Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
07/12/2024, 11:19
Behavioral task
behavioral1
Sample
233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6cN.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6cN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6cN.exe
-
Size
285KB
-
MD5
81f6438155b551bb713508a4dd096d80
-
SHA1
e0b0ba404cab1cd0ff2f8c24a890c1291b5c65fc
-
SHA256
233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6c
-
SHA512
ba1a77165dc717ff1e9f46bcfcf8a48bdfda22a4db60ad7ef8e2fd8d2837a6aad4ebc1e7c4f53721774538344bbae27ed7ae375a75549cbe7508894fa2118aa6
-
SSDEEP
3072:Z8Tj+FzIGkPUDaeLKVcbMloVRr3uMg0kAqSxYiJ2QM4GKcb:Z8TCFzI4LKQIoi7tWu
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohphgce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gabofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dljngoea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnnndl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gekkpqnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhcgkbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbmii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhleaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplmflde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oomlfpdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknfeege.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gnicoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjdnne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjmoeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olimlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oddbqhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gabofn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekbhnkhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahcjmkbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geilah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iohbjpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdndggcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbjkop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mecbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fheoiqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nphbfplf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkddd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnhmdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efmoib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlglb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpkchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddbolkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Baqhapdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmdofebo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnhncclq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmaeoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfjfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enbapf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdplfflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dabfjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijepc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchokq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhqhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohpnag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiljcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmjfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhfoleio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpjilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhckloge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpaqmnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aankkqfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neekogkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdnloph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iphhgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkefoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Doijcjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnicoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lggbmbfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anhbdpje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gekhgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nickoldp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acejlfhl.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2696 Cdngip32.exe 2676 Clilmbhd.exe 2840 Ccgnelll.exe 2608 Ddkgbc32.exe 2084 Doqkpl32.exe 2948 Dkjhjm32.exe 1308 Dgqion32.exe 2136 Efffpjmk.exe 2868 Efjpkj32.exe 2360 Eikimeff.exe 1688 Enhaeldn.exe 352 Fjaoplho.exe 2228 Fheoiqgi.exe 2124 Ffmipmjn.exe 2180 Gjjafkpe.exe 1108 Gmkjgfmf.exe 1552 Gbhcpmkm.exe 884 Goocenaa.exe 780 Geilah32.exe 2028 Gekhgh32.exe 2612 Hocmpm32.exe 2204 Hdpehd32.exe 1496 Hofjem32.exe 1008 Hdbbnd32.exe 3056 Hnkffi32.exe 1620 Hchoop32.exe 2768 Hplphd32.exe 2864 Hehhqk32.exe 2812 Hghdjn32.exe 2720 Ipqicdim.exe 2564 Ihlnhffh.exe 2972 Iohbjpkb.exe 1096 Idekbgji.exe 1956 Iojopp32.exe 2880 Ihbdhepp.exe 2896 Inplqlng.exe 2904 Jcleiclo.exe 2916 Jjijkmbi.exe 1044 Joebccpp.exe 1768 Jjkfqlpf.exe 2252 Jbfkeo32.exe 1884 Jkopndcb.exe 1716 Jfddkmch.exe 2448 Knohpo32.exe 1560 Keiqlihp.exe 1984 Kpoejbhe.exe 2984 Kapaaj32.exe 1072 Kkefoc32.exe 2068 Kenjgi32.exe 1080 Kjkbpp32.exe 2692 Kepgmh32.exe 2780 Kjmoeo32.exe 2668 Kaggbihl.exe 2724 Lhapocoi.exe 1896 Laidgi32.exe 2280 Ljbipolj.exe 2912 Lpoaheja.exe 2012 Lbmnea32.exe 2460 Lmbabj32.exe 2816 Lpanne32.exe 532 Lhlbbg32.exe 2184 Lbagpp32.exe 2508 Lhoohgdg.exe 768 Mohhea32.exe -
Loads dropped DLL 64 IoCs
pid Process 2644 233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6cN.exe 2644 233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6cN.exe 2696 Cdngip32.exe 2696 Cdngip32.exe 2676 Clilmbhd.exe 2676 Clilmbhd.exe 2840 Ccgnelll.exe 2840 Ccgnelll.exe 2608 Ddkgbc32.exe 2608 Ddkgbc32.exe 2084 Doqkpl32.exe 2084 Doqkpl32.exe 2948 Dkjhjm32.exe 2948 Dkjhjm32.exe 1308 Dgqion32.exe 1308 Dgqion32.exe 2136 Efffpjmk.exe 2136 Efffpjmk.exe 2868 Efjpkj32.exe 2868 Efjpkj32.exe 2360 Eikimeff.exe 2360 Eikimeff.exe 1688 Enhaeldn.exe 1688 Enhaeldn.exe 352 Fjaoplho.exe 352 Fjaoplho.exe 2228 Fheoiqgi.exe 2228 Fheoiqgi.exe 2124 Ffmipmjn.exe 2124 Ffmipmjn.exe 2180 Gjjafkpe.exe 2180 Gjjafkpe.exe 1108 Gmkjgfmf.exe 1108 Gmkjgfmf.exe 1552 Gbhcpmkm.exe 1552 Gbhcpmkm.exe 884 Goocenaa.exe 884 Goocenaa.exe 780 Geilah32.exe 780 Geilah32.exe 2028 Gekhgh32.exe 2028 Gekhgh32.exe 2612 Hocmpm32.exe 2612 Hocmpm32.exe 2204 Hdpehd32.exe 2204 Hdpehd32.exe 1496 Hofjem32.exe 1496 Hofjem32.exe 1008 Hdbbnd32.exe 1008 Hdbbnd32.exe 3056 Hnkffi32.exe 3056 Hnkffi32.exe 1620 Hchoop32.exe 1620 Hchoop32.exe 2768 Hplphd32.exe 2768 Hplphd32.exe 2864 Hehhqk32.exe 2864 Hehhqk32.exe 2812 Hghdjn32.exe 2812 Hghdjn32.exe 2720 Ipqicdim.exe 2720 Ipqicdim.exe 2564 Ihlnhffh.exe 2564 Ihlnhffh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Monann32.dll Kapaaj32.exe File created C:\Windows\SysWOW64\Befddlni.dll Caenkc32.exe File created C:\Windows\SysWOW64\Milaecdp.exe Laeidfdn.exe File created C:\Windows\SysWOW64\Fmdfppkb.exe Fclbgj32.exe File created C:\Windows\SysWOW64\Ngjhfg32.dll Milaecdp.exe File opened for modification C:\Windows\SysWOW64\Clilmbhd.exe Cdngip32.exe File created C:\Windows\SysWOW64\Fgpcof32.dll Jjijkmbi.exe File created C:\Windows\SysWOW64\Onapdmma.exe Okcchbnn.exe File created C:\Windows\SysWOW64\Acdlnnal.dll Beldao32.exe File created C:\Windows\SysWOW64\Icbkhnan.exe Inebpgbf.exe File created C:\Windows\SysWOW64\Ihdmld32.exe Icgdcm32.exe File created C:\Windows\SysWOW64\Lqgjkbop.exe Kccian32.exe File opened for modification C:\Windows\SysWOW64\Ddkgbc32.exe Ccgnelll.exe File created C:\Windows\SysWOW64\Qnpcpa32.exe Pmqffonj.exe File created C:\Windows\SysWOW64\Admgglep.exe Aankkqfl.exe File created C:\Windows\SysWOW64\Aankkqfl.exe Ajdcofop.exe File created C:\Windows\SysWOW64\Hmiljb32.exe Hdqhambg.exe File opened for modification C:\Windows\SysWOW64\Lgmekpmn.exe Lijepc32.exe File created C:\Windows\SysWOW64\Ccgnelll.exe Clilmbhd.exe File created C:\Windows\SysWOW64\Cadbgifg.dll Jkgbcofn.exe File created C:\Windows\SysWOW64\Lhklha32.exe Laackgka.exe File created C:\Windows\SysWOW64\Eoajgh32.exe Ehgaknbp.exe File created C:\Windows\SysWOW64\Hlecmkel.exe Gekkpqnp.exe File opened for modification C:\Windows\SysWOW64\Nhcgkbja.exe Neekogkm.exe File created C:\Windows\SysWOW64\Aackfj32.dll Hdpehd32.exe File created C:\Windows\SysWOW64\Doijcjde.exe Dljngoea.exe File created C:\Windows\SysWOW64\Hlhfmqge.exe Gdmbhnjj.exe File opened for modification C:\Windows\SysWOW64\Odfofhic.exe Oahbjmjp.exe File created C:\Windows\SysWOW64\Mklago32.dll Bhnffi32.exe File created C:\Windows\SysWOW64\Ckiiiine.exe Capdpcge.exe File opened for modification C:\Windows\SysWOW64\Kdfmlc32.exe Jknicnpf.exe File opened for modification C:\Windows\SysWOW64\Kfjfik32.exe Kjcedj32.exe File opened for modification C:\Windows\SysWOW64\Bebfpm32.exe Bnhncclq.exe File created C:\Windows\SysWOW64\Bdipfi32.exe Bmohjooe.exe File created C:\Windows\SysWOW64\Knohpo32.exe Jfddkmch.exe File created C:\Windows\SysWOW64\Djiiddfd.dll Apclnj32.exe File created C:\Windows\SysWOW64\Eobohl32.dll Aankkqfl.exe File opened for modification C:\Windows\SysWOW64\Ehgaknbp.exe Egeecf32.exe File created C:\Windows\SysWOW64\Moeodd32.dll Lgabgl32.exe File created C:\Windows\SysWOW64\Pfimoh32.dll Cikbjpqd.exe File created C:\Windows\SysWOW64\Jdeadmlb.dll Lqgjkbop.exe File created C:\Windows\SysWOW64\Gabmfl32.dll Dpcnbn32.exe File created C:\Windows\SysWOW64\Fagimi32.dll Facfpddd.exe File opened for modification C:\Windows\SysWOW64\Hhdqma32.exe Holldk32.exe File created C:\Windows\SysWOW64\Bemmenhb.exe Ambhpljg.exe File opened for modification C:\Windows\SysWOW64\Abgaeddg.exe Almihjlj.exe File created C:\Windows\SysWOW64\Bnddck32.dll Kkkhmadd.exe File opened for modification C:\Windows\SysWOW64\Onapdmma.exe Okcchbnn.exe File opened for modification C:\Windows\SysWOW64\Nhpabdqd.exe Npiiafpa.exe File created C:\Windows\SysWOW64\Laeidfdn.exe Lgmekpmn.exe File opened for modification C:\Windows\SysWOW64\Milaecdp.exe Laeidfdn.exe File created C:\Windows\SysWOW64\Qmpebb32.dll Kenjgi32.exe File opened for modification C:\Windows\SysWOW64\Oabplobe.exe Ohjkcile.exe File created C:\Windows\SysWOW64\Binikb32.exe Bhmmcjjd.exe File opened for modification C:\Windows\SysWOW64\Coldmfkf.exe Cipleo32.exe File opened for modification C:\Windows\SysWOW64\Jpqgkpcl.exe Jnbkodci.exe File created C:\Windows\SysWOW64\Ffngbf32.dll Nphbfplf.exe File opened for modification C:\Windows\SysWOW64\Hofjem32.exe Hdpehd32.exe File created C:\Windows\SysWOW64\Dhompmdf.dll Doijcjde.exe File created C:\Windows\SysWOW64\Lmdekl32.dll Gnicoh32.exe File created C:\Windows\SysWOW64\Gphlgk32.exe Gjkcod32.exe File created C:\Windows\SysWOW64\Leaohdkk.dll Gmkjgfmf.exe File created C:\Windows\SysWOW64\Moafnqhk.dll Hdbbnd32.exe File created C:\Windows\SysWOW64\Mdepmh32.exe Mohhea32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5908 5884 WerFault.exe 489 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcilnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnofng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlcbfnjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Docjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhaeldn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofjem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almihjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglmbfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6cN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhehfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qonlhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdipfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icgdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgbcofn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Binikb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inebpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjoohdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcleiclo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngfjicn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkebolm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemhjlha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caenkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egeecf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjafkpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oomjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipaklm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjlgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laidgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nahfkigd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlbaljhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlecmkel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhopgkin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjilde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aankkqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdfmoha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjcedj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcncbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmaad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odcimipf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capdpcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkfdfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbfnchfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpcnbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmmnkglp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkbpgeai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaikfkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbijcgbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkbpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnkiebib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobhdhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajgfboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efffpjmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkfkidmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pglacbbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebofcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilndfgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkffi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmqffonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdnlgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdplfflp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pcnhmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebofcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeoedmpg.dll" Ndoelpid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogpjmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Opccallb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakhbifq.dll" Cofaog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nejkdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcfjhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Opcejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nljhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nchipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkcbpni.dll" Qpaohjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Odcimipf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aglmbfdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjkcod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hofjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ihlnhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imlkdf32.dll" Laidgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhhominh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jhfjadim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pibgfjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dammoahg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmpbja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Laeidfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofdcm32.dll" Dfpfke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odffndaf.dll" Emjjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbfinf32.dll" Ipabfcdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjchkfnl.dll" Jgppmpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibcam32.dll" Mhikae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hchoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdepmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohjkcile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qonlhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppicjm32.dll" Manljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Doqkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiefbk32.dll" Oabplobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbopon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipaklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cokdhpcc.dll" Knddcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhoapqd.dll" Fmlglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Laackgka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jhniebne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mecbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkjhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nepokogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfggj32.dll" Cggcofkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oogiha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oddbqhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjdcghg.dll" Ollqllod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doijgpba.dll" Pqgilnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nacmpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onapdmma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdqhambg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nipefmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geiabo32.dll" Jjnlikic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jddqgdii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmabenf.dll" Ihcfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjkfqlpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhhabcc.dll" Lnnndl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oaciom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afakja32.dll" Qkelme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iigcobid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Miiofn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2644 wrote to memory of 2696 2644 233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6cN.exe 30 PID 2644 wrote to memory of 2696 2644 233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6cN.exe 30 PID 2644 wrote to memory of 2696 2644 233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6cN.exe 30 PID 2644 wrote to memory of 2696 2644 233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6cN.exe 30 PID 2696 wrote to memory of 2676 2696 Cdngip32.exe 31 PID 2696 wrote to memory of 2676 2696 Cdngip32.exe 31 PID 2696 wrote to memory of 2676 2696 Cdngip32.exe 31 PID 2696 wrote to memory of 2676 2696 Cdngip32.exe 31 PID 2676 wrote to memory of 2840 2676 Clilmbhd.exe 32 PID 2676 wrote to memory of 2840 2676 Clilmbhd.exe 32 PID 2676 wrote to memory of 2840 2676 Clilmbhd.exe 32 PID 2676 wrote to memory of 2840 2676 Clilmbhd.exe 32 PID 2840 wrote to memory of 2608 2840 Ccgnelll.exe 33 PID 2840 wrote to memory of 2608 2840 Ccgnelll.exe 33 PID 2840 wrote to memory of 2608 2840 Ccgnelll.exe 33 PID 2840 wrote to memory of 2608 2840 Ccgnelll.exe 33 PID 2608 wrote to memory of 2084 2608 Ddkgbc32.exe 34 PID 2608 wrote to memory of 2084 2608 Ddkgbc32.exe 34 PID 2608 wrote to memory of 2084 2608 Ddkgbc32.exe 34 PID 2608 wrote to memory of 2084 2608 Ddkgbc32.exe 34 PID 2084 wrote to memory of 2948 2084 Doqkpl32.exe 35 PID 2084 wrote to memory of 2948 2084 Doqkpl32.exe 35 PID 2084 wrote to memory of 2948 2084 Doqkpl32.exe 35 PID 2084 wrote to memory of 2948 2084 Doqkpl32.exe 35 PID 2948 wrote to memory of 1308 2948 Dkjhjm32.exe 36 PID 2948 wrote to memory of 1308 2948 Dkjhjm32.exe 36 PID 2948 wrote to memory of 1308 2948 Dkjhjm32.exe 36 PID 2948 wrote to memory of 1308 2948 Dkjhjm32.exe 36 PID 1308 wrote to memory of 2136 1308 Dgqion32.exe 37 PID 1308 wrote to memory of 2136 1308 Dgqion32.exe 37 PID 1308 wrote to memory of 2136 1308 Dgqion32.exe 37 PID 1308 wrote to memory of 2136 1308 Dgqion32.exe 37 PID 2136 wrote to memory of 2868 2136 Efffpjmk.exe 38 PID 2136 wrote to memory of 2868 2136 Efffpjmk.exe 38 PID 2136 wrote to memory of 2868 2136 Efffpjmk.exe 38 PID 2136 wrote to memory of 2868 2136 Efffpjmk.exe 38 PID 2868 wrote to memory of 2360 2868 Efjpkj32.exe 39 PID 2868 wrote to memory of 2360 2868 Efjpkj32.exe 39 PID 2868 wrote to memory of 2360 2868 Efjpkj32.exe 39 PID 2868 wrote to memory of 2360 2868 Efjpkj32.exe 39 PID 2360 wrote to memory of 1688 2360 Eikimeff.exe 40 PID 2360 wrote to memory of 1688 2360 Eikimeff.exe 40 PID 2360 wrote to memory of 1688 2360 Eikimeff.exe 40 PID 2360 wrote to memory of 1688 2360 Eikimeff.exe 40 PID 1688 wrote to memory of 352 1688 Enhaeldn.exe 41 PID 1688 wrote to memory of 352 1688 Enhaeldn.exe 41 PID 1688 wrote to memory of 352 1688 Enhaeldn.exe 41 PID 1688 wrote to memory of 352 1688 Enhaeldn.exe 41 PID 352 wrote to memory of 2228 352 Fjaoplho.exe 42 PID 352 wrote to memory of 2228 352 Fjaoplho.exe 42 PID 352 wrote to memory of 2228 352 Fjaoplho.exe 42 PID 352 wrote to memory of 2228 352 Fjaoplho.exe 42 PID 2228 wrote to memory of 2124 2228 Fheoiqgi.exe 43 PID 2228 wrote to memory of 2124 2228 Fheoiqgi.exe 43 PID 2228 wrote to memory of 2124 2228 Fheoiqgi.exe 43 PID 2228 wrote to memory of 2124 2228 Fheoiqgi.exe 43 PID 2124 wrote to memory of 2180 2124 Ffmipmjn.exe 44 PID 2124 wrote to memory of 2180 2124 Ffmipmjn.exe 44 PID 2124 wrote to memory of 2180 2124 Ffmipmjn.exe 44 PID 2124 wrote to memory of 2180 2124 Ffmipmjn.exe 44 PID 2180 wrote to memory of 1108 2180 Gjjafkpe.exe 45 PID 2180 wrote to memory of 1108 2180 Gjjafkpe.exe 45 PID 2180 wrote to memory of 1108 2180 Gjjafkpe.exe 45 PID 2180 wrote to memory of 1108 2180 Gjjafkpe.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6cN.exe"C:\Users\Admin\AppData\Local\Temp\233a51a1f75c40096e75158d01cd77dee4ff008e95d72aca8e41f26de941bd6cN.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Cdngip32.exeC:\Windows\system32\Cdngip32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Clilmbhd.exeC:\Windows\system32\Clilmbhd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Ccgnelll.exeC:\Windows\system32\Ccgnelll.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Ddkgbc32.exeC:\Windows\system32\Ddkgbc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Doqkpl32.exeC:\Windows\system32\Doqkpl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Dkjhjm32.exeC:\Windows\system32\Dkjhjm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Efffpjmk.exeC:\Windows\system32\Efffpjmk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Efjpkj32.exeC:\Windows\system32\Efjpkj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Eikimeff.exeC:\Windows\system32\Eikimeff.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Enhaeldn.exeC:\Windows\system32\Enhaeldn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\Fheoiqgi.exeC:\Windows\system32\Fheoiqgi.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Gbhcpmkm.exeC:\Windows\system32\Gbhcpmkm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Goocenaa.exeC:\Windows\system32\Goocenaa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Hocmpm32.exeC:\Windows\system32\Hocmpm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Hofjem32.exeC:\Windows\system32\Hofjem32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Hdbbnd32.exeC:\Windows\system32\Hdbbnd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1008 -
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Hchoop32.exeC:\Windows\system32\Hchoop32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Hplphd32.exeC:\Windows\system32\Hplphd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Hehhqk32.exeC:\Windows\system32\Hehhqk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Hghdjn32.exeC:\Windows\system32\Hghdjn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Ipqicdim.exeC:\Windows\system32\Ipqicdim.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Ihlnhffh.exeC:\Windows\system32\Ihlnhffh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Iohbjpkb.exeC:\Windows\system32\Iohbjpkb.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe34⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Iojopp32.exeC:\Windows\system32\Iojopp32.exe35⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe36⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Inplqlng.exeC:\Windows\system32\Inplqlng.exe37⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Jjijkmbi.exeC:\Windows\system32\Jjijkmbi.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Joebccpp.exeC:\Windows\system32\Joebccpp.exe40⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Jjkfqlpf.exeC:\Windows\system32\Jjkfqlpf.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Jbfkeo32.exeC:\Windows\system32\Jbfkeo32.exe42⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Jkopndcb.exeC:\Windows\system32\Jkopndcb.exe43⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Jfddkmch.exeC:\Windows\system32\Jfddkmch.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Knohpo32.exeC:\Windows\system32\Knohpo32.exe45⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Keiqlihp.exeC:\Windows\system32\Keiqlihp.exe46⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Kpoejbhe.exeC:\Windows\system32\Kpoejbhe.exe47⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Kapaaj32.exeC:\Windows\system32\Kapaaj32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Kkefoc32.exeC:\Windows\system32\Kkefoc32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Kenjgi32.exeC:\Windows\system32\Kenjgi32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Kjkbpp32.exeC:\Windows\system32\Kjkbpp32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\Kepgmh32.exeC:\Windows\system32\Kepgmh32.exe52⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Kjmoeo32.exeC:\Windows\system32\Kjmoeo32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Kaggbihl.exeC:\Windows\system32\Kaggbihl.exe54⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe55⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Laidgi32.exeC:\Windows\system32\Laidgi32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Ljbipolj.exeC:\Windows\system32\Ljbipolj.exe57⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Lpoaheja.exeC:\Windows\system32\Lpoaheja.exe58⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Lbmnea32.exeC:\Windows\system32\Lbmnea32.exe59⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Lmbabj32.exeC:\Windows\system32\Lmbabj32.exe60⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe61⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Lhlbbg32.exeC:\Windows\system32\Lhlbbg32.exe62⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Lbagpp32.exeC:\Windows\system32\Lbagpp32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Lhoohgdg.exeC:\Windows\system32\Lhoohgdg.exe64⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Mohhea32.exeC:\Windows\system32\Mohhea32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Mdepmh32.exeC:\Windows\system32\Mdepmh32.exe66⤵
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Mkohjbah.exeC:\Windows\system32\Mkohjbah.exe67⤵PID:1604
-
C:\Windows\SysWOW64\Meemgk32.exeC:\Windows\system32\Meemgk32.exe68⤵PID:1464
-
C:\Windows\SysWOW64\Mgfiocfl.exeC:\Windows\system32\Mgfiocfl.exe69⤵PID:3064
-
C:\Windows\SysWOW64\Mmpakm32.exeC:\Windows\system32\Mmpakm32.exe70⤵PID:1916
-
C:\Windows\SysWOW64\Mheeif32.exeC:\Windows\system32\Mheeif32.exe71⤵PID:2160
-
C:\Windows\SysWOW64\Mmbnam32.exeC:\Windows\system32\Mmbnam32.exe72⤵PID:2836
-
C:\Windows\SysWOW64\Mpqjmh32.exeC:\Windows\system32\Mpqjmh32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Miiofn32.exeC:\Windows\system32\Miiofn32.exe74⤵
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Mpcgbhig.exeC:\Windows\system32\Mpcgbhig.exe75⤵PID:276
-
C:\Windows\SysWOW64\Mcacochk.exeC:\Windows\system32\Mcacochk.exe76⤵PID:2400
-
C:\Windows\SysWOW64\Nepokogo.exeC:\Windows\system32\Nepokogo.exe77⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Nljhhi32.exeC:\Windows\system32\Nljhhi32.exe78⤵
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Neblqoel.exeC:\Windows\system32\Neblqoel.exe79⤵PID:2208
-
C:\Windows\SysWOW64\Nhqhmj32.exeC:\Windows\system32\Nhqhmj32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Nphpng32.exeC:\Windows\system32\Nphpng32.exe81⤵PID:1156
-
C:\Windows\SysWOW64\Naimepkp.exeC:\Windows\system32\Naimepkp.exe82⤵PID:2192
-
C:\Windows\SysWOW64\Nipefmkb.exeC:\Windows\system32\Nipefmkb.exe83⤵
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Nchipb32.exeC:\Windows\system32\Nchipb32.exe84⤵
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Negeln32.exeC:\Windows\system32\Negeln32.exe85⤵PID:1972
-
C:\Windows\SysWOW64\Nkdndeon.exeC:\Windows\system32\Nkdndeon.exe86⤵PID:2652
-
C:\Windows\SysWOW64\Neibanod.exeC:\Windows\system32\Neibanod.exe87⤵PID:1728
-
C:\Windows\SysWOW64\Nhhominh.exeC:\Windows\system32\Nhhominh.exe88⤵
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Nkfkidmk.exeC:\Windows\system32\Nkfkidmk.exe89⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Opccallb.exeC:\Windows\system32\Opccallb.exe90⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Ohjkcile.exeC:\Windows\system32\Ohjkcile.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Oabplobe.exeC:\Windows\system32\Oabplobe.exe92⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Odqlhjbi.exeC:\Windows\system32\Odqlhjbi.exe93⤵PID:2496
-
C:\Windows\SysWOW64\Okkddd32.exeC:\Windows\system32\Okkddd32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Ollqllod.exeC:\Windows\system32\Ollqllod.exe95⤵
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Odcimipf.exeC:\Windows\system32\Odcimipf.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Onkmfofg.exeC:\Windows\system32\Onkmfofg.exe97⤵PID:1748
-
C:\Windows\SysWOW64\Oomjng32.exeC:\Windows\system32\Oomjng32.exe98⤵
- System Location Discovery: System Language Discovery
PID:924 -
C:\Windows\SysWOW64\Ofgbkacb.exeC:\Windows\system32\Ofgbkacb.exe99⤵PID:1824
-
C:\Windows\SysWOW64\Ooofcg32.exeC:\Windows\system32\Ooofcg32.exe100⤵PID:2636
-
C:\Windows\SysWOW64\Obnbpb32.exeC:\Windows\system32\Obnbpb32.exe101⤵PID:1500
-
C:\Windows\SysWOW64\Pmcgmkil.exeC:\Windows\system32\Pmcgmkil.exe102⤵PID:1520
-
C:\Windows\SysWOW64\Pbpoebgc.exeC:\Windows\system32\Pbpoebgc.exe103⤵PID:2704
-
C:\Windows\SysWOW64\Pijgbl32.exeC:\Windows\system32\Pijgbl32.exe104⤵PID:1632
-
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe105⤵PID:444
-
C:\Windows\SysWOW64\Peqhgmdd.exeC:\Windows\system32\Peqhgmdd.exe106⤵PID:3068
-
C:\Windows\SysWOW64\Pkjqcg32.exeC:\Windows\system32\Pkjqcg32.exe107⤵PID:2352
-
C:\Windows\SysWOW64\Pqgilnji.exeC:\Windows\system32\Pqgilnji.exe108⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Pioamlkk.exeC:\Windows\system32\Pioamlkk.exe109⤵PID:548
-
C:\Windows\SysWOW64\Pnkiebib.exeC:\Windows\system32\Pnkiebib.exe110⤵
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Windows\SysWOW64\Pajeanhf.exeC:\Windows\system32\Pajeanhf.exe111⤵PID:684
-
C:\Windows\SysWOW64\Pchbmigj.exeC:\Windows\system32\Pchbmigj.exe112⤵PID:1304
-
C:\Windows\SysWOW64\Pjbjjc32.exeC:\Windows\system32\Pjbjjc32.exe113⤵PID:1968
-
C:\Windows\SysWOW64\Pmqffonj.exeC:\Windows\system32\Pmqffonj.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Qnpcpa32.exeC:\Windows\system32\Qnpcpa32.exe115⤵PID:1588
-
C:\Windows\SysWOW64\Qpaohjkk.exeC:\Windows\system32\Qpaohjkk.exe116⤵
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Qjgcecja.exeC:\Windows\system32\Qjgcecja.exe117⤵PID:2844
-
C:\Windows\SysWOW64\Apclnj32.exeC:\Windows\system32\Apclnj32.exe118⤵
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Afndjdpe.exeC:\Windows\system32\Afndjdpe.exe119⤵PID:2348
-
C:\Windows\SysWOW64\Amglgn32.exeC:\Windows\system32\Amglgn32.exe120⤵PID:2532
-
C:\Windows\SysWOW64\Abdeoe32.exeC:\Windows\system32\Abdeoe32.exe121⤵PID:2808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-