Analysis
-
max time kernel
45s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10/10/2024, 09:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe
-
Size
96KB
-
MD5
d6f39120af8c15b29a612ed8471c4300
-
SHA1
e222b803484f4d5d56df8c9712386211315df506
-
SHA256
535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bb
-
SHA512
593fa3ed12584cfdc73faac4033ee4942231481a224a98c535b9092817b47194953c17316c284a4bc88f17f4adc7d45b2bb7e47396a78f2256c14fe5aa3d353f
-
SSDEEP
3072:83DH5FQ3PxD0WdQRktiQTTEQfZEiHjnd69jc0v:8z8BjtiQTAQfZEMnd6NV
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblgnkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcgdom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjkpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihglhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keeeje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eogmcjef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqalaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhhgkib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmhglq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlelhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdejhfig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjdmjgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjbeofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpfplo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmkomchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmecmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlofgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oajlkojn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iafnjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmlbjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpqnhadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkfocaki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jacfidem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aopahjll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mikjpiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odedge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmfqgbmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqahqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjifodii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldkmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbiocd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okdmjdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgcmbcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fabaocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkpqlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjallg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcaiiejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhjlli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchfhfeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkhibino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgegok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lohjnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikfbbjdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1772 Nhdocl32.exe 3004 Nbjcqe32.exe 2988 Nlbgikia.exe 2768 Naopaa32.exe 2632 Ndnlnm32.exe 2180 Nkhdkgnj.exe 1720 Nmfqgbmm.exe 1788 Nemhhpmp.exe 2508 Ngneph32.exe 1908 Nadimacd.exe 660 Odbeilbg.exe 2936 Oklnff32.exe 1100 Oaffbqaa.exe 908 Ocgbji32.exe 2460 Okojkf32.exe 752 Ommfga32.exe 1800 Odgodl32.exe 1680 Oehklddp.exe 1376 Onocmadb.exe 1544 Opnpimdf.exe 1688 Ooqpdj32.exe 560 Oifdbb32.exe 2984 Oldpnn32.exe 2072 Ocohkh32.exe 1740 Oaaifdhb.exe 2732 Olgmcmgh.exe 2060 Padeldeo.exe 2616 Pkljdj32.exe 2288 Pafbadcm.exe 1836 Pgckjk32.exe 1804 Pojbkh32.exe 2504 Pdgkco32.exe 2780 Pgegok32.exe 1904 Pakllc32.exe 2920 Pdihiook.exe 2964 Pkcpei32.exe 1748 Pdldnomh.exe 688 Qfmafg32.exe 2248 Qmgibqjc.exe 1080 Qoeeolig.exe 1480 Qjkjle32.exe 2008 Qinjgbpg.exe 1536 Qogbdl32.exe 1684 Accnekon.exe 880 Abfnpg32.exe 988 Ajmfad32.exe 2148 Aipfmane.exe 1692 Amkbnp32.exe 2904 Akncimmh.exe 2620 Aojojl32.exe 2232 Abhkfg32.exe 2888 Afdgfelo.exe 2004 Aeggbbci.exe 1312 Aibcba32.exe 2124 Amnocpdk.exe 1900 Aollokco.exe 2436 Anolkh32.exe 3000 Affdle32.exe 2184 Aeidgbaf.exe 1784 Aidphq32.exe 2400 Akcldl32.exe 2212 Aoohekal.exe 628 Abmdafpp.exe 2152 Aapemc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2316 535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe 2316 535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe 1772 Nhdocl32.exe 1772 Nhdocl32.exe 3004 Nbjcqe32.exe 3004 Nbjcqe32.exe 2988 Nlbgikia.exe 2988 Nlbgikia.exe 2768 Naopaa32.exe 2768 Naopaa32.exe 2632 Ndnlnm32.exe 2632 Ndnlnm32.exe 2180 Nkhdkgnj.exe 2180 Nkhdkgnj.exe 1720 Nmfqgbmm.exe 1720 Nmfqgbmm.exe 1788 Nemhhpmp.exe 1788 Nemhhpmp.exe 2508 Ngneph32.exe 2508 Ngneph32.exe 1908 Nadimacd.exe 1908 Nadimacd.exe 660 Odbeilbg.exe 660 Odbeilbg.exe 2936 Oklnff32.exe 2936 Oklnff32.exe 1100 Oaffbqaa.exe 1100 Oaffbqaa.exe 908 Ocgbji32.exe 908 Ocgbji32.exe 2460 Okojkf32.exe 2460 Okojkf32.exe 752 Ommfga32.exe 752 Ommfga32.exe 1800 Odgodl32.exe 1800 Odgodl32.exe 1680 Oehklddp.exe 1680 Oehklddp.exe 1376 Onocmadb.exe 1376 Onocmadb.exe 1544 Opnpimdf.exe 1544 Opnpimdf.exe 1688 Ooqpdj32.exe 1688 Ooqpdj32.exe 560 Oifdbb32.exe 560 Oifdbb32.exe 2984 Oldpnn32.exe 2984 Oldpnn32.exe 2072 Ocohkh32.exe 2072 Ocohkh32.exe 1740 Oaaifdhb.exe 1740 Oaaifdhb.exe 2732 Olgmcmgh.exe 2732 Olgmcmgh.exe 2060 Padeldeo.exe 2060 Padeldeo.exe 2616 Pkljdj32.exe 2616 Pkljdj32.exe 2288 Pafbadcm.exe 2288 Pafbadcm.exe 1836 Pgckjk32.exe 1836 Pgckjk32.exe 1804 Pojbkh32.exe 1804 Pojbkh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bgikembl.dll Process not Found File created C:\Windows\SysWOW64\Bnlgbnbp.exe Process not Found File created C:\Windows\SysWOW64\Elibpg32.exe Process not Found File created C:\Windows\SysWOW64\Eeiead32.dll Ljkaeo32.exe File created C:\Windows\SysWOW64\Oanefo32.exe Omcifpnp.exe File created C:\Windows\SysWOW64\Jbfghckb.dll Kdmban32.exe File created C:\Windows\SysWOW64\Ajpepm32.exe Afdiondb.exe File opened for modification C:\Windows\SysWOW64\Iinhdmma.exe Process not Found File created C:\Windows\SysWOW64\Affdle32.exe Anolkh32.exe File created C:\Windows\SysWOW64\Mggljj32.dll Gbohehoj.exe File opened for modification C:\Windows\SysWOW64\Nfdddm32.exe Nnmlcp32.exe File opened for modification C:\Windows\SysWOW64\Nflchkii.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cogfqe32.exe Process not Found File created C:\Windows\SysWOW64\Pnalcc32.dll Process not Found File created C:\Windows\SysWOW64\Ieponofk.exe Process not Found File created C:\Windows\SysWOW64\Kncinl32.dll Bjebdfnn.exe File created C:\Windows\SysWOW64\Cacclpae.exe Cmhglq32.exe File created C:\Windows\SysWOW64\Pcdhbgoc.dll Cpiqmlfm.exe File created C:\Windows\SysWOW64\Lknocpdc.dll Process not Found File created C:\Windows\SysWOW64\Koflgf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ldllgiek.exe Lqqpgj32.exe File created C:\Windows\SysWOW64\Kkjnnn32.exe Khkbbc32.exe File opened for modification C:\Windows\SysWOW64\Opfegp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lncfcgeb.exe Lkdjglfo.exe File opened for modification C:\Windows\SysWOW64\Afliclij.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hjfcpo32.exe Hhhgcc32.exe File created C:\Windows\SysWOW64\Hnbopmnm.exe Hjfcpo32.exe File created C:\Windows\SysWOW64\Nokhie32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jpgmpk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bnhoag32.exe Bfagpiam.exe File created C:\Windows\SysWOW64\Pfapejnp.dll Pomhcg32.exe File created C:\Windows\SysWOW64\Damocb32.dll Pejmfqan.exe File created C:\Windows\SysWOW64\Dejdjfjb.dll Hbaaik32.exe File created C:\Windows\SysWOW64\Bgoime32.exe Bdqlajbb.exe File created C:\Windows\SysWOW64\Knmdeioh.exe Kjahej32.exe File opened for modification C:\Windows\SysWOW64\Aebmjo32.exe Accqnc32.exe File created C:\Windows\SysWOW64\Gjgiidkl.exe Gfkmie32.exe File created C:\Windows\SysWOW64\Onlahm32.exe Process not Found File created C:\Windows\SysWOW64\Clakmm32.dll Jjdofm32.exe File created C:\Windows\SysWOW64\Elilld32.dll Eelkeeah.exe File created C:\Windows\SysWOW64\Fggkcl32.exe Edfbaabj.exe File opened for modification C:\Windows\SysWOW64\Kfodfh32.exe Process not Found File created C:\Windows\SysWOW64\Binoil32.dll Qinjgbpg.exe File created C:\Windows\SysWOW64\Afgmodel.exe Aciqcifh.exe File opened for modification C:\Windows\SysWOW64\Nqjaeeog.exe Process not Found File opened for modification C:\Windows\SysWOW64\Olpbaa32.exe Process not Found File created C:\Windows\SysWOW64\Agljom32.exe Aennba32.exe File created C:\Windows\SysWOW64\Phhjblpa.exe Pejmfqan.exe File created C:\Windows\SysWOW64\Nabopjmj.exe Nncbdomg.exe File opened for modification C:\Windows\SysWOW64\Bmcnqama.exe Bjebdfnn.exe File created C:\Windows\SysWOW64\Aplpbjee.dll Iimfld32.exe File created C:\Windows\SysWOW64\Mkpdghaq.dll Process not Found File created C:\Windows\SysWOW64\Eadbpdla.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ldjpbign.exe Lblcfnhj.exe File created C:\Windows\SysWOW64\Hdojinhb.dll Ljieppcb.exe File opened for modification C:\Windows\SysWOW64\Bbbgod32.exe Aodkci32.exe File created C:\Windows\SysWOW64\Ehfenf32.dll Process not Found File created C:\Windows\SysWOW64\Pcdapknb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hghillnd.exe Hejmpqop.exe File created C:\Windows\SysWOW64\Nhknco32.dll Jhmofo32.exe File created C:\Windows\SysWOW64\Iibigbjj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pbgjgomc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dgoopkgh.exe Dohgomgf.exe File created C:\Windows\SysWOW64\Apedah32.exe Alihaioe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3268 3548 Process not Found 1415 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfncpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biaign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqoilii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eanldqgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amkbnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlelhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbhlkkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljghjpfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eheglk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqcmmjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepcelel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbppnbhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nadimacd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfmafg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenpajfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkgpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmecmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khghgchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaqcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felajbpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijkje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhiei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfbdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmban32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnifja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgoime32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmeeepjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqfkln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlhkofn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmamj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbaci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohjnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oioggmmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppfomk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqpecma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjkpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aapemc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjfkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgoje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemgplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcomepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilgoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjoqo32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eogmcjef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jacfidem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgnfdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmepkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmlbjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Allefimb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icblnd32.dll" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Danpemej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocajj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abhkfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jckgicnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqdiga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcinhie.dll" Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfknedh.dll" Hokhbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Accnekon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjpfaqc.dll" Bammlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alinabdk.dll" Dedlag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbnfb32.dll" Qhmcmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbafegj.dll" Aopahjll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmjqpdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjplobo.dll" Ibkmchbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amkbnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcibhnqq.dll" Joidhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piqpkpml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqiimfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moanlj32.dll" Eaheeecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akcldl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgfoie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epmfgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpfmmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jokqnhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpbbo32.dll" Jhafhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kllnhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjjaebl.dll" Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpbcokk.dll" Oibmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eaphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfbcidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifaid32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elqaca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekliqn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcmben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapecq32.dll" Oanefo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpeiligo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoopc32.dll" Fiepea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmkng32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmgibqjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjhqh32.dll" Gjifodii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljieppcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pegqpacp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2316 wrote to memory of 1772 2316 535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe 30 PID 2316 wrote to memory of 1772 2316 535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe 30 PID 2316 wrote to memory of 1772 2316 535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe 30 PID 2316 wrote to memory of 1772 2316 535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe 30 PID 1772 wrote to memory of 3004 1772 Nhdocl32.exe 31 PID 1772 wrote to memory of 3004 1772 Nhdocl32.exe 31 PID 1772 wrote to memory of 3004 1772 Nhdocl32.exe 31 PID 1772 wrote to memory of 3004 1772 Nhdocl32.exe 31 PID 3004 wrote to memory of 2988 3004 Nbjcqe32.exe 32 PID 3004 wrote to memory of 2988 3004 Nbjcqe32.exe 32 PID 3004 wrote to memory of 2988 3004 Nbjcqe32.exe 32 PID 3004 wrote to memory of 2988 3004 Nbjcqe32.exe 32 PID 2988 wrote to memory of 2768 2988 Nlbgikia.exe 33 PID 2988 wrote to memory of 2768 2988 Nlbgikia.exe 33 PID 2988 wrote to memory of 2768 2988 Nlbgikia.exe 33 PID 2988 wrote to memory of 2768 2988 Nlbgikia.exe 33 PID 2768 wrote to memory of 2632 2768 Naopaa32.exe 34 PID 2768 wrote to memory of 2632 2768 Naopaa32.exe 34 PID 2768 wrote to memory of 2632 2768 Naopaa32.exe 34 PID 2768 wrote to memory of 2632 2768 Naopaa32.exe 34 PID 2632 wrote to memory of 2180 2632 Ndnlnm32.exe 35 PID 2632 wrote to memory of 2180 2632 Ndnlnm32.exe 35 PID 2632 wrote to memory of 2180 2632 Ndnlnm32.exe 35 PID 2632 wrote to memory of 2180 2632 Ndnlnm32.exe 35 PID 2180 wrote to memory of 1720 2180 Nkhdkgnj.exe 36 PID 2180 wrote to memory of 1720 2180 Nkhdkgnj.exe 36 PID 2180 wrote to memory of 1720 2180 Nkhdkgnj.exe 36 PID 2180 wrote to memory of 1720 2180 Nkhdkgnj.exe 36 PID 1720 wrote to memory of 1788 1720 Nmfqgbmm.exe 37 PID 1720 wrote to memory of 1788 1720 Nmfqgbmm.exe 37 PID 1720 wrote to memory of 1788 1720 Nmfqgbmm.exe 37 PID 1720 wrote to memory of 1788 1720 Nmfqgbmm.exe 37 PID 1788 wrote to memory of 2508 1788 Nemhhpmp.exe 38 PID 1788 wrote to memory of 2508 1788 Nemhhpmp.exe 38 PID 1788 wrote to memory of 2508 1788 Nemhhpmp.exe 38 PID 1788 wrote to memory of 2508 1788 Nemhhpmp.exe 38 PID 2508 wrote to memory of 1908 2508 Ngneph32.exe 39 PID 2508 wrote to memory of 1908 2508 Ngneph32.exe 39 PID 2508 wrote to memory of 1908 2508 Ngneph32.exe 39 PID 2508 wrote to memory of 1908 2508 Ngneph32.exe 39 PID 1908 wrote to memory of 660 1908 Nadimacd.exe 40 PID 1908 wrote to memory of 660 1908 Nadimacd.exe 40 PID 1908 wrote to memory of 660 1908 Nadimacd.exe 40 PID 1908 wrote to memory of 660 1908 Nadimacd.exe 40 PID 660 wrote to memory of 2936 660 Odbeilbg.exe 41 PID 660 wrote to memory of 2936 660 Odbeilbg.exe 41 PID 660 wrote to memory of 2936 660 Odbeilbg.exe 41 PID 660 wrote to memory of 2936 660 Odbeilbg.exe 41 PID 2936 wrote to memory of 1100 2936 Oklnff32.exe 42 PID 2936 wrote to memory of 1100 2936 Oklnff32.exe 42 PID 2936 wrote to memory of 1100 2936 Oklnff32.exe 42 PID 2936 wrote to memory of 1100 2936 Oklnff32.exe 42 PID 1100 wrote to memory of 908 1100 Oaffbqaa.exe 43 PID 1100 wrote to memory of 908 1100 Oaffbqaa.exe 43 PID 1100 wrote to memory of 908 1100 Oaffbqaa.exe 43 PID 1100 wrote to memory of 908 1100 Oaffbqaa.exe 43 PID 908 wrote to memory of 2460 908 Ocgbji32.exe 44 PID 908 wrote to memory of 2460 908 Ocgbji32.exe 44 PID 908 wrote to memory of 2460 908 Ocgbji32.exe 44 PID 908 wrote to memory of 2460 908 Ocgbji32.exe 44 PID 2460 wrote to memory of 752 2460 Okojkf32.exe 45 PID 2460 wrote to memory of 752 2460 Okojkf32.exe 45 PID 2460 wrote to memory of 752 2460 Okojkf32.exe 45 PID 2460 wrote to memory of 752 2460 Okojkf32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe"C:\Users\Admin\AppData\Local\Temp\535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560 -
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1836 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe33⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe35⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe36⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe37⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe38⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:688 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe41⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe42⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe44⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe46⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe47⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe48⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe50⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe51⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe53⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe54⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe55⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe56⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe57⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe59⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe60⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe61⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe63⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe64⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe66⤵PID:2876
-
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe67⤵PID:2716
-
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe68⤵PID:2736
-
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe70⤵PID:2352
-
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe71⤵PID:2000
-
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe72⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe73⤵PID:2116
-
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe74⤵PID:1608
-
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe76⤵PID:3012
-
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe77⤵PID:2244
-
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe78⤵PID:676
-
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe79⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe80⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe81⤵PID:2956
-
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe83⤵PID:2604
-
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe84⤵PID:1572
-
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe85⤵PID:2256
-
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe86⤵PID:2368
-
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe87⤵PID:2952
-
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe88⤵PID:980
-
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe89⤵PID:2260
-
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe91⤵PID:1640
-
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1848 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe93⤵PID:1940
-
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe94⤵PID:2728
-
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe95⤵PID:1728
-
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe96⤵PID:1656
-
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe97⤵PID:1644
-
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe98⤵PID:1992
-
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe99⤵PID:2224
-
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe100⤵PID:1896
-
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe101⤵PID:544
-
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe102⤵PID:2444
-
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe103⤵PID:1944
-
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe104⤵PID:1396
-
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe105⤵PID:1616
-
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe106⤵PID:2976
-
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe107⤵PID:1576
-
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe108⤵PID:2336
-
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe109⤵PID:320
-
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe110⤵PID:1924
-
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe111⤵PID:2032
-
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe112⤵PID:580
-
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe113⤵PID:2432
-
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe114⤵PID:1708
-
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe116⤵PID:2156
-
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe117⤵PID:2676
-
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe118⤵PID:2572
-
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe119⤵PID:1928
-
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe120⤵PID:1768
-
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe121⤵PID:2792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-