Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 23:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe
-
Size
96KB
-
MD5
fad09b6f8691f9b1c3f9ccbc64a8094e
-
SHA1
f372160cbb95cae4f594f8d09fe47dfde4e59529
-
SHA256
7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9
-
SHA512
bfae049163a7449dfb7a7a313b9ec654ec6f90867a0f2c5afbdab7426442923d0a479b5d20af1cb3a53ff24797dc97d42a1ec068fa2e0adb0214780ad909b410
-
SSDEEP
3072:cTzU4XJL8+qzqVjECkhxF8n5OmECMyELiAHONd+:Ez7Zg+1jQIYmEbBum
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoiiijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihlqeib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Godaakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgghac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmjdaqgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpajbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfibhjlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjcomcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbmfgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnofgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebklic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhjfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icafgmbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgjkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbpeoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Copjdhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iakgefqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhljkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgmpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dboeco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpcckck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doecog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecfnmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqhepeai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjogcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flhmfbim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbofmcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpgffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dljmlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dipjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blfapfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhhhbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcedad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biolanld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onlahm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkpglbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpdnbbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhkmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpfadlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gonale32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjacjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhljkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aklabp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hohkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmmcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcbecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlnpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opihgfop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofnpnkgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hffibceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdnild32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjihmmbk.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 804 Mkddnf32.exe 2476 Mnbpjb32.exe 2772 Mfihkoal.exe 2788 Mihdgkpp.exe 2148 Mbpipp32.exe 2452 Mngjeamd.exe 2684 Mhonngce.exe 1880 Nagbgl32.exe 1280 Nhakcfab.exe 956 Ndhlhg32.exe 1180 Nallalep.exe 2044 Nfidjbdg.exe 3012 Ndmecgba.exe 2296 Nbpeoc32.exe 1632 Nmejllia.exe 1264 Ohojmjep.exe 2508 Ooicid32.exe 2104 Oagoep32.exe 1860 Olmcchlg.exe 1564 Ookpodkj.exe 1772 Odhhgkib.exe 904 Olophhjd.exe 2092 Oalhqohl.exe 1624 Oanefo32.exe 2512 Odmabj32.exe 1868 Ohhmcinf.exe 2268 Ppcbgkka.exe 2944 Pkifdd32.exe 2660 Pmgbao32.exe 2628 Pcdkif32.exe 2364 Pecgea32.exe 328 Pphkbj32.exe 1208 Poklngnf.exe 1644 Plolgk32.exe 264 Pomhcg32.exe 448 Pciddedl.exe 2012 Palepb32.exe 3004 Pegqpacp.exe 1904 Phfmllbd.exe 2180 Popeif32.exe 2176 Pejmfqan.exe 1680 Pdmnam32.exe 468 Phhjblpa.exe 1916 Qobbofgn.exe 2576 Qaqnkafa.exe 1108 Qhjfgl32.exe 2600 Qkibcg32.exe 2472 Qngopb32.exe 2896 Qqfkln32.exe 2908 Qhmcmk32.exe 2304 Ajnpecbj.exe 2744 Anjlebjc.exe 2708 Aqhhanig.exe 2348 Adcdbl32.exe 2964 Agbpnh32.exe 580 Anlhkbhq.exe 604 Aqjdgmgd.exe 1284 Agdmdg32.exe 3052 Afgmodel.exe 2372 Anneqafn.exe 1596 Aqmamm32.exe 780 Ackmih32.exe 1544 Aggiigmn.exe 1052 Ajeeeblb.exe -
Loads dropped DLL 64 IoCs
pid Process 1884 7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe 1884 7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe 804 Mkddnf32.exe 804 Mkddnf32.exe 2476 Mnbpjb32.exe 2476 Mnbpjb32.exe 2772 Mfihkoal.exe 2772 Mfihkoal.exe 2788 Mihdgkpp.exe 2788 Mihdgkpp.exe 2148 Mbpipp32.exe 2148 Mbpipp32.exe 2452 Mngjeamd.exe 2452 Mngjeamd.exe 2684 Mhonngce.exe 2684 Mhonngce.exe 1880 Nagbgl32.exe 1880 Nagbgl32.exe 1280 Nhakcfab.exe 1280 Nhakcfab.exe 956 Ndhlhg32.exe 956 Ndhlhg32.exe 1180 Nallalep.exe 1180 Nallalep.exe 2044 Nfidjbdg.exe 2044 Nfidjbdg.exe 3012 Ndmecgba.exe 3012 Ndmecgba.exe 2296 Nbpeoc32.exe 2296 Nbpeoc32.exe 1632 Nmejllia.exe 1632 Nmejllia.exe 1264 Ohojmjep.exe 1264 Ohojmjep.exe 2508 Ooicid32.exe 2508 Ooicid32.exe 2104 Oagoep32.exe 2104 Oagoep32.exe 1860 Olmcchlg.exe 1860 Olmcchlg.exe 1564 Ookpodkj.exe 1564 Ookpodkj.exe 1772 Odhhgkib.exe 1772 Odhhgkib.exe 904 Olophhjd.exe 904 Olophhjd.exe 2092 Oalhqohl.exe 2092 Oalhqohl.exe 1624 Oanefo32.exe 1624 Oanefo32.exe 2512 Odmabj32.exe 2512 Odmabj32.exe 1868 Ohhmcinf.exe 1868 Ohhmcinf.exe 2268 Ppcbgkka.exe 2268 Ppcbgkka.exe 2944 Pkifdd32.exe 2944 Pkifdd32.exe 2660 Pmgbao32.exe 2660 Pmgbao32.exe 2628 Pcdkif32.exe 2628 Pcdkif32.exe 2364 Pecgea32.exe 2364 Pecgea32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Liempneg.dll Ckmnbg32.exe File created C:\Windows\SysWOW64\Hgflflqg.exe Hiclkp32.exe File opened for modification C:\Windows\SysWOW64\Bqolji32.exe Bnapnm32.exe File created C:\Windows\SysWOW64\Cacclpae.exe Cjjkpe32.exe File opened for modification C:\Windows\SysWOW64\Hneeilgj.exe Hmdhad32.exe File created C:\Windows\SysWOW64\Gobdahei.dll Kpkpadnl.exe File created C:\Windows\SysWOW64\Gaokcb32.dll Nhlgmd32.exe File created C:\Windows\SysWOW64\Eakhdj32.exe Ejaphpnp.exe File created C:\Windows\SysWOW64\Imldmnjj.dll Edlafebn.exe File created C:\Windows\SysWOW64\Ffbafegj.dll Ackmih32.exe File opened for modification C:\Windows\SysWOW64\Jlkngc32.exe Jmhnkfpa.exe File created C:\Windows\SysWOW64\Acfgdc32.dll Bhonjg32.exe File created C:\Windows\SysWOW64\Eafkhn32.exe Eogolc32.exe File created C:\Windows\SysWOW64\Iediin32.exe Injqmdki.exe File opened for modification C:\Windows\SysWOW64\Ipjdameg.exe Iahceq32.exe File created C:\Windows\SysWOW64\Agglbp32.exe Adipfd32.exe File created C:\Windows\SysWOW64\Pjnpem32.dll Ghlfjq32.exe File created C:\Windows\SysWOW64\Pacmhh32.dll Ldheebad.exe File opened for modification C:\Windows\SysWOW64\Laqojfli.exe Ljigih32.exe File opened for modification C:\Windows\SysWOW64\Qhilkege.exe Qiflohqk.exe File opened for modification C:\Windows\SysWOW64\Khnapkjg.exe Kpgionie.exe File created C:\Windows\SysWOW64\Dkqnoh32.exe Dbifnj32.exe File opened for modification C:\Windows\SysWOW64\Jmdepg32.exe Ijehdl32.exe File created C:\Windows\SysWOW64\Golnjpio.dll Bofgii32.exe File opened for modification C:\Windows\SysWOW64\Hfhcoj32.exe Hpnkbpdd.exe File created C:\Windows\SysWOW64\Ekfpmf32.exe Ehhdaj32.exe File opened for modification C:\Windows\SysWOW64\Anlhkbhq.exe Agbpnh32.exe File opened for modification C:\Windows\SysWOW64\Abpjjeim.exe Aqonbm32.exe File created C:\Windows\SysWOW64\Hcgjmo32.exe Hahnac32.exe File created C:\Windows\SysWOW64\Nbjeinje.exe Nnoiio32.exe File created C:\Windows\SysWOW64\Ekmfne32.exe Ecfnmh32.exe File opened for modification C:\Windows\SysWOW64\Iphgln32.exe Imjkpb32.exe File opened for modification C:\Windows\SysWOW64\Kmcjedcg.exe Kfibhjlj.exe File created C:\Windows\SysWOW64\Lpcoeb32.exe Laqojfli.exe File created C:\Windows\SysWOW64\Dohafell.dll Gbjojh32.exe File created C:\Windows\SysWOW64\Hjlioj32.exe Ggnmbn32.exe File created C:\Windows\SysWOW64\Jjfkmdlg.exe Jfjolf32.exe File opened for modification C:\Windows\SysWOW64\Gnbejb32.exe Gfkmie32.exe File created C:\Windows\SysWOW64\Ifgicg32.exe Ichmgl32.exe File created C:\Windows\SysWOW64\Aehlpleg.dll Kofcbl32.exe File created C:\Windows\SysWOW64\Bnlgbnbp.exe Bknjfb32.exe File created C:\Windows\SysWOW64\Ldeiojhn.dll Injqmdki.exe File opened for modification C:\Windows\SysWOW64\Bmpkqklh.exe Bieopm32.exe File opened for modification C:\Windows\SysWOW64\Gkoobhhg.exe Ggdcbi32.exe File created C:\Windows\SysWOW64\Hgnokgcc.exe Hdpcokdo.exe File created C:\Windows\SysWOW64\Hgeefjhh.dll Hdbpekam.exe File opened for modification C:\Windows\SysWOW64\Ldgnklmi.exe Llpfjomf.exe File created C:\Windows\SysWOW64\Hcajhi32.exe Gqcnln32.exe File created C:\Windows\SysWOW64\Phfoee32.exe Pehcij32.exe File created C:\Windows\SysWOW64\Alecllfh.dll Bgcbhd32.exe File created C:\Windows\SysWOW64\Fijjok32.dll Homdhjai.exe File created C:\Windows\SysWOW64\Pojhbfni.dll Jaecod32.exe File opened for modification C:\Windows\SysWOW64\Objjnkie.exe Onnnml32.exe File created C:\Windows\SysWOW64\Ajokhp32.dll Eikfdl32.exe File created C:\Windows\SysWOW64\Oagoep32.exe Ooicid32.exe File created C:\Windows\SysWOW64\Jcojqm32.dll Bjkhdacm.exe File created C:\Windows\SysWOW64\Oepoia32.dll Lcjlnpmo.exe File created C:\Windows\SysWOW64\Baajep32.dll Gdnfjl32.exe File created C:\Windows\SysWOW64\Emclhigi.dll Phhjblpa.exe File opened for modification C:\Windows\SysWOW64\Aqonbm32.exe Amcbankf.exe File created C:\Windows\SysWOW64\Ikmpacaf.dll Ecploipa.exe File created C:\Windows\SysWOW64\Nflchkii.exe Ncmglp32.exe File created C:\Windows\SysWOW64\Npdhaq32.exe Nmflee32.exe File created C:\Windows\SysWOW64\Mappnp32.dll Nmflee32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9224 10208 WerFault.exe 1046 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egonhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boemlbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhkmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhcoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbaaik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdepg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejmfqan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djiqdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nppofado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daplkmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heliepmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjdaqgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cblfdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahkpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqoilii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkeke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfcfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbeedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjmmdbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfohgepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dipjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjgehgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlfdac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjihmmbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkebafoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffbdadk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjebdfnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpjnkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijphofem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimpkcdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemgplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknimnap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keqkofno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegeonpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgionie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcknhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adipfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnlgajg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijaaae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihdgkpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edibhmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkoobhhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdcllpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcdlhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggapbcne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olmcchlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciddedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicalakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokhbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feiddbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdfqbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dldkmlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfcnegnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmbcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdncmgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjjag32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkdfakf.dll" Ebklic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblkei32.dll" Ijphofem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfakep32.dll" Cmkfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmhkin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbohehoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcldhnkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dphfbiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejilio32.dll" Objjnkie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elfcbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmgfqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggfpgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkclcjqj.dll" Nlefhcnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecfnmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jaecod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pojhbfni.dll" Jaecod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doecog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkpjnkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfijlo32.dll" Bcbfbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkngi32.dll" Onlahm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpifm32.dll" Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kenhopmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Goiehm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nckkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhoeom.dll" Mdadjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghgfekpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofjqboi.dll" Jfliim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlfnangf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmlddeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhenjmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhiaka32.dll" Gcbabpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljigih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chpmbe32.dll" Hbofmcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elacliin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmqejl32.dll" Imaapa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qlfdac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anlhkbhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqmamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaiioe32.dll" Edibhmml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibipmiek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iladfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmhejhao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcgmfgfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dahifbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpnkbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckhdggom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcdhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mommgm32.dll" Dgnjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeojcmfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Feachqgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkhejkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbjeinje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Copjdhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmkilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blfapfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmejllia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhjfgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nihcog32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1884 wrote to memory of 804 1884 7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe 30 PID 1884 wrote to memory of 804 1884 7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe 30 PID 1884 wrote to memory of 804 1884 7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe 30 PID 1884 wrote to memory of 804 1884 7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe 30 PID 804 wrote to memory of 2476 804 Mkddnf32.exe 31 PID 804 wrote to memory of 2476 804 Mkddnf32.exe 31 PID 804 wrote to memory of 2476 804 Mkddnf32.exe 31 PID 804 wrote to memory of 2476 804 Mkddnf32.exe 31 PID 2476 wrote to memory of 2772 2476 Mnbpjb32.exe 32 PID 2476 wrote to memory of 2772 2476 Mnbpjb32.exe 32 PID 2476 wrote to memory of 2772 2476 Mnbpjb32.exe 32 PID 2476 wrote to memory of 2772 2476 Mnbpjb32.exe 32 PID 2772 wrote to memory of 2788 2772 Mfihkoal.exe 33 PID 2772 wrote to memory of 2788 2772 Mfihkoal.exe 33 PID 2772 wrote to memory of 2788 2772 Mfihkoal.exe 33 PID 2772 wrote to memory of 2788 2772 Mfihkoal.exe 33 PID 2788 wrote to memory of 2148 2788 Mihdgkpp.exe 34 PID 2788 wrote to memory of 2148 2788 Mihdgkpp.exe 34 PID 2788 wrote to memory of 2148 2788 Mihdgkpp.exe 34 PID 2788 wrote to memory of 2148 2788 Mihdgkpp.exe 34 PID 2148 wrote to memory of 2452 2148 Mbpipp32.exe 35 PID 2148 wrote to memory of 2452 2148 Mbpipp32.exe 35 PID 2148 wrote to memory of 2452 2148 Mbpipp32.exe 35 PID 2148 wrote to memory of 2452 2148 Mbpipp32.exe 35 PID 2452 wrote to memory of 2684 2452 Mngjeamd.exe 36 PID 2452 wrote to memory of 2684 2452 Mngjeamd.exe 36 PID 2452 wrote to memory of 2684 2452 Mngjeamd.exe 36 PID 2452 wrote to memory of 2684 2452 Mngjeamd.exe 36 PID 2684 wrote to memory of 1880 2684 Mhonngce.exe 37 PID 2684 wrote to memory of 1880 2684 Mhonngce.exe 37 PID 2684 wrote to memory of 1880 2684 Mhonngce.exe 37 PID 2684 wrote to memory of 1880 2684 Mhonngce.exe 37 PID 1880 wrote to memory of 1280 1880 Nagbgl32.exe 38 PID 1880 wrote to memory of 1280 1880 Nagbgl32.exe 38 PID 1880 wrote to memory of 1280 1880 Nagbgl32.exe 38 PID 1880 wrote to memory of 1280 1880 Nagbgl32.exe 38 PID 1280 wrote to memory of 956 1280 Nhakcfab.exe 39 PID 1280 wrote to memory of 956 1280 Nhakcfab.exe 39 PID 1280 wrote to memory of 956 1280 Nhakcfab.exe 39 PID 1280 wrote to memory of 956 1280 Nhakcfab.exe 39 PID 956 wrote to memory of 1180 956 Ndhlhg32.exe 40 PID 956 wrote to memory of 1180 956 Ndhlhg32.exe 40 PID 956 wrote to memory of 1180 956 Ndhlhg32.exe 40 PID 956 wrote to memory of 1180 956 Ndhlhg32.exe 40 PID 1180 wrote to memory of 2044 1180 Nallalep.exe 41 PID 1180 wrote to memory of 2044 1180 Nallalep.exe 41 PID 1180 wrote to memory of 2044 1180 Nallalep.exe 41 PID 1180 wrote to memory of 2044 1180 Nallalep.exe 41 PID 2044 wrote to memory of 3012 2044 Nfidjbdg.exe 42 PID 2044 wrote to memory of 3012 2044 Nfidjbdg.exe 42 PID 2044 wrote to memory of 3012 2044 Nfidjbdg.exe 42 PID 2044 wrote to memory of 3012 2044 Nfidjbdg.exe 42 PID 3012 wrote to memory of 2296 3012 Ndmecgba.exe 43 PID 3012 wrote to memory of 2296 3012 Ndmecgba.exe 43 PID 3012 wrote to memory of 2296 3012 Ndmecgba.exe 43 PID 3012 wrote to memory of 2296 3012 Ndmecgba.exe 43 PID 2296 wrote to memory of 1632 2296 Nbpeoc32.exe 44 PID 2296 wrote to memory of 1632 2296 Nbpeoc32.exe 44 PID 2296 wrote to memory of 1632 2296 Nbpeoc32.exe 44 PID 2296 wrote to memory of 1632 2296 Nbpeoc32.exe 44 PID 1632 wrote to memory of 1264 1632 Nmejllia.exe 45 PID 1632 wrote to memory of 1264 1632 Nmejllia.exe 45 PID 1632 wrote to memory of 1264 1632 Nmejllia.exe 45 PID 1632 wrote to memory of 1264 1632 Nmejllia.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe"C:\Users\Admin\AppData\Local\Temp\7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1860 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe33⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe34⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe35⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe36⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe38⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe39⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe40⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe41⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe43⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:468 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe45⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe46⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe48⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe49⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe50⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe51⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe52⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe53⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe54⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe55⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe58⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe59⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe60⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe61⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe64⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe65⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe66⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe67⤵
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe68⤵PID:2088
-
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe69⤵PID:1876
-
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe70⤵PID:2308
-
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe71⤵PID:2764
-
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe72⤵PID:2988
-
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe73⤵PID:2940
-
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe75⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe76⤵PID:2868
-
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe77⤵PID:2848
-
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe79⤵PID:3008
-
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe80⤵PID:1000
-
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe81⤵PID:2720
-
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe82⤵PID:2420
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe83⤵PID:1756
-
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe84⤵PID:2564
-
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe85⤵
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe86⤵PID:1720
-
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe87⤵
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe88⤵PID:2448
-
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe89⤵PID:2952
-
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe90⤵PID:2232
-
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe91⤵PID:1176
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe92⤵PID:484
-
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe93⤵PID:1076
-
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe95⤵PID:3036
-
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe96⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe97⤵PID:1696
-
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe98⤵PID:1764
-
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe99⤵PID:1540
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe101⤵PID:2240
-
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe102⤵PID:2640
-
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe103⤵PID:2740
-
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe104⤵PID:2800
-
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe105⤵PID:556
-
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe106⤵PID:320
-
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe107⤵PID:2876
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe108⤵
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe109⤵PID:2532
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe112⤵PID:352
-
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe113⤵
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe114⤵PID:2812
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe115⤵PID:2252
-
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe116⤵PID:2392
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe117⤵PID:2664
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe118⤵PID:1312
-
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe120⤵PID:2040
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe121⤵PID:2124
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-