Analysis
-
max time kernel
109s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 16:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702.exe
-
Size
136KB
-
MD5
dd01ea546c381442ced923941531e8b4
-
SHA1
50b897469f8fca578a5759ff7124e5532e80f12a
-
SHA256
81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702
-
SHA512
be30a72a1baa5c14461c9875b0641aa67db4a9ce774b8b2bc883990ba5ffb86f928fc053a533a5dbda8491d8609a19bd33e1acc8e18219c89b5d7e0abb783605
-
SSDEEP
3072:7Sdzi0rQQsbMqp3L6GlzdH13+EE+RaZ6r+GDZnBcE:7Sdzi00QsAs3Lzlzd5IF6rfBBcE
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmeaaboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddhekfeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkbadifn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggekhhle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbcah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgaikep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgbemjqh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdlialfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifndph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heedbbdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceeaikk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pccahc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbfeam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hngngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pihnqj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhooaog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gninpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enmqjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpjilj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bljeke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oamohenq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnpkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bamfloef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmmanif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjpmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lghigl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpledf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkjkcfjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deahcneh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfjdfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipgpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bglhcihn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbkgig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplhfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckjnfobi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmimkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpdpkfga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqdaal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pconjjql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oooeeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iglkoaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moahdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aadbfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llagegfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnbpgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnoll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcafbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Conmkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkfncn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenioenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iceiibef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaffja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lblflgqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iedmhlqf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnecag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilfadg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmpdoffo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpcoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdaedhoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihehbpel.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2596 Odfofhic.exe 2916 Oajopl32.exe 2168 Pjhpin32.exe 2304 Pnfipm32.exe 2852 Pccahc32.exe 2928 Pibgfjdh.exe 2788 Qnalcqpm.exe 1040 Aiimfi32.exe 2868 Anhbdpje.exe 2340 Afcghbgp.exe 1108 Acjdgf32.exe 2028 Bclqme32.exe 564 Bhnffi32.exe 2308 Bjoohdbd.exe 1964 Cfhlbe32.exe 1876 Cpbnaj32.exe 1164 Cllkkk32.exe 768 Cipleo32.exe 1364 Dakpiajj.exe 2400 Dkcebg32.exe 2520 Dhgelk32.exe 1204 Dekeeonn.exe 2096 Dabfjp32.exe 1820 Dkjkcfjc.exe 1528 Edelakoq.exe 2288 Enmqjq32.exe 2424 Efhenccl.exe 2040 Ekhjlioa.exe 2952 Fdblkoco.exe 2816 Fbfldc32.exe 2152 Fdgefn32.exe 2872 Fjdnne32.exe 2484 Gpjilj32.exe 3004 Glcfgk32.exe 1264 Hhjgll32.exe 2992 Hdqhambg.exe 2740 Hipmoc32.exe 452 Hbhagiem.exe 1028 Hffjng32.exe 1348 Ioaobjin.exe 2508 Ipaklm32.exe 864 Ihlpqonl.exe 1644 Idcqep32.exe 900 Ihqilnig.exe 1868 Iainddpg.exe 1572 Jakjjcnd.exe 2576 Jjgonf32.exe 1744 Jjilde32.exe 2808 Jgmlmj32.exe 2140 Jfbinf32.exe 2104 Jkobgm32.exe 760 Kbkgig32.exe 2156 Kkckblgq.exe 1756 Khglkqfj.exe 2944 Kjihci32.exe 2524 Kdnlpaln.exe 1968 Kqemeb32.exe 1784 Kninog32.exe 668 Lcffgnnc.exe 2460 Lmnkpc32.exe 2676 Lffohikd.exe 764 Lkcgapjl.exe 3008 Lelljepm.exe 2452 Lenioenj.exe -
Loads dropped DLL 64 IoCs
pid Process 2116 81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702.exe 2116 81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702.exe 2596 Odfofhic.exe 2596 Odfofhic.exe 2916 Oajopl32.exe 2916 Oajopl32.exe 2168 Pjhpin32.exe 2168 Pjhpin32.exe 2304 Pnfipm32.exe 2304 Pnfipm32.exe 2852 Pccahc32.exe 2852 Pccahc32.exe 2928 Pibgfjdh.exe 2928 Pibgfjdh.exe 2788 Qnalcqpm.exe 2788 Qnalcqpm.exe 1040 Aiimfi32.exe 1040 Aiimfi32.exe 2868 Anhbdpje.exe 2868 Anhbdpje.exe 2340 Afcghbgp.exe 2340 Afcghbgp.exe 1108 Acjdgf32.exe 1108 Acjdgf32.exe 2028 Bclqme32.exe 2028 Bclqme32.exe 564 Bhnffi32.exe 564 Bhnffi32.exe 2308 Bjoohdbd.exe 2308 Bjoohdbd.exe 1964 Cfhlbe32.exe 1964 Cfhlbe32.exe 1876 Cpbnaj32.exe 1876 Cpbnaj32.exe 1164 Cllkkk32.exe 1164 Cllkkk32.exe 768 Cipleo32.exe 768 Cipleo32.exe 1364 Dakpiajj.exe 1364 Dakpiajj.exe 2400 Dkcebg32.exe 2400 Dkcebg32.exe 2520 Dhgelk32.exe 2520 Dhgelk32.exe 1204 Dekeeonn.exe 1204 Dekeeonn.exe 2096 Dabfjp32.exe 2096 Dabfjp32.exe 1820 Dkjkcfjc.exe 1820 Dkjkcfjc.exe 1528 Edelakoq.exe 1528 Edelakoq.exe 2288 Enmqjq32.exe 2288 Enmqjq32.exe 2424 Efhenccl.exe 2424 Efhenccl.exe 2040 Ekhjlioa.exe 2040 Ekhjlioa.exe 2952 Fdblkoco.exe 2952 Fdblkoco.exe 2816 Fbfldc32.exe 2816 Fbfldc32.exe 2152 Fdgefn32.exe 2152 Fdgefn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nmmldbkc.dll Gglimm32.exe File opened for modification C:\Windows\SysWOW64\Ijpjik32.exe Iionacad.exe File created C:\Windows\SysWOW64\Bjnhpj32.exe Bhmonoli.exe File opened for modification C:\Windows\SysWOW64\Opbnbj32.exe Ogjjie32.exe File created C:\Windows\SysWOW64\Ifjoie32.exe Process not Found File created C:\Windows\SysWOW64\Nejdjf32.exe Nalldh32.exe File created C:\Windows\SysWOW64\Ladpqq32.dll Eopcmb32.exe File created C:\Windows\SysWOW64\Eeijpdbd.exe Edhmhl32.exe File opened for modification C:\Windows\SysWOW64\Aadbfp32.exe Adqbml32.exe File created C:\Windows\SysWOW64\Koacjg32.exe Kfioaaah.exe File created C:\Windows\SysWOW64\Eajade32.dll Hekhid32.exe File created C:\Windows\SysWOW64\Onjeinde.dll Fgpqnpjh.exe File created C:\Windows\SysWOW64\Gbpaef32.exe Gigllafc.exe File created C:\Windows\SysWOW64\Oikgjlgb.dll Dijjgegh.exe File created C:\Windows\SysWOW64\Anbckadf.dll Jcpglhpo.exe File opened for modification C:\Windows\SysWOW64\Kjbqei32.exe Knlpphnd.exe File created C:\Windows\SysWOW64\Hjdbckib.dll Jpajdi32.exe File created C:\Windows\SysWOW64\Hjhlnahk.exe Haohel32.exe File opened for modification C:\Windows\SysWOW64\Iccnmk32.exe Ifoncgpc.exe File created C:\Windows\SysWOW64\Cenhfqle.exe Ckhdihlp.exe File opened for modification C:\Windows\SysWOW64\Aapikqel.exe Qdlialfb.exe File opened for modification C:\Windows\SysWOW64\Pkajgonp.exe Pqlfjfni.exe File opened for modification C:\Windows\SysWOW64\Jijbnppi.exe Jggiah32.exe File opened for modification C:\Windows\SysWOW64\Lcjkbl32.exe Process not Found File created C:\Windows\SysWOW64\Ngobfm32.dll Lpjiik32.exe File opened for modification C:\Windows\SysWOW64\Mfkjnmje.exe Lqnbffkn.exe File opened for modification C:\Windows\SysWOW64\Cpdeghgk.exe Process not Found File created C:\Windows\SysWOW64\Ghnaaljp.exe Goemhfco.exe File opened for modification C:\Windows\SysWOW64\Docjpa32.exe Dghekobe.exe File created C:\Windows\SysWOW64\Ljehdq32.dll Hipmoc32.exe File created C:\Windows\SysWOW64\Jjgonf32.exe Jakjjcnd.exe File opened for modification C:\Windows\SysWOW64\Lddoopbi.exe Klijjnen.exe File created C:\Windows\SysWOW64\Mpeebhhf.exe Mglpjc32.exe File opened for modification C:\Windows\SysWOW64\Hdloab32.exe Hkdkhl32.exe File created C:\Windows\SysWOW64\Ajjcmj32.dll Idjjih32.exe File opened for modification C:\Windows\SysWOW64\Jhpdlm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pbfcoedi.exe Pinnfonh.exe File created C:\Windows\SysWOW64\Fnleqj32.exe Fqhegf32.exe File created C:\Windows\SysWOW64\Bmogkkkd.exe Process not Found File created C:\Windows\SysWOW64\Abacjd32.exe Aqpgblqh.exe File created C:\Windows\SysWOW64\Bhonin32.dll Fdblkoco.exe File created C:\Windows\SysWOW64\Hnnkbd32.exe Hajkip32.exe File opened for modification C:\Windows\SysWOW64\Ikqcgj32.exe Hnmcne32.exe File opened for modification C:\Windows\SysWOW64\Cocnanmd.exe Cleaebna.exe File opened for modification C:\Windows\SysWOW64\Idpmejag.exe Ijghmd32.exe File opened for modification C:\Windows\SysWOW64\Eagbnh32.exe Dadehh32.exe File created C:\Windows\SysWOW64\Ognoodja.dll Qpocno32.exe File opened for modification C:\Windows\SysWOW64\Fgcpkldh.exe Feccqime.exe File created C:\Windows\SysWOW64\Egqjgpom.dll Bgjknijp.exe File created C:\Windows\SysWOW64\Ghboifle.dll 81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702.exe File created C:\Windows\SysWOW64\Fejhdhpb.dll Jjilde32.exe File created C:\Windows\SysWOW64\Lelljepm.exe Lkcgapjl.exe File created C:\Windows\SysWOW64\Eepeng32.dll Bebjdjal.exe File created C:\Windows\SysWOW64\Diklpn32.exe Dqpgll32.exe File created C:\Windows\SysWOW64\Lgcpif32.dll Bgmolb32.exe File opened for modification C:\Windows\SysWOW64\Gdedoegh.exe Gepgni32.exe File created C:\Windows\SysWOW64\Nhjofbdk.exe Mdlfpcnd.exe File created C:\Windows\SysWOW64\Fnfekdpl.exe Fqbeapqb.exe File created C:\Windows\SysWOW64\Npmana32.exe Process not Found File created C:\Windows\SysWOW64\Gkancm32.exe Geeekf32.exe File created C:\Windows\SysWOW64\Gjoiokgo.dll Gdedoegh.exe File opened for modification C:\Windows\SysWOW64\Kamooe32.exe Process not Found File created C:\Windows\SysWOW64\Ajegbonq.dll Edkopifk.exe File created C:\Windows\SysWOW64\Gjolpkhj.exe Gnhkkjbf.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qajfmbna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apdminod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfadndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldchff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpcbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hekhid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkfncn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebnqcjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiimfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmngof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpmljan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhhlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffohikd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnoocq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgqqcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjikh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Badlln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakpiajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idbjkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepghe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aenileon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiifjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cleaebna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdamhocm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknakhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcojbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoncgpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khglkqfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfina32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaeeoihj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifndph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkcagn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojijha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhpbcdqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nljjqbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbdbml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfimhmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacbel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldihjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdohq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oamohenq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjoohdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhljpmlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmaialjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgebcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llainlje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoanij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgpfjbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnncf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmaedolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cekkaanh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjilj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkimff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gocnjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgnmhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clphjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgaohej.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbclfj32.dll" Andlmnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akdedkfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlikkbga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Naeigf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jflikm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnjehaio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Naebmppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gninpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofgjhe32.dll" Gnoocq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnpbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfillpcn.dll" Ceeibbgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmpf32.dll" Icjmpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dqpgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cickgk32.dll" Opdkgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmeaaboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgccll32.dll" Hmbbcjic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekbjgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgcbja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlbhjkij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlddpkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ankckagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cijkaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehhghdgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhgelk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmoaoikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jakjjcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnqdb32.dll" Pojdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknojl32.dll" Ikhqbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjpfnjc.dll" Copobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfgpnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibnppn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbimbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnoadiak.dll" Pghjqlmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amgggm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kplhfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnpknl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llomka32.dll" Qfegakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqemeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmbkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmaialjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfkpa32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbkgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idbjkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hekhid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidfbpbc.dll" Bcobdgoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjphff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipaklm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aiimfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eidchjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opbnbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jidngh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opbnbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokbkn32.dll" Efbbba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idlgohcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibbffq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eampgb32.dll" Omjgkjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbjai32.dll" Mdlfpcnd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2116 wrote to memory of 2596 2116 81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702.exe 30 PID 2116 wrote to memory of 2596 2116 81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702.exe 30 PID 2116 wrote to memory of 2596 2116 81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702.exe 30 PID 2116 wrote to memory of 2596 2116 81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702.exe 30 PID 2596 wrote to memory of 2916 2596 Odfofhic.exe 31 PID 2596 wrote to memory of 2916 2596 Odfofhic.exe 31 PID 2596 wrote to memory of 2916 2596 Odfofhic.exe 31 PID 2596 wrote to memory of 2916 2596 Odfofhic.exe 31 PID 2916 wrote to memory of 2168 2916 Oajopl32.exe 32 PID 2916 wrote to memory of 2168 2916 Oajopl32.exe 32 PID 2916 wrote to memory of 2168 2916 Oajopl32.exe 32 PID 2916 wrote to memory of 2168 2916 Oajopl32.exe 32 PID 2168 wrote to memory of 2304 2168 Pjhpin32.exe 33 PID 2168 wrote to memory of 2304 2168 Pjhpin32.exe 33 PID 2168 wrote to memory of 2304 2168 Pjhpin32.exe 33 PID 2168 wrote to memory of 2304 2168 Pjhpin32.exe 33 PID 2304 wrote to memory of 2852 2304 Pnfipm32.exe 34 PID 2304 wrote to memory of 2852 2304 Pnfipm32.exe 34 PID 2304 wrote to memory of 2852 2304 Pnfipm32.exe 34 PID 2304 wrote to memory of 2852 2304 Pnfipm32.exe 34 PID 2852 wrote to memory of 2928 2852 Pccahc32.exe 35 PID 2852 wrote to memory of 2928 2852 Pccahc32.exe 35 PID 2852 wrote to memory of 2928 2852 Pccahc32.exe 35 PID 2852 wrote to memory of 2928 2852 Pccahc32.exe 35 PID 2928 wrote to memory of 2788 2928 Pibgfjdh.exe 36 PID 2928 wrote to memory of 2788 2928 Pibgfjdh.exe 36 PID 2928 wrote to memory of 2788 2928 Pibgfjdh.exe 36 PID 2928 wrote to memory of 2788 2928 Pibgfjdh.exe 36 PID 2788 wrote to memory of 1040 2788 Qnalcqpm.exe 37 PID 2788 wrote to memory of 1040 2788 Qnalcqpm.exe 37 PID 2788 wrote to memory of 1040 2788 Qnalcqpm.exe 37 PID 2788 wrote to memory of 1040 2788 Qnalcqpm.exe 37 PID 1040 wrote to memory of 2868 1040 Aiimfi32.exe 38 PID 1040 wrote to memory of 2868 1040 Aiimfi32.exe 38 PID 1040 wrote to memory of 2868 1040 Aiimfi32.exe 38 PID 1040 wrote to memory of 2868 1040 Aiimfi32.exe 38 PID 2868 wrote to memory of 2340 2868 Anhbdpje.exe 39 PID 2868 wrote to memory of 2340 2868 Anhbdpje.exe 39 PID 2868 wrote to memory of 2340 2868 Anhbdpje.exe 39 PID 2868 wrote to memory of 2340 2868 Anhbdpje.exe 39 PID 2340 wrote to memory of 1108 2340 Afcghbgp.exe 40 PID 2340 wrote to memory of 1108 2340 Afcghbgp.exe 40 PID 2340 wrote to memory of 1108 2340 Afcghbgp.exe 40 PID 2340 wrote to memory of 1108 2340 Afcghbgp.exe 40 PID 1108 wrote to memory of 2028 1108 Acjdgf32.exe 41 PID 1108 wrote to memory of 2028 1108 Acjdgf32.exe 41 PID 1108 wrote to memory of 2028 1108 Acjdgf32.exe 41 PID 1108 wrote to memory of 2028 1108 Acjdgf32.exe 41 PID 2028 wrote to memory of 564 2028 Bclqme32.exe 42 PID 2028 wrote to memory of 564 2028 Bclqme32.exe 42 PID 2028 wrote to memory of 564 2028 Bclqme32.exe 42 PID 2028 wrote to memory of 564 2028 Bclqme32.exe 42 PID 564 wrote to memory of 2308 564 Bhnffi32.exe 43 PID 564 wrote to memory of 2308 564 Bhnffi32.exe 43 PID 564 wrote to memory of 2308 564 Bhnffi32.exe 43 PID 564 wrote to memory of 2308 564 Bhnffi32.exe 43 PID 2308 wrote to memory of 1964 2308 Bjoohdbd.exe 44 PID 2308 wrote to memory of 1964 2308 Bjoohdbd.exe 44 PID 2308 wrote to memory of 1964 2308 Bjoohdbd.exe 44 PID 2308 wrote to memory of 1964 2308 Bjoohdbd.exe 44 PID 1964 wrote to memory of 1876 1964 Cfhlbe32.exe 45 PID 1964 wrote to memory of 1876 1964 Cfhlbe32.exe 45 PID 1964 wrote to memory of 1876 1964 Cfhlbe32.exe 45 PID 1964 wrote to memory of 1876 1964 Cfhlbe32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702.exe"C:\Users\Admin\AppData\Local\Temp\81ae31b8e999b06adbe912cd8ad65bce6ea89ef55a1c222fdbb5283a2a71f702.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Odfofhic.exeC:\Windows\system32\Odfofhic.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Oajopl32.exeC:\Windows\system32\Oajopl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Pjhpin32.exeC:\Windows\system32\Pjhpin32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Pnfipm32.exeC:\Windows\system32\Pnfipm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Pccahc32.exeC:\Windows\system32\Pccahc32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Pibgfjdh.exeC:\Windows\system32\Pibgfjdh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Qnalcqpm.exeC:\Windows\system32\Qnalcqpm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Aiimfi32.exeC:\Windows\system32\Aiimfi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Anhbdpje.exeC:\Windows\system32\Anhbdpje.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Afcghbgp.exeC:\Windows\system32\Afcghbgp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Acjdgf32.exeC:\Windows\system32\Acjdgf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Bclqme32.exeC:\Windows\system32\Bclqme32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Bhnffi32.exeC:\Windows\system32\Bhnffi32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Bjoohdbd.exeC:\Windows\system32\Bjoohdbd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Cfhlbe32.exeC:\Windows\system32\Cfhlbe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Cpbnaj32.exeC:\Windows\system32\Cpbnaj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Cllkkk32.exeC:\Windows\system32\Cllkkk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Cipleo32.exeC:\Windows\system32\Cipleo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Dakpiajj.exeC:\Windows\system32\Dakpiajj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Windows\SysWOW64\Dkcebg32.exeC:\Windows\system32\Dkcebg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Dhgelk32.exeC:\Windows\system32\Dhgelk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Dekeeonn.exeC:\Windows\system32\Dekeeonn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1204 -
C:\Windows\SysWOW64\Dabfjp32.exeC:\Windows\system32\Dabfjp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Dkjkcfjc.exeC:\Windows\system32\Dkjkcfjc.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Edelakoq.exeC:\Windows\system32\Edelakoq.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Enmqjq32.exeC:\Windows\system32\Enmqjq32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Efhenccl.exeC:\Windows\system32\Efhenccl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Ekhjlioa.exeC:\Windows\system32\Ekhjlioa.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Fdblkoco.exeC:\Windows\system32\Fdblkoco.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Fbfldc32.exeC:\Windows\system32\Fbfldc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Fdgefn32.exeC:\Windows\system32\Fdgefn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Fjdnne32.exeC:\Windows\system32\Fjdnne32.exe33⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Gpjilj32.exeC:\Windows\system32\Gpjilj32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Glcfgk32.exeC:\Windows\system32\Glcfgk32.exe35⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Hhjgll32.exeC:\Windows\system32\Hhjgll32.exe36⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Hdqhambg.exeC:\Windows\system32\Hdqhambg.exe37⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Hipmoc32.exeC:\Windows\system32\Hipmoc32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Hbhagiem.exeC:\Windows\system32\Hbhagiem.exe39⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe40⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Ioaobjin.exeC:\Windows\system32\Ioaobjin.exe41⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Ipaklm32.exeC:\Windows\system32\Ipaklm32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Ihlpqonl.exeC:\Windows\system32\Ihlpqonl.exe43⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Idcqep32.exeC:\Windows\system32\Idcqep32.exe44⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe45⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe46⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Jakjjcnd.exeC:\Windows\system32\Jakjjcnd.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Jjgonf32.exeC:\Windows\system32\Jjgonf32.exe48⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe50⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Jfbinf32.exeC:\Windows\system32\Jfbinf32.exe51⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Jkobgm32.exeC:\Windows\system32\Jkobgm32.exe52⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Kbkgig32.exeC:\Windows\system32\Kbkgig32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Kkckblgq.exeC:\Windows\system32\Kkckblgq.exe54⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Khglkqfj.exeC:\Windows\system32\Khglkqfj.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe56⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Kdnlpaln.exeC:\Windows\system32\Kdnlpaln.exe57⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Kqemeb32.exeC:\Windows\system32\Kqemeb32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Kninog32.exeC:\Windows\system32\Kninog32.exe59⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Lcffgnnc.exeC:\Windows\system32\Lcffgnnc.exe60⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Lmnkpc32.exeC:\Windows\system32\Lmnkpc32.exe61⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Lffohikd.exeC:\Windows\system32\Lffohikd.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Lkcgapjl.exeC:\Windows\system32\Lkcgapjl.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Lelljepm.exeC:\Windows\system32\Lelljepm.exe64⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Lenioenj.exeC:\Windows\system32\Lenioenj.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Lpcmlnnp.exeC:\Windows\system32\Lpcmlnnp.exe66⤵PID:2328
-
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe67⤵PID:2468
-
C:\Windows\SysWOW64\Mmngof32.exeC:\Windows\system32\Mmngof32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Windows\SysWOW64\Mffkgl32.exeC:\Windows\system32\Mffkgl32.exe69⤵PID:1656
-
C:\Windows\SysWOW64\Mmpcdfem.exeC:\Windows\system32\Mmpcdfem.exe70⤵PID:2056
-
C:\Windows\SysWOW64\Mhfhaoec.exeC:\Windows\system32\Mhfhaoec.exe71⤵PID:544
-
C:\Windows\SysWOW64\Mmcpjfcj.exeC:\Windows\system32\Mmcpjfcj.exe72⤵PID:1256
-
C:\Windows\SysWOW64\Mjgqcj32.exeC:\Windows\system32\Mjgqcj32.exe73⤵PID:1224
-
C:\Windows\SysWOW64\Nbbegl32.exeC:\Windows\system32\Nbbegl32.exe74⤵PID:2960
-
C:\Windows\SysWOW64\Nljjqbfp.exeC:\Windows\system32\Nljjqbfp.exe75⤵
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Nbdbml32.exeC:\Windows\system32\Nbdbml32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Nlmffa32.exeC:\Windows\system32\Nlmffa32.exe77⤵PID:2564
-
C:\Windows\SysWOW64\Naionh32.exeC:\Windows\system32\Naionh32.exe78⤵PID:940
-
C:\Windows\SysWOW64\Nalldh32.exeC:\Windows\system32\Nalldh32.exe79⤵
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Nejdjf32.exeC:\Windows\system32\Nejdjf32.exe80⤵PID:2580
-
C:\Windows\SysWOW64\Omeini32.exeC:\Windows\system32\Omeini32.exe81⤵PID:1324
-
C:\Windows\SysWOW64\Omgfdhbq.exeC:\Windows\system32\Omgfdhbq.exe82⤵PID:2196
-
C:\Windows\SysWOW64\Odanqb32.exeC:\Windows\system32\Odanqb32.exe83⤵PID:2476
-
C:\Windows\SysWOW64\Omjbihpn.exeC:\Windows\system32\Omjbihpn.exe84⤵PID:1424
-
C:\Windows\SysWOW64\Odckfb32.exeC:\Windows\system32\Odckfb32.exe85⤵PID:2000
-
C:\Windows\SysWOW64\Oipcnieb.exeC:\Windows\system32\Oipcnieb.exe86⤵PID:960
-
C:\Windows\SysWOW64\Ocihgo32.exeC:\Windows\system32\Ocihgo32.exe87⤵PID:2780
-
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe88⤵PID:1728
-
C:\Windows\SysWOW64\Olalpdbc.exeC:\Windows\system32\Olalpdbc.exe89⤵PID:1628
-
C:\Windows\SysWOW64\Qnnhcknd.exeC:\Windows\system32\Qnnhcknd.exe90⤵PID:2128
-
C:\Windows\SysWOW64\Qfimhmlo.exeC:\Windows\system32\Qfimhmlo.exe91⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Qmcedg32.exeC:\Windows\system32\Qmcedg32.exe92⤵PID:2444
-
C:\Windows\SysWOW64\Qfljmmjl.exeC:\Windows\system32\Qfljmmjl.exe93⤵PID:1132
-
C:\Windows\SysWOW64\Amebjgai.exeC:\Windows\system32\Amebjgai.exe94⤵PID:2136
-
C:\Windows\SysWOW64\Acpjga32.exeC:\Windows\system32\Acpjga32.exe95⤵PID:1780
-
C:\Windows\SysWOW64\Akkokc32.exeC:\Windows\system32\Akkokc32.exe96⤵PID:696
-
C:\Windows\SysWOW64\Abeghmmn.exeC:\Windows\system32\Abeghmmn.exe97⤵PID:2216
-
C:\Windows\SysWOW64\Aioodg32.exeC:\Windows\system32\Aioodg32.exe98⤵PID:624
-
C:\Windows\SysWOW64\Aeepjh32.exeC:\Windows\system32\Aeepjh32.exe99⤵PID:1080
-
C:\Windows\SysWOW64\Anndbnao.exeC:\Windows\system32\Anndbnao.exe100⤵PID:1564
-
C:\Windows\SysWOW64\Aalaoipc.exeC:\Windows\system32\Aalaoipc.exe101⤵PID:536
-
C:\Windows\SysWOW64\Ajdego32.exeC:\Windows\system32\Ajdego32.exe102⤵PID:1668
-
C:\Windows\SysWOW64\Bcmjpd32.exeC:\Windows\system32\Bcmjpd32.exe103⤵PID:1828
-
C:\Windows\SysWOW64\Bnbnnm32.exeC:\Windows\system32\Bnbnnm32.exe104⤵PID:1624
-
C:\Windows\SysWOW64\Bemfjgdg.exeC:\Windows\system32\Bemfjgdg.exe105⤵PID:2920
-
C:\Windows\SysWOW64\Bjiobnbn.exeC:\Windows\system32\Bjiobnbn.exe106⤵PID:2824
-
C:\Windows\SysWOW64\Bmhkojab.exeC:\Windows\system32\Bmhkojab.exe107⤵PID:916
-
C:\Windows\SysWOW64\Bgmolb32.exeC:\Windows\system32\Bgmolb32.exe108⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Bmjhdi32.exeC:\Windows\system32\Bmjhdi32.exe109⤵PID:1396
-
C:\Windows\SysWOW64\Bcdpacgl.exeC:\Windows\system32\Bcdpacgl.exe110⤵PID:520
-
C:\Windows\SysWOW64\Bmldji32.exeC:\Windows\system32\Bmldji32.exe111⤵PID:2472
-
C:\Windows\SysWOW64\Bbimbpld.exeC:\Windows\system32\Bbimbpld.exe112⤵
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Bmoaoikj.exeC:\Windows\system32\Bmoaoikj.exe113⤵
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Cfgehn32.exeC:\Windows\system32\Cfgehn32.exe114⤵PID:1768
-
C:\Windows\SysWOW64\Cldnqe32.exeC:\Windows\system32\Cldnqe32.exe115⤵PID:2608
-
C:\Windows\SysWOW64\Cbnfmo32.exeC:\Windows\system32\Cbnfmo32.exe116⤵PID:2936
-
C:\Windows\SysWOW64\Cbpcbo32.exeC:\Windows\system32\Cbpcbo32.exe117⤵
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Chmkkf32.exeC:\Windows\system32\Chmkkf32.exe118⤵PID:2812
-
C:\Windows\SysWOW64\Cealdjcm.exeC:\Windows\system32\Cealdjcm.exe119⤵PID:1248
-
C:\Windows\SysWOW64\Coiqmp32.exeC:\Windows\system32\Coiqmp32.exe120⤵PID:3056
-
C:\Windows\SysWOW64\Cdfief32.exeC:\Windows\system32\Cdfief32.exe121⤵PID:2356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-