Analysis
-
max time kernel
33s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/10/2024, 12:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594N.exe
-
Size
97KB
-
MD5
6e79947e8b804a5def7bda8c450c1f70
-
SHA1
105cc7efc12bb9bfe203655b656d56ffaa825bbe
-
SHA256
707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594
-
SHA512
ad9fbf9d1845e15518a5e43ed2c428ef78586dbeb18ae9b153483e65909fe6d488b4640be03593c5501923310afe114bb22dd9a8a3d7c1ba3bb8c086e5616305
-
SSDEEP
1536:rDbiX0HmJEHm+jztXc9KuRreT/5TXnmusqsb0bnzFvJXeYZ6:/bhAEHLztXcEu8Jmuzsb0bnZJXeK6
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdgkco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkpfmnlb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgphp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbhhdnlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdgkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnkmqkbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbqmhnbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjaimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leammn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklnff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibhndp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcbecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdpfadlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajala32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbhlek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjaelaok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdpldi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foojop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphmloih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgnadkic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqmjnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panaeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpphhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oococb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgmcmgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plijimee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbncfjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbeofpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gblkoham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkhdkgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbdhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibkkjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kghpoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dacpkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojabdlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckahkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihpfgalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nipdkieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nblpfepo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlhjhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejopecj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kglehp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbogfcjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfjoeeeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dinklffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hahnac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqipkhbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkplgnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfjggo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Comdkipe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofpoo32.exe -
Executes dropped EXE 64 IoCs
pid Process 2100 Jnhlbn32.exe 2316 Jpfhoi32.exe 2140 Jpfhoi32.exe 1840 Joihjfnl.exe 2816 Jcedkd32.exe 2748 Jpiedieo.exe 2804 Jajala32.exe 2604 Jjaimn32.exe 2292 Jblnaq32.exe 792 Jhffnk32.exe 2900 Kopokehd.exe 2328 Kfjggo32.exe 3000 Kkgopf32.exe 816 Knekla32.exe 1820 Kdpcikdi.exe 536 Kkileele.exe 484 Kbcdbp32.exe 1064 Kdbpnk32.exe 624 Kgpmjf32.exe 1372 Kklikejc.exe 912 Knjegqif.exe 1488 Kddmdk32.exe 600 Kcgmoggn.exe 968 Kjaelaok.exe 1428 Kqknil32.exe 2340 Kcijeg32.exe 2484 Ljcbaamh.exe 2772 Lqmjnk32.exe 1884 Lbogfcjc.exe 2780 Ljfogake.exe 2872 Lkgkoiqc.exe 2752 Lcncpfaf.exe 2664 Lbackc32.exe 2156 Lmfhil32.exe 732 Lkihdioa.exe 1116 Lpedeg32.exe 1984 Leammn32.exe 1252 Lklejh32.exe 2888 Lpgajgeg.exe 2472 Lbemfbdk.exe 2072 Llnaoh32.exe 2084 Lnlnlc32.exe 2052 Meffhnal.exe 1148 Mgebdipp.exe 1140 Mlpneh32.exe 1212 Mnojacgm.exe 2180 Mamgmofp.exe 568 Mhgoji32.exe 1684 Mfjoeeeh.exe 2016 Mnaggcej.exe 1864 Mapccndn.exe 1792 Mcnpojca.exe 2716 Mjhhld32.exe 2624 Mmfdhojb.exe 2592 Mabphn32.exe 644 Mdpldi32.exe 880 Mfoiqe32.exe 1852 Mjjdacik.exe 2884 Mlkail32.exe 316 Mpgmijgc.exe 2212 Mbeiefff.exe 2236 Medeaaej.exe 2568 Nmkncofl.exe 1632 Noljjglk.exe -
Loads dropped DLL 64 IoCs
pid Process 2500 707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594N.exe 2500 707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594N.exe 2100 Jnhlbn32.exe 2100 Jnhlbn32.exe 2316 Jpfhoi32.exe 2316 Jpfhoi32.exe 2140 Jpfhoi32.exe 2140 Jpfhoi32.exe 1840 Joihjfnl.exe 1840 Joihjfnl.exe 2816 Jcedkd32.exe 2816 Jcedkd32.exe 2748 Jpiedieo.exe 2748 Jpiedieo.exe 2804 Jajala32.exe 2804 Jajala32.exe 2604 Jjaimn32.exe 2604 Jjaimn32.exe 2292 Jblnaq32.exe 2292 Jblnaq32.exe 792 Jhffnk32.exe 792 Jhffnk32.exe 2900 Kopokehd.exe 2900 Kopokehd.exe 2328 Kfjggo32.exe 2328 Kfjggo32.exe 3000 Kkgopf32.exe 3000 Kkgopf32.exe 816 Knekla32.exe 816 Knekla32.exe 1820 Kdpcikdi.exe 1820 Kdpcikdi.exe 536 Kkileele.exe 536 Kkileele.exe 484 Kbcdbp32.exe 484 Kbcdbp32.exe 1064 Kdbpnk32.exe 1064 Kdbpnk32.exe 624 Kgpmjf32.exe 624 Kgpmjf32.exe 1372 Kklikejc.exe 1372 Kklikejc.exe 912 Knjegqif.exe 912 Knjegqif.exe 1488 Kddmdk32.exe 1488 Kddmdk32.exe 600 Kcgmoggn.exe 600 Kcgmoggn.exe 968 Kjaelaok.exe 968 Kjaelaok.exe 1428 Kqknil32.exe 1428 Kqknil32.exe 2340 Kcijeg32.exe 2340 Kcijeg32.exe 2484 Ljcbaamh.exe 2484 Ljcbaamh.exe 2772 Lqmjnk32.exe 2772 Lqmjnk32.exe 1884 Lbogfcjc.exe 1884 Lbogfcjc.exe 2780 Ljfogake.exe 2780 Ljfogake.exe 2872 Lkgkoiqc.exe 2872 Lkgkoiqc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Flnlpo32.dll Jaoqqflp.exe File opened for modification C:\Windows\SysWOW64\Kglehp32.exe Kdnild32.exe File created C:\Windows\SysWOW64\Cenljmgq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Akhfoldn.exe Aboaff32.exe File created C:\Windows\SysWOW64\Ilbnonio.dll Akhfoldn.exe File opened for modification C:\Windows\SysWOW64\Ddiibc32.exe Degiggjm.exe File created C:\Windows\SysWOW64\Hbiaemkk.exe Hpjeialg.exe File created C:\Windows\SysWOW64\Agacqb32.dll Hegnahjo.exe File created C:\Windows\SysWOW64\Cbdiia32.exe Process not Found File created C:\Windows\SysWOW64\Enfgfh32.exe Ekhkjm32.exe File created C:\Windows\SysWOW64\Imlmlm32.dll Nmejllia.exe File created C:\Windows\SysWOW64\Mdignc32.dll Aflfjc32.exe File opened for modification C:\Windows\SysWOW64\Jmfafgbd.exe Jikeeh32.exe File opened for modification C:\Windows\SysWOW64\Jnhlbn32.exe 707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594N.exe File created C:\Windows\SysWOW64\Ajfgpl32.dll Deollamj.exe File opened for modification C:\Windows\SysWOW64\Adifpk32.exe Aakjdo32.exe File created C:\Windows\SysWOW64\Ogdjhp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lnbdko32.exe Ljghjpfe.exe File created C:\Windows\SysWOW64\Lmljgj32.exe Ljnnko32.exe File opened for modification C:\Windows\SysWOW64\Cpfdhl32.exe Cmhglq32.exe File opened for modification C:\Windows\SysWOW64\Lldmleam.exe Lfkeokjp.exe File created C:\Windows\SysWOW64\Ddaafojo.dll Oidiekdn.exe File opened for modification C:\Windows\SysWOW64\Ijnbcmkk.exe Ihpfgalh.exe File opened for modification C:\Windows\SysWOW64\Ijehdl32.exe Ifjlcmmj.exe File opened for modification C:\Windows\SysWOW64\Pmmeon32.exe Pojecajj.exe File opened for modification C:\Windows\SysWOW64\Dchmkkkj.exe Domqjm32.exe File opened for modification C:\Windows\SysWOW64\Hipmmg32.exe Heealhla.exe File created C:\Windows\SysWOW64\Agngji32.dll Kpcqnf32.exe File opened for modification C:\Windows\SysWOW64\Dhmhhmlm.exe Deollamj.exe File opened for modification C:\Windows\SysWOW64\Hidcef32.exe Hjacjifm.exe File opened for modification C:\Windows\SysWOW64\Clojhf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fheabelm.exe Fffefjmi.exe File created C:\Windows\SysWOW64\Epphbb32.dll Khcomhbi.exe File created C:\Windows\SysWOW64\Hidcef32.exe Hjacjifm.exe File created C:\Windows\SysWOW64\Mgedmb32.exe Mcjhmcok.exe File opened for modification C:\Windows\SysWOW64\Aqbdkk32.exe Process not Found File created C:\Windows\SysWOW64\Kcjjof32.dll Elfcbo32.exe File created C:\Windows\SysWOW64\Iikifegp.exe Iflmjihl.exe File opened for modification C:\Windows\SysWOW64\Lfkeokjp.exe Lboiol32.exe File created C:\Windows\SysWOW64\Kgpmjf32.exe Kdbpnk32.exe File created C:\Windows\SysWOW64\Ammmql32.dll Olbchn32.exe File created C:\Windows\SysWOW64\Qifmdk32.dll Pahogc32.exe File created C:\Windows\SysWOW64\Opakbgif.dll Clgbno32.exe File created C:\Windows\SysWOW64\Ajqljc32.exe Agbpnh32.exe File opened for modification C:\Windows\SysWOW64\Khcomhbi.exe Kdhcli32.exe File created C:\Windows\SysWOW64\Nbngca32.dll Pjcmap32.exe File created C:\Windows\SysWOW64\Aobnniji.exe Amcbankf.exe File opened for modification C:\Windows\SysWOW64\Lpgajgeg.exe Lklejh32.exe File opened for modification C:\Windows\SysWOW64\Opifnm32.exe Oaffbqaa.exe File created C:\Windows\SysWOW64\Anciko32.dll Epecbd32.exe File created C:\Windows\SysWOW64\Nmnaak32.dll Klehgh32.exe File opened for modification C:\Windows\SysWOW64\Kfpifm32.exe Kbdmeoob.exe File created C:\Windows\SysWOW64\Lcpkhoab.dll Fdkklp32.exe File opened for modification C:\Windows\SysWOW64\Hnheohcl.exe Hkiicmdh.exe File created C:\Windows\SysWOW64\Cinafkkd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ipjahd32.exe Ilofhffj.exe File created C:\Windows\SysWOW64\Lbicoamh.exe Lcfbdd32.exe File created C:\Windows\SysWOW64\Qlomqkmp.dll Inhanl32.exe File created C:\Windows\SysWOW64\Femijbfb.dll Mgedmb32.exe File created C:\Windows\SysWOW64\Omnipjni.exe Omnipjni.exe File created C:\Windows\SysWOW64\Ciihklpj.exe Process not Found File created C:\Windows\SysWOW64\Labehg32.dll Mlkail32.exe File created C:\Windows\SysWOW64\Ellcac32.dll Gpabcbdb.exe File created C:\Windows\SysWOW64\Dmhgjdli.dll Hidcef32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10396 10348 Process not Found 1118 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okdmjdol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhcim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kklikejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baigca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geeemeif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkifdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciohqa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfofol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oococb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpedeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfccei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieigfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkiicmdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpcjnabn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daacecfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dllhhaep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piqpkpml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgkgeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghkdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffodjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjjag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joihjfnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjallg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpogbgmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklddhka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpfgalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofadnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcgmoggn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmcielb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bofgii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaheeecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkncofl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmifk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcdhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmoofdea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhcoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmbqegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpjeialg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpgeopa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copjdhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgigil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnkbpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offmipej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjoeeeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohfehdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffkoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqbln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdiondb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akabgebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlddkmc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boegfb32.dll" Namclbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cijcglcj.dll" Ckolek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljlmgnqj.dll" Llgjaeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qphcohgi.dll" Mmfdhojb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjkjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aapemc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfkkpmko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljghjpfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bajqfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlnklcej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdgmlhha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Namclbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caidaeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmaomdn.dll" Pkifdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pecgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkapd32.dll" Jajcdjca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkdhopfa.dll" Jbjpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhaomoi.dll" Lkjjma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pddnnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anahqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejmhkiig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agbpnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmhkmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfigpahm.dll" Dmhdkdlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkqnoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbamn32.dll" Jbhcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Decfggnn.dll" Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdlggg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgokokhf.dll" Pcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boidnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbdcgjh.dll" Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnafnopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmmgd32.dll" Mjjdacik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flqmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnfcel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hinqgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaohl32.dll" Gmpcgace.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jblnaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knekla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgffb32.dll" Kbcdbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjihalag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekndacia.dll" Aohdmdoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Micklk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Goiehm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidobe32.dll" Pdbdqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jliflphb.dll" Lkihdioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfglep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkqnoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elkmmodo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijclol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbhcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knekla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neqnqofm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjlmpfhg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2500 wrote to memory of 2100 2500 707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594N.exe 30 PID 2500 wrote to memory of 2100 2500 707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594N.exe 30 PID 2500 wrote to memory of 2100 2500 707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594N.exe 30 PID 2500 wrote to memory of 2100 2500 707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594N.exe 30 PID 2100 wrote to memory of 2316 2100 Jnhlbn32.exe 31 PID 2100 wrote to memory of 2316 2100 Jnhlbn32.exe 31 PID 2100 wrote to memory of 2316 2100 Jnhlbn32.exe 31 PID 2100 wrote to memory of 2316 2100 Jnhlbn32.exe 31 PID 2316 wrote to memory of 2140 2316 Jpfhoi32.exe 32 PID 2316 wrote to memory of 2140 2316 Jpfhoi32.exe 32 PID 2316 wrote to memory of 2140 2316 Jpfhoi32.exe 32 PID 2316 wrote to memory of 2140 2316 Jpfhoi32.exe 32 PID 2140 wrote to memory of 1840 2140 Jpfhoi32.exe 33 PID 2140 wrote to memory of 1840 2140 Jpfhoi32.exe 33 PID 2140 wrote to memory of 1840 2140 Jpfhoi32.exe 33 PID 2140 wrote to memory of 1840 2140 Jpfhoi32.exe 33 PID 1840 wrote to memory of 2816 1840 Joihjfnl.exe 34 PID 1840 wrote to memory of 2816 1840 Joihjfnl.exe 34 PID 1840 wrote to memory of 2816 1840 Joihjfnl.exe 34 PID 1840 wrote to memory of 2816 1840 Joihjfnl.exe 34 PID 2816 wrote to memory of 2748 2816 Jcedkd32.exe 35 PID 2816 wrote to memory of 2748 2816 Jcedkd32.exe 35 PID 2816 wrote to memory of 2748 2816 Jcedkd32.exe 35 PID 2816 wrote to memory of 2748 2816 Jcedkd32.exe 35 PID 2748 wrote to memory of 2804 2748 Jpiedieo.exe 36 PID 2748 wrote to memory of 2804 2748 Jpiedieo.exe 36 PID 2748 wrote to memory of 2804 2748 Jpiedieo.exe 36 PID 2748 wrote to memory of 2804 2748 Jpiedieo.exe 36 PID 2804 wrote to memory of 2604 2804 Jajala32.exe 37 PID 2804 wrote to memory of 2604 2804 Jajala32.exe 37 PID 2804 wrote to memory of 2604 2804 Jajala32.exe 37 PID 2804 wrote to memory of 2604 2804 Jajala32.exe 37 PID 2604 wrote to memory of 2292 2604 Jjaimn32.exe 38 PID 2604 wrote to memory of 2292 2604 Jjaimn32.exe 38 PID 2604 wrote to memory of 2292 2604 Jjaimn32.exe 38 PID 2604 wrote to memory of 2292 2604 Jjaimn32.exe 38 PID 2292 wrote to memory of 792 2292 Jblnaq32.exe 39 PID 2292 wrote to memory of 792 2292 Jblnaq32.exe 39 PID 2292 wrote to memory of 792 2292 Jblnaq32.exe 39 PID 2292 wrote to memory of 792 2292 Jblnaq32.exe 39 PID 792 wrote to memory of 2900 792 Jhffnk32.exe 40 PID 792 wrote to memory of 2900 792 Jhffnk32.exe 40 PID 792 wrote to memory of 2900 792 Jhffnk32.exe 40 PID 792 wrote to memory of 2900 792 Jhffnk32.exe 40 PID 2900 wrote to memory of 2328 2900 Kopokehd.exe 41 PID 2900 wrote to memory of 2328 2900 Kopokehd.exe 41 PID 2900 wrote to memory of 2328 2900 Kopokehd.exe 41 PID 2900 wrote to memory of 2328 2900 Kopokehd.exe 41 PID 2328 wrote to memory of 3000 2328 Kfjggo32.exe 42 PID 2328 wrote to memory of 3000 2328 Kfjggo32.exe 42 PID 2328 wrote to memory of 3000 2328 Kfjggo32.exe 42 PID 2328 wrote to memory of 3000 2328 Kfjggo32.exe 42 PID 3000 wrote to memory of 816 3000 Kkgopf32.exe 43 PID 3000 wrote to memory of 816 3000 Kkgopf32.exe 43 PID 3000 wrote to memory of 816 3000 Kkgopf32.exe 43 PID 3000 wrote to memory of 816 3000 Kkgopf32.exe 43 PID 816 wrote to memory of 1820 816 Knekla32.exe 44 PID 816 wrote to memory of 1820 816 Knekla32.exe 44 PID 816 wrote to memory of 1820 816 Knekla32.exe 44 PID 816 wrote to memory of 1820 816 Knekla32.exe 44 PID 1820 wrote to memory of 536 1820 Kdpcikdi.exe 45 PID 1820 wrote to memory of 536 1820 Kdpcikdi.exe 45 PID 1820 wrote to memory of 536 1820 Kdpcikdi.exe 45 PID 1820 wrote to memory of 536 1820 Kdpcikdi.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594N.exe"C:\Users\Admin\AppData\Local\Temp\707f27de317c34900a5d76230fe781be3ac2f12beda913cd3573b10b21edb594N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:484 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:624 -
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1372 -
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:600 -
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1884 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe33⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe34⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe35⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:732 -
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe40⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe41⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe42⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe43⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe44⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe45⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe46⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe47⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe48⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe49⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe51⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe52⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe53⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe54⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe56⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe58⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe61⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe62⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe63⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe65⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe66⤵PID:1564
-
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe68⤵PID:1752
-
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe69⤵PID:2012
-
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe70⤵PID:2300
-
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe71⤵
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe72⤵PID:2880
-
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe73⤵PID:2632
-
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe74⤵PID:1836
-
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe76⤵PID:2436
-
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe77⤵PID:2000
-
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe78⤵PID:2916
-
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:288 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe80⤵PID:2280
-
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe81⤵PID:2108
-
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe82⤵
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe83⤵PID:300
-
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe84⤵PID:1548
-
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe85⤵PID:2408
-
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe86⤵PID:888
-
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe87⤵PID:2548
-
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe88⤵PID:2852
-
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe90⤵PID:3016
-
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe91⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe92⤵PID:2764
-
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe93⤵PID:1300
-
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe94⤵PID:1272
-
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe96⤵PID:1376
-
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe97⤵PID:2960
-
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe98⤵PID:1760
-
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe99⤵PID:2164
-
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe100⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe101⤵PID:2616
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe102⤵PID:2700
-
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe103⤵PID:1664
-
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe104⤵PID:1932
-
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe105⤵PID:2904
-
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe106⤵PID:1292
-
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe107⤵PID:824
-
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe108⤵PID:1780
-
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:748 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe110⤵PID:2552
-
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe111⤵PID:2596
-
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe112⤵PID:2848
-
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe114⤵PID:2688
-
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe115⤵
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe116⤵PID:2524
-
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe117⤵PID:2572
-
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe118⤵
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe119⤵PID:1828
-
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe120⤵PID:2784
-
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe121⤵PID:2876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-