Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02/10/2024, 13:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe
-
Size
608KB
-
MD5
d51408eae85c76c1649211681cfe70e0
-
SHA1
94daa018b473c9e557d9aea292590fb9f5cc82ae
-
SHA256
6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11
-
SHA512
83c2875ca3a9259edd321eac5c578532458873615fe42a70c3207644357ee09ad8958f17fe07bc503eefdbe989f3e75a378ccf03f62ab58a83816d470408b234
-
SSDEEP
12288:yPaIksBLxy9m0kY660fIaDZkY660f8jTK/XhdAwlt01t:6aIksBLxIFgsaDZgQjGkwlg
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bogljj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmdpejgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njjieace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phklcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcqcoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dglpdomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkohjbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhleaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihdmld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfdfdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jofdll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfbinf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnfmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clkfjman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iocioq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncloha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlqgob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fappgflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lidilk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baqhapdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlchfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egflml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qchmll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Befnbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfdmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhnbklji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pildgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchjjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdoeipjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhkghqpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmoob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glijnmdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmhhae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llomhllh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjieace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fappgflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eidchjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkllnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabcbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iafofkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdpdnpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cddlpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajdcofop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djmknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kikokf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Befpkmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aonjpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjdpgnee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdljghj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogljj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjjkhhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baecehhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihkimag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naionh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Infjfblm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfhnofg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkfkopk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbmebgpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gplebjbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imcaijia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emfbgg32.exe -
Executes dropped EXE 64 IoCs
pid Process 2820 Ddhaie32.exe 2748 Dnpebj32.exe 2728 Ejdfqogm.exe 2684 Efppqoil.exe 2912 Emjhmipi.exe 1188 Gmidlmcd.exe 1512 Gmnngl32.exe 2084 Gmqkml32.exe 2984 Hdjoii32.exe 2956 Idmlniea.exe 2876 Idohdhbo.exe 1376 Igpaec32.exe 3052 Ifengpdh.exe 2312 Iifghk32.exe 2524 Jihdnk32.exe 932 Jaeehmko.exe 612 Jmocbnop.exe 1652 Kppldhla.exe 1736 Kngekdnf.exe 2452 Lfippfej.exe 2080 Laaabo32.exe 2268 Lpfnckhe.exe 1976 Mokkegmm.exe 1592 Miclhpjp.exe 2804 Mobaef32.exe 3008 Npfjbn32.exe 2112 Ncgcdi32.exe 1040 Nfglfdeb.exe 2636 Njeelc32.exe 2868 Njhbabif.exe 1816 Odflmp32.exe 916 Okbapi32.exe 2276 Pflbpg32.exe 2908 Pbglpg32.exe 2380 Qpniokan.exe 520 Qbobaf32.exe 1072 Qlggjlep.exe 3056 Ahngomkd.exe 480 Apilcoho.exe 2396 Aiaqle32.exe 3004 Ajamfh32.exe 1720 Aejnfe32.exe 2336 Abnopj32.exe 1324 Bhkghqpb.exe 2500 Bogljj32.exe 1616 Blkmdodf.exe 824 Bedamd32.exe 1676 Befnbd32.exe 2768 Cnabffeo.exe 2676 Cgjgol32.exe 1672 Ckhpejbf.exe 1516 Cdpdnpif.exe 2972 Cojeomee.exe 1476 Chbihc32.exe 2976 Cbjnqh32.exe 428 Dcjjkkji.exe 2132 Dlboca32.exe 1248 Dglpdomh.exe 1464 Dhklna32.exe 2432 Embkbdce.exe 808 Eikimeff.exe 1764 Fcichb32.exe 3016 Famcbf32.exe 2056 Fappgflg.exe -
Loads dropped DLL 64 IoCs
pid Process 2708 6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe 2708 6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe 2820 Ddhaie32.exe 2820 Ddhaie32.exe 2748 Dnpebj32.exe 2748 Dnpebj32.exe 2728 Ejdfqogm.exe 2728 Ejdfqogm.exe 2684 Efppqoil.exe 2684 Efppqoil.exe 2912 Emjhmipi.exe 2912 Emjhmipi.exe 1188 Gmidlmcd.exe 1188 Gmidlmcd.exe 1512 Gmnngl32.exe 1512 Gmnngl32.exe 2084 Gmqkml32.exe 2084 Gmqkml32.exe 2984 Hdjoii32.exe 2984 Hdjoii32.exe 2956 Idmlniea.exe 2956 Idmlniea.exe 2876 Idohdhbo.exe 2876 Idohdhbo.exe 1376 Igpaec32.exe 1376 Igpaec32.exe 3052 Ifengpdh.exe 3052 Ifengpdh.exe 2312 Iifghk32.exe 2312 Iifghk32.exe 2524 Jihdnk32.exe 2524 Jihdnk32.exe 932 Jaeehmko.exe 932 Jaeehmko.exe 612 Jmocbnop.exe 612 Jmocbnop.exe 1652 Kppldhla.exe 1652 Kppldhla.exe 1736 Kngekdnf.exe 1736 Kngekdnf.exe 2452 Lfippfej.exe 2452 Lfippfej.exe 2080 Laaabo32.exe 2080 Laaabo32.exe 2268 Lpfnckhe.exe 2268 Lpfnckhe.exe 1976 Mokkegmm.exe 1976 Mokkegmm.exe 1592 Miclhpjp.exe 1592 Miclhpjp.exe 2804 Mobaef32.exe 2804 Mobaef32.exe 3008 Npfjbn32.exe 3008 Npfjbn32.exe 2112 Ncgcdi32.exe 2112 Ncgcdi32.exe 1040 Nfglfdeb.exe 1040 Nfglfdeb.exe 2636 Njeelc32.exe 2636 Njeelc32.exe 2868 Njhbabif.exe 2868 Njhbabif.exe 1816 Odflmp32.exe 1816 Odflmp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mokkegmm.exe Lpfnckhe.exe File created C:\Windows\SysWOW64\Hhfdfc32.dll Lpfnckhe.exe File created C:\Windows\SysWOW64\Oellihpf.dll Qcjoci32.exe File created C:\Windows\SysWOW64\Innbde32.exe Ieppjclf.exe File created C:\Windows\SysWOW64\Infjfblm.exe Ienfml32.exe File created C:\Windows\SysWOW64\Acnkmfoc.dll Cdpdnpif.exe File created C:\Windows\SysWOW64\Bepjjn32.exe Biiiempl.exe File opened for modification C:\Windows\SysWOW64\Enmqjq32.exe Edelakoq.exe File opened for modification C:\Windows\SysWOW64\Jongag32.exe Iddfqi32.exe File created C:\Windows\SysWOW64\Jjkiijpa.dll Olnipn32.exe File created C:\Windows\SysWOW64\Hjbemm32.dll Npieoi32.exe File opened for modification C:\Windows\SysWOW64\Plffkc32.exe Pelnniga.exe File created C:\Windows\SysWOW64\Lfceqc32.dll Ceioieei.exe File opened for modification C:\Windows\SysWOW64\Cmimif32.exe Cmgpcg32.exe File opened for modification C:\Windows\SysWOW64\Gmidlmcd.exe Emjhmipi.exe File created C:\Windows\SysWOW64\Hhchpk32.dll Okbapi32.exe File created C:\Windows\SysWOW64\Ajamfh32.exe Aiaqle32.exe File created C:\Windows\SysWOW64\Mpnngi32.exe Mhcicf32.exe File opened for modification C:\Windows\SysWOW64\Dncdqcbl.exe Dlchfp32.exe File created C:\Windows\SysWOW64\Oinpjm32.dll Egflml32.exe File opened for modification C:\Windows\SysWOW64\Hcnfjpib.exe Gfhikl32.exe File created C:\Windows\SysWOW64\Kkomepon.exe Jjlqpp32.exe File created C:\Windows\SysWOW64\Iocioq32.exe Hnmcli32.exe File created C:\Windows\SysWOW64\Qlbnja32.exe Qcjjakip.exe File opened for modification C:\Windows\SysWOW64\Hafbghhj.exe Hpgfmeag.exe File created C:\Windows\SysWOW64\Cblaaajo.dll Kabngjla.exe File created C:\Windows\SysWOW64\Mdfolo32.dll Lhapocoi.exe File opened for modification C:\Windows\SysWOW64\Kikokf32.exe Kqokgd32.exe File opened for modification C:\Windows\SysWOW64\Edelakoq.exe Dcepgh32.exe File created C:\Windows\SysWOW64\Bjallnfe.dll Ceoooj32.exe File created C:\Windows\SysWOW64\Ibnoen32.dll Bjjakg32.exe File opened for modification C:\Windows\SysWOW64\Gdbchd32.exe Gaajfi32.exe File opened for modification C:\Windows\SysWOW64\Gipqpplq.exe Gphlgk32.exe File created C:\Windows\SysWOW64\Kkckblgq.exe Kfdfdf32.exe File created C:\Windows\SysWOW64\Ocfkaone.exe Ogpjmn32.exe File created C:\Windows\SysWOW64\Kpmpjm32.exe Kahciaog.exe File created C:\Windows\SysWOW64\Olnipn32.exe Obcgaill.exe File created C:\Windows\SysWOW64\Mchjjc32.exe Mqgahh32.exe File opened for modification C:\Windows\SysWOW64\Idmlniea.exe Hdjoii32.exe File opened for modification C:\Windows\SysWOW64\Nhhqfb32.exe Nkdpmn32.exe File created C:\Windows\SysWOW64\Agenobhd.dll Gfldno32.exe File opened for modification C:\Windows\SysWOW64\Khmnio32.exe Kpbiempj.exe File opened for modification C:\Windows\SysWOW64\Jihdnk32.exe Iifghk32.exe File created C:\Windows\SysWOW64\Kfacdqhf.exe Kmiolk32.exe File created C:\Windows\SysWOW64\Cfnmqjah.dll Kmhhae32.exe File opened for modification C:\Windows\SysWOW64\Ocqhcqgk.exe Olgpff32.exe File created C:\Windows\SysWOW64\Ijjebd32.exe Ihilqi32.exe File opened for modification C:\Windows\SysWOW64\Mglpjc32.exe Lndlamke.exe File opened for modification C:\Windows\SysWOW64\Hhfmbq32.exe Heedqe32.exe File created C:\Windows\SysWOW64\Pphklnhn.dll Hhfmbq32.exe File created C:\Windows\SysWOW64\Peiaij32.exe Oheppe32.exe File opened for modification C:\Windows\SysWOW64\Obcgaill.exe Ohncdp32.exe File created C:\Windows\SysWOW64\Oegflcbj.exe Ofpmegpe.exe File opened for modification C:\Windows\SysWOW64\Gjahfkfg.exe Gddpndhp.exe File created C:\Windows\SysWOW64\Iifghk32.exe Ifengpdh.exe File opened for modification C:\Windows\SysWOW64\Pipjpj32.exe Pamlel32.exe File opened for modification C:\Windows\SysWOW64\Jjgonf32.exe Jnpoie32.exe File opened for modification C:\Windows\SysWOW64\Njhbabif.exe Njeelc32.exe File opened for modification C:\Windows\SysWOW64\Ceickb32.exe Bmnofp32.exe File opened for modification C:\Windows\SysWOW64\Befpkmph.exe Bedcembk.exe File created C:\Windows\SysWOW64\Fcoolj32.exe Fclbgj32.exe File opened for modification C:\Windows\SysWOW64\Ceoooj32.exe Cihojiok.exe File created C:\Windows\SysWOW64\Naophfnm.dll Naihdb32.exe File opened for modification C:\Windows\SysWOW64\Qchmll32.exe Pgamgken.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3088 1064 WerFault.exe 551 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpidm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnqfgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adppdckh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceoagcld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelmbifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmhfpkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cappnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfippfej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adeiobgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoalpaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmaoomld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhggdcgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfagemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceickb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjgbbpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppldhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpdnpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joqdfghn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcghajkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjieace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbapi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjlep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlnjcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfldno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfhjmho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlbnja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fejjah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lidilk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nikkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbajme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kahciaog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qchmll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmpkal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcicf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlbaqfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipaklm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllakpdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehdnkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mglpjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phmiimlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdkhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abnopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcjoci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acohnhab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpidai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kokppd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaliaphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankedf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhhjcmpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqakim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchjjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafofkkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdaabk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddobpbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceoooj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfppfcmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhlgnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iifghk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Innbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcgaae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddpndhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndlamke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqgahh32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laaabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laoekk32.dll" Hafbghhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpeoakhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbnfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpjgdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqakim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieppjclf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbeemg32.dll" Ehlmnfeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imcaijia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idomll32.dll" Nmnoll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkomepon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljfckodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnpebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmnfa32.dll" Kghmhegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ialadj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbnfmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dggbgadf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Naihdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmnoll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oenmkngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdoaboij.dll" Eqopfbfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chagol32.dll" Cmgpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghqchi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkaljdaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdjpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgmofbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enbapf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enmqjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gplebjbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peiaij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpkmehol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmofjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phhonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkoidcaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baecehhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmfhjmho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmgop32.dll" Aodnfbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docappbm.dll" Hmheol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmqkml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Miaaki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejdaoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fclbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Injchoib.dll" Kfdfdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbco32.dll" Nkbcgnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbcnigl.dll" Hiabjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phklcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oolbcaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qckcdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ococgpfb.dll" Dlifcqfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhapocoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plffkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbokplfi.dll" Encchoml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqfeom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiabjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmmgbbeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Famcbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gipqpplq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dihkimag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gndebkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelgce32.dll" Jpnfdbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjqiok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehlkfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdggofgn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2708 wrote to memory of 2820 2708 6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe 30 PID 2708 wrote to memory of 2820 2708 6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe 30 PID 2708 wrote to memory of 2820 2708 6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe 30 PID 2708 wrote to memory of 2820 2708 6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe 30 PID 2820 wrote to memory of 2748 2820 Ddhaie32.exe 31 PID 2820 wrote to memory of 2748 2820 Ddhaie32.exe 31 PID 2820 wrote to memory of 2748 2820 Ddhaie32.exe 31 PID 2820 wrote to memory of 2748 2820 Ddhaie32.exe 31 PID 2748 wrote to memory of 2728 2748 Dnpebj32.exe 32 PID 2748 wrote to memory of 2728 2748 Dnpebj32.exe 32 PID 2748 wrote to memory of 2728 2748 Dnpebj32.exe 32 PID 2748 wrote to memory of 2728 2748 Dnpebj32.exe 32 PID 2728 wrote to memory of 2684 2728 Ejdfqogm.exe 33 PID 2728 wrote to memory of 2684 2728 Ejdfqogm.exe 33 PID 2728 wrote to memory of 2684 2728 Ejdfqogm.exe 33 PID 2728 wrote to memory of 2684 2728 Ejdfqogm.exe 33 PID 2684 wrote to memory of 2912 2684 Efppqoil.exe 34 PID 2684 wrote to memory of 2912 2684 Efppqoil.exe 34 PID 2684 wrote to memory of 2912 2684 Efppqoil.exe 34 PID 2684 wrote to memory of 2912 2684 Efppqoil.exe 34 PID 2912 wrote to memory of 1188 2912 Emjhmipi.exe 35 PID 2912 wrote to memory of 1188 2912 Emjhmipi.exe 35 PID 2912 wrote to memory of 1188 2912 Emjhmipi.exe 35 PID 2912 wrote to memory of 1188 2912 Emjhmipi.exe 35 PID 1188 wrote to memory of 1512 1188 Gmidlmcd.exe 36 PID 1188 wrote to memory of 1512 1188 Gmidlmcd.exe 36 PID 1188 wrote to memory of 1512 1188 Gmidlmcd.exe 36 PID 1188 wrote to memory of 1512 1188 Gmidlmcd.exe 36 PID 1512 wrote to memory of 2084 1512 Gmnngl32.exe 37 PID 1512 wrote to memory of 2084 1512 Gmnngl32.exe 37 PID 1512 wrote to memory of 2084 1512 Gmnngl32.exe 37 PID 1512 wrote to memory of 2084 1512 Gmnngl32.exe 37 PID 2084 wrote to memory of 2984 2084 Gmqkml32.exe 38 PID 2084 wrote to memory of 2984 2084 Gmqkml32.exe 38 PID 2084 wrote to memory of 2984 2084 Gmqkml32.exe 38 PID 2084 wrote to memory of 2984 2084 Gmqkml32.exe 38 PID 2984 wrote to memory of 2956 2984 Hdjoii32.exe 39 PID 2984 wrote to memory of 2956 2984 Hdjoii32.exe 39 PID 2984 wrote to memory of 2956 2984 Hdjoii32.exe 39 PID 2984 wrote to memory of 2956 2984 Hdjoii32.exe 39 PID 2956 wrote to memory of 2876 2956 Idmlniea.exe 40 PID 2956 wrote to memory of 2876 2956 Idmlniea.exe 40 PID 2956 wrote to memory of 2876 2956 Idmlniea.exe 40 PID 2956 wrote to memory of 2876 2956 Idmlniea.exe 40 PID 2876 wrote to memory of 1376 2876 Idohdhbo.exe 41 PID 2876 wrote to memory of 1376 2876 Idohdhbo.exe 41 PID 2876 wrote to memory of 1376 2876 Idohdhbo.exe 41 PID 2876 wrote to memory of 1376 2876 Idohdhbo.exe 41 PID 1376 wrote to memory of 3052 1376 Igpaec32.exe 42 PID 1376 wrote to memory of 3052 1376 Igpaec32.exe 42 PID 1376 wrote to memory of 3052 1376 Igpaec32.exe 42 PID 1376 wrote to memory of 3052 1376 Igpaec32.exe 42 PID 3052 wrote to memory of 2312 3052 Ifengpdh.exe 43 PID 3052 wrote to memory of 2312 3052 Ifengpdh.exe 43 PID 3052 wrote to memory of 2312 3052 Ifengpdh.exe 43 PID 3052 wrote to memory of 2312 3052 Ifengpdh.exe 43 PID 2312 wrote to memory of 2524 2312 Iifghk32.exe 44 PID 2312 wrote to memory of 2524 2312 Iifghk32.exe 44 PID 2312 wrote to memory of 2524 2312 Iifghk32.exe 44 PID 2312 wrote to memory of 2524 2312 Iifghk32.exe 44 PID 2524 wrote to memory of 932 2524 Jihdnk32.exe 45 PID 2524 wrote to memory of 932 2524 Jihdnk32.exe 45 PID 2524 wrote to memory of 932 2524 Jihdnk32.exe 45 PID 2524 wrote to memory of 932 2524 Jihdnk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe"C:\Users\Admin\AppData\Local\Temp\6eb70196c43bf0afb8307d6742aa255b47f033e0beddada6ab0cad4fa222de11N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Ddhaie32.exeC:\Windows\system32\Ddhaie32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Dnpebj32.exeC:\Windows\system32\Dnpebj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Ejdfqogm.exeC:\Windows\system32\Ejdfqogm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Efppqoil.exeC:\Windows\system32\Efppqoil.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Emjhmipi.exeC:\Windows\system32\Emjhmipi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Gmidlmcd.exeC:\Windows\system32\Gmidlmcd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Gmnngl32.exeC:\Windows\system32\Gmnngl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Gmqkml32.exeC:\Windows\system32\Gmqkml32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Hdjoii32.exeC:\Windows\system32\Hdjoii32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Idmlniea.exeC:\Windows\system32\Idmlniea.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Idohdhbo.exeC:\Windows\system32\Idohdhbo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Igpaec32.exeC:\Windows\system32\Igpaec32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Ifengpdh.exeC:\Windows\system32\Ifengpdh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Iifghk32.exeC:\Windows\system32\Iifghk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Jihdnk32.exeC:\Windows\system32\Jihdnk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Jaeehmko.exeC:\Windows\system32\Jaeehmko.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Jmocbnop.exeC:\Windows\system32\Jmocbnop.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Kngekdnf.exeC:\Windows\system32\Kngekdnf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Lfippfej.exeC:\Windows\system32\Lfippfej.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Lpfnckhe.exeC:\Windows\system32\Lpfnckhe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Miclhpjp.exeC:\Windows\system32\Miclhpjp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Mobaef32.exeC:\Windows\system32\Mobaef32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Npfjbn32.exeC:\Windows\system32\Npfjbn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Ncgcdi32.exeC:\Windows\system32\Ncgcdi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Nfglfdeb.exeC:\Windows\system32\Nfglfdeb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Njhbabif.exeC:\Windows\system32\Njhbabif.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Pflbpg32.exeC:\Windows\system32\Pflbpg32.exe34⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Pbglpg32.exeC:\Windows\system32\Pbglpg32.exe35⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Qpniokan.exeC:\Windows\system32\Qpniokan.exe36⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Qbobaf32.exeC:\Windows\system32\Qbobaf32.exe37⤵
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Qlggjlep.exeC:\Windows\system32\Qlggjlep.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Windows\SysWOW64\Ahngomkd.exeC:\Windows\system32\Ahngomkd.exe39⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Apilcoho.exeC:\Windows\system32\Apilcoho.exe40⤵
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\Aiaqle32.exeC:\Windows\system32\Aiaqle32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Ajamfh32.exeC:\Windows\system32\Ajamfh32.exe42⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Aejnfe32.exeC:\Windows\system32\Aejnfe32.exe43⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Abnopj32.exeC:\Windows\system32\Abnopj32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Bhkghqpb.exeC:\Windows\system32\Bhkghqpb.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Bogljj32.exeC:\Windows\system32\Bogljj32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Blkmdodf.exeC:\Windows\system32\Blkmdodf.exe47⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Bedamd32.exeC:\Windows\system32\Bedamd32.exe48⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Cnabffeo.exeC:\Windows\system32\Cnabffeo.exe50⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Cgjgol32.exeC:\Windows\system32\Cgjgol32.exe51⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Ckhpejbf.exeC:\Windows\system32\Ckhpejbf.exe52⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Cdpdnpif.exeC:\Windows\system32\Cdpdnpif.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\Cojeomee.exeC:\Windows\system32\Cojeomee.exe54⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Chbihc32.exeC:\Windows\system32\Chbihc32.exe55⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Cbjnqh32.exeC:\Windows\system32\Cbjnqh32.exe56⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Dcjjkkji.exeC:\Windows\system32\Dcjjkkji.exe57⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Dlboca32.exeC:\Windows\system32\Dlboca32.exe58⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Dglpdomh.exeC:\Windows\system32\Dglpdomh.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Dhklna32.exeC:\Windows\system32\Dhklna32.exe60⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe61⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Eikimeff.exeC:\Windows\system32\Eikimeff.exe62⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Fcichb32.exeC:\Windows\system32\Fcichb32.exe63⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Famcbf32.exeC:\Windows\system32\Famcbf32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe66⤵PID:1932
-
C:\Windows\SysWOW64\Gfoeel32.exeC:\Windows\system32\Gfoeel32.exe67⤵PID:1928
-
C:\Windows\SysWOW64\Gpgjnbnl.exeC:\Windows\system32\Gpgjnbnl.exe68⤵PID:1472
-
C:\Windows\SysWOW64\Gefolhja.exeC:\Windows\system32\Gefolhja.exe69⤵PID:2596
-
C:\Windows\SysWOW64\Gplcia32.exeC:\Windows\system32\Gplcia32.exe70⤵PID:2368
-
C:\Windows\SysWOW64\Gidhbgag.exeC:\Windows\system32\Gidhbgag.exe71⤵PID:2660
-
C:\Windows\SysWOW64\Hocmpm32.exeC:\Windows\system32\Hocmpm32.exe72⤵PID:2604
-
C:\Windows\SysWOW64\Hpgfmeag.exeC:\Windows\system32\Hpgfmeag.exe73⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe74⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Hnmcli32.exeC:\Windows\system32\Hnmcli32.exe75⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Iocioq32.exeC:\Windows\system32\Iocioq32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:832 -
C:\Windows\SysWOW64\Icabeo32.exeC:\Windows\system32\Icabeo32.exe77⤵PID:2032
-
C:\Windows\SysWOW64\Iafofkkf.exeC:\Windows\system32\Iafofkkf.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Iojopp32.exeC:\Windows\system32\Iojopp32.exe79⤵PID:2160
-
C:\Windows\SysWOW64\Jqnhmgmk.exeC:\Windows\system32\Jqnhmgmk.exe80⤵PID:2428
-
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe81⤵PID:1184
-
C:\Windows\SysWOW64\Jfagemej.exeC:\Windows\system32\Jfagemej.exe82⤵
- System Location Discovery: System Language Discovery
PID:1208 -
C:\Windows\SysWOW64\Knohpo32.exeC:\Windows\system32\Knohpo32.exe83⤵PID:1832
-
C:\Windows\SysWOW64\Kghmhegc.exeC:\Windows\system32\Kghmhegc.exe84⤵
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Kelmbifm.exeC:\Windows\system32\Kelmbifm.exe85⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Kabngjla.exeC:\Windows\system32\Kabngjla.exe86⤵
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Kmiolk32.exeC:\Windows\system32\Kmiolk32.exe87⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Kfacdqhf.exeC:\Windows\system32\Kfacdqhf.exe88⤵PID:2088
-
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Lmnhgjmp.exeC:\Windows\system32\Lmnhgjmp.exe90⤵PID:2920
-
C:\Windows\SysWOW64\Lidilk32.exeC:\Windows\system32\Lidilk32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:468 -
C:\Windows\SysWOW64\Lmbabj32.exeC:\Windows\system32\Lmbabj32.exe92⤵PID:1804
-
C:\Windows\SysWOW64\Lfkfkopk.exeC:\Windows\system32\Lfkfkopk.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:848 -
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe94⤵PID:1432
-
C:\Windows\SysWOW64\Lbagpp32.exeC:\Windows\system32\Lbagpp32.exe95⤵PID:1784
-
C:\Windows\SysWOW64\Lljkif32.exeC:\Windows\system32\Lljkif32.exe96⤵PID:1132
-
C:\Windows\SysWOW64\Mkohjbah.exeC:\Windows\system32\Mkohjbah.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1568 -
C:\Windows\SysWOW64\Mhcicf32.exeC:\Windows\system32\Mhcicf32.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Mpnngi32.exeC:\Windows\system32\Mpnngi32.exe99⤵PID:1576
-
C:\Windows\SysWOW64\Mheeif32.exeC:\Windows\system32\Mheeif32.exe100⤵PID:2788
-
C:\Windows\SysWOW64\Mcofid32.exeC:\Windows\system32\Mcofid32.exe101⤵PID:1524
-
C:\Windows\SysWOW64\Mgmoob32.exeC:\Windows\system32\Mgmoob32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1580 -
C:\Windows\SysWOW64\Nikkkn32.exeC:\Windows\system32\Nikkkn32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Ogohdeam.exeC:\Windows\system32\Ogohdeam.exe104⤵PID:2624
-
C:\Windows\SysWOW64\Oqgmmk32.exeC:\Windows\system32\Oqgmmk32.exe105⤵PID:1992
-
C:\Windows\SysWOW64\Ochenfdn.exeC:\Windows\system32\Ochenfdn.exe106⤵PID:572
-
C:\Windows\SysWOW64\Ohengmcf.exeC:\Windows\system32\Ohengmcf.exe107⤵PID:2008
-
C:\Windows\SysWOW64\Obnbpb32.exeC:\Windows\system32\Obnbpb32.exe108⤵PID:2936
-
C:\Windows\SysWOW64\Pdnkanfg.exeC:\Windows\system32\Pdnkanfg.exe109⤵PID:2104
-
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe110⤵PID:2480
-
C:\Windows\SysWOW64\Pildgl32.exeC:\Windows\system32\Pildgl32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:780 -
C:\Windows\SysWOW64\Pnimpcke.exeC:\Windows\system32\Pnimpcke.exe112⤵PID:760
-
C:\Windows\SysWOW64\Pgaahh32.exeC:\Windows\system32\Pgaahh32.exe113⤵PID:1864
-
C:\Windows\SysWOW64\Pchbmigj.exeC:\Windows\system32\Pchbmigj.exe114⤵PID:2860
-
C:\Windows\SysWOW64\Qcjoci32.exeC:\Windows\system32\Qcjoci32.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Qmcclolh.exeC:\Windows\system32\Qmcclolh.exe116⤵PID:1796
-
C:\Windows\SysWOW64\Qfkgdd32.exeC:\Windows\system32\Qfkgdd32.exe117⤵PID:1740
-
C:\Windows\SysWOW64\Acohnhab.exeC:\Windows\system32\Acohnhab.exe118⤵
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\Ailqfooi.exeC:\Windows\system32\Ailqfooi.exe119⤵PID:1120
-
C:\Windows\SysWOW64\Apfici32.exeC:\Windows\system32\Apfici32.exe120⤵PID:2232
-
C:\Windows\SysWOW64\Ainmlomf.exeC:\Windows\system32\Ainmlomf.exe121⤵PID:1888
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-