Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2025, 19:14
Behavioral task: behavioral1
Sample: 02c9a2f7fe3075cbfe1b75cde0616e48dd22d2e8202d47a421e7bc181d84383f.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 02c9a2f7fe3075cbfe1b75cde0616e48dd22d2e8202d47a421e7bc181d84383f.exe
Resource: win10v2004-20250217-en
General
Target: 02c9a2f7fe3075cbfe1b75cde0616e48dd22d2e8202d47a421e7bc181d84383f.exe
Size: 318KB
MD5: 21227c73ad803ac1212180c67977cfd9
SHA1: 4d7b692ba135d02dfc4423d369fd0ac052c8ba6d
SHA256: 02c9a2f7fe3075cbfe1b75cde0616e48dd22d2e8202d47a421e7bc181d84383f
SHA512: cc9b4fcc9270ba365daa6d9d110d9d5fe2fcfc50b1084a1fb7398fc0cd1a77e72c260184c6ba7a533118bad62d04021edf2b4035701bf2769eb6bfe4359a4cee
SSDEEP: 6144:ycxE47RVEQHdMcm4FmowdHoS7c5cm4FmowdHoSrNF9xRVEQHd4:ycpO4wFHoS04wFHoSrZx8
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every COM object listed under ShellServiceObjectDelayLoad at logon, so a CLSID registered here with an InProcServer32 DLL (see "Modifies registry class" below) runs inside the Explorer process every time the user logs on.

Legend: SSODL = \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the Set value rows spell it SOFTWARE; registry paths are case-insensitive); CLSID = {79FEACFF-FFCE-815E-A900-316290B5B738}

description | ioc | Process
Key created | SSODL | Bfkakbpp.exe
Key created | SSODL | Dfmbmkgm.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Kjhajo32.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Process not Found
Key created | SSODL | Hnjdpm32.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Gbmbgngb.exe
Key created | SSODL | Process not Found
Key created | SSODL | Process not Found
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Eamdlf32.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Aniffaim.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Process not Found
Key created | SSODL | Noighakn.exe
Key created | SSODL | Ckebbgoj.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Hpqoofhg.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Gfcjqkbp.exe
Key created | SSODL | Dmkipb32.exe
Key created | SSODL | Process not Found
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Ekgcbcke.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Ebcqicem.exe
Key created | SSODL | Fefboabg.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Iccnmk32.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Beignlig.exe
Key created | SSODL | Bofebqlb.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Fjhjlm32.exe
Key created | SSODL | Hnbhpl32.exe
Key created | SSODL | Qakmghbm.exe
Key created | SSODL | Kloqiijm.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Cnbfkccn.exe
Key created | SSODL | Pnjpdphd.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Dfhficcn.exe
Key created | SSODL | Nlibhhme.exe
Key created | SSODL | Ekofijic.exe
Key created | SSODL | Process not Found
Key created | SSODL | Fdgefn32.exe
Key created | SSODL | Bdcmjg32.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Qkoeoe32.exe
Key created | SSODL | Beibln32.exe
Key created | SSODL | Process not Found
Key created | SSODL | Process not Found
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Gbkdgn32.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Mgodjico.exe
Key created | SSODL | Dicmlpje.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Dhlogjko.exe
Key created | SSODL | Pabncj32.exe
Key created | SSODL | Caepdk32.exe
Key created | SSODL | Jhndcd32.exe
Key created | SSODL | Efgnfi32.exe
Key created | SSODL | Process not Found
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Process not Found
Key created | SSODL | Mmifiahi.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Jdmfdgbj.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Ljbmbpkb.exe
Key created | SSODL | Bohoogbk.exe
Key created | SSODL | Eklgjbca.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Cmcjldbf.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Ljljenoi.exe
Key created | SSODL | Bibagmhk.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Babbpc32.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Process not Found
Key created | SSODL | Process not Found
Key created | SSODL | Process not Found
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Pjjmonac.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Giejkp32.exe
Set value (str) | SSODL\Web Event Logger = "{CLSID}" | Bncpffdn.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | Process
2208 | Kmhhae32.exe
3056 | Lknebaba.exe
2096 | Lggbmbfc.exe
2940 | Lekcffem.exe
2772 | Lpddgd32.exe
2752 | Mpimbcnf.exe
1060 | Mkggnp32.exe
264 | Nmmjjk32.exe
2436 | Ngencpel.exe
2128 | Nldcagaq.exe
1740 | Ohmalgeb.exe
944 | Ohbjgg32.exe
2468 | Oqmokioh.exe
1988 | Pjjmonac.exe
1956 | Poibmdmh.exe
840 | Pmmcfi32.exe
1132 | Acbnggjo.exe
1576 | Aafnpkii.exe
2472 | Ajapoqmf.exe
1272 | Bclqme32.exe
1908 | Bhnffi32.exe
588 | Bimbql32.exe
2272 | Blnkbg32.exe
2996 | Cfjihdcc.exe
2260 | Clinfk32.exe
2192 | Clnhajlc.exe
2776 | Dchpnd32.exe
2888 | Dibhjokm.exe
2880 | Dlbaljhn.exe
2936 | Dhlogjko.exe
1732 | Dpgckm32.exe
2328 | Ejadibmh.exe
2316 | Eclfhgaf.exe
2856 | Ekhjlioa.exe
1624 | Ebabicfn.exe
940 | Fkoqmhii.exe
1312 | Fdgefn32.exe
2604 | Ffmkhe32.exe
2340 | Gcakbjpl.exe
1884 | Gindjqnc.exe
1984 | Gfadcemm.exe
900 | Gpjilj32.exe
1768 | Ghenamai.exe
2708 | Giejkp32.exe
1992 | Gbmoceol.exe
1736 | Hlecmkel.exe
2124 | Hhlcal32.exe
1476 | Hmiljb32.exe
1464 | Hipmoc32.exe
880 | Hbhagiem.exe
2268 | Hbknmicj.exe
1724 | Heijidbn.exe
2808 | Ioaobjin.exe
2912 | Ihjcko32.exe
1996 | Iiipeb32.exe
2932 | Iljifm32.exe
2540 | Imkeneja.exe
2432 | Iokahhac.exe
2560 | Ihcfan32.exe
2088 | Jnpoie32.exe
1780 | Jnbkodci.exe
2336 | Jndhddaf.exe
772 | Jfpmifoa.exe
108 | Jpeafo32.exe
Loads dropped DLL (64 IoCs)
Each process appears twice in the source listing (two DLL load events per process); it is listed once here with the event count.
pid | Process | events
1232 | 02c9a2f7fe3075cbfe1b75cde0616e48dd22d2e8202d47a421e7bc181d84383f.exe | 2
2208 | Kmhhae32.exe | 2
3056 | Lknebaba.exe | 2
2096 | Lggbmbfc.exe | 2
2940 | Lekcffem.exe | 2
2772 | Lpddgd32.exe | 2
2752 | Mpimbcnf.exe | 2
1060 | Mkggnp32.exe | 2
264 | Nmmjjk32.exe | 2
2436 | Ngencpel.exe | 2
2128 | Nldcagaq.exe | 2
1740 | Ohmalgeb.exe | 2
944 | Ohbjgg32.exe | 2
2468 | Oqmokioh.exe | 2
1988 | Pjjmonac.exe | 2
1956 | Poibmdmh.exe | 2
840 | Pmmcfi32.exe | 2
1132 | Acbnggjo.exe | 2
1576 | Aafnpkii.exe | 2
2472 | Ajapoqmf.exe | 2
1272 | Bclqme32.exe | 2
1908 | Bhnffi32.exe | 2
588 | Bimbql32.exe | 2
2272 | Blnkbg32.exe | 2
2996 | Cfjihdcc.exe | 2
2260 | Clinfk32.exe | 2
2192 | Clnhajlc.exe | 2
2776 | Dchpnd32.exe | 2
2888 | Dibhjokm.exe | 2
2880 | Dlbaljhn.exe | 2
2936 | Dhlogjko.exe | 2
1732 | Dpgckm32.exe | 2
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Jbhkngcd.exe | Iccnmk32.exe
File created | C:\Windows\SysWOW64\Iceohloo.dll | Fffabman.exe
File opened for modification | C:\Windows\SysWOW64\Lcolpe32.exe | Kjfhgp32.exe
File created | C:\Windows\SysWOW64\Kabljfoi.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Dpjfjalp.exe | Cfaaalep.exe
File opened for modification | C:\Windows\SysWOW64\Ecibjn32.exe | Ejqmahdn.exe
File created | C:\Windows\SysWOW64\Bibagmhk.exe | Bknani32.exe
File created | C:\Windows\SysWOW64\Efkfbp32.exe | Process not Found
File created | C:\Windows\SysWOW64\Oiglfm32.exe | Njaoeq32.exe
File created | C:\Windows\SysWOW64\Fgdfmhfo.dll | Pcgqoech.exe
File opened for modification | C:\Windows\SysWOW64\Ehbgbngm.exe | Ekofijic.exe
File created | C:\Windows\SysWOW64\Mmjlfgml.exe | Process not Found
File created | C:\Windows\SysWOW64\Fhhbffkk.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ilpkel32.exe | Ipijpkei.exe
File opened for modification | C:\Windows\SysWOW64\Jaffca32.exe | Jnhnmckc.exe
File created | C:\Windows\SysWOW64\Epjbienl.exe | Ehonebqq.exe
File opened for modification | C:\Windows\SysWOW64\Abcngkmp.exe | Aikine32.exe
File created | C:\Windows\SysWOW64\Ilnamhfg.dll | Aomdpj32.exe
File created | C:\Windows\SysWOW64\Kbfajqai.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Fffabman.exe | Fibqhibd.exe
File created | C:\Windows\SysWOW64\Japfphle.exe | Process not Found
File created | C:\Windows\SysWOW64\Gooealak.dll | Process not Found
File created | C:\Windows\SysWOW64\Foefccmp.dll | Phjjkefd.exe
File created | C:\Windows\SysWOW64\Occcgm32.dll | Qakmghbm.exe
File opened for modification | C:\Windows\SysWOW64\Qdkpomkb.exe | Qckcdj32.exe
File created | C:\Windows\SysWOW64\Lgjcdc32.exe | Lnaokn32.exe
File created | C:\Windows\SysWOW64\Jfffhk32.dll | Fomndhng.exe
File created | C:\Windows\SysWOW64\Fmggdm32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gjqfmb32.exe | Gnjehaio.exe
File created | C:\Windows\SysWOW64\Lbaefjef.dll | Conpdm32.exe
File opened for modification | C:\Windows\SysWOW64\Kffpcilf.exe | Kplhfo32.exe
File opened for modification | C:\Windows\SysWOW64\Nalnmahf.exe | Niaihojk.exe
File created | C:\Windows\SysWOW64\Hpbhip32.dll | Obfiijia.exe
File opened for modification | C:\Windows\SysWOW64\Pnpfckmc.exe | Pjbnmm32.exe
File opened for modification | C:\Windows\SysWOW64\Lfgbmf32.exe | Lehfcc32.exe
File opened for modification | C:\Windows\SysWOW64\Bhdpjaga.exe | Anlkakqa.exe
File created | C:\Windows\SysWOW64\Keicbcqp.exe | Process not Found
File created | C:\Windows\SysWOW64\Cahmik32.exe | Cfbhlb32.exe
File opened for modification | C:\Windows\SysWOW64\Pqdend32.exe | Pobhfl32.exe
File created | C:\Windows\SysWOW64\Qoonqmqf.exe | Qakmghbm.exe
File created | C:\Windows\SysWOW64\Ndekok32.exe | Ngajeg32.exe
File created | C:\Windows\SysWOW64\Pcgqoech.exe | Plnhbk32.exe
File opened for modification | C:\Windows\SysWOW64\Gddppp32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ngencpel.exe | Nmmjjk32.exe
File created | C:\Windows\SysWOW64\Bpchof32.dll | Kjhahb32.exe
File opened for modification | C:\Windows\SysWOW64\Ofaaghom.exe | Onelbfab.exe
File created | C:\Windows\SysWOW64\Hmiljb32.exe | Hhlcal32.exe
File opened for modification | C:\Windows\SysWOW64\Kngcbpjc.exe | Khjkiikl.exe
File opened for modification | C:\Windows\SysWOW64\Pgjgapaa.exe | Ppcoqbao.exe
File created | C:\Windows\SysWOW64\Nhjofbdk.exe | Mamjchoa.exe
File opened for modification | C:\Windows\SysWOW64\Pbfehn32.exe | Pjkpckob.exe
File opened for modification | C:\Windows\SysWOW64\Mhbakmgg.exe | Mmlmmdga.exe
File created | C:\Windows\SysWOW64\Nonlon32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kpjoel32.exe | Process not Found
File created | C:\Windows\SysWOW64\Mekmbk32.dll | Ngkaaolf.exe
File opened for modification | C:\Windows\SysWOW64\Jmbnhm32.exe | Jonqfq32.exe
File created | C:\Windows\SysWOW64\Lbqhmkhq.dll | Cjiiim32.exe
File created | C:\Windows\SysWOW64\Mbpolb32.dll | Dkookd32.exe
File opened for modification | C:\Windows\SysWOW64\Pgpjpnhk.exe | Pafacd32.exe
File opened for modification | C:\Windows\SysWOW64\Dlbanfbo.exe | Dfhial32.exe
File created | C:\Windows\SysWOW64\Oekbje32.dll | Afolpb32.exe
File opened for modification | C:\Windows\SysWOW64\Dlkfli32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Dpgckm32.exe | Dhlogjko.exe
File opened for modification | C:\Windows\SysWOW64\Kiojqfdp.exe | Jilmkffb.exe
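The "Executes dropped EXE" and "Drops file in System32 directory" signatures above show the sample seeding C:\Windows\SysWOW64 with executables and DLLs whose names are eight letters, or six letters followed by "32", each started or written by the previous one. The PowerShell sweep below is an added example written for this page, not sandbox output or code belonging to the sample: it lists binaries in the system directories that match that naming pattern and were created recently, then uses the Authenticode signature and the report's MD5/SHA256 to separate them from legitimate files with similar names. The name regex is generalized from the filenames listed above; the seven-day window, the Microsoft-signer test and the directory list are assumptions for this example, and the report does not state whether the dropped copies share the submitted sample's hashes.

```powershell
# Added example for this page (not sandbox output or sample code): sweep the system
# directories for dropped binaries of the kind listed under "Drops file in System32
# directory" and "Executes dropped EXE". Run elevated in PowerShell 5.1 or later.

# Hashes of the submitted sample, copied from the report. Whether the dropped copies share
# these hashes is not stated in the report; the match is only one of several checks.
$KnownHashes = @{
    MD5    = '21227c73ad803ac1212180c67977cfd9'
    SHA256 = '02c9a2f7fe3075cbfe1b75cde0616e48dd22d2e8202d47a421e7bc181d84383f'
}
# Every dropped name in the report is 8 letters, or 6 letters followed by "32" (assumed pattern).
$NamePattern = '^[A-Za-z]{6}(?:[A-Za-z]{2}|32)\.(?:exe|dll)$'
$Since       = (Get-Date).AddDays(-7)                       # assumed lookback window
$Dirs        = @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32")

function Test-DroppedBinary {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    $reasons = @()
    # Legitimate files such as advapi32.dll or wintrust.dll also match the pattern, so the
    # name is only a pre-filter; the signature and hash checks decide.
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature:$($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $reasons += 'signer:non-Microsoft'
    }
    $sha256 = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash.ToLower()
    $md5    = (Get-FileHash -Path $File.FullName -Algorithm MD5).Hash.ToLower()
    if ($sha256 -eq $KnownHashes.SHA256 -or $md5 -eq $KnownHashes.MD5) {
        $reasons += 'hash:matches-report-sample'
    }
    [pscustomobject]@{
        Path    = $File.FullName
        Created = $File.CreationTime
        SHA256  = $sha256
        Reasons = $reasons -join ';'
        Suspect = [bool]$reasons      # empty array -> $false, anything flagged -> $true
    }
}

function Get-DroppedBinaries {
    foreach ($dir in $Dirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $NamePattern -and $_.CreationTime -ge $Since } |
            ForEach-Object { Test-DroppedBinary -File $_ }
    }
}

Get-DroppedBinaries | Where-Object Suspect | Sort-Object Created |
    Format-Table Path, Created, Reasons -AutoSize
```

On older systems such as the Windows 7 image used for behavioral1, Get-AuthenticodeSignature may not consult the catalog files that cover most Microsoft system binaries, so catalog-signed files can show as NotSigned and the signature check is noisier there than on the Windows 10 image of behavioral2; a hash match or a hit on a file created after the suspected infection time is the stronger signal in that case. Hits should be cross-checked against the process chain in "Suspicious use of WriteProcessMemory", where each dropped executable launches the next.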
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

All 64 IoCs are "Key opened" events on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. The opening processes, in source order (14 of the 64 entries are recorded as "Process not Found" and are not repeated here):
Ihgcof32.exe, Pdpcep32.exe, Gcimop32.exe, Egbffj32.exe, Iokahhac.exe, Dglkba32.exe, Qckcdj32.exe, Bgcdcjpf.exe, Ckebbgoj.exe, Oqfeda32.exe, Lbdiabcg.exe, Cjikaa32.exe, Eehndm32.exe, Kphpdhdh.exe, Jehbfjia.exe, Ebcqicem.exe, Jmbnhm32.exe, Noighakn.exe, Qoonqmqf.exe, Ngajeg32.exe, Efgnfi32.exe, Okailkhd.exe, Ceoagcld.exe, Adnegldo.exe, Ocpfmd32.exe, Ogadkajl.exe, Ldgikklb.exe, Jlqniihl.exe, Mlljiklc.exe, Gkancm32.exe, Qfimhmlo.exe, Cfkkam32.exe, Bbpdmp32.exe, Enajgllm.exe, Eojpqpih.exe, Ckamihfm.exe, Oqmokioh.exe, Clnhajlc.exe, Dibhjokm.exe, Okolfkjg.exe, Enijcn32.exe, Lbjlnd32.exe, Agonig32.exe, Kiojqfdp.exe, Kbljmd32.exe, Dhekodik.exe, Jojnglco.exe, Nbodpo32.exe, Gpbkca32.exe, Mjeholco.exe
Modifies registry class (64 IoCs)
Legend: InProcServer32 = \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32; "(default)" is the key's unnamed default value, shown in the source as a trailing backslash.

description | ioc | Process
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Ofdkpo32.dll" | Jddfbf32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Kjhajo32.exe
Key created | InProcServer32 | Process not Found
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Gcmnaapo.dll" | Process not Found
Key created | InProcServer32 | Lighjd32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Debmplbf.dll" | Gdedoegh.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Cmodfa32.dll" | Milagp32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Mmgiqkpb.dll" | Process not Found
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Lldkem32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Ciekbj32.dll" | Ikhlaaif.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Cobcmk32.dll" | Process not Found
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Hakenglg.dll" | Process not Found
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Amncmd32.dll" | Qfimhmlo.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Jdmfdgbj.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Bncpffdn.exe
Key created | InProcServer32 | Mamjchoa.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Acncngpl.exe
Key created | InProcServer32 | Process not Found
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Nknifeba.dll" | Process not Found
Key created | InProcServer32 | Cfaaalep.exe
Key created | InProcServer32 | Paldmbmq.exe
Key created | InProcServer32 | Process not Found
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Pjjmonac.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Odecpkqa.dll" | Iokdaa32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Aqkaef32.dll" | Onbkle32.exe
Key created | InProcServer32 | Jlnadiko.exe
Key created | InProcServer32 | Bilkhbcl.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Dhodlfmj.dll" | Kdhlmhgj.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Fofekp32.exe
Key created | InProcServer32 | Bnfodojp.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Mddclbkb.dll" | Ikembicd.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Hhfqejoh.exe
Key created | InProcServer32 | Okefjcle.exe
Key created | InProcServer32 | Gqkqbe32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Giakoc32.exe
Key created | InProcServer32 | Fdkheh32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Kahjdm32.dll" | Fdgefn32.exe
Key created | InProcServer32 | Obfiijia.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Pgjgapaa.exe
Key created | InProcServer32 | Process not Found
Key created | InProcServer32 | Jiinmnaa.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Hgfjie32.dll" | Jbhkngcd.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Likbpceb.exe
Key created | InProcServer32 | Eopbooqb.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Emfhbdbc.dll" | Iiablido.exe
Key created | InProcServer32 | Process not Found
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Hdapggln.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Bilkhbcl.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Jocfacia.dll" | Aafnpkii.exe
Key created | InProcServer32 | Efdmohmm.exe
Key created | InProcServer32 | Process not Found
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Iddacacc.dll" | Jojnglco.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Niaihojk.exe
Key created | InProcServer32 | Enokidgl.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Glefpd32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Lhcgnj32.dll" | Pfmclold.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | InProcServer32 | Process not Found
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Chhbpfhi.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Ghagjj32.exe
Key created | InProcServer32 | Pjlbld32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Okhjcncb.dll" | Gbmoceol.exe
Key created | InProcServer32 | Inqhhc32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1232 wrote to memory of 2208 1232 02c9a2f7fe3075cbfe1b75cde0616e48dd22d2e8202d47a421e7bc181d84383f.exe 30
PID 1232 wrote to memory of 2208 1232 02c9a2f7fe3075cbfe1b75cde0616e48dd22d2e8202d47a421e7bc181d84383f.exe 30
PID 1232 wrote to memory of 2208 1232 02c9a2f7fe3075cbfe1b75cde0616e48dd22d2e8202d47a421e7bc181d84383f.exe 30
PID 1232 wrote to memory of 2208 1232 02c9a2f7fe3075cbfe1b75cde0616e48dd22d2e8202d47a421e7bc181d84383f.exe 30
PID 2208 wrote to memory of 3056 2208 Kmhhae32.exe 31
PID 2208 wrote to memory of 3056 2208 Kmhhae32.exe 31
PID 2208 wrote to memory of 3056 2208 Kmhhae32.exe 31
PID 2208 wrote to memory of 3056 2208 Kmhhae32.exe 31
PID 3056 wrote to memory of 2096 3056 Lknebaba.exe 32
PID 3056 wrote to memory of 2096 3056 Lknebaba.exe 32
PID 3056 wrote to memory of 2096 3056 Lknebaba.exe 32
PID 3056 wrote to memory of 2096 3056 Lknebaba.exe 32
PID 2096 wrote to memory of 2940 2096 Lggbmbfc.exe 33
PID 2096 wrote to memory of 2940 2096 Lggbmbfc.exe 33
PID 2096 wrote to memory of 2940 2096 Lggbmbfc.exe 33
PID 2096 wrote to memory of 2940 2096 Lggbmbfc.exe 33
PID 2940 wrote to memory of 2772 2940 Lekcffem.exe 34
PID 2940 wrote to memory of 2772 2940 Lekcffem.exe 34
PID 2940 wrote to memory of 2772 2940 Lekcffem.exe 34
PID 2940 wrote to memory of 2772 2940 Lekcffem.exe 34
PID 2772 wrote to memory of 2752 2772 Lpddgd32.exe 35
PID 2772 wrote to memory of 2752 2772 Lpddgd32.exe 35
PID 2772 wrote to memory of 2752 2772 Lpddgd32.exe 35
PID 2772 wrote to memory of 2752 2772 Lpddgd32.exe 35
PID 2752 wrote to memory of 1060 2752 Mpimbcnf.exe 36
PID 2752 wrote to memory of 1060 2752 Mpimbcnf.exe 36
PID 2752 wrote to memory of 1060 2752 Mpimbcnf.exe 36
PID 2752 wrote to memory of 1060 2752 Mpimbcnf.exe 36
PID 1060 wrote to memory of 264 1060 Mkggnp32.exe 37
PID 1060 wrote to memory of 264 1060 Mkggnp32.exe 37
PID 1060 wrote to memory of 264 1060 Mkggnp32.exe 37
PID 1060 wrote to memory of 264 1060 Mkggnp32.exe 37
PID 264 wrote to memory of 2436 264 Nmmjjk32.exe 38
PID 264 wrote to memory of 2436 264 Nmmjjk32.exe 38
PID 264 wrote to memory of 2436 264 Nmmjjk32.exe 38
PID 264 wrote to memory of 2436 264 Nmmjjk32.exe 38
PID 2436 wrote to memory of 2128 2436 Ngencpel.exe 39
PID 2436 wrote to memory of 2128 2436 Ngencpel.exe 39
PID 2436 wrote to memory of 2128 2436 Ngencpel.exe 39
PID 2436 wrote to memory of 2128 2436 Ngencpel.exe 39
PID 2128 wrote to memory of 1740 2128 Nldcagaq.exe 40
PID 2128 wrote to memory of 1740 2128 Nldcagaq.exe 40
PID 2128 wrote to memory of 1740 2128 Nldcagaq.exe 40
PID 2128 wrote to memory of 1740 2128 Nldcagaq.exe 40
PID 1740 wrote to memory of 944 1740 Ohmalgeb.exe 41
PID 1740 wrote to memory of 944 1740 Ohmalgeb.exe 41
PID 1740 wrote to memory of 944 1740 Ohmalgeb.exe 41
PID 1740 wrote to memory of 944 1740 Ohmalgeb.exe 41
PID 944 wrote to memory of 2468 944 Ohbjgg32.exe 42
PID 944 wrote to memory of 2468 944 Ohbjgg32.exe 42
PID 944 wrote to memory of 2468 944 Ohbjgg32.exe 42
PID 944 wrote to memory of 2468 944 Ohbjgg32.exe 42
PID 2468 wrote to memory of 1988 2468 Oqmokioh.exe 43
PID 2468 wrote to memory of 1988 2468 Oqmokioh.exe 43
PID 2468 wrote to memory of 1988 2468 Oqmokioh.exe 43
PID 2468 wrote to memory of 1988 2468 Oqmokioh.exe 43
PID 1988 wrote to memory of 1956 1988 Pjjmonac.exe 44
PID 1988 wrote to memory of 1956 1988 Pjjmonac.exe 44
PID 1988 wrote to memory of 1956 1988 Pjjmonac.exe 44
PID 1988 wrote to memory of 1956 1988 Pjjmonac.exe 44
PID 1956 wrote to memory of 840 1956 Poibmdmh.exe 45
PID 1956 wrote to memory of 840 1956 Poibmdmh.exe 45
PID 1956 wrote to memory of 840 1956 Poibmdmh.exe 45
PID 1956 wrote to memory of 840 1956 Poibmdmh.exe 45
Processes
C:\Users\Admin\AppData\Local\Temp\02c9a2f7fe3075cbfe1b75cde0616e48dd22d2e8202d47a421e7bc181d84383f.exe  "C:\Users\Admin\AppData\Local\Temp\02c9a2f7fe3075cbfe1b75cde0616e48dd22d2e8202d47a421e7bc181d84383f.exe"  (depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232
C:\Windows\SysWOW64\Kmhhae32.exe  C:\Windows\system32\Kmhhae32.exe  (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
C:\Windows\SysWOW64\Lknebaba.exe  C:\Windows\system32\Lknebaba.exe  (depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056
C:\Windows\SysWOW64\Lggbmbfc.exe  C:\Windows\system32\Lggbmbfc.exe  (depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096
C:\Windows\SysWOW64\Lekcffem.exe  C:\Windows\system32\Lekcffem.exe  (depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940
C:\Windows\SysWOW64\Lpddgd32.exe  C:\Windows\system32\Lpddgd32.exe  (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772
C:\Windows\SysWOW64\Mpimbcnf.exe  C:\Windows\system32\Mpimbcnf.exe  (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752
C:\Windows\SysWOW64\Mkggnp32.exe  C:\Windows\system32\Mkggnp32.exe  (depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060
C:\Windows\SysWOW64\Nmmjjk32.exe  C:\Windows\system32\Nmmjjk32.exe  (depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:264
C:\Windows\SysWOW64\Ngencpel.exe  C:\Windows\system32\Ngencpel.exe  (depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436
C:\Windows\SysWOW64\Nldcagaq.exe  C:\Windows\system32\Nldcagaq.exe  (depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128
C:\Windows\SysWOW64\Ohmalgeb.exe  C:\Windows\system32\Ohmalgeb.exe  (depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740
C:\Windows\SysWOW64\Ohbjgg32.exe  C:\Windows\system32\Ohbjgg32.exe  (depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944
C:\Windows\SysWOW64\Oqmokioh.exe  C:\Windows\system32\Oqmokioh.exe  (depth 14)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468
C:\Windows\SysWOW64\Pjjmonac.exe  C:\Windows\system32\Pjjmonac.exe  (depth 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1988
C:\Windows\SysWOW64\Poibmdmh.exe  C:\Windows\system32\Poibmdmh.exe  (depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956
C:\Windows\SysWOW64\Pmmcfi32.exe  C:\Windows\system32\Pmmcfi32.exe  (depth 17)
- Executes dropped EXE
- Loads dropped DLL
PID:840
C:\Windows\SysWOW64\Acbnggjo.exe  C:\Windows\system32\Acbnggjo.exe  (depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID:1132
C:\Windows\SysWOW64\Aafnpkii.exe  C:\Windows\system32\Aafnpkii.exe  (depth 19)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1576
C:\Windows\SysWOW64\Ajapoqmf.exe  C:\Windows\system32\Ajapoqmf.exe  (depth 20)
- Executes dropped EXE
- Loads dropped DLL
PID:2472
C:\Windows\SysWOW64\Bclqme32.exe  C:\Windows\system32\Bclqme32.exe  (depth 21)
- Executes dropped EXE
- Loads dropped DLL
PID:1272
C:\Windows\SysWOW64\Bhnffi32.exe  C:\Windows\system32\Bhnffi32.exe  (depth 22)
- Executes dropped EXE
- Loads dropped DLL
PID:1908
C:\Windows\SysWOW64\Bimbql32.exe  C:\Windows\system32\Bimbql32.exe  (depth 23)
- Executes dropped EXE
- Loads dropped DLL
PID:588
C:\Windows\SysWOW64\Blnkbg32.exe  C:\Windows\system32\Blnkbg32.exe  (depth 24)
- Executes dropped EXE
- Loads dropped DLL
PID:2272
C:\Windows\SysWOW64\Cfjihdcc.exe  C:\Windows\system32\Cfjihdcc.exe  (depth 25)
- Executes dropped EXE
- Loads dropped DLL
PID:2996
C:\Windows\SysWOW64\Clinfk32.exe  C:\Windows\system32\Clinfk32.exe  (depth 26)
- Executes dropped EXE
- Loads dropped DLL
PID:2260
C:\Windows\SysWOW64\Clnhajlc.exe  C:\Windows\system32\Clnhajlc.exe  (depth 27)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2192
C:\Windows\SysWOW64\Dchpnd32.exe  C:\Windows\system32\Dchpnd32.exe  (depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID:2776
C:\Windows\SysWOW64\Dibhjokm.exe  C:\Windows\system32\Dibhjokm.exe  (depth 29)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2888
C:\Windows\SysWOW64\Dlbaljhn.exe  C:\Windows\system32\Dlbaljhn.exe  (depth 30)
- Executes dropped EXE
- Loads dropped DLL
PID:2880
C:\Windows\SysWOW64\Dhlogjko.exe  C:\Windows\system32\Dhlogjko.exe  (depth 31)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2936
C:\Windows\SysWOW64\Dpgckm32.exe  C:\Windows\system32\Dpgckm32.exe  (depth 32)
- Executes dropped EXE
- Loads dropped DLL
PID:1732
C:\Windows\SysWOW64\Ejadibmh.exe  C:\Windows\system32\Ejadibmh.exe  (depth 33)
- Executes dropped EXE
PID:2328
C:\Windows\SysWOW64\Eclfhgaf.exe  C:\Windows\system32\Eclfhgaf.exe  (depth 34)
- Executes dropped EXE
PID:2316
C:\Windows\SysWOW64\Ekhjlioa.exe  C:\Windows\system32\Ekhjlioa.exe  (depth 35)
- Executes dropped EXE
PID:2856
C:\Windows\SysWOW64\Ebabicfn.exe  C:\Windows\system32\Ebabicfn.exe  (depth 36)
- Executes dropped EXE
PID:1624
C:\Windows\SysWOW64\Fkoqmhii.exe  C:\Windows\system32\Fkoqmhii.exe  (depth 37)
- Executes dropped EXE
PID:940
C:\Windows\SysWOW64\Fdgefn32.exe  C:\Windows\system32\Fdgefn32.exe  (depth 38)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1312
C:\Windows\SysWOW64\Ffmkhe32.exe  C:\Windows\system32\Ffmkhe32.exe  (depth 39)
- Executes dropped EXE
PID:2604
C:\Windows\SysWOW64\Gcakbjpl.exe  C:\Windows\system32\Gcakbjpl.exe  (depth 40)
- Executes dropped EXE
PID:2340
C:\Windows\SysWOW64\Gindjqnc.exe  C:\Windows\system32\Gindjqnc.exe  (depth 41)
- Executes dropped EXE
PID:1884
C:\Windows\SysWOW64\Gfadcemm.exe  C:\Windows\system32\Gfadcemm.exe  (depth 42)
- Executes dropped EXE
PID:1984
C:\Windows\SysWOW64\Gpjilj32.exe  C:\Windows\system32\Gpjilj32.exe  (depth 43)
- Executes dropped EXE
PID:900
C:\Windows\SysWOW64\Ghenamai.exe  C:\Windows\system32\Ghenamai.exe  (depth 44)
- Executes dropped EXE
PID:1768
C:\Windows\SysWOW64\Giejkp32.exe  C:\Windows\system32\Giejkp32.exe  (depth 45)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708
C:\Windows\SysWOW64\Gbmoceol.exe  C:\Windows\system32\Gbmoceol.exe  (depth 46)
- Executes dropped EXE
- Modifies registry class
PID:1992
C:\Windows\SysWOW64\Hlecmkel.exe  C:\Windows\system32\Hlecmkel.exe  (depth 47)
- Executes dropped EXE
PID:1736
C:\Windows\SysWOW64\Hhlcal32.exe  C:\Windows\system32\Hhlcal32.exe  (depth 48)
- Executes dropped EXE
- Drops file in System32 directory
PID:2124
C:\Windows\SysWOW64\Hmiljb32.exe  C:\Windows\system32\Hmiljb32.exe  (depth 49)
- Executes dropped EXE
PID:1476
C:\Windows\SysWOW64\Hipmoc32.exe  C:\Windows\system32\Hipmoc32.exe  (depth 50)
- Executes dropped EXE
PID:1464
C:\Windows\SysWOW64\Hbhagiem.exe  C:\Windows\system32\Hbhagiem.exe  (depth 51)
- Executes dropped EXE
PID:880
C:\Windows\SysWOW64\Hbknmicj.exe  C:\Windows\system32\Hbknmicj.exe  (depth 52)
- Executes dropped EXE
PID:2268
C:\Windows\SysWOW64\Heijidbn.exe  C:\Windows\system32\Heijidbn.exe  (depth 53)
- Executes dropped EXE
PID:1724
C:\Windows\SysWOW64\Ioaobjin.exe  C:\Windows\system32\Ioaobjin.exe  (depth 54)
- Executes dropped EXE
PID:2808
C:\Windows\SysWOW64\Ihjcko32.exe  C:\Windows\system32\Ihjcko32.exe  (depth 55)
- Executes dropped EXE
PID:2912
C:\Windows\SysWOW64\Iiipeb32.exe  C:\Windows\system32\Iiipeb32.exe  (depth 56)
- Executes dropped EXE
PID:1996
C:\Windows\SysWOW64\Iljifm32.exe  C:\Windows\system32\Iljifm32.exe  (depth 57)
- Executes dropped EXE
PID:2932
C:\Windows\SysWOW64\Imkeneja.exe  C:\Windows\system32\Imkeneja.exe  (depth 58)
- Executes dropped EXE
PID:2540
C:\Windows\SysWOW64\Iokahhac.exe  C:\Windows\system32\Iokahhac.exe  (depth 59)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2432
C:\Windows\SysWOW64\Ihcfan32.exe  C:\Windows\system32\Ihcfan32.exe  (depth 60)
- Executes dropped EXE
PID:2560
C:\Windows\SysWOW64\Jnpoie32.exe  C:\Windows\system32\Jnpoie32.exe  (depth 61)
- Executes dropped EXE
PID:2088
C:\Windows\SysWOW64\Jnbkodci.exe  C:\Windows\system32\Jnbkodci.exe  (depth 62)
- Executes dropped EXE
PID:1780
C:\Windows\SysWOW64\Jndhddaf.exe  C:\Windows\system32\Jndhddaf.exe  (depth 63)
- Executes dropped EXE
PID:2336
C:\Windows\SysWOW64\Jfpmifoa.exe  C:\Windows\system32\Jfpmifoa.exe  (depth 64)
- Executes dropped EXE
PID:772
C:\Windows\SysWOW64\Jpeafo32.exe  C:\Windows\system32\Jpeafo32.exe  (depth 65)
- Executes dropped EXE
PID:108
C:\Windows\SysWOW64\Jjneoeeh.exe  C:\Windows\system32\Jjneoeeh.exe  (depth 66)
PID:1080
C:\Windows\SysWOW64\Jojnglco.exe  C:\Windows\system32\Jojnglco.exe  (depth 67)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:236
C:\Windows\SysWOW64\Komjmk32.exe  C:\Windows\system32\Komjmk32.exe  (depth 68)
PID:580
C:\Windows\SysWOW64\Kfgcieii.exe  C:\Windows\system32\Kfgcieii.exe  (depth 69)
PID:2484
C:\Windows\SysWOW64\Kdlpkb32.exe  C:\Windows\system32\Kdlpkb32.exe  (depth 70)
PID:2004
C:\Windows\SysWOW64\Kbppdfmk.exe  C:\Windows\system32\Kbppdfmk.exe  (depth 71)
PID:3060
C:\Windows\SysWOW64\Loocanbe.exe  C:\Windows\system32\Loocanbe.exe  (depth 72)
PID:2364
C:\Windows\SysWOW64\Lighjd32.exe  C:\Windows\system32\Lighjd32.exe  (depth 73)
- Modifies registry class
PID:3068
C:\Windows\SysWOW64\Lndqbk32.exe  C:\Windows\system32\Lndqbk32.exe  (depth 74)
PID:2516
C:\Windows\SysWOW64\Mcfbfaao.exe  C:\Windows\system32\Mcfbfaao.exe  (depth 75)
PID:2800
C:\Windows\SysWOW64\Majcoepi.exe  C:\Windows\system32\Majcoepi.exe  (depth 76)
PID:892
C:\Windows\SysWOW64\Mnncii32.exe  C:\Windows\system32\Mnncii32.exe  (depth 77)
PID:1520
C:\Windows\SysWOW64\Malpee32.exe  C:\Windows\system32\Malpee32.exe  (depth 78)
PID:2344
C:\Windows\SysWOW64\Mbpibm32.exe  C:\Windows\system32\Mbpibm32.exe  (depth 79)
PID:324
C:\Windows\SysWOW64\Mlhmkbhb.exe  C:\Windows\system32\Mlhmkbhb.exe  (depth 80)
PID:1336
C:\Windows\SysWOW64\Nbdbml32.exe  C:\Windows\system32\Nbdbml32.exe  (depth 81)
PID:2496
C:\Windows\SysWOW64\Nokcbm32.exe  C:\Windows\system32\Nokcbm32.exe  (depth 82)
PID:2360
C:\Windows\SysWOW64\Niqgof32.exe  C:\Windows\system32\Niqgof32.exe  (depth 83)
PID:472
C:\Windows\SysWOW64\Nbilhkig.exe  C:\Windows\system32\Nbilhkig.exe  (depth 84)
PID:2608
C:\Windows\SysWOW64\Nejdjf32.exe  C:\Windows\system32\Nejdjf32.exe  (depth 85)
PID:2676
C:\Windows\SysWOW64\Ngkaaolf.exe  C:\Windows\system32\Ngkaaolf.exe  (depth 86)
- Drops file in System32 directory
PID:2052
C:\Windows\SysWOW64\Okijhmcm.exe  C:\Windows\system32\Okijhmcm.exe  (depth 87)
PID:1444
C:\Windows\SysWOW64\Oingii32.exe  C:\Windows\system32\Oingii32.exe  (depth 88)
PID:1524
C:\Windows\SysWOW64\Onlooh32.exe  C:\Windows\system32\Onlooh32.exe  (depth 89)
PID:832
C:\Windows\SysWOW64\Oibpdico.exe  C:\Windows\system32\Oibpdico.exe  (depth 90)
PID:1112
C:\Windows\SysWOW64\Panehkaj.exe  C:\Windows\system32\Panehkaj.exe  (depth 91)
PID:1508
C:\Windows\SysWOW64\Papank32.exe  C:\Windows\system32\Papank32.exe  (depth 92)
PID:432
C:\Windows\SysWOW64\Phjjkefd.exe  C:\Windows\system32\Phjjkefd.exe  (depth 93)
- Drops file in System32 directory
PID:2792
C:\Windows\SysWOW64\Pabncj32.exe  C:\Windows\system32\Pabncj32.exe  (depth 94)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680
C:\Windows\SysWOW64\Pdcgeejf.exe  C:\Windows\system32\Pdcgeejf.exe  (depth 95)
PID:2144
C:\Windows\SysWOW64\Paghojip.exe  C:\Windows\system32\Paghojip.exe  (depth 96)
PID:1664
C:\Windows\SysWOW64\Pjblcl32.exe  C:\Windows\system32\Pjblcl32.exe  (depth 97)
PID:2600
C:\Windows\SysWOW64\Qfimhmlo.exe  C:\Windows\system32\Qfimhmlo.exe  (depth 98)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2548
C:\Windows\SysWOW64\Ajgfnk32.exe  C:\Windows\system32\Ajgfnk32.exe  (depth 99)
PID:2276
C:\Windows\SysWOW64\Acpjga32.exe  C:\Windows\system32\Acpjga32.exe  (depth 100)
PID:1672
C:\Windows\SysWOW64\Afpchl32.exe  C:\Windows\system32\Afpchl32.exe  (depth 101)
PID:1644
C:\Windows\SysWOW64\Baajji32.exe  C:\Windows\system32\Baajji32.exe  (depth 102)
PID:2320
C:\Windows\SysWOW64\Bjlkhn32.exe  C:\Windows\system32\Bjlkhn32.exe  (depth 103)
PID:1972
C:\Windows\SysWOW64\Bphdpe32.exe  C:\Windows\system32\Bphdpe32.exe  (depth 104)
PID:1952
C:\Windows\SysWOW64\Bfeibo32.exe  C:\Windows\system32\Bfeibo32.exe  (depth 105)
PID:2448
C:\Windows\SysWOW64\Claake32.exe  C:\Windows\system32\Claake32.exe  (depth 106)
PID:1304
C:\Windows\SysWOW64\Chhbpfhi.exe  C:\Windows\system32\Chhbpfhi.exe  (depth 107)
- Modifies registry class
PID:1760
C:\Windows\SysWOW64\Cbnfmo32.exe  C:\Windows\system32\Cbnfmo32.exe  (depth 108)
PID:1468
C:\Windows\SysWOW64\Cjikaa32.exe  C:\Windows\system32\Cjikaa32.exe  (depth 109)
- System Location Discovery: System Language Discovery
PID:1632
C:\Windows\SysWOW64\Caepdk32.exe  C:\Windows\system32\Caepdk32.exe  (depth 110)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600
C:\Windows\SysWOW64\Cfbhlb32.exe  C:\Windows\system32\Cfbhlb32.exe  (depth 111)
- Drops file in System32 directory
PID:2876
C:\Windows\SysWOW64\Cahmik32.exe  C:\Windows\system32\Cahmik32.exe  (depth 112)
PID:1452
C:\Windows\SysWOW64\Dicann32.exe  C:\Windows\system32\Dicann32.exe  (depth 113)
PID:2824
C:\Windows\SysWOW64\Dpmjjhmi.exe  C:\Windows\system32\Dpmjjhmi.exe  (depth 114)
PID:2056
C:\Windows\SysWOW64\Diencmcj.exe  C:\Windows\system32\Diencmcj.exe  (depth 115)
PID:2236
C:\Windows\SysWOW64\Ddkbqfcp.exe  C:\Windows\system32\Ddkbqfcp.exe  (depth 116)
PID:1076
C:\Windows\SysWOW64\Dlfgehqk.exe  C:\Windows\system32\Dlfgehqk.exe  (depth 117)
PID:1320
C:\Windows\SysWOW64\Dglkba32.exe  C:\Windows\system32\Dglkba32.exe  (depth 118)
- System Location Discovery: System Language Discovery
PID:808
C:\Windows\SysWOW64\Dpdpkfga.exe  C:\Windows\system32\Dpdpkfga.exe  (depth 119)
PID:2300
C:\Windows\SysWOW64\Ekpmad32.exe  C:\Windows\system32\Ekpmad32.exe  (depth 120)
PID:1056
C:\Windows\SysWOW64\Eonfgbhc.exe  C:\Windows\system32\Eonfgbhc.exe  (depth 121)
PID:2012
C:\Windows\SysWOW64\Eehndm32.exe  C:\Windows\system32\Eehndm32.exe  (depth 122)
- System Location Discovery: System Language Discovery
PID:2992