Analysis
-
max time kernel
101s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
20/11/2024, 03:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f724ffd872b3af07d21665ae72a608ca132bb0899ab9040ee54031d67ffda545N.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
f724ffd872b3af07d21665ae72a608ca132bb0899ab9040ee54031d67ffda545N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
f724ffd872b3af07d21665ae72a608ca132bb0899ab9040ee54031d67ffda545N.exe
-
Size
79KB
-
MD5
56fb97b0fc6b4015d072ebdcdeeaa620
-
SHA1
947af1927ca769e5b6954e3df15ab3da7c9fe5ad
-
SHA256
f724ffd872b3af07d21665ae72a608ca132bb0899ab9040ee54031d67ffda545
-
SHA512
fc17a36c173ead95ce10c7cec2a87dda72af600d0b4a0b3ea5fecbe3a459bb00fc1964643671b09ee05d21afab14ad58d7b4b176980d6aaf2c8b63a5f09fac97
-
SSDEEP
1536:k14ZKaHJhkOq48LtkMpySM2Y7/Se2nfRCIJRQtQRbRUs3cO57OWxXPu4b:g4Zdj+vs5S755eulj9puE
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lohiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omddmkhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbihmcqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehfmkmqj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcpglhpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqdong32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkladpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Paihgboc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdpepejb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cblniaii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnfnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Majfcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkoikcaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbgaahgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjgfol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Celnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnjhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idkdfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpfblh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgpgjoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkookd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpkkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhlogo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgklma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Danblfmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjpodhfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aijgemok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefncd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmmihk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Babpgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dghlfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feqbilcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bigbmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hafngggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjfmmnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbanida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkjadh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljhppo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkokjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmmihk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efkfbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cofohkgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fglkeaqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kahedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alifee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjicnlqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glhjpjok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndhpqma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncnoaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fffabman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oakdkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfcfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffiebc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eemded32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnkedemc.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2524 Ceoagcld.exe 2784 Clkfjman.exe 2912 Dmopge32.exe 2888 Difplf32.exe 2224 Djemfibq.exe 2708 Dijjgegh.exe 2012 Dimfmeef.exe 3016 Ebekej32.exe 2588 Eolljk32.exe 948 Eonhpk32.exe 3044 Egimdmmc.exe 1072 Emfbgg32.exe 1740 Fpfkhbon.exe 1720 Fcgdjmlo.exe 1996 Flphccbp.exe 1008 Faonqiod.exe 1828 Gnenfjdh.exe 1100 Gnjhaj32.exe 1548 Gnmdfi32.exe 456 Gdfmccfm.exe 1416 Gnoaliln.exe 2476 Hmdnme32.exe 2484 Hjhofj32.exe 1280 Hdapggln.exe 1672 Hfalaj32.exe 636 Hjcajn32.exe 2772 Ieiegf32.exe 2556 Incgfl32.exe 2968 Icponb32.exe 2824 Iimhfj32.exe 2712 Icbldbgi.exe 2812 Iceiibef.exe 2428 Jehbfjia.exe 944 Jblbpnhk.exe 3000 Jdplmflg.exe 852 Jfadoaih.exe 2740 Khpaidpk.exe 1272 Kmbclj32.exe 1832 Koelibnh.exe 2184 Lohiob32.exe 1224 Lkoidcaj.exe 2128 Lgejidgn.exe 2492 Lkccob32.exe 2124 Lamkllea.exe 1948 Ljhppo32.exe 1900 Mjkmfn32.exe 2564 Mliibj32.exe 2632 Mccaodgj.exe 2444 Mlkegimk.exe 2316 Mkqbhf32.exe 1608 Mdigakic.exe 2980 Mookod32.exe 2952 Mhgpgjoj.exe 2972 Nndhpqma.exe 2840 Nnfeep32.exe 1636 Nccmng32.exe 2672 Nqgngk32.exe 1928 Nfcfob32.exe 2940 Nqijmkfm.exe 2992 Ngcbie32.exe 2568 Ncjcnfcn.exe 2204 Ojdlkp32.exe 2544 Obopobhe.exe 1128 Omddmkhl.exe -
Loads dropped DLL 64 IoCs
pid Process 2412 f724ffd872b3af07d21665ae72a608ca132bb0899ab9040ee54031d67ffda545N.exe 2412 f724ffd872b3af07d21665ae72a608ca132bb0899ab9040ee54031d67ffda545N.exe 2524 Ceoagcld.exe 2524 Ceoagcld.exe 2784 Clkfjman.exe 2784 Clkfjman.exe 2912 Dmopge32.exe 2912 Dmopge32.exe 2888 Difplf32.exe 2888 Difplf32.exe 2224 Djemfibq.exe 2224 Djemfibq.exe 2708 Dijjgegh.exe 2708 Dijjgegh.exe 2012 Dimfmeef.exe 2012 Dimfmeef.exe 3016 Ebekej32.exe 3016 Ebekej32.exe 2588 Eolljk32.exe 2588 Eolljk32.exe 948 Eonhpk32.exe 948 Eonhpk32.exe 3044 Egimdmmc.exe 3044 Egimdmmc.exe 1072 Emfbgg32.exe 1072 Emfbgg32.exe 1740 Fpfkhbon.exe 1740 Fpfkhbon.exe 1720 Fcgdjmlo.exe 1720 Fcgdjmlo.exe 1996 Flphccbp.exe 1996 Flphccbp.exe 1008 Faonqiod.exe 1008 Faonqiod.exe 1828 Gnenfjdh.exe 1828 Gnenfjdh.exe 1100 Gnjhaj32.exe 1100 Gnjhaj32.exe 1548 Gnmdfi32.exe 1548 Gnmdfi32.exe 456 Gdfmccfm.exe 456 Gdfmccfm.exe 1416 Gnoaliln.exe 1416 Gnoaliln.exe 2476 Hmdnme32.exe 2476 Hmdnme32.exe 2484 Hjhofj32.exe 2484 Hjhofj32.exe 1280 Hdapggln.exe 1280 Hdapggln.exe 1672 Hfalaj32.exe 1672 Hfalaj32.exe 636 Hjcajn32.exe 636 Hjcajn32.exe 2772 Ieiegf32.exe 2772 Ieiegf32.exe 2556 Incgfl32.exe 2556 Incgfl32.exe 2968 Icponb32.exe 2968 Icponb32.exe 2824 Iimhfj32.exe 2824 Iimhfj32.exe 2712 Icbldbgi.exe 2712 Icbldbgi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lkjlcjpb.exe Laahjdib.exe File opened for modification C:\Windows\SysWOW64\Odcffafd.exe Oimaih32.exe File opened for modification C:\Windows\SysWOW64\Ooccap32.exe Obpbhk32.exe File created C:\Windows\SysWOW64\Mnlpcl32.dll Fbgaahgl.exe File opened for modification C:\Windows\SysWOW64\Mgkiaihl.exe Process not Found File created C:\Windows\SysWOW64\Cgklma32.exe Cnbhcl32.exe File created C:\Windows\SysWOW64\Kdkhbh32.exe Konpjafp.exe File opened for modification C:\Windows\SysWOW64\Indkgm32.exe Idlgohcl.exe File created C:\Windows\SysWOW64\Cilbnian.dll Cijkaehj.exe File opened for modification C:\Windows\SysWOW64\Gbbdemnl.exe Gaahmd32.exe File created C:\Windows\SysWOW64\Dqnkig32.dll Ieiegf32.exe File opened for modification C:\Windows\SysWOW64\Jcfmkcdn.exe Iniebmfg.exe File created C:\Windows\SysWOW64\Ghjcmh32.dll Baeanl32.exe File opened for modification C:\Windows\SysWOW64\Mikjmi32.exe Mpbfddef.exe File created C:\Windows\SysWOW64\Fhiqmobf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jjdcdjcm.exe Jehklc32.exe File created C:\Windows\SysWOW64\Elnagijk.exe Ebemnc32.exe File created C:\Windows\SysWOW64\Nmccnc32.exe Ncnoaj32.exe File created C:\Windows\SysWOW64\Jliaac32.dll Ogigpllh.exe File created C:\Windows\SysWOW64\Damhij32.dll Aebllocg.exe File opened for modification C:\Windows\SysWOW64\Gnjhaj32.exe Gnenfjdh.exe File created C:\Windows\SysWOW64\Jggiah32.exe Jnnehb32.exe File created C:\Windows\SysWOW64\Ijahed32.dll Fnnpma32.exe File created C:\Windows\SysWOW64\Iohiafag.exe Process not Found File created C:\Windows\SysWOW64\Daggcbmj.dll Lqnbffkn.exe File created C:\Windows\SysWOW64\Bddeal32.dll Process not Found File created C:\Windows\SysWOW64\Nhmbfhfd.exe Mnjnolap.exe File created C:\Windows\SysWOW64\Nbqnobge.exe Nmdfglhm.exe File opened for modification C:\Windows\SysWOW64\Mbcofobg.exe Mikjmi32.exe File created C:\Windows\SysWOW64\Ikcpmieg.exe Iqnlpq32.exe File created C:\Windows\SysWOW64\Igjlnf32.dll Pkglenej.exe File opened for modification C:\Windows\SysWOW64\Adekhkng.exe Acfonhgd.exe File created C:\Windows\SysWOW64\Gomjckqc.exe Gjpakdbl.exe File created C:\Windows\SysWOW64\Jjnqhh32.exe Jeahpa32.exe File opened for modification C:\Windows\SysWOW64\Cdjckfda.exe Ckboba32.exe File created C:\Windows\SysWOW64\Abpjgekf.exe Agkfil32.exe File opened for modification C:\Windows\SysWOW64\Hjgnhf32.exe Hblidd32.exe File created C:\Windows\SysWOW64\Ihefhgnm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Boekqn32.exe Process not Found File created C:\Windows\SysWOW64\Fhbaqhmq.dll Emfbgg32.exe File opened for modification C:\Windows\SysWOW64\Ieiegf32.exe Hjcajn32.exe File created C:\Windows\SysWOW64\Fgjnpb32.exe Eqpfchka.exe File created C:\Windows\SysWOW64\Kccehneq.dll Egmhjm32.exe File created C:\Windows\SysWOW64\Cnpieceq.exe Cgfqii32.exe File created C:\Windows\SysWOW64\Efbbba32.exe Emjnikpc.exe File opened for modification C:\Windows\SysWOW64\Laahjdib.exe Ldngqqjh.exe File created C:\Windows\SysWOW64\Lanmde32.exe Lheilofe.exe File opened for modification C:\Windows\SysWOW64\Ekifcd32.exe Epdafl32.exe File created C:\Windows\SysWOW64\Ijelmq32.dll Abbknb32.exe File opened for modification C:\Windows\SysWOW64\Gdedoegh.exe Ghndjd32.exe File created C:\Windows\SysWOW64\Bfipbdop.dll Chgkgmoo.exe File opened for modification C:\Windows\SysWOW64\Ajbdpblo.exe Adekhkng.exe File opened for modification C:\Windows\SysWOW64\Danblfmk.exe Ddjbbbna.exe File created C:\Windows\SysWOW64\Nghjkn32.dll Aijgemok.exe File opened for modification C:\Windows\SysWOW64\Idofmp32.exe Ifkecl32.exe File opened for modification C:\Windows\SysWOW64\Hcpbalaa.exe Hjgnhf32.exe File created C:\Windows\SysWOW64\Ehibfm32.dll Cjmcnmmc.exe File created C:\Windows\SysWOW64\Oppmkm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cqqbgoba.exe Cfknjfbl.exe File created C:\Windows\SysWOW64\Omkidb32.exe Ognakk32.exe File opened for modification C:\Windows\SysWOW64\Plhfda32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Abieajgi.exe Process not Found File created C:\Windows\SysWOW64\Cjqigm32.dll Nqgngk32.exe File created C:\Windows\SysWOW64\Jdaclb32.dll Babpgo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4888 4780 Process not Found 1227 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phacnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fflgahfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmcmcjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmecm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbanlfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiljjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaicpepa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fopnma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebekej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjcmoqlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihopjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odcffafd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogodcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaogp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oigokj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhlogo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faanibeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipbpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqbhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfqii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edbjljpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfmfchfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phgfmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgdaqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmcapna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aikkgnnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidekn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdgoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Infhmmhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpjgekf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjaejbmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohoqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpfkhbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmccnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpppbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnmgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehechn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alemjfpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eljkqfko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdplmflg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqilfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnojpdfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmclem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iekbob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcaahofh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlofhmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpdej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hilbfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbknb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lheilofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigllafc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leebcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjhofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pembpkfi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Okdahbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkdnmc32.dll" Npgppdpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkahbkgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcbcah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nknmplji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogqpjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjfmmnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkpjm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oeipje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfalaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Koacjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbeklf32.dll" Lnpcabef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgapqgcb.dll" Lcllii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enjmlgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfknpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qljaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omkidb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Piiekp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnepaom.dll" Dqcmdjjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eakkkdnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epcdai32.dll" Japfphle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkcfbkfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cffebb32.dll" Qmlief32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niqebpek.dll" Fdnabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaeokg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmeanaca.dll" Flmecm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fjpbeecn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gigllafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jdlefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegdad32.dll" Nqijmkfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onfadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oikeal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glhjpjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qklhifhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Colhlcig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjlglao.dll" Nmkklflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnlfhhj.dll" Digfil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmlpmddp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gphmbolk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhnah32.dll" Akhopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egbcne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfknjfbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qegnii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgkpbhmo.dll" Bigpdjpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idadacnh.dll" Phacnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abpjgekf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geolio32.dll" Hidledja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngebbepl.dll" Dfnncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhiglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gflcplhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpkaai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himanf32.dll" Ooccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Johmhhhj.dll" Gjpodhfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqlpph32.dll" Pnefiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbkjc32.dll" Befcne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olafdoej.dll" Iaicpepa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bimnqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obbbpp32.dll" Qlnghj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefbbmbg.dll" Ppkahi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafbiphj.dll" Gcnjmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jeahpa32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 2524 2412 f724ffd872b3af07d21665ae72a608ca132bb0899ab9040ee54031d67ffda545N.exe 29 PID 2412 wrote to memory of 2524 2412 f724ffd872b3af07d21665ae72a608ca132bb0899ab9040ee54031d67ffda545N.exe 29 PID 2412 wrote to memory of 2524 2412 f724ffd872b3af07d21665ae72a608ca132bb0899ab9040ee54031d67ffda545N.exe 29 PID 2412 wrote to memory of 2524 2412 f724ffd872b3af07d21665ae72a608ca132bb0899ab9040ee54031d67ffda545N.exe 29 PID 2524 wrote to memory of 2784 2524 Ceoagcld.exe 30 PID 2524 wrote to memory of 2784 2524 Ceoagcld.exe 30 PID 2524 wrote to memory of 2784 2524 Ceoagcld.exe 30 PID 2524 wrote to memory of 2784 2524 Ceoagcld.exe 30 PID 2784 wrote to memory of 2912 2784 Clkfjman.exe 31 PID 2784 wrote to memory of 2912 2784 Clkfjman.exe 31 PID 2784 wrote to memory of 2912 2784 Clkfjman.exe 31 PID 2784 wrote to memory of 2912 2784 Clkfjman.exe 31 PID 2912 wrote to memory of 2888 2912 Dmopge32.exe 32 PID 2912 wrote to memory of 2888 2912 Dmopge32.exe 32 PID 2912 wrote to memory of 2888 2912 Dmopge32.exe 32 PID 2912 wrote to memory of 2888 2912 Dmopge32.exe 32 PID 2888 wrote to memory of 2224 2888 Difplf32.exe 33 PID 2888 wrote to memory of 2224 2888 Difplf32.exe 33 PID 2888 wrote to memory of 2224 2888 Difplf32.exe 33 PID 2888 wrote to memory of 2224 2888 Difplf32.exe 33 PID 2224 wrote to memory of 2708 2224 Djemfibq.exe 34 PID 2224 wrote to memory of 2708 2224 Djemfibq.exe 34 PID 2224 wrote to memory of 2708 2224 Djemfibq.exe 34 PID 2224 wrote to memory of 2708 2224 Djemfibq.exe 34 PID 2708 wrote to memory of 2012 2708 Dijjgegh.exe 35 PID 2708 wrote to memory of 2012 2708 Dijjgegh.exe 35 PID 2708 wrote to memory of 2012 2708 Dijjgegh.exe 35 PID 2708 wrote to memory of 2012 2708 Dijjgegh.exe 35 PID 2012 wrote to memory of 3016 2012 Dimfmeef.exe 36 PID 2012 wrote to memory of 3016 2012 Dimfmeef.exe 36 PID 2012 wrote to memory of 3016 2012 Dimfmeef.exe 36 PID 2012 wrote to memory of 3016 2012 Dimfmeef.exe 36 PID 3016 wrote to memory of 2588 3016 Ebekej32.exe 37 PID 3016 wrote to memory of 2588 3016 Ebekej32.exe 37 PID 3016 wrote to memory of 2588 3016 Ebekej32.exe 37 PID 3016 wrote to memory of 2588 3016 Ebekej32.exe 37 PID 2588 wrote to memory of 948 2588 Eolljk32.exe 38 PID 2588 wrote to memory of 948 2588 Eolljk32.exe 38 PID 2588 wrote to memory of 948 2588 Eolljk32.exe 38 PID 2588 wrote to memory of 948 2588 Eolljk32.exe 38 PID 948 wrote to memory of 3044 948 Eonhpk32.exe 39 PID 948 wrote to memory of 3044 948 Eonhpk32.exe 39 PID 948 wrote to memory of 3044 948 Eonhpk32.exe 39 PID 948 wrote to memory of 3044 948 Eonhpk32.exe 39 PID 3044 wrote to memory of 1072 3044 Egimdmmc.exe 40 PID 3044 wrote to memory of 1072 3044 Egimdmmc.exe 40 PID 3044 wrote to memory of 1072 3044 Egimdmmc.exe 40 PID 3044 wrote to memory of 1072 3044 Egimdmmc.exe 40 PID 1072 wrote to memory of 1740 1072 Emfbgg32.exe 41 PID 1072 wrote to memory of 1740 1072 Emfbgg32.exe 41 PID 1072 wrote to memory of 1740 1072 Emfbgg32.exe 41 PID 1072 wrote to memory of 1740 1072 Emfbgg32.exe 41 PID 1740 wrote to memory of 1720 1740 Fpfkhbon.exe 42 PID 1740 wrote to memory of 1720 1740 Fpfkhbon.exe 42 PID 1740 wrote to memory of 1720 1740 Fpfkhbon.exe 42 PID 1740 wrote to memory of 1720 1740 Fpfkhbon.exe 42 PID 1720 wrote to memory of 1996 1720 Fcgdjmlo.exe 43 PID 1720 wrote to memory of 1996 1720 Fcgdjmlo.exe 43 PID 1720 wrote to memory of 1996 1720 Fcgdjmlo.exe 43 PID 1720 wrote to memory of 1996 1720 Fcgdjmlo.exe 43 PID 1996 wrote to memory of 1008 1996 Flphccbp.exe 44 PID 1996 wrote to memory of 1008 1996 Flphccbp.exe 44 PID 1996 wrote to memory of 1008 1996 Flphccbp.exe 44 PID 1996 wrote to memory of 1008 1996 Flphccbp.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\f724ffd872b3af07d21665ae72a608ca132bb0899ab9040ee54031d67ffda545N.exe"C:\Users\Admin\AppData\Local\Temp\f724ffd872b3af07d21665ae72a608ca132bb0899ab9040ee54031d67ffda545N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Ceoagcld.exeC:\Windows\system32\Ceoagcld.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Clkfjman.exeC:\Windows\system32\Clkfjman.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Dmopge32.exeC:\Windows\system32\Dmopge32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Difplf32.exeC:\Windows\system32\Difplf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Djemfibq.exeC:\Windows\system32\Djemfibq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Dijjgegh.exeC:\Windows\system32\Dijjgegh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Dimfmeef.exeC:\Windows\system32\Dimfmeef.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Ebekej32.exeC:\Windows\system32\Ebekej32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Eolljk32.exeC:\Windows\system32\Eolljk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Eonhpk32.exeC:\Windows\system32\Eonhpk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Egimdmmc.exeC:\Windows\system32\Egimdmmc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Emfbgg32.exeC:\Windows\system32\Emfbgg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Fpfkhbon.exeC:\Windows\system32\Fpfkhbon.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Fcgdjmlo.exeC:\Windows\system32\Fcgdjmlo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Flphccbp.exeC:\Windows\system32\Flphccbp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Faonqiod.exeC:\Windows\system32\Faonqiod.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
C:\Windows\SysWOW64\Gnenfjdh.exeC:\Windows\system32\Gnenfjdh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Gnjhaj32.exeC:\Windows\system32\Gnjhaj32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Gnmdfi32.exeC:\Windows\system32\Gnmdfi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Gdfmccfm.exeC:\Windows\system32\Gdfmccfm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:456 -
C:\Windows\SysWOW64\Gnoaliln.exeC:\Windows\system32\Gnoaliln.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416 -
C:\Windows\SysWOW64\Hmdnme32.exeC:\Windows\system32\Hmdnme32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Hjhofj32.exeC:\Windows\system32\Hjhofj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Hdapggln.exeC:\Windows\system32\Hdapggln.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1280 -
C:\Windows\SysWOW64\Hfalaj32.exeC:\Windows\system32\Hfalaj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Hjcajn32.exeC:\Windows\system32\Hjcajn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\Ieiegf32.exeC:\Windows\system32\Ieiegf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Incgfl32.exeC:\Windows\system32\Incgfl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Icponb32.exeC:\Windows\system32\Icponb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Iimhfj32.exeC:\Windows\system32\Iimhfj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Icbldbgi.exeC:\Windows\system32\Icbldbgi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Iceiibef.exeC:\Windows\system32\Iceiibef.exe33⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Jehbfjia.exeC:\Windows\system32\Jehbfjia.exe34⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Jblbpnhk.exeC:\Windows\system32\Jblbpnhk.exe35⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Jdplmflg.exeC:\Windows\system32\Jdplmflg.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Jfadoaih.exeC:\Windows\system32\Jfadoaih.exe37⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Khpaidpk.exeC:\Windows\system32\Khpaidpk.exe38⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Kmbclj32.exeC:\Windows\system32\Kmbclj32.exe39⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Koelibnh.exeC:\Windows\system32\Koelibnh.exe40⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Lohiob32.exeC:\Windows\system32\Lohiob32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Lkoidcaj.exeC:\Windows\system32\Lkoidcaj.exe42⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Lgejidgn.exeC:\Windows\system32\Lgejidgn.exe43⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Lkccob32.exeC:\Windows\system32\Lkccob32.exe44⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Lamkllea.exeC:\Windows\system32\Lamkllea.exe45⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Ljhppo32.exeC:\Windows\system32\Ljhppo32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Mjkmfn32.exeC:\Windows\system32\Mjkmfn32.exe47⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Mliibj32.exeC:\Windows\system32\Mliibj32.exe48⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Mccaodgj.exeC:\Windows\system32\Mccaodgj.exe49⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Mlkegimk.exeC:\Windows\system32\Mlkegimk.exe50⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Mkqbhf32.exeC:\Windows\system32\Mkqbhf32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Mdigakic.exeC:\Windows\system32\Mdigakic.exe52⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Mookod32.exeC:\Windows\system32\Mookod32.exe53⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Mhgpgjoj.exeC:\Windows\system32\Mhgpgjoj.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Nndhpqma.exeC:\Windows\system32\Nndhpqma.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Nnfeep32.exeC:\Windows\system32\Nnfeep32.exe56⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Nccmng32.exeC:\Windows\system32\Nccmng32.exe57⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Nqgngk32.exeC:\Windows\system32\Nqgngk32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Nfcfob32.exeC:\Windows\system32\Nfcfob32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Nqijmkfm.exeC:\Windows\system32\Nqijmkfm.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Ngcbie32.exeC:\Windows\system32\Ngcbie32.exe61⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Ncjcnfcn.exeC:\Windows\system32\Ncjcnfcn.exe62⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Ojdlkp32.exeC:\Windows\system32\Ojdlkp32.exe63⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Obopobhe.exeC:\Windows\system32\Obopobhe.exe64⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Omddmkhl.exeC:\Windows\system32\Omddmkhl.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Onfadc32.exeC:\Windows\system32\Onfadc32.exe66⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Oikeal32.exeC:\Windows\system32\Oikeal32.exe67⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Oafjfokk.exeC:\Windows\system32\Oafjfokk.exe68⤵PID:2196
-
C:\Windows\SysWOW64\Ollncgjq.exeC:\Windows\system32\Ollncgjq.exe69⤵PID:1316
-
C:\Windows\SysWOW64\Oedclm32.exeC:\Windows\system32\Oedclm32.exe70⤵PID:2356
-
C:\Windows\SysWOW64\Olokighn.exeC:\Windows\system32\Olokighn.exe71⤵PID:1568
-
C:\Windows\SysWOW64\Ompgqonl.exeC:\Windows\system32\Ompgqonl.exe72⤵PID:844
-
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe73⤵PID:2892
-
C:\Windows\SysWOW64\Panpgn32.exeC:\Windows\system32\Panpgn32.exe74⤵PID:3056
-
C:\Windows\SysWOW64\Piiekp32.exeC:\Windows\system32\Piiekp32.exe75⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Pbaide32.exeC:\Windows\system32\Pbaide32.exe76⤵PID:2032
-
C:\Windows\SysWOW64\Pjhaec32.exeC:\Windows\system32\Pjhaec32.exe77⤵PID:2092
-
C:\Windows\SysWOW64\Ppejmj32.exeC:\Windows\system32\Ppejmj32.exe78⤵PID:2604
-
C:\Windows\SysWOW64\Pebbeq32.exeC:\Windows\system32\Pebbeq32.exe79⤵PID:2504
-
C:\Windows\SysWOW64\Pojgnf32.exeC:\Windows\system32\Pojgnf32.exe80⤵PID:1908
-
C:\Windows\SysWOW64\Pedokpcm.exeC:\Windows\system32\Pedokpcm.exe81⤵PID:1612
-
C:\Windows\SysWOW64\Qlnghj32.exeC:\Windows\system32\Qlnghj32.exe82⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Qakppa32.exeC:\Windows\system32\Qakppa32.exe83⤵PID:2436
-
C:\Windows\SysWOW64\Qoopie32.exeC:\Windows\system32\Qoopie32.exe84⤵PID:2212
-
C:\Windows\SysWOW64\Ahgdbk32.exeC:\Windows\system32\Ahgdbk32.exe85⤵PID:752
-
C:\Windows\SysWOW64\Amdmkb32.exeC:\Windows\system32\Amdmkb32.exe86⤵PID:2644
-
C:\Windows\SysWOW64\Adnegldo.exeC:\Windows\system32\Adnegldo.exe87⤵PID:472
-
C:\Windows\SysWOW64\Aodjdede.exeC:\Windows\system32\Aodjdede.exe88⤵PID:1600
-
C:\Windows\SysWOW64\Adqbml32.exeC:\Windows\system32\Adqbml32.exe89⤵PID:2440
-
C:\Windows\SysWOW64\Aadbfp32.exeC:\Windows\system32\Aadbfp32.exe90⤵PID:2144
-
C:\Windows\SysWOW64\Acfonhgd.exeC:\Windows\system32\Acfonhgd.exe91⤵
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Adekhkng.exeC:\Windows\system32\Adekhkng.exe92⤵
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Ajbdpblo.exeC:\Windows\system32\Ajbdpblo.exe93⤵PID:1576
-
C:\Windows\SysWOW64\Bgfdjfkh.exeC:\Windows\system32\Bgfdjfkh.exe94⤵PID:3052
-
C:\Windows\SysWOW64\Blcmbmip.exeC:\Windows\system32\Blcmbmip.exe95⤵PID:652
-
C:\Windows\SysWOW64\Bapejd32.exeC:\Windows\system32\Bapejd32.exe96⤵PID:1988
-
C:\Windows\SysWOW64\Blejgm32.exeC:\Windows\system32\Blejgm32.exe97⤵PID:1808
-
C:\Windows\SysWOW64\Bcobdgoj.exeC:\Windows\system32\Bcobdgoj.exe98⤵PID:2652
-
C:\Windows\SysWOW64\Blgfml32.exeC:\Windows\system32\Blgfml32.exe99⤵PID:2616
-
C:\Windows\SysWOW64\Bbdoec32.exeC:\Windows\system32\Bbdoec32.exe100⤵PID:2608
-
C:\Windows\SysWOW64\Bkmcni32.exeC:\Windows\system32\Bkmcni32.exe101⤵PID:2028
-
C:\Windows\SysWOW64\Bqilfp32.exeC:\Windows\system32\Bqilfp32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Cnmlpd32.exeC:\Windows\system32\Cnmlpd32.exe103⤵PID:2904
-
C:\Windows\SysWOW64\Cgfqii32.exeC:\Windows\system32\Cgfqii32.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Cnpieceq.exeC:\Windows\system32\Cnpieceq.exe105⤵PID:2724
-
C:\Windows\SysWOW64\Cfknjfbl.exeC:\Windows\system32\Cfknjfbl.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Cqqbgoba.exeC:\Windows\system32\Cqqbgoba.exe107⤵PID:1492
-
C:\Windows\SysWOW64\Cgjjdijo.exeC:\Windows\system32\Cgjjdijo.exe108⤵PID:856
-
C:\Windows\SysWOW64\Cilfka32.exeC:\Windows\system32\Cilfka32.exe109⤵PID:2984
-
C:\Windows\SysWOW64\Cofohkgi.exeC:\Windows\system32\Cofohkgi.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Cincaq32.exeC:\Windows\system32\Cincaq32.exe111⤵PID:2240
-
C:\Windows\SysWOW64\Dlcfnk32.exeC:\Windows\system32\Dlcfnk32.exe112⤵PID:1160
-
C:\Windows\SysWOW64\Dapnfb32.exeC:\Windows\system32\Dapnfb32.exe113⤵PID:2040
-
C:\Windows\SysWOW64\Dndoof32.exeC:\Windows\system32\Dndoof32.exe114⤵PID:2328
-
C:\Windows\SysWOW64\Emlhfb32.exeC:\Windows\system32\Emlhfb32.exe115⤵PID:2836
-
C:\Windows\SysWOW64\Ebhani32.exeC:\Windows\system32\Ebhani32.exe116⤵PID:2900
-
C:\Windows\SysWOW64\Elaego32.exeC:\Windows\system32\Elaego32.exe117⤵PID:2304
-
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe118⤵PID:516
-
C:\Windows\SysWOW64\Ebmjihqn.exeC:\Windows\system32\Ebmjihqn.exe119⤵PID:3020
-
C:\Windows\SysWOW64\Epakcm32.exeC:\Windows\system32\Epakcm32.exe120⤵PID:1816
-
C:\Windows\SysWOW64\Eenckc32.exeC:\Windows\system32\Eenckc32.exe121⤵PID:1252
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-