Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
06/03/2025, 00:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
46de9cbb4262359716d46e98a8d76ecf0e9a60638ef0f3aab3c2c5b698aecfe2.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
46de9cbb4262359716d46e98a8d76ecf0e9a60638ef0f3aab3c2c5b698aecfe2.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
46de9cbb4262359716d46e98a8d76ecf0e9a60638ef0f3aab3c2c5b698aecfe2.exe
-
Size
112KB
-
MD5
355c20aaee661f2be3cd2dc35dfc0c5f
-
SHA1
9b4a3232c90866ce74b9a975a9893a00acbfc4d2
-
SHA256
46de9cbb4262359716d46e98a8d76ecf0e9a60638ef0f3aab3c2c5b698aecfe2
-
SHA512
83d765bbd9063b6adf60de66f3521efed51e1a2b717813c83a9af14e13f98cdcd6417110cedb13b6acf330c6b9b7a1ac98fa2975eafae11fe66b7b4f0594b99d
-
SSDEEP
3072:YSwx+4cmdjJpRSwsR2IVKT1Fhr1RhAo+ie0TZ:YhQ40YC0bhr1R6xie8Z
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlilqbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkefbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Penihe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdlipplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbhbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpicle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbiocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iakino32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnkglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqobnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgghac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epeoaffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndnmialh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehkcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Calcpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eppcmncq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahkpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Felajbpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhbkohm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgddam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Befmfpbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobgihgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eknmhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfekec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnjqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiecgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afffenbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaecod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oajndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aognbnkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbciaki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Palepb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfkloq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fadndbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iaegpaao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmipdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpjaodmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmgfqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfngll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jliaac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bknjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jedehaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emgkhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhfkihon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbmcibjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmccqbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbdham32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agbpnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeiheo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fleifl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kipmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkelpd32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1536 Pincfpoo.exe 2496 Plmpblnb.exe 3056 Plolgk32.exe 2972 Palepb32.exe 2180 Phfmllbd.exe 2872 Pejmfqan.exe 2688 Pldebkhj.exe 2432 Qgmfchei.exe 2140 Qhmcmk32.exe 1740 Anjlebjc.exe 1868 Agbpnh32.exe 380 Amohfo32.exe 1748 Afgmodel.exe 292 Aqmamm32.exe 2928 Afjjed32.exe 2280 Aobnniji.exe 2924 Aflfjc32.exe 2780 Akiobk32.exe 1668 Aodkci32.exe 1776 Bfncpcoc.exe 764 Bofgii32.exe 3068 Becpap32.exe 916 Bgblmk32.exe 1760 Boidnh32.exe 2640 Befmfpbi.exe 1712 Bammlq32.exe 2468 Behilopf.exe 2480 Bgffhkoj.exe 580 Bmcnqama.exe 2988 Cnckjddd.exe 3000 Ccpcckck.exe 2956 Cmhglq32.exe 2704 Cacclpae.exe 2440 Cpfdhl32.exe 316 Clmdmm32.exe 1812 Cfcijf32.exe 1260 Clpabm32.exe 1672 Cehfkb32.exe 1540 Cpmjhk32.exe 2900 Dobgihgp.exe 1836 Dhkkbmnp.exe 1192 Dkigoimd.exe 1136 Dhmhhmlm.exe 1336 Dklddhka.exe 612 Dphmloih.exe 2576 Dgbeiiqe.exe 2160 Diaaeepi.exe 1496 Dahifbpk.exe 2148 Ddfebnoo.exe 2056 Dmojkc32.exe 1040 Epmfgo32.exe 2612 Edibhmml.exe 2816 Eejopecj.exe 2824 Emagacdm.exe 2936 Eppcmncq.exe 2740 Egikjh32.exe 2732 Eelkeeah.exe 1792 Ehkhaqpk.exe 1804 Epbpbnan.exe 1708 Eoepnk32.exe 2752 Eacljf32.exe 3048 Ehmdgp32.exe 2672 Elipgofb.exe 1608 Eklqcl32.exe -
Loads dropped DLL 64 IoCs
pid Process 3032 46de9cbb4262359716d46e98a8d76ecf0e9a60638ef0f3aab3c2c5b698aecfe2.exe 3032 46de9cbb4262359716d46e98a8d76ecf0e9a60638ef0f3aab3c2c5b698aecfe2.exe 1536 Pincfpoo.exe 1536 Pincfpoo.exe 2496 Plmpblnb.exe 2496 Plmpblnb.exe 3056 Plolgk32.exe 3056 Plolgk32.exe 2972 Palepb32.exe 2972 Palepb32.exe 2180 Phfmllbd.exe 2180 Phfmllbd.exe 2872 Pejmfqan.exe 2872 Pejmfqan.exe 2688 Pldebkhj.exe 2688 Pldebkhj.exe 2432 Qgmfchei.exe 2432 Qgmfchei.exe 2140 Qhmcmk32.exe 2140 Qhmcmk32.exe 1740 Anjlebjc.exe 1740 Anjlebjc.exe 1868 Agbpnh32.exe 1868 Agbpnh32.exe 380 Amohfo32.exe 380 Amohfo32.exe 1748 Afgmodel.exe 1748 Afgmodel.exe 292 Aqmamm32.exe 292 Aqmamm32.exe 2928 Afjjed32.exe 2928 Afjjed32.exe 2280 Aobnniji.exe 2280 Aobnniji.exe 2924 Aflfjc32.exe 2924 Aflfjc32.exe 2780 Akiobk32.exe 2780 Akiobk32.exe 1668 Aodkci32.exe 1668 Aodkci32.exe 1776 Bfncpcoc.exe 1776 Bfncpcoc.exe 764 Bofgii32.exe 764 Bofgii32.exe 3068 Becpap32.exe 3068 Becpap32.exe 916 Bgblmk32.exe 916 Bgblmk32.exe 1760 Boidnh32.exe 1760 Boidnh32.exe 2640 Befmfpbi.exe 2640 Befmfpbi.exe 1712 Bammlq32.exe 1712 Bammlq32.exe 2468 Behilopf.exe 2468 Behilopf.exe 2480 Bgffhkoj.exe 2480 Bgffhkoj.exe 580 Bmcnqama.exe 580 Bmcnqama.exe 2988 Cnckjddd.exe 2988 Cnckjddd.exe 3000 Ccpcckck.exe 3000 Ccpcckck.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bjpaop32.exe Bfdenafn.exe File created C:\Windows\SysWOW64\Gmemln32.dll Hkdemk32.exe File opened for modification C:\Windows\SysWOW64\Ckmpkpbl.exe Cdchneko.exe File created C:\Windows\SysWOW64\Eomgdlji.dll Eldbkbop.exe File created C:\Windows\SysWOW64\Landhm32.dll Iokfjf32.exe File opened for modification C:\Windows\SysWOW64\Mlolnllf.exe Meecaa32.exe File created C:\Windows\SysWOW64\Cgkqcb32.dll Process not Found File created C:\Windows\SysWOW64\Dmmbge32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fplllkdc.exe Fmnopp32.exe File opened for modification C:\Windows\SysWOW64\Imbjcpnn.exe Ijcngenj.exe File created C:\Windows\SysWOW64\Hgfooe32.exe Hfebhmbm.exe File created C:\Windows\SysWOW64\Pbglpg32.exe Process not Found File created C:\Windows\SysWOW64\Mofapq32.dll Process not Found File created C:\Windows\SysWOW64\Jeecim32.dll Gdhkfd32.exe File created C:\Windows\SysWOW64\Ojmpooah.exe Odchbe32.exe File opened for modification C:\Windows\SysWOW64\Ipjdameg.exe Imlhebfc.exe File created C:\Windows\SysWOW64\Qlemhi32.dll Jcdadhjb.exe File opened for modification C:\Windows\SysWOW64\Dcemnopj.exe Process not Found File created C:\Windows\SysWOW64\Icblnd32.dll Nhgnaehm.exe File created C:\Windows\SysWOW64\Opqoge32.exe Oiffkkbk.exe File created C:\Windows\SysWOW64\Bfabnl32.exe Bogjaamh.exe File created C:\Windows\SysWOW64\Hpdjnn32.dll Jmdgipkk.exe File created C:\Windows\SysWOW64\Mgegfk32.exe Mainndaq.exe File created C:\Windows\SysWOW64\Nbpqmfmd.exe Ngjlpmnn.exe File created C:\Windows\SysWOW64\Llhmmh32.dll Qmenhe32.exe File created C:\Windows\SysWOW64\Ebfqfpop.exe Ephdjeol.exe File opened for modification C:\Windows\SysWOW64\Objaha32.exe Oplelf32.exe File created C:\Windows\SysWOW64\Akcomepg.exe Alqnah32.exe File created C:\Windows\SysWOW64\Mlbblc32.dll Ipjdameg.exe File opened for modification C:\Windows\SysWOW64\Jpajbl32.exe Jigbebhb.exe File created C:\Windows\SysWOW64\Lffkcfke.dll Omckoi32.exe File created C:\Windows\SysWOW64\Apoahgqd.dll Pmjaohol.exe File created C:\Windows\SysWOW64\Chpmbe32.dll Hclfag32.exe File opened for modification C:\Windows\SysWOW64\Fiebnjbg.exe Fejfmk32.exe File created C:\Windows\SysWOW64\Bgblmk32.exe Becpap32.exe File opened for modification C:\Windows\SysWOW64\Ehkhaqpk.exe Eelkeeah.exe File created C:\Windows\SysWOW64\Anljck32.exe Aknngo32.exe File opened for modification C:\Windows\SysWOW64\Pdhpdq32.exe Paiche32.exe File opened for modification C:\Windows\SysWOW64\Chlgid32.exe Cfnkmi32.exe File created C:\Windows\SysWOW64\Kijmkiop.dll Fobkfqpo.exe File created C:\Windows\SysWOW64\Figocipe.exe Fbngfo32.exe File created C:\Windows\SysWOW64\Amoaeb32.dll Jgmaog32.exe File opened for modification C:\Windows\SysWOW64\Boidnh32.exe Bgblmk32.exe File opened for modification C:\Windows\SysWOW64\Gdmdacnn.exe Gqahqd32.exe File opened for modification C:\Windows\SysWOW64\Cqdfehii.exe Cmhjdiap.exe File created C:\Windows\SysWOW64\Mghckj32.exe Mdigoo32.exe File opened for modification C:\Windows\SysWOW64\Mndhnd32.exe Mcodqkbi.exe File created C:\Windows\SysWOW64\Agkako32.exe Adleoc32.exe File created C:\Windows\SysWOW64\Bgehjlpm.dll Cofofolh.exe File created C:\Windows\SysWOW64\Afmbgd32.dll Ckmpkpbl.exe File opened for modification C:\Windows\SysWOW64\Lcofio32.exe Lhiakf32.exe File created C:\Windows\SysWOW64\Alqnah32.exe Afffenbp.exe File created C:\Windows\SysWOW64\Mbnocipg.exe Mkdffoij.exe File created C:\Windows\SysWOW64\Jdjjgb32.dll Mhjcec32.exe File created C:\Windows\SysWOW64\Bghgmd32.dll Ebnabb32.exe File opened for modification C:\Windows\SysWOW64\Ieibdnnp.exe Imbjcpnn.exe File opened for modification C:\Windows\SysWOW64\Libjncnc.exe Kdeaelok.exe File created C:\Windows\SysWOW64\Dghjkpck.exe Dcmnja32.exe File created C:\Windows\SysWOW64\Bnljlm32.dll Jlnklcej.exe File created C:\Windows\SysWOW64\Bkjdndjo.exe Bccmmf32.exe File created C:\Windows\SysWOW64\Ckmnbg32.exe Cebeem32.exe File created C:\Windows\SysWOW64\Icdcllpc.exe Iaegpaao.exe File created C:\Windows\SysWOW64\Bdhleh32.exe Bolcma32.exe File created C:\Windows\SysWOW64\Fehokjjf.dll Icdeee32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3984 2356 Process not Found 1210 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajehnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blinefnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepfnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfjjqhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibibfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjaeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhlqjone.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moeeelhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lolofd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpalp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojkco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlnklcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paaddgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijaaae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbjdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgimqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainkcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdafn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imahkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Japciodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmiag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfnjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimcjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alodeacc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdadhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egikjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldahkaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alageg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhebfck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhjamcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpikik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piliii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedehaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojmbgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdecoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljaigmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhglq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnaooi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkjnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmabjfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnlkgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpoolael.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdkjpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgblmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaegpaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnocipg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihjolae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpobefe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofilgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfkimhhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljnkodm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjobffl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heiebkoj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcgjmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kainfp32.dll" Aodkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bammlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmnnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqiqjlga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hljaigmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfdgopc.dll" Hfebhmbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eacljf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pldebkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpfdhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfenggg.dll" Nggggoda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glckihcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldbjdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhmofo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpmned32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdaehpn.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehmbkc.dll" Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Henjfpgi.dll" Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll" Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpaphegf.dll" Mnmbme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olqhfa32.dll" Pdecoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icdeee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qgmfchei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjoaognb.dll" Gnkoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnnimkom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olqdoelc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabcdq32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kocmim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgqocoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icfpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eogffk32.dll" Hfhfhbce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deeqch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpkpl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdeqfhjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eodicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbaonni.dll" Hadcipbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbnjifp.dll" Gockgdeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Loclai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kihpmnbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdmdacnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihbcmaje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpggei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll" Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccmpce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apkgpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akpkmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blinefnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmipdo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3032 wrote to memory of 1536 3032 46de9cbb4262359716d46e98a8d76ecf0e9a60638ef0f3aab3c2c5b698aecfe2.exe 30 PID 3032 wrote to memory of 1536 3032 46de9cbb4262359716d46e98a8d76ecf0e9a60638ef0f3aab3c2c5b698aecfe2.exe 30 PID 3032 wrote to memory of 1536 3032 46de9cbb4262359716d46e98a8d76ecf0e9a60638ef0f3aab3c2c5b698aecfe2.exe 30 PID 3032 wrote to memory of 1536 3032 46de9cbb4262359716d46e98a8d76ecf0e9a60638ef0f3aab3c2c5b698aecfe2.exe 30 PID 1536 wrote to memory of 2496 1536 Pincfpoo.exe 31 PID 1536 wrote to memory of 2496 1536 Pincfpoo.exe 31 PID 1536 wrote to memory of 2496 1536 Pincfpoo.exe 31 PID 1536 wrote to memory of 2496 1536 Pincfpoo.exe 31 PID 2496 wrote to memory of 3056 2496 Plmpblnb.exe 32 PID 2496 wrote to memory of 3056 2496 Plmpblnb.exe 32 PID 2496 wrote to memory of 3056 2496 Plmpblnb.exe 32 PID 2496 wrote to memory of 3056 2496 Plmpblnb.exe 32 PID 3056 wrote to memory of 2972 3056 Plolgk32.exe 33 PID 3056 wrote to memory of 2972 3056 Plolgk32.exe 33 PID 3056 wrote to memory of 2972 3056 Plolgk32.exe 33 PID 3056 wrote to memory of 2972 3056 Plolgk32.exe 33 PID 2972 wrote to memory of 2180 2972 Palepb32.exe 34 PID 2972 wrote to memory of 2180 2972 Palepb32.exe 34 PID 2972 wrote to memory of 2180 2972 Palepb32.exe 34 PID 2972 wrote to memory of 2180 2972 Palepb32.exe 34 PID 2180 wrote to memory of 2872 2180 Phfmllbd.exe 35 PID 2180 wrote to memory of 2872 2180 Phfmllbd.exe 35 PID 2180 wrote to memory of 2872 2180 Phfmllbd.exe 35 PID 2180 wrote to memory of 2872 2180 Phfmllbd.exe 35 PID 2872 wrote to memory of 2688 2872 Pejmfqan.exe 36 PID 2872 wrote to memory of 2688 2872 Pejmfqan.exe 36 PID 2872 wrote to memory of 2688 2872 Pejmfqan.exe 36 PID 2872 wrote to memory of 2688 2872 Pejmfqan.exe 36 PID 2688 wrote to memory of 2432 2688 Pldebkhj.exe 37 PID 2688 wrote to memory of 2432 2688 Pldebkhj.exe 37 PID 2688 wrote to memory of 2432 2688 Pldebkhj.exe 37 PID 2688 wrote to memory of 2432 2688 Pldebkhj.exe 37 PID 2432 wrote to memory of 2140 2432 Qgmfchei.exe 38 PID 2432 wrote to memory of 2140 2432 Qgmfchei.exe 38 PID 2432 wrote to memory of 2140 2432 Qgmfchei.exe 38 PID 2432 wrote to memory of 2140 2432 Qgmfchei.exe 38 PID 2140 wrote to memory of 1740 2140 Qhmcmk32.exe 39 PID 2140 wrote to memory of 1740 2140 Qhmcmk32.exe 39 PID 2140 wrote to memory of 1740 2140 Qhmcmk32.exe 39 PID 2140 wrote to memory of 1740 2140 Qhmcmk32.exe 39 PID 1740 wrote to memory of 1868 1740 Anjlebjc.exe 40 PID 1740 wrote to memory of 1868 1740 Anjlebjc.exe 40 PID 1740 wrote to memory of 1868 1740 Anjlebjc.exe 40 PID 1740 wrote to memory of 1868 1740 Anjlebjc.exe 40 PID 1868 wrote to memory of 380 1868 Agbpnh32.exe 41 PID 1868 wrote to memory of 380 1868 Agbpnh32.exe 41 PID 1868 wrote to memory of 380 1868 Agbpnh32.exe 41 PID 1868 wrote to memory of 380 1868 Agbpnh32.exe 41 PID 380 wrote to memory of 1748 380 Amohfo32.exe 42 PID 380 wrote to memory of 1748 380 Amohfo32.exe 42 PID 380 wrote to memory of 1748 380 Amohfo32.exe 42 PID 380 wrote to memory of 1748 380 Amohfo32.exe 42 PID 1748 wrote to memory of 292 1748 Afgmodel.exe 43 PID 1748 wrote to memory of 292 1748 Afgmodel.exe 43 PID 1748 wrote to memory of 292 1748 Afgmodel.exe 43 PID 1748 wrote to memory of 292 1748 Afgmodel.exe 43 PID 292 wrote to memory of 2928 292 Aqmamm32.exe 44 PID 292 wrote to memory of 2928 292 Aqmamm32.exe 44 PID 292 wrote to memory of 2928 292 Aqmamm32.exe 44 PID 292 wrote to memory of 2928 292 Aqmamm32.exe 44 PID 2928 wrote to memory of 2280 2928 Afjjed32.exe 45 PID 2928 wrote to memory of 2280 2928 Afjjed32.exe 45 PID 2928 wrote to memory of 2280 2928 Afjjed32.exe 45 PID 2928 wrote to memory of 2280 2928 Afjjed32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\46de9cbb4262359716d46e98a8d76ecf0e9a60638ef0f3aab3c2c5b698aecfe2.exe"C:\Users\Admin\AppData\Local\Temp\46de9cbb4262359716d46e98a8d76ecf0e9a60638ef0f3aab3c2c5b698aecfe2.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe34⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe36⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe37⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe38⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe39⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe40⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe42⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe43⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe44⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe45⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe46⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe47⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe48⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe49⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe50⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe51⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe52⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe53⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe54⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe55⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe59⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe60⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe61⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe63⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe64⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe65⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe66⤵PID:2132
-
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe67⤵
- System Location Discovery: System Language Discovery
PID:568 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1820 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe69⤵PID:1616
-
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe70⤵PID:2300
-
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe71⤵PID:640
-
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe72⤵PID:2968
-
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe73⤵PID:2804
-
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe74⤵PID:2884
-
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe75⤵PID:2352
-
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe76⤵PID:1120
-
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe77⤵PID:1400
-
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe78⤵
- System Location Discovery: System Language Discovery
PID:1384 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe79⤵PID:2912
-
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe80⤵PID:2236
-
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe81⤵PID:1704
-
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe82⤵PID:988
-
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe83⤵PID:2008
-
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe84⤵PID:1268
-
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe85⤵PID:2364
-
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe86⤵PID:1764
-
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe87⤵PID:1488
-
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe88⤵PID:2832
-
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe90⤵PID:2360
-
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe91⤵PID:2864
-
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe92⤵PID:2124
-
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe93⤵PID:804
-
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe94⤵
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe95⤵PID:2064
-
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe96⤵
- System Location Discovery: System Language Discovery
PID:1352 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe97⤵PID:2624
-
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe98⤵PID:352
-
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe99⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe100⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe101⤵PID:3040
-
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe102⤵PID:2768
-
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe103⤵PID:2488
-
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe104⤵PID:1092
-
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe105⤵PID:2020
-
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe106⤵PID:848
-
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe107⤵PID:3012
-
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe108⤵PID:3020
-
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe109⤵PID:1784
-
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe110⤵PID:2196
-
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe111⤵
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe112⤵PID:2060
-
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe113⤵PID:2628
-
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe114⤵PID:2800
-
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe115⤵PID:872
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe116⤵
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe117⤵PID:2728
-
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe118⤵PID:2004
-
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe119⤵
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe120⤵PID:2516
-
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe121⤵PID:2312
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-