Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2024 01:33
Static task: static1
Behavioral task: behavioral1
  Sample: 9eb1c9bb12e4cebf0d2561d8ebe8505909fc7bc794d8b1edf99359c5c7281bff.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 9eb1c9bb12e4cebf0d2561d8ebe8505909fc7bc794d8b1edf99359c5c7281bff.exe
  Resource: win10v2004-20241007-en
General
Target: 9eb1c9bb12e4cebf0d2561d8ebe8505909fc7bc794d8b1edf99359c5c7281bff.exe
Size: 314KB
MD5: cc3f10c1e12310b4faf7ec6a72a6ed33
SHA1: 0b4a2d46549c6976c63655a03d3658aeb1bf62b0
SHA256: 9eb1c9bb12e4cebf0d2561d8ebe8505909fc7bc794d8b1edf99359c5c7281bff
SHA512: bfc017ed7b7f1c75f63974dfa0e7e6ca5fe2149074cea48a650a572c095683233919b87ca011ad077dfa224142ba96c14505f601a1f66201b5b09555c9032ed4
SSDEEP: 6144:ubBqpLfKj6MB8MhjwszeXmr8SeNpgdyuH1lFDjC:u1CA6Najb87gP3C
Malware Config
Extracted family: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
PID 3068, depth 1: C:\Users\Admin\AppData\Local\Temp\9eb1c9bb12e4cebf0d2561d8ebe8505909fc7bc794d8b1edf99359c5c7281bff.exe (command line "C:\Users\Admin\AppData\Local\Temp\9eb1c9bb12e4cebf0d2561d8ebe8505909fc7bc794d8b1edf99359c5c7281bff.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 2776, depth 2: C:\Windows\SysWOW64\Joidhh32.exe (command line C:\Windows\system32\Joidhh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 2728, depth 3: C:\Windows\SysWOW64\Jmlddeio.exe (command line C:\Windows\system32\Jmlddeio.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 2168, depth 4: C:\Windows\SysWOW64\Jjpdmi32.exe (command line C:\Windows\system32\Jjpdmi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 2636, depth 5: C:\Windows\SysWOW64\Kmqmod32.exe (command line C:\Windows\system32\Kmqmod32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

PID 2988, depth 6: C:\Windows\SysWOW64\Kdkelolf.exe (command line C:\Windows\system32\Kdkelolf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 1616, depth 7: C:\Windows\SysWOW64\Kkdnhi32.exe (command line C:\Windows\system32\Kkdnhi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 2796, depth 8: C:\Windows\SysWOW64\Kbbobkol.exe (command line C:\Windows\system32\Kbbobkol.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 2412, depth 9: C:\Windows\SysWOW64\Kilgoe32.exe (command line C:\Windows\system32\Kilgoe32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 1636, depth 10: C:\Windows\SysWOW64\Khadpa32.exe (command line C:\Windows\system32\Khadpa32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 1916, depth 11: C:\Windows\SysWOW64\Klmqapci.exe (command line C:\Windows\system32\Klmqapci.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 2816, depth 12: C:\Windows\SysWOW64\Lhcafa32.exe (command line C:\Windows\system32\Lhcafa32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 1828, depth 13: C:\Windows\SysWOW64\Lanbdf32.exe (command line C:\Windows\system32\Lanbdf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 2924, depth 14: C:\Windows\SysWOW64\Lhhkapeh.exe (command line C:\Windows\system32\Lhhkapeh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 2060, depth 15: C:\Windows\SysWOW64\Lkicbk32.exe (command line C:\Windows\system32\Lkicbk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

PID 3040, depth 16: C:\Windows\SysWOW64\Lpflkb32.exe (command line C:\Windows\system32\Lpflkb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

PID 1152, depth 17: C:\Windows\SysWOW64\Mokilo32.exe (command line C:\Windows\system32\Mokilo32.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 1532, depth 18: C:\Windows\SysWOW64\Mfeaiime.exe (command line C:\Windows\system32\Mfeaiime.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 860, depth 19: C:\Windows\SysWOW64\Mfgnnhkc.exe (command line C:\Windows\system32\Mfgnnhkc.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 1676, depth 20: C:\Windows\SysWOW64\Mhfjjdjf.exe (command line C:\Windows\system32\Mhfjjdjf.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 2148, depth 21: C:\Windows\SysWOW64\Mmccqbpm.exe (command line C:\Windows\system32\Mmccqbpm.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 1612, depth 22: C:\Windows\SysWOW64\Mobomnoq.exe (command line C:\Windows\system32\Mobomnoq.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 1760, depth 23: C:\Windows\SysWOW64\Modlbmmn.exe (command line C:\Windows\system32\Modlbmmn.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 1028, depth 24: C:\Windows\SysWOW64\Mnglnj32.exe (command line C:\Windows\system32\Mnglnj32.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 2764, depth 25: C:\Windows\SysWOW64\Njnmbk32.exe (command line C:\Windows\system32\Njnmbk32.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 2908, depth 26: C:\Windows\SysWOW64\Nbeedh32.exe (command line C:\Windows\system32\Nbeedh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

PID 2736, depth 27: C:\Windows\SysWOW64\Ncfalqpm.exe (command line C:\Windows\system32\Ncfalqpm.exe)
- Loads dropped DLL

PID 2740, depth 28: C:\Windows\SysWOW64\Nnleiipc.exe (command line C:\Windows\system32\Nnleiipc.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 1520, depth 29: C:\Windows\SysWOW64\Nqjaeeog.exe (command line C:\Windows\system32\Nqjaeeog.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 2568, depth 30: C:\Windows\SysWOW64\Njbfnjeg.exe (command line C:\Windows\system32\Njbfnjeg.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 2984, depth 31: C:\Windows\SysWOW64\Nggggoda.exe (command line C:\Windows\system32\Nggggoda.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 1660, depth 32: C:\Windows\SysWOW64\Nihcog32.exe (command line C:\Windows\system32\Nihcog32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

PID 2880, depth 33: C:\Windows\SysWOW64\Npbklabl.exe (command line C:\Windows\system32\Npbklabl.exe)
- Executes dropped EXE
- Loads dropped DLL

PID 1936, depth 34: C:\Windows\SysWOW64\Nijpdfhm.exe (command line C:\Windows\system32\Nijpdfhm.exe)
- Executes dropped EXE

PID 2332, depth 35: C:\Windows\SysWOW64\Npdhaq32.exe (command line C:\Windows\system32\Npdhaq32.exe)
- Executes dropped EXE

PID 2328, depth 36: C:\Windows\SysWOW64\Ofnpnkgf.exe (command line C:\Windows\system32\Ofnpnkgf.exe)
- Executes dropped EXE

PID 2800, depth 37: C:\Windows\SysWOW64\Obeacl32.exe (command line C:\Windows\system32\Obeacl32.exe)
- Executes dropped EXE
- Modifies registry class

PID 1976, depth 38: C:\Windows\SysWOW64\Ohbikbkb.exe (command line C:\Windows\system32\Ohbikbkb.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

PID 2244, depth 39: C:\Windows\SysWOW64\Ohdfqbio.exe (command line C:\Windows\system32\Ohdfqbio.exe)
- Executes dropped EXE

PID 1548, depth 40: C:\Windows\SysWOW64\Ojbbmnhc.exe (command line C:\Windows\system32\Ojbbmnhc.exe)
- Executes dropped EXE

PID 2376, depth 41: C:\Windows\SysWOW64\Oalkih32.exe (command line C:\Windows\system32\Oalkih32.exe)
- Executes dropped EXE

PID 2096, depth 42: C:\Windows\SysWOW64\Olbogqoe.exe (command line C:\Windows\system32\Olbogqoe.exe)
- Executes dropped EXE

PID 1780, depth 43: C:\Windows\SysWOW64\Oaogognm.exe (command line C:\Windows\system32\Oaogognm.exe)
- Executes dropped EXE

PID 1696, depth 44: C:\Windows\SysWOW64\Ohipla32.exe (command line C:\Windows\system32\Ohipla32.exe)
- Executes dropped EXE

PID 1688, depth 45: C:\Windows\SysWOW64\Oflpgnld.exe (command line C:\Windows\system32\Oflpgnld.exe)
- Executes dropped EXE

PID 2428, depth 46: C:\Windows\SysWOW64\Paaddgkj.exe (command line C:\Windows\system32\Paaddgkj.exe)
- Executes dropped EXE

PID 1344, depth 47: C:\Windows\SysWOW64\Ppddpd32.exe (command line C:\Windows\system32\Ppddpd32.exe)
- Executes dropped EXE

PID 1372, depth 48: C:\Windows\SysWOW64\Pfnmmn32.exe (command line C:\Windows\system32\Pfnmmn32.exe)
- Executes dropped EXE

PID 336, depth 49: C:\Windows\SysWOW64\Pmhejhao.exe (command line C:\Windows\system32\Pmhejhao.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

PID 2400, depth 50: C:\Windows\SysWOW64\Ppfafcpb.exe (command line C:\Windows\system32\Ppfafcpb.exe)
- Executes dropped EXE

PID 1524, depth 51: C:\Windows\SysWOW64\Pbemboof.exe (command line C:\Windows\system32\Pbemboof.exe)
- Executes dropped EXE

PID 2356, depth 52: C:\Windows\SysWOW64\Pjleclph.exe (command line C:\Windows\system32\Pjleclph.exe)
- Executes dropped EXE

PID 2224, depth 53: C:\Windows\SysWOW64\Pmjaohol.exe (command line C:\Windows\system32\Pmjaohol.exe)
- Executes dropped EXE

PID 2856, depth 54: C:\Windows\SysWOW64\Pddjlb32.exe (command line C:\Windows\system32\Pddjlb32.exe)
- Executes dropped EXE

PID 584, depth 55: C:\Windows\SysWOW64\Piabdiep.exe (command line C:\Windows\system32\Piabdiep.exe)
- Executes dropped EXE

PID 2028, depth 56: C:\Windows\SysWOW64\Ppkjac32.exe (command line C:\Windows\system32\Ppkjac32.exe)
- Executes dropped EXE

PID 2416, depth 57: C:\Windows\SysWOW64\Ponklpcg.exe (command line C:\Windows\system32\Ponklpcg.exe)
- Executes dropped EXE

PID 2500, depth 58: C:\Windows\SysWOW64\Pehcij32.exe (command line C:\Windows\system32\Pehcij32.exe)
- Executes dropped EXE

PID 2176, depth 59: C:\Windows\SysWOW64\Phfoee32.exe (command line C:\Windows\system32\Phfoee32.exe)
- Executes dropped EXE

PID 2172, depth 60: C:\Windows\SysWOW64\Popgboae.exe (command line C:\Windows\system32\Popgboae.exe)
- Executes dropped EXE

PID 1012, depth 61: C:\Windows\SysWOW64\Qiflohqk.exe (command line C:\Windows\system32\Qiflohqk.exe)
- Executes dropped EXE

PID 3008, depth 62: C:\Windows\SysWOW64\Qhilkege.exe (command line C:\Windows\system32\Qhilkege.exe)
- Executes dropped EXE

PID 2152, depth 63: C:\Windows\SysWOW64\Qkghgpfi.exe (command line C:\Windows\system32\Qkghgpfi.exe)
- Executes dropped EXE
- Modifies registry class

PID 2944, depth 64: C:\Windows\SysWOW64\Qaapcj32.exe (command line C:\Windows\system32\Qaapcj32.exe)
- Executes dropped EXE

PID 2768, depth 65: C:\Windows\SysWOW64\Qhkipdeb.exe (command line C:\Windows\system32\Qhkipdeb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

PID 2756, depth 66: C:\Windows\SysWOW64\Qoeamo32.exe (command line C:\Windows\system32\Qoeamo32.exe)
- Executes dropped EXE

PID 2648, depth 67: C:\Windows\SysWOW64\Aeoijidl.exe (command line C:\Windows\system32\Aeoijidl.exe)

PID 2844, depth 68: C:\Windows\SysWOW64\Ahmefdcp.exe (command line C:\Windows\system32\Ahmefdcp.exe)

PID 2520, depth 69: C:\Windows\SysWOW64\Aklabp32.exe (command line C:\Windows\system32\Aklabp32.exe)

PID 2808, depth 70: C:\Windows\SysWOW64\Aaejojjq.exe (command line C:\Windows\system32\Aaejojjq.exe)

PID 2860, depth 71: C:\Windows\SysWOW64\Addfkeid.exe (command line C:\Windows\system32\Addfkeid.exe)

PID 624, depth 72: C:\Windows\SysWOW64\Aknngo32.exe (command line C:\Windows\system32\Aknngo32.exe)

PID 2260, depth 73: C:\Windows\SysWOW64\Anljck32.exe (command line C:\Windows\system32\Anljck32.exe)

PID 1244, depth 74: C:\Windows\SysWOW64\Apkgpf32.exe (command line C:\Windows\system32\Apkgpf32.exe)

PID 752, depth 75: C:\Windows\SysWOW64\Acicla32.exe (command line C:\Windows\system32\Acicla32.exe)

PID 2216, depth 76: C:\Windows\SysWOW64\Akpkmo32.exe (command line C:\Windows\system32\Akpkmo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

PID 1544, depth 77: C:\Windows\SysWOW64\Anogijnb.exe (command line C:\Windows\system32\Anogijnb.exe)
- Drops file in System32 directory

PID 2360, depth 78: C:\Windows\SysWOW64\Alageg32.exe (command line C:\Windows\system32\Alageg32.exe)
- Drops file in System32 directory

PID 828, depth 79: C:\Windows\SysWOW64\Adipfd32.exe (command line C:\Windows\system32\Adipfd32.exe)
- System Location Discovery: System Language Discovery

PID 968, depth 80: C:\Windows\SysWOW64\Aejlnmkm.exe (command line C:\Windows\system32\Aejlnmkm.exe)

PID 800, depth 81: C:\Windows\SysWOW64\Ajehnk32.exe (command line C:\Windows\system32\Ajehnk32.exe)

PID 2896, depth 82: C:\Windows\SysWOW64\Apppkekc.exe (command line C:\Windows\system32\Apppkekc.exe)

PID 2916, depth 83: C:\Windows\SysWOW64\Aobpfb32.exe (command line C:\Windows\system32\Aobpfb32.exe)
- Drops file in System32 directory

PID 2560, depth 84: C:\Windows\SysWOW64\Afliclij.exe (command line C:\Windows\system32\Afliclij.exe)
- Modifies registry class

PID 2596, depth 85: C:\Windows\SysWOW64\Blfapfpg.exe (command line C:\Windows\system32\Blfapfpg.exe)
- Modifies registry class

PID 2588, depth 86: C:\Windows\SysWOW64\Boemlbpk.exe (command line C:\Windows\system32\Boemlbpk.exe)

PID 2956, depth 87: C:\Windows\SysWOW64\Bacihmoo.exe (command line C:\Windows\system32\Bacihmoo.exe)
- Modifies registry class

PID 1444, depth 88: C:\Windows\SysWOW64\Bhmaeg32.exe (command line C:\Windows\system32\Bhmaeg32.exe)

PID 1900, depth 89: C:\Windows\SysWOW64\Bkknac32.exe (command line C:\Windows\system32\Bkknac32.exe)

PID 1576, depth 90: C:\Windows\SysWOW64\Bcbfbp32.exe (command line C:\Windows\system32\Bcbfbp32.exe)

PID 2508, depth 91: C:\Windows\SysWOW64\Baefnmml.exe (command line C:\Windows\system32\Baefnmml.exe)

PID 2256, depth 92: C:\Windows\SysWOW64\Blkjkflb.exe (command line C:\Windows\system32\Blkjkflb.exe)

PID 1960, depth 93: C:\Windows\SysWOW64\Boifga32.exe (command line C:\Windows\system32\Boifga32.exe)

PID 2424, depth 94: C:\Windows\SysWOW64\Bbhccm32.exe (command line C:\Windows\system32\Bbhccm32.exe)

PID 112, depth 95: C:\Windows\SysWOW64\Bfcodkcb.exe (command line C:\Windows\system32\Bfcodkcb.exe)

PID 2192, depth 96: C:\Windows\SysWOW64\Bhbkpgbf.exe (command line C:\Windows\system32\Bhbkpgbf.exe)

PID 2524, depth 97: C:\Windows\SysWOW64\Bolcma32.exe (command line C:\Windows\system32\Bolcma32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

PID 1492, depth 98: C:\Windows\SysWOW64\Bbjpil32.exe (command line C:\Windows\system32\Bbjpil32.exe)

PID 2864, depth 99: C:\Windows\SysWOW64\Bqmpdioa.exe (command line C:\Windows\system32\Bqmpdioa.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

PID 796, depth 100: C:\Windows\SysWOW64\Bgghac32.exe (command line C:\Windows\system32\Bgghac32.exe)

PID 2584, depth 101: C:\Windows\SysWOW64\Bkbdabog.exe (command line C:\Windows\system32\Bkbdabog.exe)

PID 2080, depth 102: C:\Windows\SysWOW64\Bbllnlfd.exe (command line C:\Windows\system32\Bbllnlfd.exe)

PID 2468, depth 103: C:\Windows\SysWOW64\Bdkhjgeh.exe (command line C:\Windows\system32\Bdkhjgeh.exe)

PID 2000, depth 104: C:\Windows\SysWOW64\Cjhabndo.exe (command line C:\Windows\system32\Cjhabndo.exe)

PID 2484, depth 105: C:\Windows\SysWOW64\Cncmcm32.exe (command line C:\Windows\system32\Cncmcm32.exe)

PID 1056, depth 106: C:\Windows\SysWOW64\Cqaiph32.exe (command line C:\Windows\system32\Cqaiph32.exe)

PID 2452, depth 107: C:\Windows\SysWOW64\Ccpeld32.exe (command line C:\Windows\system32\Ccpeld32.exe)

PID 1876, depth 108: C:\Windows\SysWOW64\Cjjnhnbl.exe (command line C:\Windows\system32\Cjjnhnbl.exe)

PID 2476, depth 109: C:\Windows\SysWOW64\Cnejim32.exe (command line C:\Windows\system32\Cnejim32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

PID 2684, depth 110: C:\Windows\SysWOW64\Cogfqe32.exe (command line C:\Windows\system32\Cogfqe32.exe)
- Modifies registry class

PID 2252, depth 111: C:\Windows\SysWOW64\Ccbbachm.exe (command line C:\Windows\system32\Ccbbachm.exe)

PID 2084, depth 112: C:\Windows\SysWOW64\Cjljnn32.exe (command line C:\Windows\system32\Cjljnn32.exe)

PID 1360, depth 113: C:\Windows\SysWOW64\Ciokijfd.exe (command line C:\Windows\system32\Ciokijfd.exe)

PID 2504, depth 114: C:\Windows\SysWOW64\Coicfd32.exe (command line C:\Windows\system32\Coicfd32.exe)

PID 1904, depth 115: C:\Windows\SysWOW64\Cceogcfj.exe (command line C:\Windows\system32\Cceogcfj.exe)

PID 1312, depth 116: C:\Windows\SysWOW64\Cbgobp32.exe (command line C:\Windows\system32\Cbgobp32.exe)
- Drops file in System32 directory

PID 588, depth 117: C:\Windows\SysWOW64\Cjogcm32.exe (command line C:\Windows\system32\Cjogcm32.exe)
- Drops file in System32 directory

PID 2672, depth 118: C:\Windows\SysWOW64\Ckpckece.exe (command line C:\Windows\system32\Ckpckece.exe)

PID 2532, depth 119: C:\Windows\SysWOW64\Cbjlhpkb.exe (command line C:\Windows\system32\Cbjlhpkb.exe)

PID 2644, depth 120: C:\Windows\SysWOW64\Cehhdkjf.exe (command line C:\Windows\system32\Cehhdkjf.exe)

PID 2564, depth 121: C:\Windows\SysWOW64\Cidddj32.exe (command line C:\Windows\system32\Cidddj32.exe)

PID 1432, depth 122: C:\Windows\SysWOW64\Dpnladjl.exe (command line C:\Windows\system32\Dpnladjl.exe)