Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-10-2024 05:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4ac8bb4cfa5be1ec05935c4376dc17961e968f7c01d63095c2b6cd708ae53a67N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
4ac8bb4cfa5be1ec05935c4376dc17961e968f7c01d63095c2b6cd708ae53a67N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
4ac8bb4cfa5be1ec05935c4376dc17961e968f7c01d63095c2b6cd708ae53a67N.exe
-
Size
192KB
-
MD5
fbb5f4e783e10f01bba3999e182538e0
-
SHA1
db24760e79a44d290f8a64a976e0ad743ebf5361
-
SHA256
4ac8bb4cfa5be1ec05935c4376dc17961e968f7c01d63095c2b6cd708ae53a67
-
SHA512
ec0ef98360116e1587c7bcf2725ee0e9eab211d95b7c53aa7e783a39b5273e6797984870e8f61682098f5c9b40d7959208eff17e26c5ab10c8c49b9b9c671f55
-
SSDEEP
3072:xig/Q11hbr4Pxbj0dQBw1YsyjQmZNARA1+H:RW1hbrQRY7YsRm1m
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhhfedil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efmmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmqgpgoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhjmdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifmmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 4ac8bb4cfa5be1ec05935c4376dc17961e968f7c01d63095c2b6cd708ae53a67N.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkgkapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjmoag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemqih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leenhhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhdckaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coadnlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caghhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njinmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpmhdmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkofdbkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajndioga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbcfhibj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dakikoom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kijchhbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcclld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjbfklei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aajohjon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoadlfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lankbigo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmechmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpfepf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgnbdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnnbqnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hglaej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqgmmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfjnjcni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnfjbdmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igbalblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knooej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdkoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcbohigp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qadoba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcclld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efafgifc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mohidbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nognnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebejfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llmhaold.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbhmbdle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igedlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akepfpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpegkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Podmkm32.exe -
Executes dropped EXE 64 IoCs
pid Process 2260 Ohqbhdpj.exe 2136 Pgbbek32.exe 1100 Ploknb32.exe 816 Pomgjn32.exe 2672 Pfgogh32.exe 3888 Plagcbdn.exe 4748 Poodpmca.exe 4516 Pjehmfch.exe 4720 Ppopjp32.exe 3584 Pflibgil.exe 1780 Phjenbhp.exe 3148 Podmkm32.exe 2036 Pfnegggi.exe 2708 Plhnda32.exe 1236 Qgnbaj32.exe 784 Qjlnnemp.exe 4460 Qcdbfk32.exe 2460 Qjnkcekm.exe 392 Qlmgopjq.exe 3012 Acgolj32.exe 1772 Ahchda32.exe 3788 Aompak32.exe 1000 Agdhbi32.exe 4908 Afghneoo.exe 3816 Amaqjp32.exe 4840 Aggegh32.exe 4968 Amcmpodi.exe 4824 Aflaie32.exe 3416 Amfjeobf.exe 4912 Acpbbi32.exe 1756 Amhfkopc.exe 4844 Bcbohigp.exe 4144 Bmkcqn32.exe 4200 Bgpgng32.exe 3408 Biadeoce.exe 676 Bcghch32.exe 972 Bjaqpbkh.exe 1056 Bciehh32.exe 460 Bfhadc32.exe 3636 Bmbiamhi.exe 1996 Bppfmigl.exe 3864 Bfjnjcni.exe 2908 Bihjfnmm.exe 4152 Ccnncgmc.exe 3364 Cikglnkj.exe 2216 Ccqkigkp.exe 1204 Cimcan32.exe 2352 Ccchof32.exe 216 Caghhk32.exe 4384 Cgqqdeod.exe 696 Ccgajfeh.exe 1548 Cidjbmcp.exe 2844 Dgejpd32.exe 3844 Dannij32.exe 4620 Dhhfedil.exe 4608 Dfjgaq32.exe 1692 Diicml32.exe 2348 Dpckjfgg.exe 4280 Dikpbl32.exe 3764 Dabhdinj.exe 1456 Dhlpqc32.exe 1544 Djklmo32.exe 316 Dpgeee32.exe 1568 Dhomfc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fgcjfbed.exe Fajbjh32.exe File created C:\Windows\SysWOW64\Ccdihbgg.exe Process not Found File created C:\Windows\SysWOW64\Alcfei32.exe Ajdjin32.exe File created C:\Windows\SysWOW64\Pjdhhc32.dll Pefabkej.exe File created C:\Windows\SysWOW64\Aamebb32.dll Ckjknfnh.exe File opened for modification C:\Windows\SysWOW64\Pnmopk32.exe Pffgom32.exe File opened for modification C:\Windows\SysWOW64\Dhgonidg.exe Dnajppda.exe File created C:\Windows\SysWOW64\Geanfelc.exe Gaebef32.exe File created C:\Windows\SysWOW64\Cfcjfk32.exe Ccdnjp32.exe File opened for modification C:\Windows\SysWOW64\Imkbnf32.exe Igajal32.exe File opened for modification C:\Windows\SysWOW64\Kpcjgnhb.exe Knenkbio.exe File created C:\Windows\SysWOW64\Gejopl32.exe Glbjggof.exe File opened for modification C:\Windows\SysWOW64\Mogcihaj.exe Mnegbp32.exe File created C:\Windows\SysWOW64\Gfkcaoef.dll Nqpcjj32.exe File created C:\Windows\SysWOW64\Cponen32.exe Cnaaib32.exe File opened for modification C:\Windows\SysWOW64\Egohdegl.exe Edplhjhi.exe File created C:\Windows\SysWOW64\Leckbi32.dll Qlmgopjq.exe File created C:\Windows\SysWOW64\Ncndec32.dll Pcmeke32.exe File created C:\Windows\SysWOW64\Dgeofeib.dll Onnmdcjm.exe File opened for modification C:\Windows\SysWOW64\Afcmfe32.exe Process not Found File created C:\Windows\SysWOW64\Jebiel32.dll Nnfgcd32.exe File created C:\Windows\SysWOW64\Cpabibmg.dll Hlbcnd32.exe File created C:\Windows\SysWOW64\Dckahb32.dll Komhll32.exe File created C:\Windows\SysWOW64\Lhdbgapf.dll Pmiikh32.exe File created C:\Windows\SysWOW64\Hlppno32.exe Hbgkei32.exe File created C:\Windows\SysWOW64\Biadeoce.exe Bgpgng32.exe File created C:\Windows\SysWOW64\Omlokmha.dll Fdhcgaic.exe File opened for modification C:\Windows\SysWOW64\Leenhhdn.exe Knkekn32.exe File opened for modification C:\Windows\SysWOW64\Oblhcj32.exe Oonlfo32.exe File created C:\Windows\SysWOW64\Elekoe32.dll Process not Found File created C:\Windows\SysWOW64\Jaajhb32.exe Jldbpl32.exe File created C:\Windows\SysWOW64\Cicdai32.dll Jnpfop32.exe File created C:\Windows\SysWOW64\Nhmhbpmi.dll Ikkpgafg.exe File created C:\Windows\SysWOW64\Fkmjaa32.exe Fecadghc.exe File opened for modification C:\Windows\SysWOW64\Nodiqp32.exe Nmfmde32.exe File created C:\Windows\SysWOW64\Lgffic32.exe Lalnmiia.exe File opened for modification C:\Windows\SysWOW64\Ncabfkqo.exe Nabfjpak.exe File created C:\Windows\SysWOW64\Qdbdcg32.exe Qlgpod32.exe File created C:\Windows\SysWOW64\Jgnqgqan.exe Jdodkebj.exe File opened for modification C:\Windows\SysWOW64\Kgipcogp.exe Kdkdgchl.exe File opened for modification C:\Windows\SysWOW64\Dbbffdlq.exe Dodjjimm.exe File created C:\Windows\SysWOW64\Nqpcjj32.exe Njfkmphe.exe File created C:\Windows\SysWOW64\Ekonpckp.exe Edeeci32.exe File created C:\Windows\SysWOW64\Knflpoqf.exe Kgmcce32.exe File created C:\Windows\SysWOW64\Blhdmebn.dll Kageaj32.exe File created C:\Windows\SysWOW64\Lldopb32.exe Lieccf32.exe File created C:\Windows\SysWOW64\Ncpgam32.dll Llmhaold.exe File created C:\Windows\SysWOW64\Pjehmfch.exe Poodpmca.exe File created C:\Windows\SysWOW64\Dpabql32.dll Hnodaecc.exe File created C:\Windows\SysWOW64\Nlbdlk32.dll Aodogdmn.exe File opened for modification C:\Windows\SysWOW64\Jpcapp32.exe Jlgepanl.exe File created C:\Windows\SysWOW64\Eehmok32.dll Qaqegecm.exe File created C:\Windows\SysWOW64\Ciipkkdj.dll Bhblllfo.exe File created C:\Windows\SysWOW64\Jlkidpke.dll Chfegk32.exe File created C:\Windows\SysWOW64\Jojdlfeo.exe Jhplpl32.exe File created C:\Windows\SysWOW64\Bcbohigp.exe Amhfkopc.exe File created C:\Windows\SysWOW64\Ijfnmc32.exe Iggaah32.exe File opened for modification C:\Windows\SysWOW64\Bkmmaeap.exe Bhoqeibl.exe File created C:\Windows\SysWOW64\Kocgbend.exe Klekfinp.exe File opened for modification C:\Windows\SysWOW64\Aaohcj32.exe Akepfpcl.exe File opened for modification C:\Windows\SysWOW64\Dmlkhofd.exe Chqogq32.exe File created C:\Windows\SysWOW64\Idknpoad.dll Ihpcinld.exe File created C:\Windows\SysWOW64\Iaidib32.dll Ojhiogdd.exe File created C:\Windows\SysWOW64\Apmpkall.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 6176 7080 Process not Found 1179 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmmjbkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajohjon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coohhlpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmgelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhghcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocaebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klggli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfhad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebifmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbenoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iajdgcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hammhcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pekbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblcnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdjeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocjoadei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgejpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfnaicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boldhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcjfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmmni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lflbkcll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoioli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omfekbdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbnkonbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpcliao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnncgmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidjbmcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngegmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamjda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkegpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbnjdfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmennnni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocgbend.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkqfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojfcdnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflibgil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaqdegaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkofdbkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemmac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogopi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhegig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hglaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cimmggfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejopl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekajec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklphekp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndham32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkafmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqeioiam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijekg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dikihe32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhapb32.dll" Nhegig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edemkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pffgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocdnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njedbjej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njjmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkmmaeap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igfclkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejahqlpp.dll" Acpbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhmmjbkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbdoof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Malpia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcokoohi.dll" Npbceggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll" Palklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcpgejf.dll" Hgelek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll" Llnnmhfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ememkjeq.dll" Knooej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmcnoekk.dll" Impliekg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jngbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll" Bnlhncgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opbean32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpckjfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdnoplhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njiegl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejalcgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjhee32.dll" Nclikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbiemdb.dll" Nnkpnclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coadnlnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjcdn32.dll" Fdkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkofdbkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iafkld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdcghbo.dll" Jgmjmjnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgkfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll" Bknlbhhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggmmlamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfof32.dll" Ihkjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiobodkp.dll" Amcmpodi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alkijdci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micfao32.dll" Kndojobi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecgdnkl.dll" Bmabggdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nceefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llqjbhdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjddk32.dll" Efmmmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnhghcki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll" Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdmmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhaggp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpcmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faaigehd.dll" Mblcnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpfepf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqkqhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll" Lcimdh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2428 wrote to memory of 2260 2428 4ac8bb4cfa5be1ec05935c4376dc17961e968f7c01d63095c2b6cd708ae53a67N.exe 82 PID 2428 wrote to memory of 2260 2428 4ac8bb4cfa5be1ec05935c4376dc17961e968f7c01d63095c2b6cd708ae53a67N.exe 82 PID 2428 wrote to memory of 2260 2428 4ac8bb4cfa5be1ec05935c4376dc17961e968f7c01d63095c2b6cd708ae53a67N.exe 82 PID 2260 wrote to memory of 2136 2260 Ohqbhdpj.exe 83 PID 2260 wrote to memory of 2136 2260 Ohqbhdpj.exe 83 PID 2260 wrote to memory of 2136 2260 Ohqbhdpj.exe 83 PID 2136 wrote to memory of 1100 2136 Pgbbek32.exe 84 PID 2136 wrote to memory of 1100 2136 Pgbbek32.exe 84 PID 2136 wrote to memory of 1100 2136 Pgbbek32.exe 84 PID 1100 wrote to memory of 816 1100 Ploknb32.exe 85 PID 1100 wrote to memory of 816 1100 Ploknb32.exe 85 PID 1100 wrote to memory of 816 1100 Ploknb32.exe 85 PID 816 wrote to memory of 2672 816 Pomgjn32.exe 86 PID 816 wrote to memory of 2672 816 Pomgjn32.exe 86 PID 816 wrote to memory of 2672 816 Pomgjn32.exe 86 PID 2672 wrote to memory of 3888 2672 Pfgogh32.exe 87 PID 2672 wrote to memory of 3888 2672 Pfgogh32.exe 87 PID 2672 wrote to memory of 3888 2672 Pfgogh32.exe 87 PID 3888 wrote to memory of 4748 3888 Plagcbdn.exe 88 PID 3888 wrote to memory of 4748 3888 Plagcbdn.exe 88 PID 3888 wrote to memory of 4748 3888 Plagcbdn.exe 88 PID 4748 wrote to memory of 4516 4748 Poodpmca.exe 89 PID 4748 wrote to memory of 4516 4748 Poodpmca.exe 89 PID 4748 wrote to memory of 4516 4748 Poodpmca.exe 89 PID 4516 wrote to memory of 4720 4516 Pjehmfch.exe 90 PID 4516 wrote to memory of 4720 4516 Pjehmfch.exe 90 PID 4516 wrote to memory of 4720 4516 Pjehmfch.exe 90 PID 4720 wrote to memory of 3584 4720 Ppopjp32.exe 91 PID 4720 wrote to memory of 3584 4720 Ppopjp32.exe 91 PID 4720 wrote to memory of 3584 4720 Ppopjp32.exe 91 PID 3584 wrote to memory of 1780 3584 Pflibgil.exe 92 PID 3584 wrote to memory of 1780 3584 Pflibgil.exe 92 PID 3584 wrote to memory of 1780 3584 Pflibgil.exe 92 PID 1780 wrote to memory of 3148 1780 Phjenbhp.exe 93 PID 1780 wrote to memory of 3148 1780 Phjenbhp.exe 93 PID 1780 wrote to memory of 3148 1780 Phjenbhp.exe 93 PID 3148 wrote to memory of 2036 3148 Podmkm32.exe 94 PID 3148 wrote to memory of 2036 3148 Podmkm32.exe 94 PID 3148 wrote to memory of 2036 3148 Podmkm32.exe 94 PID 2036 wrote to memory of 2708 2036 Pfnegggi.exe 95 PID 2036 wrote to memory of 2708 2036 Pfnegggi.exe 95 PID 2036 wrote to memory of 2708 2036 Pfnegggi.exe 95 PID 2708 wrote to memory of 1236 2708 Plhnda32.exe 96 PID 2708 wrote to memory of 1236 2708 Plhnda32.exe 96 PID 2708 wrote to memory of 1236 2708 Plhnda32.exe 96 PID 1236 wrote to memory of 784 1236 Qgnbaj32.exe 97 PID 1236 wrote to memory of 784 1236 Qgnbaj32.exe 97 PID 1236 wrote to memory of 784 1236 Qgnbaj32.exe 97 PID 784 wrote to memory of 4460 784 Qjlnnemp.exe 98 PID 784 wrote to memory of 4460 784 Qjlnnemp.exe 98 PID 784 wrote to memory of 4460 784 Qjlnnemp.exe 98 PID 4460 wrote to memory of 2460 4460 Qcdbfk32.exe 99 PID 4460 wrote to memory of 2460 4460 Qcdbfk32.exe 99 PID 4460 wrote to memory of 2460 4460 Qcdbfk32.exe 99 PID 2460 wrote to memory of 392 2460 Qjnkcekm.exe 100 PID 2460 wrote to memory of 392 2460 Qjnkcekm.exe 100 PID 2460 wrote to memory of 392 2460 Qjnkcekm.exe 100 PID 392 wrote to memory of 3012 392 Qlmgopjq.exe 101 PID 392 wrote to memory of 3012 392 Qlmgopjq.exe 101 PID 392 wrote to memory of 3012 392 Qlmgopjq.exe 101 PID 3012 wrote to memory of 1772 3012 Acgolj32.exe 102 PID 3012 wrote to memory of 1772 3012 Acgolj32.exe 102 PID 3012 wrote to memory of 1772 3012 Acgolj32.exe 102 PID 1772 wrote to memory of 3788 1772 Ahchda32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ac8bb4cfa5be1ec05935c4376dc17961e968f7c01d63095c2b6cd708ae53a67N.exe"C:\Users\Admin\AppData\Local\Temp\4ac8bb4cfa5be1ec05935c4376dc17961e968f7c01d63095c2b6cd708ae53a67N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe23⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe24⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe25⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe26⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe27⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4968 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe29⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe30⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe34⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4200 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe36⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe37⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe38⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe39⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe40⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe41⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe42⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe44⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4152 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe46⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe47⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe48⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe49⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe51⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe52⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe55⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe57⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe58⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe60⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe61⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe62⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe63⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe64⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe65⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe66⤵PID:4744
-
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe67⤵PID:748
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe68⤵
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe69⤵PID:4764
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe70⤵PID:5096
-
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe71⤵PID:4428
-
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe72⤵PID:2188
-
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe73⤵PID:4548
-
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe74⤵PID:1800
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe75⤵PID:3384
-
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe76⤵PID:3660
-
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe77⤵PID:3956
-
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe78⤵
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe79⤵PID:1472
-
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3440 -
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe81⤵PID:628
-
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe82⤵PID:3228
-
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe83⤵PID:4520
-
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe84⤵PID:1916
-
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe85⤵PID:1644
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe86⤵PID:4160
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe87⤵PID:4604
-
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe88⤵PID:788
-
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe89⤵
- Drops file in System32 directory
PID:3648 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe90⤵PID:3280
-
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3932 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe93⤵PID:4928
-
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe94⤵PID:4092
-
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe95⤵PID:4260
-
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe96⤵PID:1332
-
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe97⤵
- System Location Discovery: System Language Discovery
PID:4336 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe98⤵
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe99⤵PID:1412
-
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe100⤵PID:4816
-
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe101⤵PID:4700
-
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe102⤵PID:3936
-
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe103⤵PID:2940
-
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe104⤵PID:1912
-
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe105⤵PID:3456
-
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe106⤵PID:976
-
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe107⤵PID:2128
-
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe108⤵PID:3420
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe109⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe110⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe111⤵PID:428
-
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe112⤵PID:1744
-
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe113⤵PID:4288
-
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe114⤵
- System Location Discovery: System Language Discovery
PID:3320 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe115⤵PID:760
-
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe116⤵PID:2684
-
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe117⤵PID:116
-
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe118⤵PID:4392
-
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5136 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe121⤵PID:5180
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-