Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/12/2024, 22:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
672733d551894ca31d204a05b136d984006cea3704620788eb3f69899a5b6b63.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
672733d551894ca31d204a05b136d984006cea3704620788eb3f69899a5b6b63.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
672733d551894ca31d204a05b136d984006cea3704620788eb3f69899a5b6b63.exe
-
Size
552KB
-
MD5
fe385263c94eac4e44f79720d539e196
-
SHA1
d2db64a3b879d8021abd0b311febe250b427473b
-
SHA256
672733d551894ca31d204a05b136d984006cea3704620788eb3f69899a5b6b63
-
SHA512
21f2ed73d62cdfe7465fed6cc811e69f5689f33b8490cdc163e48bd183d17d794eea7241ea40dc5daeceb6b1dc9f203847ff8bb35ea3b17361b89f0babd1d59d
-
SSDEEP
6144:FgdKnhXHwMLU8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqX:FyahXH1I87g7/VycgE81lgxaa8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dejbqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egikjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcnegnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggicgopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpphhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bejfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjgoje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnoogbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfjnpgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkjnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifclb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjmnjkjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Objaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cicalakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Goplilpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjcmap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddpobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhdjgoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldkmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcofio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omklkkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahebaiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmfkfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppkhhjei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbeofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jolghndm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehlkhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mqpflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkaehb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Calcpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcifpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkecij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnbcmkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeindm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgcmbcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdenafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmjhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkecij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbohehoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkglnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdiefffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmqpam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmcnqama.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidfdofi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piicpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahebaiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjjkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgchgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palepb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Locjhqpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qppkfhlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enlidg32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2912 Mfdopp32.exe 2088 Mmogmjmn.exe 2428 Mihdgkpp.exe 2704 Mgmahg32.exe 2616 Mccbmh32.exe 2624 Mlkjne32.exe 2672 Nmnclmoj.exe 2580 Niedqnen.exe 2960 Nmqpam32.exe 2324 Ndmecgba.exe 1620 Oiljam32.exe 1256 Olmcchlg.exe 1344 Odhhgkib.exe 2948 Oonldcih.exe 2020 Omcifpnp.exe 2232 Omefkplm.exe 1616 Ppcbgkka.exe 1176 Pljcllqe.exe 1444 Pcdkif32.exe 908 Pecgea32.exe 2828 Plmpblnb.exe 1988 Peedka32.exe 2432 Phcpgm32.exe 2080 Ppkhhjei.exe 2132 Palepb32.exe 1640 Pjcmap32.exe 864 Pejmfqan.exe 2792 Phhjblpa.exe 2468 Qnebjc32.exe 2708 Qfljkp32.exe 2612 Qhjfgl32.exe 1968 Qngopb32.exe 2620 Agpcihcf.exe 2504 Akkoig32.exe 2244 Anjlebjc.exe 1612 Adcdbl32.exe 2300 Ajqljc32.exe 1872 Amohfo32.exe 1876 Ajcipc32.exe 2496 Amaelomh.exe 2728 Ajeeeblb.exe 408 Amcbankf.exe 2164 Acnjnh32.exe 3060 Ajgbkbjp.exe 876 Amfognic.exe 3052 Aodkci32.exe 1600 Bfncpcoc.exe 2348 Bimoloog.exe 1520 Bmhkmm32.exe 2120 Bofgii32.exe 1948 Bnihdemo.exe 3020 Bfqpecma.exe 2600 Becpap32.exe 3016 Boidnh32.exe 2740 Biaign32.exe 1096 Bkpeci32.exe 2248 Bjbeofpp.exe 2264 Bbjmpcab.exe 288 Bammlq32.exe 860 Bckjhl32.exe 2812 Bnqned32.exe 2256 Bmcnqama.exe 2604 Bejfao32.exe 1700 Bcmfmlen.exe -
Loads dropped DLL 64 IoCs
pid Process 2112 672733d551894ca31d204a05b136d984006cea3704620788eb3f69899a5b6b63.exe 2112 672733d551894ca31d204a05b136d984006cea3704620788eb3f69899a5b6b63.exe 2912 Mfdopp32.exe 2912 Mfdopp32.exe 2088 Mmogmjmn.exe 2088 Mmogmjmn.exe 2428 Mihdgkpp.exe 2428 Mihdgkpp.exe 2704 Mgmahg32.exe 2704 Mgmahg32.exe 2616 Mccbmh32.exe 2616 Mccbmh32.exe 2624 Mlkjne32.exe 2624 Mlkjne32.exe 2672 Nmnclmoj.exe 2672 Nmnclmoj.exe 2580 Niedqnen.exe 2580 Niedqnen.exe 2960 Nmqpam32.exe 2960 Nmqpam32.exe 2324 Ndmecgba.exe 2324 Ndmecgba.exe 1620 Oiljam32.exe 1620 Oiljam32.exe 1256 Olmcchlg.exe 1256 Olmcchlg.exe 1344 Odhhgkib.exe 1344 Odhhgkib.exe 2948 Oonldcih.exe 2948 Oonldcih.exe 2020 Omcifpnp.exe 2020 Omcifpnp.exe 2232 Omefkplm.exe 2232 Omefkplm.exe 1616 Ppcbgkka.exe 1616 Ppcbgkka.exe 1176 Pljcllqe.exe 1176 Pljcllqe.exe 1444 Pcdkif32.exe 1444 Pcdkif32.exe 908 Pecgea32.exe 908 Pecgea32.exe 2828 Plmpblnb.exe 2828 Plmpblnb.exe 1988 Peedka32.exe 1988 Peedka32.exe 2432 Phcpgm32.exe 2432 Phcpgm32.exe 2080 Ppkhhjei.exe 2080 Ppkhhjei.exe 2132 Palepb32.exe 2132 Palepb32.exe 1640 Pjcmap32.exe 1640 Pjcmap32.exe 864 Pejmfqan.exe 864 Pejmfqan.exe 2792 Phhjblpa.exe 2792 Phhjblpa.exe 2468 Qnebjc32.exe 2468 Qnebjc32.exe 2708 Qfljkp32.exe 2708 Qfljkp32.exe 2612 Qhjfgl32.exe 2612 Qhjfgl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cdjpfaqc.dll Bammlq32.exe File created C:\Windows\SysWOW64\Pkjjaebl.dll Fgldnkkf.exe File opened for modification C:\Windows\SysWOW64\Ijclol32.exe Idicbbpi.exe File created C:\Windows\SysWOW64\Kcecbq32.exe Kpgffe32.exe File opened for modification C:\Windows\SysWOW64\Bmcnqama.exe Bnqned32.exe File opened for modification C:\Windows\SysWOW64\Fdkklp32.exe Fjegog32.exe File created C:\Windows\SysWOW64\Kheoph32.dll Nfahomfd.exe File created C:\Windows\SysWOW64\Nbklpemb.dll Ofhjopbg.exe File created C:\Windows\SysWOW64\Lkfalipj.dll Eecafd32.exe File created C:\Windows\SysWOW64\Cljoegei.dll Lnjcomcf.exe File created C:\Windows\SysWOW64\Ncnngfna.exe Napbjjom.exe File created C:\Windows\SysWOW64\Lnjcomcf.exe Lgqkbb32.exe File created C:\Windows\SysWOW64\Mqklqhpg.exe Mbhlek32.exe File created C:\Windows\SysWOW64\Pljcllqe.exe Ppcbgkka.exe File created C:\Windows\SysWOW64\Bbjmpcab.exe Bjbeofpp.exe File opened for modification C:\Windows\SysWOW64\Dicnkdnf.exe Dgeaoinb.exe File created C:\Windows\SysWOW64\Gafalh32.dll Dgeaoinb.exe File opened for modification C:\Windows\SysWOW64\Mihdgkpp.exe Mmogmjmn.exe File created C:\Windows\SysWOW64\Ckmqbj32.dll Nmqpam32.exe File created C:\Windows\SysWOW64\Bbmqhd32.dll Gfcnegnk.exe File created C:\Windows\SysWOW64\Palepb32.exe Ppkhhjei.exe File created C:\Windows\SysWOW64\Qhadqf32.dll Amfognic.exe File created C:\Windows\SysWOW64\Dmjqpdje.exe Dfphcj32.exe File opened for modification C:\Windows\SysWOW64\Alihaioe.exe Qeppdo32.exe File created C:\Windows\SysWOW64\Cgcnghpl.exe Ceebklai.exe File created C:\Windows\SysWOW64\Hdbnfqia.dll Pcdkif32.exe File opened for modification C:\Windows\SysWOW64\Biaign32.exe Boidnh32.exe File opened for modification C:\Windows\SysWOW64\Gkbcbn32.exe Ghdgfbkl.exe File created C:\Windows\SysWOW64\Npbdcgjh.dll Nlcibc32.exe File opened for modification C:\Windows\SysWOW64\Palepb32.exe Ppkhhjei.exe File opened for modification C:\Windows\SysWOW64\Ciaefa32.exe Cfcijf32.exe File opened for modification C:\Windows\SysWOW64\Hjofdi32.exe Hcdnhoac.exe File created C:\Windows\SysWOW64\Kjmnjkjd.exe Kdpfadlm.exe File opened for modification C:\Windows\SysWOW64\Bdcifi32.exe Bjmeiq32.exe File created C:\Windows\SysWOW64\Egpkbn32.dll Jmfafgbd.exe File opened for modification C:\Windows\SysWOW64\Mdiefffn.exe Mnomjl32.exe File created C:\Windows\SysWOW64\Paodbg32.dll Ncnngfna.exe File created C:\Windows\SysWOW64\Jendoajo.dll Afffenbp.exe File created C:\Windows\SysWOW64\Bblhki32.dll Mccbmh32.exe File opened for modification C:\Windows\SysWOW64\Dejbqb32.exe Daofpchf.exe File created C:\Windows\SysWOW64\Kagflkia.dll Nlnpgd32.exe File created C:\Windows\SysWOW64\Ajmijmnn.exe Aebmjo32.exe File created C:\Windows\SysWOW64\Pkdhln32.dll Aakjdo32.exe File created C:\Windows\SysWOW64\Ecbbbh32.dll Cmfkfa32.exe File created C:\Windows\SysWOW64\Ggicgopd.exe Gifclb32.exe File created C:\Windows\SysWOW64\Hjofdi32.exe Hcdnhoac.exe File created C:\Windows\SysWOW64\Oggfcl32.dll Hldlga32.exe File opened for modification C:\Windows\SysWOW64\Cfnoogbo.exe Caaggpdh.exe File created C:\Windows\SysWOW64\Bflbhgjm.dll Cfcijf32.exe File created C:\Windows\SysWOW64\Blangfdh.dll Njfjnpgp.exe File created C:\Windows\SysWOW64\Pfqgfg32.dll Qppkfhlc.exe File opened for modification C:\Windows\SysWOW64\Aodkci32.exe Amfognic.exe File opened for modification C:\Windows\SysWOW64\Bnqned32.exe Bckjhl32.exe File created C:\Windows\SysWOW64\Ihkcje32.dll Folfoj32.exe File created C:\Windows\SysWOW64\Pfkhoe32.dll Bkpeci32.exe File opened for modification C:\Windows\SysWOW64\Jpgjgboe.exe Jlkngc32.exe File opened for modification C:\Windows\SysWOW64\Amfognic.exe Ajgbkbjp.exe File opened for modification C:\Windows\SysWOW64\Fkecij32.exe Fgigil32.exe File opened for modification C:\Windows\SysWOW64\Jgabdlfb.exe Jbefcm32.exe File created C:\Windows\SysWOW64\Fjegog32.exe Fhdjgoha.exe File opened for modification C:\Windows\SysWOW64\Lnjcomcf.exe Lgqkbb32.exe File created C:\Windows\SysWOW64\Qndkpmkm.exe Qppkfhlc.exe File created C:\Windows\SysWOW64\Alqnah32.exe Ahebaiac.exe File created C:\Windows\SysWOW64\Bmffciep.dll Cjgoje32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Edggmg32.¾ll Dpapaj32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peedka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhjopbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgimqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlphbbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loefnpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaghki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qndkpmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bofgii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaajei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihdgkpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkngc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfoin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpcooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmhdpnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfognic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bammlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjbeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgjnhaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojmpooah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnoogbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfgcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamdkfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjcomcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgjgboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbefcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejfao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjkpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dldkmlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjqpdje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihglhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgoelh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjdaqgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedfqeka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgjaeoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolnbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaimopli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfoojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckjhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicalakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elajgpmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfafgbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajcdjca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnclmoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcpgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Locjhqpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjlebjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajqljc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdiefffn.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Biaign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgibnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpphhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knfndjdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qhjfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljoegei.dll" Lnjcomcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladpkl32.dll" Mjhjdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmnnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfahomfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mihdgkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmnnh32.dll" Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jehlkhig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmicfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhpemm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eldglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfnnoge.dll" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcghbo32.dll" Injndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcgpm32.dll" Mbhlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oiljam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moanlj32.dll" Enlidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfjpdjjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oonldcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajqljc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmhkmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfope32.dll" Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Edggmg32.¾ll" Dpapaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naejdn32.dll" Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofhjopbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dknajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhmbnfb.dll" Cnckjddd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clmdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlhoigp.dll" Odgamdef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Becpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnimiblo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dicnkdnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll" Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giddhc32.dll" Ojmpooah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pepcelel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnkjnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll" Boljgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppkhhjei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elajgpmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhgcm32.dll" Ieomef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Llbqfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmmfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebmjo32.dll" Hjacjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejdjfjb.dll" Hbaaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgghnmp.dll" Oidiekdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijppackl.dll" Clmdmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihniaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkegah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID Dpapaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blangfdh.dll" Njfjnpgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojmpooah.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2112 wrote to memory of 2912 2112 672733d551894ca31d204a05b136d984006cea3704620788eb3f69899a5b6b63.exe 30 PID 2112 wrote to memory of 2912 2112 672733d551894ca31d204a05b136d984006cea3704620788eb3f69899a5b6b63.exe 30 PID 2112 wrote to memory of 2912 2112 672733d551894ca31d204a05b136d984006cea3704620788eb3f69899a5b6b63.exe 30 PID 2112 wrote to memory of 2912 2112 672733d551894ca31d204a05b136d984006cea3704620788eb3f69899a5b6b63.exe 30 PID 2912 wrote to memory of 2088 2912 Mfdopp32.exe 31 PID 2912 wrote to memory of 2088 2912 Mfdopp32.exe 31 PID 2912 wrote to memory of 2088 2912 Mfdopp32.exe 31 PID 2912 wrote to memory of 2088 2912 Mfdopp32.exe 31 PID 2088 wrote to memory of 2428 2088 Mmogmjmn.exe 32 PID 2088 wrote to memory of 2428 2088 Mmogmjmn.exe 32 PID 2088 wrote to memory of 2428 2088 Mmogmjmn.exe 32 PID 2088 wrote to memory of 2428 2088 Mmogmjmn.exe 32 PID 2428 wrote to memory of 2704 2428 Mihdgkpp.exe 33 PID 2428 wrote to memory of 2704 2428 Mihdgkpp.exe 33 PID 2428 wrote to memory of 2704 2428 Mihdgkpp.exe 33 PID 2428 wrote to memory of 2704 2428 Mihdgkpp.exe 33 PID 2704 wrote to memory of 2616 2704 Mgmahg32.exe 34 PID 2704 wrote to memory of 2616 2704 Mgmahg32.exe 34 PID 2704 wrote to memory of 2616 2704 Mgmahg32.exe 34 PID 2704 wrote to memory of 2616 2704 Mgmahg32.exe 34 PID 2616 wrote to memory of 2624 2616 Mccbmh32.exe 35 PID 2616 wrote to memory of 2624 2616 Mccbmh32.exe 35 PID 2616 wrote to memory of 2624 2616 Mccbmh32.exe 35 PID 2616 wrote to memory of 2624 2616 Mccbmh32.exe 35 PID 2624 wrote to memory of 2672 2624 Mlkjne32.exe 36 PID 2624 wrote to memory of 2672 2624 Mlkjne32.exe 36 PID 2624 wrote to memory of 2672 2624 Mlkjne32.exe 36 PID 2624 wrote to memory of 2672 2624 Mlkjne32.exe 36 PID 2672 wrote to memory of 2580 2672 Nmnclmoj.exe 37 PID 2672 wrote to memory of 2580 2672 Nmnclmoj.exe 37 PID 2672 wrote to memory of 2580 2672 Nmnclmoj.exe 37 PID 2672 wrote to memory of 2580 2672 Nmnclmoj.exe 37 PID 2580 wrote to memory of 2960 2580 Niedqnen.exe 38 PID 2580 wrote to memory of 2960 2580 Niedqnen.exe 38 PID 2580 wrote to memory of 2960 2580 Niedqnen.exe 38 PID 2580 wrote to memory of 2960 2580 Niedqnen.exe 38 PID 2960 wrote to memory of 2324 2960 Nmqpam32.exe 39 PID 2960 wrote to memory of 2324 2960 Nmqpam32.exe 39 PID 2960 wrote to memory of 2324 2960 Nmqpam32.exe 39 PID 2960 wrote to memory of 2324 2960 Nmqpam32.exe 39 PID 2324 wrote to memory of 1620 2324 Ndmecgba.exe 40 PID 2324 wrote to memory of 1620 2324 Ndmecgba.exe 40 PID 2324 wrote to memory of 1620 2324 Ndmecgba.exe 40 PID 2324 wrote to memory of 1620 2324 Ndmecgba.exe 40 PID 1620 wrote to memory of 1256 1620 Oiljam32.exe 41 PID 1620 wrote to memory of 1256 1620 Oiljam32.exe 41 PID 1620 wrote to memory of 1256 1620 Oiljam32.exe 41 PID 1620 wrote to memory of 1256 1620 Oiljam32.exe 41 PID 1256 wrote to memory of 1344 1256 Olmcchlg.exe 42 PID 1256 wrote to memory of 1344 1256 Olmcchlg.exe 42 PID 1256 wrote to memory of 1344 1256 Olmcchlg.exe 42 PID 1256 wrote to memory of 1344 1256 Olmcchlg.exe 42 PID 1344 wrote to memory of 2948 1344 Odhhgkib.exe 43 PID 1344 wrote to memory of 2948 1344 Odhhgkib.exe 43 PID 1344 wrote to memory of 2948 1344 Odhhgkib.exe 43 PID 1344 wrote to memory of 2948 1344 Odhhgkib.exe 43 PID 2948 wrote to memory of 2020 2948 Oonldcih.exe 44 PID 2948 wrote to memory of 2020 2948 Oonldcih.exe 44 PID 2948 wrote to memory of 2020 2948 Oonldcih.exe 44 PID 2948 wrote to memory of 2020 2948 Oonldcih.exe 44 PID 2020 wrote to memory of 2232 2020 Omcifpnp.exe 45 PID 2020 wrote to memory of 2232 2020 Omcifpnp.exe 45 PID 2020 wrote to memory of 2232 2020 Omcifpnp.exe 45 PID 2020 wrote to memory of 2232 2020 Omcifpnp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\672733d551894ca31d204a05b136d984006cea3704620788eb3f69899a5b6b63.exe"C:\Users\Admin\AppData\Local\Temp\672733d551894ca31d204a05b136d984006cea3704620788eb3f69899a5b6b63.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1176 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe33⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe34⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe35⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe37⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe39⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe40⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe41⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe42⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe43⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe44⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe47⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe48⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe49⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe52⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe53⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe59⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:288 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:860 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe65⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe66⤵
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe68⤵
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe70⤵
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe73⤵PID:2720
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe74⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe75⤵
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe76⤵PID:1300
-
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe77⤵PID:3032
-
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe78⤵
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe79⤵PID:2532
-
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe80⤵PID:2692
-
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe81⤵PID:2044
-
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe82⤵PID:1916
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:236 -
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe84⤵
- System Location Discovery: System Language Discovery
PID:484 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe86⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe89⤵PID:1460
-
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe92⤵PID:1408
-
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe93⤵PID:2700
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe94⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe95⤵
- System Location Discovery: System Language Discovery
PID:1304 -
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe96⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe97⤵
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe98⤵PID:2268
-
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe99⤵PID:1856
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe100⤵PID:2952
-
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe101⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe102⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe104⤵PID:2172
-
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe105⤵PID:1844
-
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe106⤵
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe108⤵PID:1252
-
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe109⤵PID:1528
-
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe110⤵PID:380
-
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe111⤵PID:2208
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe112⤵PID:1884
-
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe113⤵PID:2440
-
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe115⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe116⤵
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe117⤵PID:2944
-
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe120⤵PID:2280
-
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe121⤵
- Drops file in System32 directory
PID:2804
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-