Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-12-2024 01:59
Static task
static1
Behavioral task
behavioral1
Sample
ab9bb6c82e13e6a5d887bddffe7fe736a3850ed135e35c7b023dc57fcac3010f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ab9bb6c82e13e6a5d887bddffe7fe736a3850ed135e35c7b023dc57fcac3010f.exe
Resource
win10v2004-20241007-en
General
-
Target
ab9bb6c82e13e6a5d887bddffe7fe736a3850ed135e35c7b023dc57fcac3010f.exe
-
Size
243KB
-
MD5
d509d28826cf7331a0b38ab6530f063c
-
SHA1
ff135b437e589abbbf6959c89f7393664492d155
-
SHA256
ab9bb6c82e13e6a5d887bddffe7fe736a3850ed135e35c7b023dc57fcac3010f
-
SHA512
a86dadea8c44ae2e1d20be9b5278b8bd3925b386055297c4ae243b6e217c19ad43edee9094ad29e112ca5f68d07270da8945e867cbd47231e184a75accb9a4db
-
SSDEEP
6144:iNCqwnmkrxzUNaDJvZUvxrQBZg3kFz2so48J:SCDhUNaVvZhBZvz2V48J
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekmfne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbafalph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aedlhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdfqogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgbaml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcjog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaapcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keioca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eopphehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnchhllf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dijfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igmbgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpmmfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbjcpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfbqgldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flcojeak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfekec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pebpkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhjbqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iikkon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnphdceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kechdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boemlbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjkhdacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjlbdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnecigcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mloiec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pehcij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhoklnkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pacajg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Codbqonk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaholp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimoiopk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipejmko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgkpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhfpdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghdiokbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbghhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neiaeiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bceibfgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfpfdeon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibkmchbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnefhpma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgahkngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggiofa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghlfjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iejiodbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onlahm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adleoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjppfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1604 Gcgnnlle.exe 2084 Gfejjgli.exe 2320 Gmpcgace.exe 2756 Gkbcbn32.exe 2768 Gncldi32.exe 3064 Gbadjg32.exe 2780 Gepafc32.exe 2660 Hebnlb32.exe 2428 Hnjbeh32.exe 2920 Hfegij32.exe 2576 Hidcef32.exe 1936 Hmalldcn.exe 1928 Hboddk32.exe 3024 Iikifegp.exe 2480 Ibcnojnp.exe 1836 Ibejdjln.exe 2876 Idgglb32.exe 1312 Idicbbpi.exe 1684 Ihdpbq32.exe 1700 Imahkg32.exe 2248 Jaoqqflp.exe 2128 Jpbalb32.exe 1036 Jikeeh32.exe 1648 Jbcjnnpl.exe 3052 Jbefcm32.exe 980 Jgabdlfb.exe 2272 Jolghndm.exe 2848 Jbhcim32.exe 2636 Jialfgcc.exe 2868 Jbjpom32.exe 2684 Koaqcn32.exe 2344 Kaompi32.exe 2960 Khielcfh.exe 1824 Kglehp32.exe 2928 Kdpfadlm.exe 2028 Kadfkhkf.exe 1000 Kpgffe32.exe 2132 Kdbbgdjj.exe 2572 Kcgphp32.exe 1096 Kgclio32.exe 984 Klpdaf32.exe 840 Lcjlnpmo.exe 2228 Ljddjj32.exe 1952 Lhfefgkg.exe 2456 Lpnmgdli.exe 1924 Lclicpkm.exe 1532 Lboiol32.exe 2520 Lfkeokjp.exe 2720 Lhiakf32.exe 2836 Locjhqpa.exe 2740 Lbafdlod.exe 788 Ldpbpgoh.exe 2736 Lkjjma32.exe 284 Lnhgim32.exe 2148 Lfoojj32.exe 2716 Lhnkffeo.exe 3000 Lklgbadb.exe 352 Lnjcomcf.exe 1108 Lddlkg32.exe 308 Lgchgb32.exe 2496 Mkndhabp.exe 304 Mjaddn32.exe 292 Mqklqhpg.exe 2156 Mcjhmcok.exe -
Loads dropped DLL 64 IoCs
pid Process 2516 ab9bb6c82e13e6a5d887bddffe7fe736a3850ed135e35c7b023dc57fcac3010f.exe 2516 ab9bb6c82e13e6a5d887bddffe7fe736a3850ed135e35c7b023dc57fcac3010f.exe 1604 Gcgnnlle.exe 1604 Gcgnnlle.exe 2084 Gfejjgli.exe 2084 Gfejjgli.exe 2320 Gmpcgace.exe 2320 Gmpcgace.exe 2756 Gkbcbn32.exe 2756 Gkbcbn32.exe 2768 Gncldi32.exe 2768 Gncldi32.exe 3064 Gbadjg32.exe 3064 Gbadjg32.exe 2780 Gepafc32.exe 2780 Gepafc32.exe 2660 Hebnlb32.exe 2660 Hebnlb32.exe 2428 Hnjbeh32.exe 2428 Hnjbeh32.exe 2920 Hfegij32.exe 2920 Hfegij32.exe 2576 Hidcef32.exe 2576 Hidcef32.exe 1936 Hmalldcn.exe 1936 Hmalldcn.exe 1928 Hboddk32.exe 1928 Hboddk32.exe 3024 Iikifegp.exe 3024 Iikifegp.exe 2480 Ibcnojnp.exe 2480 Ibcnojnp.exe 1836 Ibejdjln.exe 1836 Ibejdjln.exe 2876 Idgglb32.exe 2876 Idgglb32.exe 1312 Idicbbpi.exe 1312 Idicbbpi.exe 1684 Ihdpbq32.exe 1684 Ihdpbq32.exe 1700 Imahkg32.exe 1700 Imahkg32.exe 2248 Jaoqqflp.exe 2248 Jaoqqflp.exe 2128 Jpbalb32.exe 2128 Jpbalb32.exe 1036 Jikeeh32.exe 1036 Jikeeh32.exe 1648 Jbcjnnpl.exe 1648 Jbcjnnpl.exe 3052 Jbefcm32.exe 3052 Jbefcm32.exe 980 Jgabdlfb.exe 980 Jgabdlfb.exe 2272 Jolghndm.exe 2272 Jolghndm.exe 2848 Jbhcim32.exe 2848 Jbhcim32.exe 2636 Jialfgcc.exe 2636 Jialfgcc.exe 2868 Jbjpom32.exe 2868 Jbjpom32.exe 2684 Koaqcn32.exe 2684 Koaqcn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jhibakgh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ibcnojnp.exe Iikifegp.exe File opened for modification C:\Windows\SysWOW64\Cinafkkd.exe Cagienkb.exe File created C:\Windows\SysWOW64\Dcllbhdn.exe Dmbcen32.exe File opened for modification C:\Windows\SysWOW64\Noohlkpc.exe Nhepoaif.exe File created C:\Windows\SysWOW64\Inepgn32.exe Ijidfpci.exe File created C:\Windows\SysWOW64\Pjfdnp32.dll Imhqbkbm.exe File created C:\Windows\SysWOW64\Gfdeopaj.dll Lmalgq32.exe File created C:\Windows\SysWOW64\Dlmfbm32.dll Bgahkngh.exe File created C:\Windows\SysWOW64\Lgingm32.exe Ldjbkb32.exe File created C:\Windows\SysWOW64\Gocbagqd.dll Efedga32.exe File created C:\Windows\SysWOW64\Jkogobem.dll Nhepoaif.exe File opened for modification C:\Windows\SysWOW64\Oplgeoea.exe Omnkicen.exe File created C:\Windows\SysWOW64\Donojm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nncbdomg.exe Njhfcp32.exe File opened for modification C:\Windows\SysWOW64\Pljlbf32.exe Pdbdqh32.exe File created C:\Windows\SysWOW64\Eneegl32.dll Piliii32.exe File opened for modification C:\Windows\SysWOW64\Mneaacno.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hghillnd.exe Hejmpqop.exe File created C:\Windows\SysWOW64\Oqbejojq.dll Anbmbi32.exe File created C:\Windows\SysWOW64\Moiihmhq.dll Process not Found File created C:\Windows\SysWOW64\Lkkapd32.dll Jbhcim32.exe File created C:\Windows\SysWOW64\Ihlnih32.dll Blfapfpg.exe File opened for modification C:\Windows\SysWOW64\Cchdpbog.exe Cdedde32.exe File opened for modification C:\Windows\SysWOW64\Khielcfh.exe Kaompi32.exe File opened for modification C:\Windows\SysWOW64\Dphfbiem.exe Dlljaj32.exe File created C:\Windows\SysWOW64\Jbpgka32.dll Fkhibino.exe File opened for modification C:\Windows\SysWOW64\Klmqapci.exe Kechdf32.exe File created C:\Windows\SysWOW64\Faonom32.exe Fihfnp32.exe File created C:\Windows\SysWOW64\Gagolf32.dll Plhaeofp.exe File created C:\Windows\SysWOW64\Jgkdigfa.exe Jelhmlgm.exe File created C:\Windows\SysWOW64\Lkpidd32.dll Oemgplgo.exe File opened for modification C:\Windows\SysWOW64\Pdbdqh32.exe Padhdm32.exe File opened for modification C:\Windows\SysWOW64\Bmpkqklh.exe Bjbndpmd.exe File opened for modification C:\Windows\SysWOW64\Edlafebn.exe Eldiehbk.exe File created C:\Windows\SysWOW64\Gglbfg32.exe Gdnfjl32.exe File created C:\Windows\SysWOW64\Ajhaomoi.dll Lkjjma32.exe File created C:\Windows\SysWOW64\Ajokhp32.dll Ehnfpifm.exe File created C:\Windows\SysWOW64\Nhldnm32.dll Abdbflnf.exe File created C:\Windows\SysWOW64\Ebappk32.exe Process not Found File created C:\Windows\SysWOW64\Dkolai32.dll Fplllkdc.exe File opened for modification C:\Windows\SysWOW64\Jhjbqo32.exe Jelfdc32.exe File created C:\Windows\SysWOW64\Pkkkap32.dll Mjqmig32.exe File opened for modification C:\Windows\SysWOW64\Cnfqccna.exe Ckhdggom.exe File created C:\Windows\SysWOW64\Cgnnab32.exe Cogfqe32.exe File created C:\Windows\SysWOW64\Pdnfmn32.dll Kdnkdmec.exe File created C:\Windows\SysWOW64\Mojbaham.exe Mgcjpkak.exe File created C:\Windows\SysWOW64\Aaklmhak.exe Abhlak32.exe File created C:\Windows\SysWOW64\Ejdfqogm.exe Egfjdchi.exe File created C:\Windows\SysWOW64\Bfeeehni.dll Jbefcm32.exe File opened for modification C:\Windows\SysWOW64\Bfioia32.exe Boogmgkl.exe File created C:\Windows\SysWOW64\Oijoclhk.dll Mopbgn32.exe File created C:\Windows\SysWOW64\Dblknlpo.dll Hjlemlnk.exe File opened for modification C:\Windows\SysWOW64\Phgannal.exe Process not Found File created C:\Windows\SysWOW64\Gncldi32.exe Gkbcbn32.exe File opened for modification C:\Windows\SysWOW64\Bjmeiq32.exe Bgoime32.exe File created C:\Windows\SysWOW64\Kigeamik.dll Kijkje32.exe File created C:\Windows\SysWOW64\Epjecp32.dll Process not Found File created C:\Windows\SysWOW64\Nlemad32.dll Mqnifg32.exe File opened for modification C:\Windows\SysWOW64\Fckhhgcf.exe Foolgh32.exe File created C:\Windows\SysWOW64\Pdlkggmp.dll Laleof32.exe File opened for modification C:\Windows\SysWOW64\Alihaioe.exe Qjklenpa.exe File created C:\Windows\SysWOW64\Kalhln32.dll Pnchhllf.exe File created C:\Windows\SysWOW64\Bccoeo32.exe Bpebidam.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9752 3304 Process not Found 1250 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdefnjkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lboiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaecod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modlbmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiqibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqklqhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcnahoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpbpgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anljck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnjqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlahm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbgjgomc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmohco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebpkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdgkjopd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhddh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafnopi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlafebn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adleoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjppfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmnbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmbcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcfjnhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfbfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkahgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhoklnkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacajg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noohlkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edcqjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emifeqid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcciqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbphgpfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdgdji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaghki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekjjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgppnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmmlgik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdgpfnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdpbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aedlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijfch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpfkeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebialmjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agpeaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgknkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdendpbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkeah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplgeoea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plgolf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijpdfhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onqkclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknngo32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkdfakf.dll" Eopphehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jenbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekamgf32.dll" Mclgklel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fiqibj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkndhabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opaqpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhjjgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehiknbl.dll" Agihgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncmglp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djicmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocefpnom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfeaomqq.dll" Gamnhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peeoidik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddaglffo.dll" Dgknkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dijfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogckopd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njhilimb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aanibhoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpcmnaip.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckeqga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icfbkded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcginj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Modlbmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmofdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokhldhb.dll" Bnlphh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiepfnbn.dll" Kfnnlboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fapeic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgkdigfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gaojnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elgfkhpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jibnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcohahpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmenhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbpefc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcllbhdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjakccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbemboof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elgfkhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekliqn32.dll" Glpepj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glbaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oepjoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhjppcf.dll" Jgkdigfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cepipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmfkmah.dll" Homdhjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfenf32.dll" Mfjkdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqapifjb.dll" Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakpkfka.dll" Hcdgmimg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2516 wrote to memory of 1604 2516 ab9bb6c82e13e6a5d887bddffe7fe736a3850ed135e35c7b023dc57fcac3010f.exe 30 PID 2516 wrote to memory of 1604 2516 ab9bb6c82e13e6a5d887bddffe7fe736a3850ed135e35c7b023dc57fcac3010f.exe 30 PID 2516 wrote to memory of 1604 2516 ab9bb6c82e13e6a5d887bddffe7fe736a3850ed135e35c7b023dc57fcac3010f.exe 30 PID 2516 wrote to memory of 1604 2516 ab9bb6c82e13e6a5d887bddffe7fe736a3850ed135e35c7b023dc57fcac3010f.exe 30 PID 1604 wrote to memory of 2084 1604 Gcgnnlle.exe 31 PID 1604 wrote to memory of 2084 1604 Gcgnnlle.exe 31 PID 1604 wrote to memory of 2084 1604 Gcgnnlle.exe 31 PID 1604 wrote to memory of 2084 1604 Gcgnnlle.exe 31 PID 2084 wrote to memory of 2320 2084 Gfejjgli.exe 32 PID 2084 wrote to memory of 2320 2084 Gfejjgli.exe 32 PID 2084 wrote to memory of 2320 2084 Gfejjgli.exe 32 PID 2084 wrote to memory of 2320 2084 Gfejjgli.exe 32 PID 2320 wrote to memory of 2756 2320 Gmpcgace.exe 33 PID 2320 wrote to memory of 2756 2320 Gmpcgace.exe 33 PID 2320 wrote to memory of 2756 2320 Gmpcgace.exe 33 PID 2320 wrote to memory of 2756 2320 Gmpcgace.exe 33 PID 2756 wrote to memory of 2768 2756 Gkbcbn32.exe 34 PID 2756 wrote to memory of 2768 2756 Gkbcbn32.exe 34 PID 2756 wrote to memory of 2768 2756 Gkbcbn32.exe 34 PID 2756 wrote to memory of 2768 2756 Gkbcbn32.exe 34 PID 2768 wrote to memory of 3064 2768 Gncldi32.exe 35 PID 2768 wrote to memory of 3064 2768 Gncldi32.exe 35 PID 2768 wrote to memory of 3064 2768 Gncldi32.exe 35 PID 2768 wrote to memory of 3064 2768 Gncldi32.exe 35 PID 3064 wrote to memory of 2780 3064 Gbadjg32.exe 36 PID 3064 wrote to memory of 2780 3064 Gbadjg32.exe 36 PID 3064 wrote to memory of 2780 3064 Gbadjg32.exe 36 PID 3064 wrote to memory of 2780 3064 Gbadjg32.exe 36 PID 2780 wrote to memory of 2660 2780 Gepafc32.exe 37 PID 2780 wrote to memory of 2660 2780 Gepafc32.exe 37 PID 2780 wrote to memory of 2660 2780 Gepafc32.exe 37 PID 2780 wrote to memory of 2660 2780 Gepafc32.exe 37 PID 2660 wrote to memory of 2428 2660 Hebnlb32.exe 38 PID 2660 wrote to memory of 2428 2660 Hebnlb32.exe 38 PID 2660 wrote to memory of 2428 2660 Hebnlb32.exe 38 PID 2660 wrote to memory of 2428 2660 Hebnlb32.exe 38 PID 2428 wrote to memory of 2920 2428 Hnjbeh32.exe 39 PID 2428 wrote to memory of 2920 2428 Hnjbeh32.exe 39 PID 2428 wrote to memory of 2920 2428 Hnjbeh32.exe 39 PID 2428 wrote to memory of 2920 2428 Hnjbeh32.exe 39 PID 2920 wrote to memory of 2576 2920 Hfegij32.exe 40 PID 2920 wrote to memory of 2576 2920 Hfegij32.exe 40 PID 2920 wrote to memory of 2576 2920 Hfegij32.exe 40 PID 2920 wrote to memory of 2576 2920 Hfegij32.exe 40 PID 2576 wrote to memory of 1936 2576 Hidcef32.exe 41 PID 2576 wrote to memory of 1936 2576 Hidcef32.exe 41 PID 2576 wrote to memory of 1936 2576 Hidcef32.exe 41 PID 2576 wrote to memory of 1936 2576 Hidcef32.exe 41 PID 1936 wrote to memory of 1928 1936 Hmalldcn.exe 42 PID 1936 wrote to memory of 1928 1936 Hmalldcn.exe 42 PID 1936 wrote to memory of 1928 1936 Hmalldcn.exe 42 PID 1936 wrote to memory of 1928 1936 Hmalldcn.exe 42 PID 1928 wrote to memory of 3024 1928 Hboddk32.exe 43 PID 1928 wrote to memory of 3024 1928 Hboddk32.exe 43 PID 1928 wrote to memory of 3024 1928 Hboddk32.exe 43 PID 1928 wrote to memory of 3024 1928 Hboddk32.exe 43 PID 3024 wrote to memory of 2480 3024 Iikifegp.exe 44 PID 3024 wrote to memory of 2480 3024 Iikifegp.exe 44 PID 3024 wrote to memory of 2480 3024 Iikifegp.exe 44 PID 3024 wrote to memory of 2480 3024 Iikifegp.exe 44 PID 2480 wrote to memory of 1836 2480 Ibcnojnp.exe 45 PID 2480 wrote to memory of 1836 2480 Ibcnojnp.exe 45 PID 2480 wrote to memory of 1836 2480 Ibcnojnp.exe 45 PID 2480 wrote to memory of 1836 2480 Ibcnojnp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab9bb6c82e13e6a5d887bddffe7fe736a3850ed135e35c7b023dc57fcac3010f.exe"C:\Users\Admin\AppData\Local\Temp\ab9bb6c82e13e6a5d887bddffe7fe736a3850ed135e35c7b023dc57fcac3010f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1836 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:980 -
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe34⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe35⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe36⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe37⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe38⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe39⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe40⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe41⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe42⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe43⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe44⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe45⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe46⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe47⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe49⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe50⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe51⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe52⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:788 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe55⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe56⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe57⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe58⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe59⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe60⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe61⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe63⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:292 -
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe65⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe66⤵
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe67⤵PID:612
-
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe68⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe69⤵PID:2612
-
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe70⤵PID:2212
-
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe71⤵PID:2916
-
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe72⤵PID:1292
-
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe73⤵PID:2952
-
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe74⤵PID:1112
-
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe75⤵PID:2648
-
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe76⤵PID:1720
-
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe77⤵PID:844
-
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe78⤵PID:832
-
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe79⤵
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe80⤵PID:2064
-
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe81⤵PID:2704
-
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe82⤵PID:2260
-
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe83⤵PID:2424
-
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe84⤵PID:2856
-
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe85⤵PID:2656
-
C:\Windows\SysWOW64\Nnoiio32.exeC:\Windows\system32\Nnoiio32.exe86⤵PID:2672
-
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:340 -
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe88⤵PID:2668
-
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe89⤵PID:856
-
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe90⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe91⤵PID:860
-
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe92⤵
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe93⤵
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe94⤵PID:2196
-
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe95⤵PID:2168
-
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe96⤵PID:1004
-
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe97⤵PID:496
-
C:\Windows\SysWOW64\Nfoghakb.exeC:\Windows\system32\Nfoghakb.exe98⤵PID:2336
-
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe99⤵PID:2688
-
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe100⤵
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe101⤵PID:2972
-
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe102⤵PID:3036
-
C:\Windows\SysWOW64\Oaghki32.exeC:\Windows\system32\Oaghki32.exe103⤵
- System Location Discovery: System Language Discovery
PID:1860 -
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe104⤵PID:1468
-
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe105⤵PID:484
-
C:\Windows\SysWOW64\Omnipjni.exeC:\Windows\system32\Omnipjni.exe106⤵PID:2896
-
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe107⤵PID:2292
-
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe108⤵PID:2816
-
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe109⤵PID:2808
-
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe110⤵PID:1688
-
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe112⤵PID:2988
-
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe113⤵PID:1636
-
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe114⤵
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe115⤵PID:2852
-
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe117⤵PID:2364
-
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe118⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe119⤵
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\Pbagipfi.exeC:\Windows\system32\Pbagipfi.exe120⤵PID:2116
-
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe121⤵
- Drops file in System32 directory
PID:280 -
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe122⤵
- Drops file in System32 directory
PID:3040
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-