Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
20/11/2024, 03:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ba57040d0de164e855a1139fde60bddeb5d247c29e7c6214fe0747fc24917ee1.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
ba57040d0de164e855a1139fde60bddeb5d247c29e7c6214fe0747fc24917ee1.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
ba57040d0de164e855a1139fde60bddeb5d247c29e7c6214fe0747fc24917ee1.exe
-
Size
96KB
-
MD5
b0ba42b8d59cd8492ea08ad093897407
-
SHA1
785303883576569b939a505dafaf8161bb796480
-
SHA256
ba57040d0de164e855a1139fde60bddeb5d247c29e7c6214fe0747fc24917ee1
-
SHA512
25c1d7443e0f7a5672942317cf865446da82124f88403bb98897a8cbb5839d95eeab666437e324bc4dcae7635eb2bef17aed439ad1cd0f594086185b52900a28
-
SSDEEP
1536:6evaaIFbhC5P3XWgHZ9/bnLs85t2Q4OdLkgJaAjWbjtKBvU:6eqhIWgHZxLs7Q11koVwtCU
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjoif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Midqiaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cllmdcej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqendf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gghloe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnpbgbdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffjagko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igeddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmeohnil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcmdpcle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clfhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmpbja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfmjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjdpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eghdanac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgokflc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acjdgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjikaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffboohnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnfipm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjejojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lamkllea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcfgoadd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkohjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpaoojjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcegdnna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afbnec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nknnnoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okolfkjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkeofnfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceioieei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmefad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omjbihpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogdhpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpodgocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbfldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccgnelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqpbpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jifhdphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjkfglom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Difplf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laidgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pajeanhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihjcko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oobiclmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdodjlda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnmdfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabcbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmnlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcncbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghddnnfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjalndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jehpna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkcdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccaipaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbddfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laidgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahjgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbengc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niaihojk.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2700 Ccgnelll.exe 2844 Cffjagko.exe 2924 Dhgccbhp.exe 2608 Dglpdomh.exe 2072 Dqddmd32.exe 2948 Dgqion32.exe 3008 Empomd32.exe 1160 Eclcon32.exe 2012 Epcddopf.exe 2316 Fnjnkkbk.exe 796 Fhbbcail.exe 2148 Fcichb32.exe 2124 Fjckelfm.exe 1660 Famcbf32.exe 996 Ffjljmla.exe 1376 Fappgflg.exe 2728 Fjhdpk32.exe 2512 Fpemhb32.exe 1676 Gminbfoh.exe 2204 Gdcfoq32.exe 848 Glnkcc32.exe 896 Gbhcpmkm.exe 2060 Glpgibbn.exe 1620 Geilah32.exe 2780 Gkedjo32.exe 2848 Gekhgh32.exe 2928 Ghidcceo.exe 2776 Gkhaooec.exe 2596 Hdpehd32.exe 1212 Hkjnenbp.exe 1568 Hadfah32.exe 2384 Hnkffi32.exe 2900 Hgckoofa.exe 2368 Hlpchfdi.exe 1512 Hgfheodo.exe 2424 Hlbpme32.exe 2332 Hghdjn32.exe 352 Ihiabfhk.exe 556 Icoepohq.exe 2116 Iemalkgd.exe 264 Ikjjda32.exe 1972 Ifpnaj32.exe 3000 Iklfia32.exe 2388 Iafofkkf.exe 1060 Igcgnbim.exe 1812 Idghhf32.exe 2704 Igeddb32.exe 1224 Ibkhak32.exe 2712 Jdidmf32.exe 2588 Jkcmjpma.exe 764 Jmdiahco.exe 2892 Jcoanb32.exe 700 Jjijkmbi.exe 2640 Jqbbhg32.exe 2208 Jgmjdaqb.exe 2472 Jqeomfgc.exe 2816 Jcckibfg.exe 2468 Jkopndcb.exe 480 Jcfgoadd.exe 2188 Jfddkmch.exe 908 Kmnlhg32.exe 596 Kbkdpnil.exe 2024 Keiqlihp.exe 836 Knaeeo32.exe -
Loads dropped DLL 64 IoCs
pid Process 2160 ba57040d0de164e855a1139fde60bddeb5d247c29e7c6214fe0747fc24917ee1.exe 2160 ba57040d0de164e855a1139fde60bddeb5d247c29e7c6214fe0747fc24917ee1.exe 2700 Ccgnelll.exe 2700 Ccgnelll.exe 2844 Cffjagko.exe 2844 Cffjagko.exe 2924 Dhgccbhp.exe 2924 Dhgccbhp.exe 2608 Dglpdomh.exe 2608 Dglpdomh.exe 2072 Dqddmd32.exe 2072 Dqddmd32.exe 2948 Dgqion32.exe 2948 Dgqion32.exe 3008 Empomd32.exe 3008 Empomd32.exe 1160 Eclcon32.exe 1160 Eclcon32.exe 2012 Epcddopf.exe 2012 Epcddopf.exe 2316 Fnjnkkbk.exe 2316 Fnjnkkbk.exe 796 Fhbbcail.exe 796 Fhbbcail.exe 2148 Fcichb32.exe 2148 Fcichb32.exe 2124 Fjckelfm.exe 2124 Fjckelfm.exe 1660 Famcbf32.exe 1660 Famcbf32.exe 996 Ffjljmla.exe 996 Ffjljmla.exe 1376 Fappgflg.exe 1376 Fappgflg.exe 2728 Fjhdpk32.exe 2728 Fjhdpk32.exe 2512 Fpemhb32.exe 2512 Fpemhb32.exe 1676 Gminbfoh.exe 1676 Gminbfoh.exe 2204 Gdcfoq32.exe 2204 Gdcfoq32.exe 848 Glnkcc32.exe 848 Glnkcc32.exe 896 Gbhcpmkm.exe 896 Gbhcpmkm.exe 2060 Glpgibbn.exe 2060 Glpgibbn.exe 1620 Geilah32.exe 1620 Geilah32.exe 2780 Gkedjo32.exe 2780 Gkedjo32.exe 2848 Gekhgh32.exe 2848 Gekhgh32.exe 2928 Ghidcceo.exe 2928 Ghidcceo.exe 2776 Gkhaooec.exe 2776 Gkhaooec.exe 2596 Hdpehd32.exe 2596 Hdpehd32.exe 1212 Hkjnenbp.exe 1212 Hkjnenbp.exe 1568 Hadfah32.exe 1568 Hadfah32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Agjlmh32.dll Iimenapo.exe File created C:\Windows\SysWOW64\Fcmdpcle.exe Fnplgl32.exe File created C:\Windows\SysWOW64\Joeioaao.dll Npfhjifm.exe File opened for modification C:\Windows\SysWOW64\Dpphipbk.exe Difplf32.exe File opened for modification C:\Windows\SysWOW64\Fappgflg.exe Ffjljmla.exe File opened for modification C:\Windows\SysWOW64\Egchmfnd.exe Edelakoq.exe File created C:\Windows\SysWOW64\Doeljaja.dll Oacbdg32.exe File opened for modification C:\Windows\SysWOW64\Afbpnlcd.exe Aoihaa32.exe File created C:\Windows\SysWOW64\Fcgdjmlo.exe Fmjkbfnh.exe File created C:\Windows\SysWOW64\Admljpij.dll Nhnemdbf.exe File created C:\Windows\SysWOW64\Aoihaa32.exe Amjkefmd.exe File created C:\Windows\SysWOW64\Mmkcmk32.dll Gmaoomld.exe File opened for modification C:\Windows\SysWOW64\Edenjc32.exe Eagbnh32.exe File opened for modification C:\Windows\SysWOW64\Dhleaq32.exe Dgkiih32.exe File created C:\Windows\SysWOW64\Jfhmehji.exe Iciaim32.exe File created C:\Windows\SysWOW64\Jknicnpf.exe Jcgqbq32.exe File created C:\Windows\SysWOW64\Miokdmmk.dll Mpimbcnf.exe File created C:\Windows\SysWOW64\Glhbolin.dll Jinghn32.exe File opened for modification C:\Windows\SysWOW64\Deonff32.exe Dpbenpqh.exe File created C:\Windows\SysWOW64\Bipaodah.exe Bbfibj32.exe File created C:\Windows\SysWOW64\Kjlgaa32.exe Kdooij32.exe File created C:\Windows\SysWOW64\Jkolkfab.dll Ejfnda32.exe File opened for modification C:\Windows\SysWOW64\Jkdoci32.exe Jdjgfomh.exe File created C:\Windows\SysWOW64\Ebhbna32.dll Midqiaih.exe File created C:\Windows\SysWOW64\Npldppbn.dll Ajoebigm.exe File opened for modification C:\Windows\SysWOW64\Ffjljmla.exe Famcbf32.exe File created C:\Windows\SysWOW64\Nqmice32.dll Ikjjda32.exe File created C:\Windows\SysWOW64\Opgcne32.dll Ogmngn32.exe File created C:\Windows\SysWOW64\Jaffca32.exe Jdbfjm32.exe File created C:\Windows\SysWOW64\Jinqgg32.dll Fdgefn32.exe File created C:\Windows\SysWOW64\Adncoc32.exe Qkeofnfk.exe File created C:\Windows\SysWOW64\Ldepenep.dll Khhndi32.exe File created C:\Windows\SysWOW64\Hjeace32.dll Kdooij32.exe File opened for modification C:\Windows\SysWOW64\Geilah32.exe Glpgibbn.exe File opened for modification C:\Windows\SysWOW64\Honiikpa.exe Heedqe32.exe File opened for modification C:\Windows\SysWOW64\Ljcbcngi.exe Liaeleak.exe File created C:\Windows\SysWOW64\Fnmmidhm.exe Fkoqmhii.exe File opened for modification C:\Windows\SysWOW64\Phklcn32.exe Paqdgcfl.exe File opened for modification C:\Windows\SysWOW64\Fgfckbfa.exe Fnnobl32.exe File opened for modification C:\Windows\SysWOW64\Ggmjkapi.exe Gqcaoghl.exe File created C:\Windows\SysWOW64\Lgnefm32.dll Paqdgcfl.exe File opened for modification C:\Windows\SysWOW64\Jfddkmch.exe Jcfgoadd.exe File created C:\Windows\SysWOW64\Piihaccl.dll Lilomj32.exe File created C:\Windows\SysWOW64\Jflgph32.exe Jneoojeb.exe File opened for modification C:\Windows\SysWOW64\Omjbihpn.exe Ocdnloph.exe File opened for modification C:\Windows\SysWOW64\Agloko32.exe Adncoc32.exe File opened for modification C:\Windows\SysWOW64\Cmapna32.exe Cfghagio.exe File created C:\Windows\SysWOW64\Fjckelfm.exe Fcichb32.exe File created C:\Windows\SysWOW64\Jmdiahco.exe Jkcmjpma.exe File created C:\Windows\SysWOW64\Fqpbpo32.exe Fclbgj32.exe File created C:\Windows\SysWOW64\Klijjnen.exe Kfobmc32.exe File created C:\Windows\SysWOW64\Lgbhffog.dll Knaeeo32.exe File created C:\Windows\SysWOW64\Agdlfd32.exe Afbpnlcd.exe File created C:\Windows\SysWOW64\Paemac32.exe Pkkeeikj.exe File created C:\Windows\SysWOW64\Efghmkeb.dll Gfhikl32.exe File created C:\Windows\SysWOW64\Mffgfo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oggghc32.exe Oqmokioh.exe File created C:\Windows\SysWOW64\Cneqpc32.dll Edhbjjhn.exe File opened for modification C:\Windows\SysWOW64\Kldaon32.exe Kgghgg32.exe File created C:\Windows\SysWOW64\Ekjeio32.dll Bjgdfg32.exe File created C:\Windows\SysWOW64\Nddeae32.exe Nmjmekan.exe File created C:\Windows\SysWOW64\Fdgefn32.exe Fnmmidhm.exe File opened for modification C:\Windows\SysWOW64\Ndjhpcoe.exe Nomphm32.exe File created C:\Windows\SysWOW64\Dpofpg32.exe Dmajdl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4704 4836 Process not Found 1087 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opbopn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaangfjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibkhak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdiho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgdnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qonlhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgfjjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglpdomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdoccg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fladmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dammoahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmhdph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miaaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncljmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcndag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehbpjjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfhcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfghagio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgbioee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoihaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjephakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phklcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkkeeikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjkefmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqbfdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcdijac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkeedo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knaeeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojclibo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbmebgpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccolja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eonhpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofdll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmnhhmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklaepbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edenjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmoeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Celpqbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbapf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfiaojkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenmfbml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbgnhfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmjjhmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkemli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Docjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpbja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpoppadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Midqiaih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okolfkjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baealp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhadgakg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqambacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbenpqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbamc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibpjaagi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchadifq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phabdmgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnbmoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnjhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckajqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilceog32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlpchfdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nejkdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mibdcakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blndhdgi.dll" Eaoaafli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhibidgh.dll" Dgqion32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmepanje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edhpaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glaiak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Biceoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omhhma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhalelik.dll" Oaaghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bongfjgo.dll" Bopknhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpapgnpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmoiepan.dll" Hamgno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Immkiodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kheaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npkaei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpkchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iijfoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpdkel32.dll" Iilocklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcflig32.dll" Bdklnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gknhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chndfp32.dll" Hjcajn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jaaoakmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glpgibbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egmbnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qonlhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eoimlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npkaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkgbioee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohefjhb.dll" Pqgilnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mifmoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjpicfdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Faonqiod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbkdpnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmpgd32.dll" Nakikpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbagfo32.dll" Jknicnpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joapmk32.dll" Jpqgkpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdnkcibn.dll" Opkndldc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofefqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcpcho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bafkookd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpjgdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkhcdhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbhlgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmlbgc32.dll" Anngkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbkdpnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hehafe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beofli32.dll" Kmabqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfoefi32.dll" Iaddid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aoihaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edhbjjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odoakckp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pelnniga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pofldf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aebakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaikfkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmbmii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Docjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epkglngn.dll" Dgoobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkkckdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baojfoqh.dll" Cjngej32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2160 wrote to memory of 2700 2160 ba57040d0de164e855a1139fde60bddeb5d247c29e7c6214fe0747fc24917ee1.exe 30 PID 2160 wrote to memory of 2700 2160 ba57040d0de164e855a1139fde60bddeb5d247c29e7c6214fe0747fc24917ee1.exe 30 PID 2160 wrote to memory of 2700 2160 ba57040d0de164e855a1139fde60bddeb5d247c29e7c6214fe0747fc24917ee1.exe 30 PID 2160 wrote to memory of 2700 2160 ba57040d0de164e855a1139fde60bddeb5d247c29e7c6214fe0747fc24917ee1.exe 30 PID 2700 wrote to memory of 2844 2700 Ccgnelll.exe 31 PID 2700 wrote to memory of 2844 2700 Ccgnelll.exe 31 PID 2700 wrote to memory of 2844 2700 Ccgnelll.exe 31 PID 2700 wrote to memory of 2844 2700 Ccgnelll.exe 31 PID 2844 wrote to memory of 2924 2844 Cffjagko.exe 32 PID 2844 wrote to memory of 2924 2844 Cffjagko.exe 32 PID 2844 wrote to memory of 2924 2844 Cffjagko.exe 32 PID 2844 wrote to memory of 2924 2844 Cffjagko.exe 32 PID 2924 wrote to memory of 2608 2924 Dhgccbhp.exe 33 PID 2924 wrote to memory of 2608 2924 Dhgccbhp.exe 33 PID 2924 wrote to memory of 2608 2924 Dhgccbhp.exe 33 PID 2924 wrote to memory of 2608 2924 Dhgccbhp.exe 33 PID 2608 wrote to memory of 2072 2608 Dglpdomh.exe 34 PID 2608 wrote to memory of 2072 2608 Dglpdomh.exe 34 PID 2608 wrote to memory of 2072 2608 Dglpdomh.exe 34 PID 2608 wrote to memory of 2072 2608 Dglpdomh.exe 34 PID 2072 wrote to memory of 2948 2072 Dqddmd32.exe 35 PID 2072 wrote to memory of 2948 2072 Dqddmd32.exe 35 PID 2072 wrote to memory of 2948 2072 Dqddmd32.exe 35 PID 2072 wrote to memory of 2948 2072 Dqddmd32.exe 35 PID 2948 wrote to memory of 3008 2948 Dgqion32.exe 36 PID 2948 wrote to memory of 3008 2948 Dgqion32.exe 36 PID 2948 wrote to memory of 3008 2948 Dgqion32.exe 36 PID 2948 wrote to memory of 3008 2948 Dgqion32.exe 36 PID 3008 wrote to memory of 1160 3008 Empomd32.exe 37 PID 3008 wrote to memory of 1160 3008 Empomd32.exe 37 PID 3008 wrote to memory of 1160 3008 Empomd32.exe 37 PID 3008 wrote to memory of 1160 3008 Empomd32.exe 37 PID 1160 wrote to memory of 2012 1160 Eclcon32.exe 38 PID 1160 wrote to memory of 2012 1160 Eclcon32.exe 38 PID 1160 wrote to memory of 2012 1160 Eclcon32.exe 38 PID 1160 wrote to memory of 2012 1160 Eclcon32.exe 38 PID 2012 wrote to memory of 2316 2012 Epcddopf.exe 39 PID 2012 wrote to memory of 2316 2012 Epcddopf.exe 39 PID 2012 wrote to memory of 2316 2012 Epcddopf.exe 39 PID 2012 wrote to memory of 2316 2012 Epcddopf.exe 39 PID 2316 wrote to memory of 796 2316 Fnjnkkbk.exe 40 PID 2316 wrote to memory of 796 2316 Fnjnkkbk.exe 40 PID 2316 wrote to memory of 796 2316 Fnjnkkbk.exe 40 PID 2316 wrote to memory of 796 2316 Fnjnkkbk.exe 40 PID 796 wrote to memory of 2148 796 Fhbbcail.exe 41 PID 796 wrote to memory of 2148 796 Fhbbcail.exe 41 PID 796 wrote to memory of 2148 796 Fhbbcail.exe 41 PID 796 wrote to memory of 2148 796 Fhbbcail.exe 41 PID 2148 wrote to memory of 2124 2148 Fcichb32.exe 42 PID 2148 wrote to memory of 2124 2148 Fcichb32.exe 42 PID 2148 wrote to memory of 2124 2148 Fcichb32.exe 42 PID 2148 wrote to memory of 2124 2148 Fcichb32.exe 42 PID 2124 wrote to memory of 1660 2124 Fjckelfm.exe 43 PID 2124 wrote to memory of 1660 2124 Fjckelfm.exe 43 PID 2124 wrote to memory of 1660 2124 Fjckelfm.exe 43 PID 2124 wrote to memory of 1660 2124 Fjckelfm.exe 43 PID 1660 wrote to memory of 996 1660 Famcbf32.exe 44 PID 1660 wrote to memory of 996 1660 Famcbf32.exe 44 PID 1660 wrote to memory of 996 1660 Famcbf32.exe 44 PID 1660 wrote to memory of 996 1660 Famcbf32.exe 44 PID 996 wrote to memory of 1376 996 Ffjljmla.exe 45 PID 996 wrote to memory of 1376 996 Ffjljmla.exe 45 PID 996 wrote to memory of 1376 996 Ffjljmla.exe 45 PID 996 wrote to memory of 1376 996 Ffjljmla.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba57040d0de164e855a1139fde60bddeb5d247c29e7c6214fe0747fc24917ee1.exe"C:\Users\Admin\AppData\Local\Temp\ba57040d0de164e855a1139fde60bddeb5d247c29e7c6214fe0747fc24917ee1.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Ccgnelll.exeC:\Windows\system32\Ccgnelll.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Cffjagko.exeC:\Windows\system32\Cffjagko.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Dhgccbhp.exeC:\Windows\system32\Dhgccbhp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Dglpdomh.exeC:\Windows\system32\Dglpdomh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Empomd32.exeC:\Windows\system32\Empomd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Eclcon32.exeC:\Windows\system32\Eclcon32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Epcddopf.exeC:\Windows\system32\Epcddopf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Fnjnkkbk.exeC:\Windows\system32\Fnjnkkbk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Fcichb32.exeC:\Windows\system32\Fcichb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Fjckelfm.exeC:\Windows\system32\Fjckelfm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Famcbf32.exeC:\Windows\system32\Famcbf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Ffjljmla.exeC:\Windows\system32\Ffjljmla.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Windows\SysWOW64\Fjhdpk32.exeC:\Windows\system32\Fjhdpk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Fpemhb32.exeC:\Windows\system32\Fpemhb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Gdcfoq32.exeC:\Windows\system32\Gdcfoq32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Glnkcc32.exeC:\Windows\system32\Glnkcc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Gbhcpmkm.exeC:\Windows\system32\Gbhcpmkm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Glpgibbn.exeC:\Windows\system32\Glpgibbn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Ghidcceo.exeC:\Windows\system32\Ghidcceo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Gkhaooec.exeC:\Windows\system32\Gkhaooec.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Hadfah32.exeC:\Windows\system32\Hadfah32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe33⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe34⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe36⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe37⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Hghdjn32.exeC:\Windows\system32\Hghdjn32.exe38⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Ihiabfhk.exeC:\Windows\system32\Ihiabfhk.exe39⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Icoepohq.exeC:\Windows\system32\Icoepohq.exe40⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Iemalkgd.exeC:\Windows\system32\Iemalkgd.exe41⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Ifpnaj32.exeC:\Windows\system32\Ifpnaj32.exe43⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Iklfia32.exeC:\Windows\system32\Iklfia32.exe44⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Iafofkkf.exeC:\Windows\system32\Iafofkkf.exe45⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe46⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Idghhf32.exeC:\Windows\system32\Idghhf32.exe47⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Igeddb32.exeC:\Windows\system32\Igeddb32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ibkhak32.exeC:\Windows\system32\Ibkhak32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1224 -
C:\Windows\SysWOW64\Jdidmf32.exeC:\Windows\system32\Jdidmf32.exe50⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Jkcmjpma.exeC:\Windows\system32\Jkcmjpma.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Jmdiahco.exeC:\Windows\system32\Jmdiahco.exe52⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Jcoanb32.exeC:\Windows\system32\Jcoanb32.exe53⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Jjijkmbi.exeC:\Windows\system32\Jjijkmbi.exe54⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Jqbbhg32.exeC:\Windows\system32\Jqbbhg32.exe55⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Jgmjdaqb.exeC:\Windows\system32\Jgmjdaqb.exe56⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Jqeomfgc.exeC:\Windows\system32\Jqeomfgc.exe57⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Jcckibfg.exeC:\Windows\system32\Jcckibfg.exe58⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Jkopndcb.exeC:\Windows\system32\Jkopndcb.exe59⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Jcfgoadd.exeC:\Windows\system32\Jcfgoadd.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:480 -
C:\Windows\SysWOW64\Jfddkmch.exeC:\Windows\system32\Jfddkmch.exe61⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Kmnlhg32.exeC:\Windows\system32\Kmnlhg32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Kbkdpnil.exeC:\Windows\system32\Kbkdpnil.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Keiqlihp.exeC:\Windows\system32\Keiqlihp.exe64⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Kapaaj32.exeC:\Windows\system32\Kapaaj32.exe66⤵PID:2888
-
C:\Windows\SysWOW64\Kbpnkm32.exeC:\Windows\system32\Kbpnkm32.exe67⤵PID:1880
-
C:\Windows\SysWOW64\Kglfcd32.exeC:\Windows\system32\Kglfcd32.exe68⤵PID:1564
-
C:\Windows\SysWOW64\Knfopnkk.exeC:\Windows\system32\Knfopnkk.exe69⤵PID:924
-
C:\Windows\SysWOW64\Kjmoeo32.exeC:\Windows\system32\Kjmoeo32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Kaggbihl.exeC:\Windows\system32\Kaggbihl.exe71⤵PID:2020
-
C:\Windows\SysWOW64\Lfdpjp32.exeC:\Windows\system32\Lfdpjp32.exe72⤵PID:2576
-
C:\Windows\SysWOW64\Laidgi32.exeC:\Windows\system32\Laidgi32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Lbkaoalg.exeC:\Windows\system32\Lbkaoalg.exe74⤵PID:2908
-
C:\Windows\SysWOW64\Lmpeljkm.exeC:\Windows\system32\Lmpeljkm.exe75⤵PID:2744
-
C:\Windows\SysWOW64\Ldjmidcj.exeC:\Windows\system32\Ldjmidcj.exe76⤵PID:3012
-
C:\Windows\SysWOW64\Lekjal32.exeC:\Windows\system32\Lekjal32.exe77⤵PID:1100
-
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe78⤵PID:2988
-
C:\Windows\SysWOW64\Liibgkoo.exeC:\Windows\system32\Liibgkoo.exe79⤵PID:1876
-
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe80⤵PID:2504
-
C:\Windows\SysWOW64\Ladgkmlj.exeC:\Windows\system32\Ladgkmlj.exe81⤵PID:2276
-
C:\Windows\SysWOW64\Lilomj32.exeC:\Windows\system32\Lilomj32.exe82⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Magdam32.exeC:\Windows\system32\Magdam32.exe83⤵PID:2440
-
C:\Windows\SysWOW64\Mkohjbah.exeC:\Windows\system32\Mkohjbah.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1824 -
C:\Windows\SysWOW64\Mdgmbhgh.exeC:\Windows\system32\Mdgmbhgh.exe85⤵PID:1820
-
C:\Windows\SysWOW64\Mkaeob32.exeC:\Windows\system32\Mkaeob32.exe86⤵PID:1396
-
C:\Windows\SysWOW64\Malmllfb.exeC:\Windows\system32\Malmllfb.exe87⤵PID:2000
-
C:\Windows\SysWOW64\Migbpocm.exeC:\Windows\system32\Migbpocm.exe88⤵PID:2876
-
C:\Windows\SysWOW64\Mcofid32.exeC:\Windows\system32\Mcofid32.exe89⤵PID:1364
-
C:\Windows\SysWOW64\Miiofn32.exeC:\Windows\system32\Miiofn32.exe90⤵PID:2992
-
C:\Windows\SysWOW64\Mdoccg32.exeC:\Windows\system32\Mdoccg32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Nepokogo.exeC:\Windows\system32\Nepokogo.exe92⤵PID:2960
-
C:\Windows\SysWOW64\Npechhgd.exeC:\Windows\system32\Npechhgd.exe93⤵PID:2756
-
C:\Windows\SysWOW64\Ngoleb32.exeC:\Windows\system32\Ngoleb32.exe94⤵PID:2912
-
C:\Windows\SysWOW64\Nlldmimi.exeC:\Windows\system32\Nlldmimi.exe95⤵PID:2884
-
C:\Windows\SysWOW64\Ncfmjc32.exeC:\Windows\system32\Ncfmjc32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Nkaane32.exeC:\Windows\system32\Nkaane32.exe97⤵PID:2808
-
C:\Windows\SysWOW64\Nakikpin.exeC:\Windows\system32\Nakikpin.exe98⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Nlanhh32.exeC:\Windows\system32\Nlanhh32.exe99⤵PID:760
-
C:\Windows\SysWOW64\Nanfqo32.exeC:\Windows\system32\Nanfqo32.exe100⤵PID:2184
-
C:\Windows\SysWOW64\Ngjoif32.exeC:\Windows\system32\Ngjoif32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2068 -
C:\Windows\SysWOW64\Nndgeplo.exeC:\Windows\system32\Nndgeplo.exe102⤵PID:1780
-
C:\Windows\SysWOW64\Okhgod32.exeC:\Windows\system32\Okhgod32.exe103⤵PID:1612
-
C:\Windows\SysWOW64\Oabplobe.exeC:\Windows\system32\Oabplobe.exe104⤵PID:1996
-
C:\Windows\SysWOW64\Okkddd32.exeC:\Windows\system32\Okkddd32.exe105⤵PID:648
-
C:\Windows\SysWOW64\Ocfiif32.exeC:\Windows\system32\Ocfiif32.exe106⤵PID:3064
-
C:\Windows\SysWOW64\Omnmal32.exeC:\Windows\system32\Omnmal32.exe107⤵PID:2176
-
C:\Windows\SysWOW64\Ochenfdn.exeC:\Windows\system32\Ochenfdn.exe108⤵PID:2868
-
C:\Windows\SysWOW64\Ohengmcf.exeC:\Windows\system32\Ohengmcf.exe109⤵PID:2108
-
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe110⤵PID:2788
-
C:\Windows\SysWOW64\Ofiopaap.exeC:\Windows\system32\Ofiopaap.exe111⤵PID:2296
-
C:\Windows\SysWOW64\Pmcgmkil.exeC:\Windows\system32\Pmcgmkil.exe112⤵PID:2972
-
C:\Windows\SysWOW64\Pcmoie32.exeC:\Windows\system32\Pcmoie32.exe113⤵PID:2064
-
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe114⤵PID:2284
-
C:\Windows\SysWOW64\Pbblkaea.exeC:\Windows\system32\Pbblkaea.exe115⤵PID:1080
-
C:\Windows\SysWOW64\Pildgl32.exeC:\Windows\system32\Pildgl32.exe116⤵PID:1992
-
C:\Windows\SysWOW64\Pofldf32.exeC:\Windows\system32\Pofldf32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Pqgilnji.exeC:\Windows\system32\Pqgilnji.exe118⤵
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Pjpmdd32.exeC:\Windows\system32\Pjpmdd32.exe119⤵PID:3068
-
C:\Windows\SysWOW64\Pajeanhf.exeC:\Windows\system32\Pajeanhf.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2128 -
C:\Windows\SysWOW64\Pchbmigj.exeC:\Windows\system32\Pchbmigj.exe121⤵PID:1044
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-