijcc.exe 2436 Folfoj32.exe 2436 Folfoj32.exe 1932 Fjegog32.exe 1932 Fjegog32.exe 1508 Fpoolael.exe 1508 Fpoolael.exe 944 Fgldnkkf.exe 944 Fgldnkkf.exe 1752 Fjjpjgjj.exe 1752 Fjjpjgjj.exe 1732 Fgnadkic.exe 1732 Fgnadkic.exe 1648 Fjlmpfhg.exe 1648 Fjlmpfhg.exe 2440 Fmkilb32.exe 2440 Fmkilb32.exe 1612 Gbhbdi32.exe 1612 Gbhbdi32.exe 2464 Golbnm32.exe 2464 Golbnm32.exe 1748 Gbjojh32.exe 1748 Gbjojh32.exe 1660 Gnaooi32.exe 1660 Gnaooi32.exe 1584 Gfhgpg32.exe 1584 Gfhgpg32.exe 2964 Goplilpf.exe 2964 Goplilpf.exe 3064 Gdmdacnn.exe 3064 Gdmdacnn.exe 764 Gbadjg32.exe 764 Gbadjg32.exe 2736 Gqdefddb.exe 2736 Gqdefddb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Klpdaf32.exe Kjahej32.exe File created C:\Windows\SysWOW64\Ljlmgnqj.dll Ldpbpgoh.exe File created C:\Windows\SysWOW64\Ibcnojnp.exe Hneeilgj.exe File created C:\Windows\SysWOW64\Mmgfqh32.exe Mjhjdm32.exe File opened for modification C:\Windows\SysWOW64\Neiaeiii.exe Nbjeinje.exe File created C:\Windows\SysWOW64\Mdhpmg32.dll Pojecajj.exe File created C:\Windows\SysWOW64\Kjahej32.exe Kgclio32.exe File opened for modification C:\Windows\SysWOW64\Accqnc32.exe Qnghel32.exe File created C:\Windows\SysWOW64\Ihkhkcdl.dll Bniajoic.exe File created C:\Windows\SysWOW64\Cafngogd.dll Eijdkcgn.exe File created C:\Windows\SysWOW64\Mhiaka32.dll Gqdefddb.exe File created C:\Windows\SysWOW64\Hakapcjd.dll Ihbcmaje.exe File opened for modification C:\Windows\SysWOW64\Ifjlcmmj.exe Ippdgc32.exe File opened for modification C:\Windows\SysWOW64\Jlphbbbg.exe Jhdlad32.exe File opened for modification C:\Windows\SysWOW64\Hpphhp32.exe Hldlga32.exe File created C:\Windows\SysWOW64\Ldbofgme.exe Lkjjma32.exe File opened for modification C:\Windows\SysWOW64\Mclebc32.exe Mgedmb32.exe File opened for modification C:\Windows\SysWOW64\Neknki32.exe Nnafnopi.exe File opened for modification C:\Windows\SysWOW64\Ohiffh32.exe Oekjjl32.exe File opened for modification C:\Windows\SysWOW64\Demofaol.exe Cblfdg32.exe File opened for modification C:\Windows\SysWOW64\Dgeaoinb.exe Dgbeiiqe.exe File opened for modification C:\Windows\SysWOW64\Folfoj32.exe Eoiiijcc.exe File created C:\Windows\SysWOW64\Lddlkg32.exe Lbfook32.exe File created C:\Windows\SysWOW64\Nnafnopi.exe Nhgnaehm.exe File created C:\Windows\SysWOW64\Olbfagca.exe Oeindm32.exe File opened for modification C:\Windows\SysWOW64\Cabalojc.dll Kgclio32.exe File created C:\Windows\SysWOW64\Oghnkh32.dll Ccmpce32.exe File created C:\Windows\SysWOW64\Jhogdg32.dll Cagienkb.exe File opened for modification C:\Windows\SysWOW64\ÿs.e¢e Dpapaj32.exe File created C:\Windows\SysWOW64\Eelkeeah.exe Eggndi32.exe File created C:\Windows\SysWOW64\Jlphbbbg.exe Jhdlad32.exe File created C:\Windows\SysWOW64\Eifppipg.dll Nbjeinje.exe File opened for modification C:\Windows\SysWOW64\Nlefhcnc.exe Neknki32.exe File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe Njhfcp32.exe File opened for modification C:\Windows\SysWOW64\Oekjjl32.exe Olbfagca.exe File created C:\Windows\SysWOW64\Bqgmfkhg.exe Bniajoic.exe File created C:\Windows\SysWOW64\Lbmnig32.dll Boogmgkl.exe File created C:\Windows\SysWOW64\Ijclol32.exe Ihdpbq32.exe File created C:\Windows\SysWOW64\Ifjlcmmj.exe Ippdgc32.exe File opened for modification C:\Windows\SysWOW64\Nibqqh32.exe Nefdpjkl.exe File opened for modification C:\Windows\SysWOW64\Pojecajj.exe Phqmgg32.exe File created C:\Windows\SysWOW64\Qnghel32.exe Qcachc32.exe File opened for modification C:\Windows\SysWOW64\Bjdkjpkb.exe Boogmgkl.exe File opened for modification C:\Windows\SysWOW64\Ddblgn32.exe Demofaol.exe File created C:\Windows\SysWOW64\Lcghbo32.dll Ieajkfmd.exe File created C:\Windows\SysWOW64\Njhfcp32.exe Nlefhcnc.exe File created C:\Windows\SysWOW64\Qgjccb32.exe Qdlggg32.exe File created C:\Windows\SysWOW64\Bniajoic.exe Bccmmf32.exe File opened for modification C:\Windows\SysWOW64\Bqgmfkhg.exe Bniajoic.exe File created C:\Windows\SysWOW64\Boljgg32.exe Bfdenafn.exe File created C:\Windows\SysWOW64\Onaiomjo.dll Cnkjnb32.exe File opened for modification C:\Windows\SysWOW64\Cblfdg32.exe Cpkmcldj.exe File opened for modification C:\Windows\SysWOW64\Ggnmbn32.exe Gqdefddb.exe File created C:\Windows\SysWOW64\Gchfle32.dll Jfofol32.exe File created C:\Windows\SysWOW64\Kcnfobob.dll Lgqkbb32.exe File created C:\Windows\SysWOW64\Neiaeiii.exe Nbjeinje.exe File created C:\Windows\SysWOW64\Paknelgk.exe Phcilf32.exe File opened for modification C:\Windows\SysWOW64\Acfmcc32.exe Apgagg32.exe File created C:\Windows\SysWOW64\Gggpgo32.dll Adlcfjgh.exe File created C:\Windows\SysWOW64\Kdpfadlm.exe Kocmim32.exe File created C:\Windows\SysWOW64\Knhjjj32.exe Kgnbnpkp.exe File opened for modification C:\Windows\SysWOW64\Ibcnojnp.exe Hneeilgj.exe File opened for modification C:\Windows\SysWOW64\Ieajkfmd.exe Ibcnojnp.exe File opened for modification C:\Windows\SysWOW64\Mmgfqh32.exe Mjhjdm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3772 3736 WerFault.exe 224 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelkeeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdnhoac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolghndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgclio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfefgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjbeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaqcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoiiijcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgldnkkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idicbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfahomfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbdqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikeeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjlnpmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mklcadfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akabgebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkjnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calcpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgnadkic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfofol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpicle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loqmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljmdmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghfnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbkipok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caaggpdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhbdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpphhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgedmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibqqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boljgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedfqeka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekjjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phqmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkloq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjpjgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcnojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgahoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgclio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmpdlac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefdpjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhfcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdkjpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfdhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkndhabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqbdkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocphf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpapaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnaooi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmdacnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolnbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmpce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmedlk32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odldga32.dll" Nnafnopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqbdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfkloq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqlapaeh.dll" Demofaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ippdgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlhoigp.dll" Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll" Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjlmpfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqimphik.dll" Hpnkbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obokcqhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekndacia.dll" Accqnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjjpjgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iajfhi32.dll" Gdmdacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anbkipok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Demofaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihifg32.dll" Ippdgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjokokha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iclfgl32.dll" Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljomn32.dll" Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdlggg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccjoli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddaafojo.dll" Oeindm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cblfdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkfocaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll" Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caifjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjebdfnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmdepg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mklcadfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cblfdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfebhg32.dll" Nhgnaehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjcgnola.dll" Jojkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doempm32.dll" Kdklfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koaqcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oekjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdgmlhha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" Cepipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfalipj.dll" Eoiiijcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahbekjcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcgpm32.dll" Mnmpdlac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdjjag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pghfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdmdacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcjlnpmo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2260 wrote to memory of 1504 2260 1dcf0eda84e89100cb064fd08d30978703854017a621dea7f62e95db83b7d099.exe 30 PID 2260 wrote to memory of 1504 2260 1dcf0eda84e89100cb064fd08d30978703854017a621dea7f62e95db83b7d099.exe 30 PID 2260 wrote to memory of 1504 2260 1dcf0eda84e89100cb064fd08d30978703854017a621dea7f62e95db83b7d099.exe 30 PID 2260 wrote to memory of 1504 2260 1dcf0eda84e89100cb064fd08d30978703854017a621dea7f62e95db83b7d099.exe 30 PID 1504 wrote to memory of 2496 1504 Bjebdfnn.exe 31 PID 1504 wrote to memory of 2496 1504 Bjebdfnn.exe 31 PID 1504 wrote to memory of 2496 1504 Bjebdfnn.exe 31 PID 1504 wrote to memory of 2496 1504 Bjebdfnn.exe 31 PID 2496 wrote to memory of 540 2496 Caaggpdh.exe 32 PID 2496 wrote to memory of 540 2496 Caaggpdh.exe 32 PID 2496 wrote to memory of 540 2496 Caaggpdh.exe 32 PID 2496 wrote to memory of 540 2496 Caaggpdh.exe 32 PID 540 wrote to memory of 2728 540 Cpfdhl32.exe 33 PID 540 wrote to memory of 2728 540 Cpfdhl32.exe 33 PID 540 wrote to memory of 2728 540 Cpfdhl32.exe 33 PID 540 wrote to memory of 2728 540 Cpfdhl32.exe 33 PID 2728 wrote to memory of 2744 2728 Ccdmnj32.exe 34 PID 2728 wrote to memory of 2744 2728 Ccdmnj32.exe 34 PID 2728 wrote to memory of 2744 2728 Ccdmnj32.exe 34 PID 2728 wrote to memory of 2744 2728 Ccdmnj32.exe 34 PID 2744 wrote to memory of 2872 2744 Cpkmcldj.exe 35 PID 2744 wrote to memory of 2872 2744 Cpkmcldj.exe 35 PID 2744 wrote to memory of 2872 2744 Cpkmcldj.exe 35 PID 2744 wrote to memory of 2872 2744 Cpkmcldj.exe 35 PID 2872 wrote to memory of 2752 2872 Cblfdg32.exe 36 PID 2872 wrote to memory of 2752 2872 Cblfdg32.exe 36 PID 2872 wrote to memory of 2752 2872 Cblfdg32.exe 36 PID 2872 wrote to memory of 2752 2872 Cblfdg32.exe 36 PID 2752 wrote to memory of 2644 2752 Demofaol.exe 37 PID 2752 wrote to memory of 2644 2752 Demofaol.exe 37 PID 2752 wrote to memory of 2644 2752 Demofaol.exe 37 PID 2752 wrote to memory of 2644 2752 Demofaol.exe 37 PID 2644 wrote to memory of 3008 2644 Ddblgn32.exe 38 PID 2644 wrote to memory of 3008 2644 Ddblgn32.exe 38 PID 2644 wrote to memory of 3008 2644 Ddblgn32.exe 38 PID 2644 wrote to memory of 3008 2644 Ddblgn32.exe 38 PID 3008 wrote to memory of 1656 3008 Dgbeiiqe.exe 39 PID 3008 wrote to memory of 1656 3008 Dgbeiiqe.exe 39 PID 3008 wrote to memory of 1656 3008 Dgbeiiqe.exe 39 PID 3008 wrote to memory of 1656 3008 Dgbeiiqe.exe 39 PID 1656 wrote to memory of 2028 1656 Dgeaoinb.exe 40 PID 1656 wrote to memory of 2028 1656 Dgeaoinb.exe 40 PID 1656 wrote to memory of 2028 1656 Dgeaoinb.exe 40 PID 1656 wrote to memory of 2028 1656 Dgeaoinb.exe 40 PID 2028 wrote to memory of 1072 2028 Eggndi32.exe 41 PID 2028 wrote to memory of 1072 2028 Eggndi32.exe 41 PID 2028 wrote to memory of 1072 2028 Eggndi32.exe 41 PID 2028 wrote to memory of 1072 2028 Eggndi32.exe 41 PID 1072 wrote to memory of 1968 1072 Eelkeeah.exe 42 PID 1072 wrote to memory of 1968 1072 Eelkeeah.exe 42 PID 1072 wrote to memory of 1968 1072 Eelkeeah.exe 42 PID 1072 wrote to memory of 1968 1072 Eelkeeah.exe 42 PID 1968 wrote to memory of 2332 1968 Eijdkcgn.exe 43 PID 1968 wrote to memory of 2332 1968 Eijdkcgn.exe 43 PID 1968 wrote to memory of 2332 1968 Eijdkcgn.exe 43 PID 1968 wrote to memory of 2332 1968 Eijdkcgn.exe 43 PID 2332 wrote to memory of 2436 2332 Eoiiijcc.exe 44 PID 2332 wrote to memory of 2436 2332 Eoiiijcc.exe 44 PID 2332 wrote to memory of 2436 2332 Eoiiijcc.exe 44 PID 2332 wrote to memory of 2436 2332 Eoiiijcc.exe 44 PID 2436 wrote to memory of 1932 2436 Folfoj32.exe 45 PID 2436 wrote to memory of 1932 2436 Folfoj32.exe 45 PID 2436 wrote to memory of 1932 2436 Folfoj32.exe 45 PID 2436 wrote to memory of 1932 2436 Folfoj32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1dcf0eda84e89100cb064fd08d30978703854017a621dea7f62e95db83b7d099.exe"C:\Users\Admin\AppData\Local\Temp\1dcf0eda84e89100cb064fd08d30978703854017a621dea7f62e95db83b7d099.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe33⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe36⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe41⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe51⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe53⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe56⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe58⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe60⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe64⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe67⤵PID:1396
-
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe68⤵PID:2680
-
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe70⤵
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe71⤵PID:2976
-
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe72⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe74⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe75⤵
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe80⤵PID:1772
-
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe82⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:560 -
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe84⤵
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe86⤵
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe87⤵PID:2312
-
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe88⤵
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe89⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2812 -
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe93⤵PID:2008
-
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe96⤵PID:2236
-
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe97⤵PID:660
-
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe99⤵PID:680
-
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe100⤵PID:620
-
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe101⤵PID:2100
-
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe102⤵
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe103⤵PID:2776
-
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe106⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe107⤵
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe108⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe109⤵PID:1156
-
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe113⤵PID:2996
-
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe116⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe117⤵
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2000 -
C:\Windows\SysWOW64\Ndqkleln.exeC:\Windows\system32\Ndqkleln.exe120⤵PID:752
-
C:\Windows\SysWOW64\Njjcip32.exeC:\Windows\system32\Njjcip32.exe121⤵PID:348
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-