Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
19/11/2024, 15:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe
-
Size
92KB
-
MD5
ef718a0457f3a44202f7740b4050c050
-
SHA1
d5d389c2714335b88016459b58709643def478ba
-
SHA256
f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12
-
SHA512
33225ef516ffab64c0010f7f063fe5ac2acd11effefa3e3117d480325d446e30093ae11d6993e72054373a5688b374036805a71c16bfd39ebde3aab5a9d62e82
-
SSDEEP
1536:mDCIgigmlf+q6cbX3FxI2rk2czgHcwZ529qKQ/9UwFFN3imnunGP+G:MCIf+q6cjVVghScwZ49QUOFVbe4+G
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgdijk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmfeldm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofcnmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpfcohfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Copljmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhngbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqcpfcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahkhgag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boncej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifljcanj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejdaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lccepqdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgeel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gipqpplq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhpfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcaaloed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfnfjmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opicgenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfngbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npfhjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdoeipjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmiolk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjiln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alaccj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abldccka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gihpcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebkndibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpcghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paqoef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnhhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqlfjfni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmefcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malmllfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhjae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcdnpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibgbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biakbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbboiknb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjbehfbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafbmdbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqlikc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amjkefmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoijjjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clpeajjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldolj32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2872 Blgcio32.exe 2492 Bhndnpnp.exe 2948 Bhpqcpkm.exe 2884 Blniinac.exe 2264 Cnabffeo.exe 432 Cdngip32.exe 2216 Cdpdnpif.exe 2524 Cpgecq32.exe 2424 Dhdfmbjc.exe 2984 Ddkgbc32.exe 2464 Dbadagln.exe 1084 Dcemnopj.exe 2224 Efffpjmk.exe 2236 Egebjmdn.exe 2540 Epcddopf.exe 936 Efoifiep.exe 1940 Faijggao.exe 2560 Fjckelfm.exe 1512 Fjfhkl32.exe 736 Fikelhib.exe 3032 Gminbfoh.exe 2556 Gedbfimc.exe 2240 Glpgibbn.exe 1008 Gidhbgag.exe 1068 Hememgdi.exe 2856 Hkjnenbp.exe 2800 Hnkffi32.exe 2932 Hlpchfdi.exe 3028 Hclhjpjc.exe 2672 Ihiabfhk.exe 2076 Ioefdpne.exe 920 Ihbdhepp.exe 2852 Jcleiclo.exe 3004 Jmdiahco.exe 1672 Jgjmoace.exe 2956 Jcandb32.exe 1484 Jjkfqlpf.exe 1460 Jcckibfg.exe 1052 Jmlobg32.exe 2008 Jibpghbk.exe 2608 Kiemmh32.exe 956 Kapaaj32.exe 2128 Kenjgi32.exe 1592 Kmiolk32.exe 2552 Kmklak32.exe 548 Lhapocoi.exe 2448 Lmnhgjmp.exe 2312 Lffmpp32.exe 1876 Lmpeljkm.exe 1768 Ligfakaa.exe 2816 Lodnjboi.exe 2676 Lhlbbg32.exe 2772 Lbagpp32.exe 2708 Lljkif32.exe 1668 Magdam32.exe 1172 Mllhne32.exe 2188 Maiqfl32.exe 1372 Mgfiocfl.exe 908 Malmllfb.exe 2084 Mghfdcdi.exe 2368 Manjaldo.exe 1648 Mkfojakp.exe 2532 Mmdkfmjc.exe 1292 Nepokogo.exe -
Loads dropped DLL 64 IoCs
pid Process 2184 f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe 2184 f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe 2872 Blgcio32.exe 2872 Blgcio32.exe 2492 Bhndnpnp.exe 2492 Bhndnpnp.exe 2948 Bhpqcpkm.exe 2948 Bhpqcpkm.exe 2884 Blniinac.exe 2884 Blniinac.exe 2264 Cnabffeo.exe 2264 Cnabffeo.exe 432 Cdngip32.exe 432 Cdngip32.exe 2216 Cdpdnpif.exe 2216 Cdpdnpif.exe 2524 Cpgecq32.exe 2524 Cpgecq32.exe 2424 Dhdfmbjc.exe 2424 Dhdfmbjc.exe 2984 Ddkgbc32.exe 2984 Ddkgbc32.exe 2464 Dbadagln.exe 2464 Dbadagln.exe 1084 Dcemnopj.exe 1084 Dcemnopj.exe 2224 Efffpjmk.exe 2224 Efffpjmk.exe 2236 Egebjmdn.exe 2236 Egebjmdn.exe 2540 Epcddopf.exe 2540 Epcddopf.exe 936 Efoifiep.exe 936 Efoifiep.exe 1940 Faijggao.exe 1940 Faijggao.exe 2560 Fjckelfm.exe 2560 Fjckelfm.exe 1512 Fjfhkl32.exe 1512 Fjfhkl32.exe 736 Fikelhib.exe 736 Fikelhib.exe 3032 Gminbfoh.exe 3032 Gminbfoh.exe 2556 Gedbfimc.exe 2556 Gedbfimc.exe 2240 Glpgibbn.exe 2240 Glpgibbn.exe 1008 Gidhbgag.exe 1008 Gidhbgag.exe 1068 Hememgdi.exe 1068 Hememgdi.exe 2856 Hkjnenbp.exe 2856 Hkjnenbp.exe 2800 Hnkffi32.exe 2800 Hnkffi32.exe 2932 Hlpchfdi.exe 2932 Hlpchfdi.exe 3028 Hclhjpjc.exe 3028 Hclhjpjc.exe 2672 Ihiabfhk.exe 2672 Ihiabfhk.exe 2076 Ioefdpne.exe 2076 Ioefdpne.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ligfakaa.exe Lmpeljkm.exe File created C:\Windows\SysWOW64\Klpmek32.dll Fkldgi32.exe File created C:\Windows\SysWOW64\Mgmbff32.dll Iaaaiobc.exe File created C:\Windows\SysWOW64\Aeikohgk.exe Qhejed32.exe File created C:\Windows\SysWOW64\Hnlnmd32.exe Hbengc32.exe File created C:\Windows\SysWOW64\Edjlgq32.exe Enpdjfgj.exe File opened for modification C:\Windows\SysWOW64\Peiaij32.exe Oibpdico.exe File created C:\Windows\SysWOW64\Nqdjge32.exe Nfnfjmgp.exe File created C:\Windows\SysWOW64\Jhbaboaj.dll Process not Found File created C:\Windows\SysWOW64\Nkdegmha.dll Ejohdbok.exe File created C:\Windows\SysWOW64\Bfnnpbnn.exe Blejgm32.exe File created C:\Windows\SysWOW64\Jmelfeqn.exe Jcmhmp32.exe File created C:\Windows\SysWOW64\Ceajdhdn.dll Process not Found File created C:\Windows\SysWOW64\Iaknmm32.exe Process not Found File created C:\Windows\SysWOW64\Lnpcabef.exe Process not Found File created C:\Windows\SysWOW64\Lifdifgc.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nahemf32.exe Nimaic32.exe File opened for modification C:\Windows\SysWOW64\Gdobqgpn.exe Gdmekg32.exe File created C:\Windows\SysWOW64\Bbegkn32.exe Process not Found File created C:\Windows\SysWOW64\Pgfpoimj.exe Process not Found File created C:\Windows\SysWOW64\Lfhenelp.dll Cagjqbam.exe File created C:\Windows\SysWOW64\Ckmbcq32.dll Flphccbp.exe File created C:\Windows\SysWOW64\Gojcia32.dll Dabkla32.exe File opened for modification C:\Windows\SysWOW64\Bpbokj32.exe Bgijbede.exe File created C:\Windows\SysWOW64\Aljcblpk.dll Joohmk32.exe File created C:\Windows\SysWOW64\Cggnqmhb.dll Process not Found File created C:\Windows\SysWOW64\Nhmdoq32.exe Nelkme32.exe File opened for modification C:\Windows\SysWOW64\Nlanhh32.exe Nakikpin.exe File created C:\Windows\SysWOW64\Dfbbpd32.exe Doijcjde.exe File opened for modification C:\Windows\SysWOW64\Jfkbqcam.exe Jfiekc32.exe File created C:\Windows\SysWOW64\Ffghlcei.exe Fjpggb32.exe File opened for modification C:\Windows\SysWOW64\Gjjlfjoo.exe Process not Found File created C:\Windows\SysWOW64\Aghijlbj.dll Mgfiocfl.exe File created C:\Windows\SysWOW64\Cadmjo32.dll Pdndggcl.exe File opened for modification C:\Windows\SysWOW64\Hhkjpi32.exe Hmefcp32.exe File created C:\Windows\SysWOW64\Liekddkh.exe Lqjfpbmm.exe File created C:\Windows\SysWOW64\Bjnqkj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bpomdmqa.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jibpghbk.exe Jmlobg32.exe File opened for modification C:\Windows\SysWOW64\Ninhamne.exe Npechhgd.exe File created C:\Windows\SysWOW64\Jhfljm32.exe Jgeobdkc.exe File opened for modification C:\Windows\SysWOW64\Gcbaop32.exe Process not Found File created C:\Windows\SysWOW64\Oaaklmao.exe Process not Found File created C:\Windows\SysWOW64\Hhkjpi32.exe Hmefcp32.exe File created C:\Windows\SysWOW64\Oifjjk32.dll Process not Found File created C:\Windows\SysWOW64\Pjlbld32.exe Process not Found File created C:\Windows\SysWOW64\Pkknia32.dll Ckkenikc.exe File opened for modification C:\Windows\SysWOW64\Dggbgadf.exe Dkpabqoa.exe File created C:\Windows\SysWOW64\Jhfehjna.dll Jmejmm32.exe File created C:\Windows\SysWOW64\Knmflijn.dll Jcmhmp32.exe File created C:\Windows\SysWOW64\Gjoflo32.dll Egobfdpi.exe File created C:\Windows\SysWOW64\Hjcocbgi.dll Process not Found File created C:\Windows\SysWOW64\Afbpph32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gfippego.exe Process not Found File created C:\Windows\SysWOW64\Pkfghh32.exe Obnbpb32.exe File created C:\Windows\SysWOW64\Koehka32.dll Hbafel32.exe File opened for modification C:\Windows\SysWOW64\Ffghlcei.exe Fjpggb32.exe File created C:\Windows\SysWOW64\Klhegdbg.dll Kmjhjndm.exe File created C:\Windows\SysWOW64\Allbpqcp.exe Aliejq32.exe File created C:\Windows\SysWOW64\Iebmpcjc.exe Iljifm32.exe File created C:\Windows\SysWOW64\Dclbgadl.dll Nhookh32.exe File created C:\Windows\SysWOW64\Pomceb32.dll Process not Found File created C:\Windows\SysWOW64\Cmcjldbf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Khfdcgmp.exe Process not Found -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehonebqq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfckodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pildgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojoelcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldikbhfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmjha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allbpqcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpgibbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbdhepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlchfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbemho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naihdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmlcpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbimbpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkaihkih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnapja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfbmgcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjfhkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblcin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojpaeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majdkifd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qahlpkhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjiln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keodflee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hclhjpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnciiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadhjaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelcho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgmiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gidhbgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gieaef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhkkmdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgknpfdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmeffp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kehidp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgdaqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ligfakaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfcbdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhmchljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmekg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knjdimdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadece32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmjekahk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcpqfgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Londmb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlgai32.dll" Hlpchfdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Manjaldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkleo32.dll" Chofhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqknjlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpligk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjkec32.dll" Ninhamne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilkhl32.dll" Felekcop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdobqgpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opoonh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeakhnj.dll" Lmpeljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhnffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdinjj32.dll" Ailboh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobpmfmi.dll" Jfiekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpnpll32.dll" Aaeeoihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmpcoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcchheoq.dll" Jepoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccaicfb.dll" Ejpipf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkghniol.dll" Kmklak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npechhgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koehka32.dll" Hbafel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aefaemqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hieegjdf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kenamefo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnigglg.dll" Qjbehfbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmgeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhfncqb.dll" Nimaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfdffojl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeeafk32.dll" Nbfobllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Galfpgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfpfke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohfgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbkingcj.dll" Phocfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Naihdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbegonmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnchedie.dll" Joaebkni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poibmdmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kiqdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkepnalk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieeidi32.dll" Mknohpqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nonqca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkegjeg.dll" Ofmiea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cklpml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nljikmpj.dll" Jbbenlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnaeccqh.dll" Cjiiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2184 wrote to memory of 2872 2184 f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe 30 PID 2184 wrote to memory of 2872 2184 f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe 30 PID 2184 wrote to memory of 2872 2184 f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe 30 PID 2184 wrote to memory of 2872 2184 f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe 30 PID 2872 wrote to memory of 2492 2872 Blgcio32.exe 31 PID 2872 wrote to memory of 2492 2872 Blgcio32.exe 31 PID 2872 wrote to memory of 2492 2872 Blgcio32.exe 31 PID 2872 wrote to memory of 2492 2872 Blgcio32.exe 31 PID 2492 wrote to memory of 2948 2492 Bhndnpnp.exe 32 PID 2492 wrote to memory of 2948 2492 Bhndnpnp.exe 32 PID 2492 wrote to memory of 2948 2492 Bhndnpnp.exe 32 PID 2492 wrote to memory of 2948 2492 Bhndnpnp.exe 32 PID 2948 wrote to memory of 2884 2948 Bhpqcpkm.exe 33 PID 2948 wrote to memory of 2884 2948 Bhpqcpkm.exe 33 PID 2948 wrote to memory of 2884 2948 Bhpqcpkm.exe 33 PID 2948 wrote to memory of 2884 2948 Bhpqcpkm.exe 33 PID 2884 wrote to memory of 2264 2884 Blniinac.exe 34 PID 2884 wrote to memory of 2264 2884 Blniinac.exe 34 PID 2884 wrote to memory of 2264 2884 Blniinac.exe 34 PID 2884 wrote to memory of 2264 2884 Blniinac.exe 34 PID 2264 wrote to memory of 432 2264 Cnabffeo.exe 35 PID 2264 wrote to memory of 432 2264 Cnabffeo.exe 35 PID 2264 wrote to memory of 432 2264 Cnabffeo.exe 35 PID 2264 wrote to memory of 432 2264 Cnabffeo.exe 35 PID 432 wrote to memory of 2216 432 Cdngip32.exe 36 PID 432 wrote to memory of 2216 432 Cdngip32.exe 36 PID 432 wrote to memory of 2216 432 Cdngip32.exe 36 PID 432 wrote to memory of 2216 432 Cdngip32.exe 36 PID 2216 wrote to memory of 2524 2216 Cdpdnpif.exe 37 PID 2216 wrote to memory of 2524 2216 Cdpdnpif.exe 37 PID 2216 wrote to memory of 2524 2216 Cdpdnpif.exe 37 PID 2216 wrote to memory of 2524 2216 Cdpdnpif.exe 37 PID 2524 wrote to memory of 2424 2524 Cpgecq32.exe 38 PID 2524 wrote to memory of 2424 2524 Cpgecq32.exe 38 PID 2524 wrote to memory of 2424 2524 Cpgecq32.exe 38 PID 2524 wrote to memory of 2424 2524 Cpgecq32.exe 38 PID 2424 wrote to memory of 2984 2424 Dhdfmbjc.exe 39 PID 2424 wrote to memory of 2984 2424 Dhdfmbjc.exe 39 PID 2424 wrote to memory of 2984 2424 Dhdfmbjc.exe 39 PID 2424 wrote to memory of 2984 2424 Dhdfmbjc.exe 39 PID 2984 wrote to memory of 2464 2984 Ddkgbc32.exe 40 PID 2984 wrote to memory of 2464 2984 Ddkgbc32.exe 40 PID 2984 wrote to memory of 2464 2984 Ddkgbc32.exe 40 PID 2984 wrote to memory of 2464 2984 Ddkgbc32.exe 40 PID 2464 wrote to memory of 1084 2464 Dbadagln.exe 41 PID 2464 wrote to memory of 1084 2464 Dbadagln.exe 41 PID 2464 wrote to memory of 1084 2464 Dbadagln.exe 41 PID 2464 wrote to memory of 1084 2464 Dbadagln.exe 41 PID 1084 wrote to memory of 2224 1084 Dcemnopj.exe 42 PID 1084 wrote to memory of 2224 1084 Dcemnopj.exe 42 PID 1084 wrote to memory of 2224 1084 Dcemnopj.exe 42 PID 1084 wrote to memory of 2224 1084 Dcemnopj.exe 42 PID 2224 wrote to memory of 2236 2224 Efffpjmk.exe 43 PID 2224 wrote to memory of 2236 2224 Efffpjmk.exe 43 PID 2224 wrote to memory of 2236 2224 Efffpjmk.exe 43 PID 2224 wrote to memory of 2236 2224 Efffpjmk.exe 43 PID 2236 wrote to memory of 2540 2236 Egebjmdn.exe 44 PID 2236 wrote to memory of 2540 2236 Egebjmdn.exe 44 PID 2236 wrote to memory of 2540 2236 Egebjmdn.exe 44 PID 2236 wrote to memory of 2540 2236 Egebjmdn.exe 44 PID 2540 wrote to memory of 936 2540 Epcddopf.exe 45 PID 2540 wrote to memory of 936 2540 Epcddopf.exe 45 PID 2540 wrote to memory of 936 2540 Epcddopf.exe 45 PID 2540 wrote to memory of 936 2540 Epcddopf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe"C:\Users\Admin\AppData\Local\Temp\f939ac96a332a8507cf0858b94bfaa5aeb0ed4a67ed30510475530fce17e0a12N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Bhndnpnp.exeC:\Windows\system32\Bhndnpnp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Bhpqcpkm.exeC:\Windows\system32\Bhpqcpkm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Blniinac.exeC:\Windows\system32\Blniinac.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Cnabffeo.exeC:\Windows\system32\Cnabffeo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Cdngip32.exeC:\Windows\system32\Cdngip32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Cdpdnpif.exeC:\Windows\system32\Cdpdnpif.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Cpgecq32.exeC:\Windows\system32\Cpgecq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Dhdfmbjc.exeC:\Windows\system32\Dhdfmbjc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Ddkgbc32.exeC:\Windows\system32\Ddkgbc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Dbadagln.exeC:\Windows\system32\Dbadagln.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Dcemnopj.exeC:\Windows\system32\Dcemnopj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Efffpjmk.exeC:\Windows\system32\Efffpjmk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Egebjmdn.exeC:\Windows\system32\Egebjmdn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Epcddopf.exeC:\Windows\system32\Epcddopf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Efoifiep.exeC:\Windows\system32\Efoifiep.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Faijggao.exeC:\Windows\system32\Faijggao.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Fjckelfm.exeC:\Windows\system32\Fjckelfm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Fikelhib.exeC:\Windows\system32\Fikelhib.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:736 -
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Gedbfimc.exeC:\Windows\system32\Gedbfimc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Glpgibbn.exeC:\Windows\system32\Glpgibbn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Gidhbgag.exeC:\Windows\system32\Gidhbgag.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\Hememgdi.exeC:\Windows\system32\Hememgdi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Ihiabfhk.exeC:\Windows\system32\Ihiabfhk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Ioefdpne.exeC:\Windows\system32\Ioefdpne.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe34⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Jmdiahco.exeC:\Windows\system32\Jmdiahco.exe35⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Jgjmoace.exeC:\Windows\system32\Jgjmoace.exe36⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe37⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Jjkfqlpf.exeC:\Windows\system32\Jjkfqlpf.exe38⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Jcckibfg.exeC:\Windows\system32\Jcckibfg.exe39⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Jmlobg32.exeC:\Windows\system32\Jmlobg32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Jibpghbk.exeC:\Windows\system32\Jibpghbk.exe41⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Kiemmh32.exeC:\Windows\system32\Kiemmh32.exe42⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Kapaaj32.exeC:\Windows\system32\Kapaaj32.exe43⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Kenjgi32.exeC:\Windows\system32\Kenjgi32.exe44⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Kmiolk32.exeC:\Windows\system32\Kmiolk32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Kmklak32.exeC:\Windows\system32\Kmklak32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe47⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Lmnhgjmp.exeC:\Windows\system32\Lmnhgjmp.exe48⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Lffmpp32.exeC:\Windows\system32\Lffmpp32.exe49⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Lmpeljkm.exeC:\Windows\system32\Lmpeljkm.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Ligfakaa.exeC:\Windows\system32\Ligfakaa.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Lodnjboi.exeC:\Windows\system32\Lodnjboi.exe52⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Lhlbbg32.exeC:\Windows\system32\Lhlbbg32.exe53⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Lbagpp32.exeC:\Windows\system32\Lbagpp32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Lljkif32.exeC:\Windows\system32\Lljkif32.exe55⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Magdam32.exeC:\Windows\system32\Magdam32.exe56⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Mllhne32.exeC:\Windows\system32\Mllhne32.exe57⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Maiqfl32.exeC:\Windows\system32\Maiqfl32.exe58⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Mgfiocfl.exeC:\Windows\system32\Mgfiocfl.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Malmllfb.exeC:\Windows\system32\Malmllfb.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Mghfdcdi.exeC:\Windows\system32\Mghfdcdi.exe61⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Manjaldo.exeC:\Windows\system32\Manjaldo.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Mkfojakp.exeC:\Windows\system32\Mkfojakp.exe63⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Mmdkfmjc.exeC:\Windows\system32\Mmdkfmjc.exe64⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Nepokogo.exeC:\Windows\system32\Nepokogo.exe65⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Npechhgd.exeC:\Windows\system32\Npechhgd.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:788 -
C:\Windows\SysWOW64\Ninhamne.exeC:\Windows\system32\Ninhamne.exe67⤵
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Nipefmkb.exeC:\Windows\system32\Nipefmkb.exe68⤵PID:1356
-
C:\Windows\SysWOW64\Nkaane32.exeC:\Windows\system32\Nkaane32.exe69⤵PID:2352
-
C:\Windows\SysWOW64\Nakikpin.exeC:\Windows\system32\Nakikpin.exe70⤵
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Nlanhh32.exeC:\Windows\system32\Nlanhh32.exe71⤵PID:1004
-
C:\Windows\SysWOW64\Nanfqo32.exeC:\Windows\system32\Nanfqo32.exe72⤵PID:2580
-
C:\Windows\SysWOW64\Ngjoif32.exeC:\Windows\system32\Ngjoif32.exe73⤵PID:2784
-
C:\Windows\SysWOW64\Nndgeplo.exeC:\Windows\system32\Nndgeplo.exe74⤵PID:1660
-
C:\Windows\SysWOW64\Okhgod32.exeC:\Windows\system32\Okhgod32.exe75⤵PID:2732
-
C:\Windows\SysWOW64\Oqepgk32.exeC:\Windows\system32\Oqepgk32.exe76⤵PID:2796
-
C:\Windows\SysWOW64\Okkddd32.exeC:\Windows\system32\Okkddd32.exe77⤵PID:1184
-
C:\Windows\SysWOW64\Ollqllod.exeC:\Windows\system32\Ollqllod.exe78⤵PID:2196
-
C:\Windows\SysWOW64\Ojpaeq32.exeC:\Windows\system32\Ojpaeq32.exe79⤵
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Ojbnkp32.exeC:\Windows\system32\Ojbnkp32.exe80⤵PID:2988
-
C:\Windows\SysWOW64\Obnbpb32.exeC:\Windows\system32\Obnbpb32.exe81⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Pkfghh32.exeC:\Windows\system32\Pkfghh32.exe82⤵PID:2528
-
C:\Windows\SysWOW64\Pmecbkgj.exeC:\Windows\system32\Pmecbkgj.exe83⤵PID:2200
-
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe84⤵PID:2272
-
C:\Windows\SysWOW64\Pildgl32.exeC:\Windows\system32\Pildgl32.exe85⤵
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Pbdipa32.exeC:\Windows\system32\Pbdipa32.exe86⤵PID:2588
-
C:\Windows\SysWOW64\Pkmmigjo.exeC:\Windows\system32\Pkmmigjo.exe87⤵PID:2604
-
C:\Windows\SysWOW64\Pkojoghl.exeC:\Windows\system32\Pkojoghl.exe88⤵PID:2776
-
C:\Windows\SysWOW64\Palbgn32.exeC:\Windows\system32\Palbgn32.exe89⤵PID:1564
-
C:\Windows\SysWOW64\Qnpcpa32.exeC:\Windows\system32\Qnpcpa32.exe90⤵PID:1412
-
C:\Windows\SysWOW64\Qghgigkn.exeC:\Windows\system32\Qghgigkn.exe91⤵PID:2712
-
C:\Windows\SysWOW64\Qijdqp32.exeC:\Windows\system32\Qijdqp32.exe92⤵PID:108
-
C:\Windows\SysWOW64\Afndjdpe.exeC:\Windows\system32\Afndjdpe.exe93⤵PID:2768
-
C:\Windows\SysWOW64\Apfici32.exeC:\Windows\system32\Apfici32.exe94⤵PID:992
-
C:\Windows\SysWOW64\Aebakp32.exeC:\Windows\system32\Aebakp32.exe95⤵PID:2160
-
C:\Windows\SysWOW64\Amjiln32.exeC:\Windows\system32\Amjiln32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Ankedf32.exeC:\Windows\system32\Ankedf32.exe97⤵PID:520
-
C:\Windows\SysWOW64\Aiqjao32.exeC:\Windows\system32\Aiqjao32.exe98⤵PID:1960
-
C:\Windows\SysWOW64\Anmbje32.exeC:\Windows\system32\Anmbje32.exe99⤵PID:1800
-
C:\Windows\SysWOW64\Alaccj32.exeC:\Windows\system32\Alaccj32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Bacefpbg.exeC:\Windows\system32\Bacefpbg.exe101⤵PID:1708
-
C:\Windows\SysWOW64\Bmjekahk.exeC:\Windows\system32\Bmjekahk.exe102⤵
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Bbikig32.exeC:\Windows\system32\Bbikig32.exe103⤵PID:2900
-
C:\Windows\SysWOW64\Blaobmkq.exeC:\Windows\system32\Blaobmkq.exe104⤵PID:2832
-
C:\Windows\SysWOW64\Cggcofkf.exeC:\Windows\system32\Cggcofkf.exe105⤵PID:912
-
C:\Windows\SysWOW64\Chhpgn32.exeC:\Windows\system32\Chhpgn32.exe106⤵PID:2736
-
C:\Windows\SysWOW64\Ccnddg32.exeC:\Windows\system32\Ccnddg32.exe107⤵PID:2152
-
C:\Windows\SysWOW64\Clfhml32.exeC:\Windows\system32\Clfhml32.exe108⤵PID:1784
-
C:\Windows\SysWOW64\Cabaec32.exeC:\Windows\system32\Cabaec32.exe109⤵PID:2356
-
C:\Windows\SysWOW64\Ckkenikc.exeC:\Windows\system32\Ckkenikc.exe110⤵
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Chofhm32.exeC:\Windows\system32\Chofhm32.exe111⤵
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Ckmbdh32.exeC:\Windows\system32\Ckmbdh32.exe112⤵PID:1392
-
C:\Windows\SysWOW64\Cagjqbam.exeC:\Windows\system32\Cagjqbam.exe113⤵
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Ckpoih32.exeC:\Windows\system32\Ckpoih32.exe114⤵PID:1904
-
C:\Windows\SysWOW64\Ddhcbnnn.exeC:\Windows\system32\Ddhcbnnn.exe115⤵PID:1704
-
C:\Windows\SysWOW64\Dkblohek.exeC:\Windows\system32\Dkblohek.exe116⤵PID:2804
-
C:\Windows\SysWOW64\Dlchfp32.exeC:\Windows\system32\Dlchfp32.exe117⤵
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Dflmpebj.exeC:\Windows\system32\Dflmpebj.exe118⤵PID:2992
-
C:\Windows\SysWOW64\Dpaqmnap.exeC:\Windows\system32\Dpaqmnap.exe119⤵PID:3000
-
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe120⤵PID:1464
-
C:\Windows\SysWOW64\Djjeedhp.exeC:\Windows\system32\Djjeedhp.exe121⤵PID:828
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-