Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/03/2025, 13:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe
-
Size
89KB
-
MD5
a7a2d62c764e5261abca92bfa587d248
-
SHA1
38d5a669bc3005dfc0206718ca21b6b44e17710d
-
SHA256
e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37
-
SHA512
1e22fa8873162bdffaa7f1c376987805619be79b4fb6453ba23dbb9aad6083004e214954a3546c2d89aefb4ef3cf7914f700ea9ce3aab5de186cc3158e4909f7
-
SSDEEP
1536:eIM0TH3Y/qJxPjJ4OUlt9h33DPZedMeUu2NUOZX3XXzzzPpgP5c/lExkg8Fk:o4+qJP+lbh33d5ju2NUapghc/lakgwk
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhafhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oabkom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agjobffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnopldgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfagpiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hegnahjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmeiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jabdql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dknajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfonkfqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Loefnpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plgolf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cikbhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neqnqofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hebnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfcjdkpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opfbngfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqdefddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfkeokjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdecha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffibkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbknkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imokehhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idicbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcofio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofadnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfdopp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanefo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddblgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eclbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmfafgbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaajei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bekmle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmoda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hapklimq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoiiijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olebgfao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmgpoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abegfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejbqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkglnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpjkiogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjglkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cacclpae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Depbfhpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eapfagno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbfggdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhelbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnckjddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cheido32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidcef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpbdmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkacpihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdbhge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfkkpmko.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1696 Nhdocl32.exe 2896 Nplfdj32.exe 2128 Nehomq32.exe 2684 Nkegeg32.exe 2620 Nblpfepo.exe 2636 Ndnlnm32.exe 2164 Nhiholof.exe 2744 Nocpkf32.exe 2544 Nemhhpmp.exe 2924 Nhlddkmc.exe 1712 Noemqe32.exe 2292 Npgihn32.exe 540 Ohnaik32.exe 372 Oionacqo.exe 864 Opifnm32.exe 2732 Odebolpe.exe 2104 Okojkf32.exe 1880 Opkccm32.exe 1132 Odgodl32.exe 1472 Ogekpg32.exe 1508 Oidglb32.exe 300 Olbchn32.exe 876 Oghhfg32.exe 1772 Oldpnn32.exe 1752 Opplolac.exe 1032 Ooclji32.exe 2124 Oaaifdhb.exe 2572 Ohkaco32.exe 2392 Padeldeo.exe 2632 Pkljdj32.exe 2748 Pafbadcm.exe 2832 Peanbblf.exe 2628 Pgckjk32.exe 2904 Pkofjijm.exe 2612 Pqkobqhd.exe 2316 Pdgkco32.exe 1820 Pkacpihj.exe 748 Pnopldgn.exe 2056 Pclhdl32.exe 1560 Pggdejno.exe 1196 Pqphnp32.exe 1536 Pcnejk32.exe 2724 Qfmafg32.exe 688 Qndigd32.exe 680 Qoeeolig.exe 1620 Qcqaok32.exe 900 Qglmpi32.exe 1648 Qfonkfqd.exe 2324 Qinjgbpg.exe 2064 Qqdbiopj.exe 2884 Accnekon.exe 1268 Afajafoa.exe 2712 Ajmfad32.exe 2616 Amkbnp32.exe 2516 Aojojl32.exe 2000 Acekjjmk.exe 2564 Abhkfg32.exe 1036 Amnocpdk.exe 1680 Aollokco.exe 796 Anolkh32.exe 1528 Abkhkgbb.exe 2156 Affdle32.exe 2728 Aeidgbaf.exe 2460 Aggpdnpj.exe -
Loads dropped DLL 64 IoCs
pid Process 2828 e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe 2828 e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe 1696 Nhdocl32.exe 1696 Nhdocl32.exe 2896 Nplfdj32.exe 2896 Nplfdj32.exe 2128 Nehomq32.exe 2128 Nehomq32.exe 2684 Nkegeg32.exe 2684 Nkegeg32.exe 2620 Nblpfepo.exe 2620 Nblpfepo.exe 2636 Ndnlnm32.exe 2636 Ndnlnm32.exe 2164 Nhiholof.exe 2164 Nhiholof.exe 2744 Nocpkf32.exe 2744 Nocpkf32.exe 2544 Nemhhpmp.exe 2544 Nemhhpmp.exe 2924 Nhlddkmc.exe 2924 Nhlddkmc.exe 1712 Noemqe32.exe 1712 Noemqe32.exe 2292 Npgihn32.exe 2292 Npgihn32.exe 540 Ohnaik32.exe 540 Ohnaik32.exe 372 Oionacqo.exe 372 Oionacqo.exe 864 Opifnm32.exe 864 Opifnm32.exe 2732 Odebolpe.exe 2732 Odebolpe.exe 2104 Okojkf32.exe 2104 Okojkf32.exe 1880 Opkccm32.exe 1880 Opkccm32.exe 1132 Odgodl32.exe 1132 Odgodl32.exe 1472 Ogekpg32.exe 1472 Ogekpg32.exe 1508 Oidglb32.exe 1508 Oidglb32.exe 300 Olbchn32.exe 300 Olbchn32.exe 876 Oghhfg32.exe 876 Oghhfg32.exe 1772 Oldpnn32.exe 1772 Oldpnn32.exe 1752 Opplolac.exe 1752 Opplolac.exe 1032 Ooclji32.exe 1032 Ooclji32.exe 2124 Oaaifdhb.exe 2124 Oaaifdhb.exe 2572 Ohkaco32.exe 2572 Ohkaco32.exe 2392 Padeldeo.exe 2392 Padeldeo.exe 2632 Pkljdj32.exe 2632 Pkljdj32.exe 2748 Pafbadcm.exe 2748 Pafbadcm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ekhkjm32.exe Egmojnlf.exe File created C:\Windows\SysWOW64\Fnfcel32.exe Foccjood.exe File created C:\Windows\SysWOW64\Igogan32.dll Npaich32.exe File opened for modification C:\Windows\SysWOW64\Dmhdkdlg.exe Dkigoimd.exe File opened for modification C:\Windows\SysWOW64\Llbqfe32.exe Lhfefgkg.exe File created C:\Windows\SysWOW64\Lclicpkm.exe Loqmba32.exe File opened for modification C:\Windows\SysWOW64\Egjbdo32.exe Edlfhc32.exe File created C:\Windows\SysWOW64\Ajnfie32.dll Eniclh32.exe File created C:\Windows\SysWOW64\Fnipkkdl.exe Fkjdopeh.exe File created C:\Windows\SysWOW64\Gqlebf32.exe Gnmifk32.exe File opened for modification C:\Windows\SysWOW64\Ibkkjp32.exe Ioooiack.exe File opened for modification C:\Windows\SysWOW64\Nbpeoc32.exe Npaich32.exe File opened for modification C:\Windows\SysWOW64\Lkgngb32.exe Lldmleam.exe File created C:\Windows\SysWOW64\Cegoqlof.exe Process not Found File created C:\Windows\SysWOW64\Kielkojm.dll Mbbfep32.exe File created C:\Windows\SysWOW64\Gplaplgi.dll Mlkjne32.exe File created C:\Windows\SysWOW64\Pldebkhj.exe Phhjblpa.exe File created C:\Windows\SysWOW64\Ikidod32.dll Hmkeke32.exe File created C:\Windows\SysWOW64\Aoojnc32.exe Akcomepg.exe File created C:\Windows\SysWOW64\Lmajfk32.dll Cenljmgq.exe File opened for modification C:\Windows\SysWOW64\Dmbcen32.exe Process not Found File created C:\Windows\SysWOW64\Padeldeo.exe Ohkaco32.exe File created C:\Windows\SysWOW64\Abmdafpp.exe Anahqh32.exe File created C:\Windows\SysWOW64\Lhelbh32.exe Ldjpbign.exe File created C:\Windows\SysWOW64\Lcdfnehp.exe Lohjnf32.exe File opened for modification C:\Windows\SysWOW64\Aopahjll.exe Amaelomh.exe File created C:\Windows\SysWOW64\Amkbnp32.exe Ajmfad32.exe File created C:\Windows\SysWOW64\Gckemgnc.dll Jodhdp32.exe File created C:\Windows\SysWOW64\Gfmfjhcj.dll Kcmcoblm.exe File created C:\Windows\SysWOW64\Cfpecqda.dll Maefamlh.exe File created C:\Windows\SysWOW64\Cgkocj32.exe Ccpcckck.exe File created C:\Windows\SysWOW64\Gdkgkcpq.exe Gblkoham.exe File opened for modification C:\Windows\SysWOW64\Jpbalb32.exe Jaoqqflp.exe File opened for modification C:\Windows\SysWOW64\Jhbold32.exe Jedcpi32.exe File created C:\Windows\SysWOW64\Enkpahon.exe Ejpdai32.exe File created C:\Windows\SysWOW64\Fcjeon32.exe Fqlicclo.exe File created C:\Windows\SysWOW64\Ielclkhe.exe Iapgkl32.exe File created C:\Windows\SysWOW64\Dgkjaa32.dll Amcbankf.exe File created C:\Windows\SysWOW64\Ppnnai32.exe Paknelgk.exe File created C:\Windows\SysWOW64\Ijdbodng.dll Cbdgqimc.exe File created C:\Windows\SysWOW64\Fqglggcp.exe Fnipkkdl.exe File opened for modification C:\Windows\SysWOW64\Fqglggcp.exe Fnipkkdl.exe File created C:\Windows\SysWOW64\Ccbphk32.exe Cacclpae.exe File created C:\Windows\SysWOW64\Fplheofl.dll Eihgfd32.exe File created C:\Windows\SysWOW64\Kcbaab32.dll Jdpjba32.exe File created C:\Windows\SysWOW64\Bmnnkl32.exe Bfdenafn.exe File opened for modification C:\Windows\SysWOW64\Bfagpiam.exe Bgnfdm32.exe File created C:\Windows\SysWOW64\Kbdjhe32.dll Bncaekhp.exe File created C:\Windows\SysWOW64\Bddlnn32.dll Kofaicon.exe File created C:\Windows\SysWOW64\Nmcmgm32.exe Nigafnck.exe File opened for modification C:\Windows\SysWOW64\Mklcadfn.exe Mimgeigj.exe File opened for modification C:\Windows\SysWOW64\Nncbdomg.exe Nlefhcnc.exe File opened for modification C:\Windows\SysWOW64\Qkfocaki.exe Qcogbdkg.exe File opened for modification C:\Windows\SysWOW64\Cgaaah32.exe Cebeem32.exe File created C:\Windows\SysWOW64\Kmkejc32.dll Iabhah32.exe File created C:\Windows\SysWOW64\Dbifnj32.exe Dpkibo32.exe File created C:\Windows\SysWOW64\Ecbhdi32.exe Eklqcl32.exe File opened for modification C:\Windows\SysWOW64\Ijehdl32.exe Ihglhp32.exe File opened for modification C:\Windows\SysWOW64\Opnbbe32.exe Olbfagca.exe File created C:\Windows\SysWOW64\Gfhnjm32.exe Ggfnopfg.exe File created C:\Windows\SysWOW64\Aopahjll.exe Amaelomh.exe File created C:\Windows\SysWOW64\Dmdgpc32.dll Boidnh32.exe File created C:\Windows\SysWOW64\Mlfbgb32.dll Idkpganf.exe File created C:\Windows\SysWOW64\Iheegf32.dll Mjaddn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9836 9452 Process not Found 1067 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlefhcnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooclji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biolanld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnaik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekfndmfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclicpkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncldi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqcmmjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfidjbdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdgfbkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoiio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggkcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjlmpfhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepafc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqfkln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlebf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipiljgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieomef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjokokha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgaiobjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkigoimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknlofim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimgeigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baigca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cakqgeoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbeded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncpef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfafgbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgoopkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjjed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcgphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeqfhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabopjmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agljom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpjkiogm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iabhah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomgjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmahg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmbqegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpcjnabn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imiigiab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaoqqflp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhknaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqipkhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqombic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdocl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maefamlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhjopbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcjqdmla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilfpqaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkklhjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diphbfdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffefjmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kljabgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eobchk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjbmelgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dojddmec.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjnobhq.dll" Hjipenda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicoaj32.dll" Pgckjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlgnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmjqpdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkhejkcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koaqcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abpcooea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgoelh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfnneb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iomhdbkn.dll" Cjjkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cojhejbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eapfagno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Filgbdfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjplo32.dll" Bbjdjjdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmgkgeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihmpobck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onhlmh32.dll" Eddeladm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkephn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgnph32.dll" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Filgbdfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfpdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihhcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agpcihcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmfkfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhhgcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcfbdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdmji32.dll" Jkhejkcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gncldi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnfddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkbeabf.dll" Fffefjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daddfpbk.dll" Ipjahd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iplnnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nogobaio.dll" Kghpoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elipgofb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Affdle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qnebjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqhhanig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adkqmpip.dll" Idicbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcqombic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aollokco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddiflm.dll" Hfpdkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pljcllqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gncldi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfokinhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgoime32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nocpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hndlem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epnhci32.dll" Lhelbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nijnln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppcbgkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilpge32.dll" Pjcmap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipnmn32.dll" Jhbold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lghlndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcohnaep.dll" Pilfpqaa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2828 wrote to memory of 1696 2828 e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe 28 PID 2828 wrote to memory of 1696 2828 e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe 28 PID 2828 wrote to memory of 1696 2828 e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe 28 PID 2828 wrote to memory of 1696 2828 e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe 28 PID 1696 wrote to memory of 2896 1696 Nhdocl32.exe 29 PID 1696 wrote to memory of 2896 1696 Nhdocl32.exe 29 PID 1696 wrote to memory of 2896 1696 Nhdocl32.exe 29 PID 1696 wrote to memory of 2896 1696 Nhdocl32.exe 29 PID 2896 wrote to memory of 2128 2896 Nplfdj32.exe 30 PID 2896 wrote to memory of 2128 2896 Nplfdj32.exe 30 PID 2896 wrote to memory of 2128 2896 Nplfdj32.exe 30 PID 2896 wrote to memory of 2128 2896 Nplfdj32.exe 30 PID 2128 wrote to memory of 2684 2128 Nehomq32.exe 31 PID 2128 wrote to memory of 2684 2128 Nehomq32.exe 31 PID 2128 wrote to memory of 2684 2128 Nehomq32.exe 31 PID 2128 wrote to memory of 2684 2128 Nehomq32.exe 31 PID 2684 wrote to memory of 2620 2684 Nkegeg32.exe 32 PID 2684 wrote to memory of 2620 2684 Nkegeg32.exe 32 PID 2684 wrote to memory of 2620 2684 Nkegeg32.exe 32 PID 2684 wrote to memory of 2620 2684 Nkegeg32.exe 32 PID 2620 wrote to memory of 2636 2620 Nblpfepo.exe 33 PID 2620 wrote to memory of 2636 2620 Nblpfepo.exe 33 PID 2620 wrote to memory of 2636 2620 Nblpfepo.exe 33 PID 2620 wrote to memory of 2636 2620 Nblpfepo.exe 33 PID 2636 wrote to memory of 2164 2636 Ndnlnm32.exe 34 PID 2636 wrote to memory of 2164 2636 Ndnlnm32.exe 34 PID 2636 wrote to memory of 2164 2636 Ndnlnm32.exe 34 PID 2636 wrote to memory of 2164 2636 Ndnlnm32.exe 34 PID 2164 wrote to memory of 2744 2164 Nhiholof.exe 35 PID 2164 wrote to memory of 2744 2164 Nhiholof.exe 35 PID 2164 wrote to memory of 2744 2164 Nhiholof.exe 35 PID 2164 wrote to memory of 2744 2164 Nhiholof.exe 35 PID 2744 wrote to memory of 2544 2744 Nocpkf32.exe 36 PID 2744 wrote to memory of 2544 2744 Nocpkf32.exe 36 PID 2744 wrote to memory of 2544 2744 Nocpkf32.exe 36 PID 2744 wrote to memory of 2544 2744 Nocpkf32.exe 36 PID 2544 wrote to memory of 2924 2544 Nemhhpmp.exe 37 PID 2544 wrote to memory of 2924 2544 Nemhhpmp.exe 37 PID 2544 wrote to memory of 2924 2544 Nemhhpmp.exe 37 PID 2544 wrote to memory of 2924 2544 Nemhhpmp.exe 37 PID 2924 wrote to memory of 1712 2924 Nhlddkmc.exe 38 PID 2924 wrote to memory of 1712 2924 Nhlddkmc.exe 38 PID 2924 wrote to memory of 1712 2924 Nhlddkmc.exe 38 PID 2924 wrote to memory of 1712 2924 Nhlddkmc.exe 38 PID 1712 wrote to memory of 2292 1712 Noemqe32.exe 39 PID 1712 wrote to memory of 2292 1712 Noemqe32.exe 39 PID 1712 wrote to memory of 2292 1712 Noemqe32.exe 39 PID 1712 wrote to memory of 2292 1712 Noemqe32.exe 39 PID 2292 wrote to memory of 540 2292 Npgihn32.exe 40 PID 2292 wrote to memory of 540 2292 Npgihn32.exe 40 PID 2292 wrote to memory of 540 2292 Npgihn32.exe 40 PID 2292 wrote to memory of 540 2292 Npgihn32.exe 40 PID 540 wrote to memory of 372 540 Ohnaik32.exe 41 PID 540 wrote to memory of 372 540 Ohnaik32.exe 41 PID 540 wrote to memory of 372 540 Ohnaik32.exe 41 PID 540 wrote to memory of 372 540 Ohnaik32.exe 41 PID 372 wrote to memory of 864 372 Oionacqo.exe 42 PID 372 wrote to memory of 864 372 Oionacqo.exe 42 PID 372 wrote to memory of 864 372 Oionacqo.exe 42 PID 372 wrote to memory of 864 372 Oionacqo.exe 42 PID 864 wrote to memory of 2732 864 Opifnm32.exe 43 PID 864 wrote to memory of 2732 864 Opifnm32.exe 43 PID 864 wrote to memory of 2732 864 Opifnm32.exe 43 PID 864 wrote to memory of 2732 864 Opifnm32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe"C:\Users\Admin\AppData\Local\Temp\e152bf6ca1e42ee5e8c828a4d4b6ac1c297f130f3d9af77cfa4795d4d23f5b37.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:300 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe33⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe35⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe36⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe37⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe40⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe41⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe42⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe43⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe44⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe45⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe46⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe47⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe48⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe50⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe51⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe52⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe53⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe55⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe56⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe57⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe58⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe59⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe61⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe62⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe64⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe65⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe66⤵PID:2552
-
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe67⤵
- Drops file in System32 directory
PID:280 -
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe68⤵PID:1940
-
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe69⤵PID:1596
-
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe70⤵PID:1980
-
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe71⤵PID:1756
-
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe72⤵PID:2784
-
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe73⤵PID:2796
-
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe74⤵PID:2532
-
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe76⤵PID:664
-
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe77⤵PID:1056
-
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe78⤵PID:752
-
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe79⤵PID:1280
-
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe80⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe82⤵PID:764
-
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe83⤵PID:1304
-
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe85⤵PID:2212
-
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe86⤵PID:2184
-
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe87⤵
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe88⤵PID:2376
-
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe89⤵
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe90⤵PID:1512
-
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe91⤵PID:1816
-
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe92⤵PID:1256
-
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe93⤵
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe94⤵PID:1500
-
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:744 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe96⤵PID:1876
-
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe97⤵PID:3064
-
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe98⤵
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe99⤵PID:268
-
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe100⤵PID:2424
-
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe101⤵PID:2936
-
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe102⤵PID:3004
-
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe103⤵PID:2508
-
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe104⤵PID:2288
-
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe105⤵PID:2464
-
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe106⤵PID:296
-
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe108⤵PID:340
-
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe109⤵PID:1688
-
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe110⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1812 -
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe112⤵PID:2072
-
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe113⤵PID:1720
-
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe114⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe115⤵PID:2488
-
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe116⤵PID:1824
-
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe117⤵PID:2284
-
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe118⤵PID:1676
-
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe119⤵PID:1368
-
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe120⤵PID:564
-
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe121⤵
- System Location Discovery: System Language Discovery
PID:1700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-