Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22/12/2024, 13:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe
-
Size
249KB
-
MD5
c25b2be93f83885769f87649b158b310
-
SHA1
57b41928018fdb2f3a2877b2752e28712d921468
-
SHA256
f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4
-
SHA512
c408cdfb51039217da79621127492a1891a8c87bd3801be8c21f39dd23065e76302e765bb8620c1b1b18a135e30c053450103a80c38a2209f10632a4311f79a8
-
SSDEEP
3072:mokPfrruMhomejUEdmjRrz3TIUV4BKxAcL5CY2VePI8C3U/XYMJ2okZk:+29gEdGTBki5CYtI8TAokZ
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njpgpbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmalldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Loefnpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbmeifk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmbqhif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfidjbdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhcmhdke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcoio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgoji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mikhgqbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnolfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hibjbgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqajihle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inafbooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Inafbooe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahebaiac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcghof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobfgdcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oippjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aababceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdecha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmgkgeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkmqdpce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkoncdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqahqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igijkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iihfgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjdfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omqlpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcifpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leammn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgebdipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noacef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhafhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljnnko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpalp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmdgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbhfke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agljom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckolek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jabdql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imoilo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnfomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ciohqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihiphln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meffhnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gqnbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gifclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iefcfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgldnkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbcmpfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nefbga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplfdj32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2780 Egiiapci.exe 3048 Ebcjamoh.exe 2936 Eogjka32.exe 2736 Ehoocgeb.exe 2796 Ehakigbo.exe 2152 Fidhof32.exe 2244 Fcmiod32.exe 2016 Fqajihle.exe 2036 Ffnbaojm.exe 2316 Fbgpkpnn.exe 1468 Gfehan32.exe 1200 Gfgegnbb.exe 776 Gbnflo32.exe 2208 Gnefapmj.exe 1284 Gligjd32.exe 1116 Gmjcblbb.exe 1336 Hnjplo32.exe 1768 Hjqqap32.exe 1660 Hdiejfej.exe 836 Hjcmgp32.exe 2068 Hmaick32.exe 2608 Hoebpc32.exe 1988 Hflkaq32.exe 2588 Iogoec32.exe 1992 Ieagbm32.exe 2820 Ioilkblq.exe 2888 Iahhgnkd.exe 2972 Imoilo32.exe 2776 Iefamlak.exe 2912 Inafbooe.exe 2752 Ihfjognl.exe 844 Igijkd32.exe 2216 Iihfgp32.exe 2980 Jkgcab32.exe 2360 Jnfomn32.exe 2964 Jeadap32.exe 1956 Jnhlbn32.exe 2576 Joihjfnl.exe 564 Jjomgo32.exe 2200 Jlmicj32.exe 2232 Jcgapdeb.exe 2248 Jkbfdfbm.exe 1584 Jblnaq32.exe 1536 Jlbboiip.exe 1352 Kopokehd.exe 1944 Kbokgpgg.exe 2132 Kdmgclfk.exe 2624 Kglcogeo.exe 872 Kbaglpee.exe 1572 Kdpcikdi.exe 584 Kgnpeg32.exe 2568 Knhhaaki.exe 1960 Kdbpnk32.exe 2128 Kceqjhiq.exe 1120 Kjoifb32.exe 2580 Kgbipf32.exe 2744 Kfeikcfa.exe 2020 Kmobhmnn.exe 2572 Kcijeg32.exe 1256 Kgefefnd.exe 2000 Lifbmn32.exe 436 Lqmjnk32.exe 1204 Lbogfcjc.exe 3068 Lihobnap.exe -
Loads dropped DLL 64 IoCs
pid Process 1996 f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe 1996 f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe 2780 Egiiapci.exe 2780 Egiiapci.exe 3048 Ebcjamoh.exe 3048 Ebcjamoh.exe 2936 Eogjka32.exe 2936 Eogjka32.exe 2736 Ehoocgeb.exe 2736 Ehoocgeb.exe 2796 Ehakigbo.exe 2796 Ehakigbo.exe 2152 Fidhof32.exe 2152 Fidhof32.exe 2244 Fcmiod32.exe 2244 Fcmiod32.exe 2016 Fqajihle.exe 2016 Fqajihle.exe 2036 Ffnbaojm.exe 2036 Ffnbaojm.exe 2316 Fbgpkpnn.exe 2316 Fbgpkpnn.exe 1468 Gfehan32.exe 1468 Gfehan32.exe 1200 Gfgegnbb.exe 1200 Gfgegnbb.exe 776 Gbnflo32.exe 776 Gbnflo32.exe 2208 Gnefapmj.exe 2208 Gnefapmj.exe 1284 Gligjd32.exe 1284 Gligjd32.exe 1116 Gmjcblbb.exe 1116 Gmjcblbb.exe 1336 Hnjplo32.exe 1336 Hnjplo32.exe 1768 Hjqqap32.exe 1768 Hjqqap32.exe 1660 Hdiejfej.exe 1660 Hdiejfej.exe 836 Hjcmgp32.exe 836 Hjcmgp32.exe 2068 Hmaick32.exe 2068 Hmaick32.exe 2608 Hoebpc32.exe 2608 Hoebpc32.exe 1988 Hflkaq32.exe 1988 Hflkaq32.exe 2588 Iogoec32.exe 2588 Iogoec32.exe 1992 Ieagbm32.exe 1992 Ieagbm32.exe 2820 Ioilkblq.exe 2820 Ioilkblq.exe 2888 Iahhgnkd.exe 2888 Iahhgnkd.exe 2972 Imoilo32.exe 2972 Imoilo32.exe 2776 Iefamlak.exe 2776 Iefamlak.exe 2912 Inafbooe.exe 2912 Inafbooe.exe 2752 Ihfjognl.exe 2752 Ihfjognl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ieeeljdp.dll Agljom32.exe File opened for modification C:\Windows\SysWOW64\Cakqgeoi.exe Ckahkk32.exe File created C:\Windows\SysWOW64\Ehkhaqpk.exe Eelkeeah.exe File opened for modification C:\Windows\SysWOW64\Lhiakf32.exe Lboiol32.exe File opened for modification C:\Windows\SysWOW64\Opqoge32.exe Ohiffh32.exe File created C:\Windows\SysWOW64\Iampmmne.dll Gfgegnbb.exe File created C:\Windows\SysWOW64\Ghddel32.dll Jjomgo32.exe File opened for modification C:\Windows\SysWOW64\Dmhdkdlg.exe Dhkkbmnp.exe File opened for modification C:\Windows\SysWOW64\Dphmloih.exe Dogpdg32.exe File opened for modification C:\Windows\SysWOW64\Nipdkieg.exe Mcckcbgp.exe File created C:\Windows\SysWOW64\Hcohnaep.dll Pilfpqaa.exe File created C:\Windows\SysWOW64\Eiapeffl.dll Oadkej32.exe File opened for modification C:\Windows\SysWOW64\Achjibcl.exe Ahbekjcf.exe File created C:\Windows\SysWOW64\Oemegc32.exe Opplolac.exe File opened for modification C:\Windows\SysWOW64\Cpnaca32.exe Cakqgeoi.exe File opened for modification C:\Windows\SysWOW64\Hfbaql32.exe Hebdfind.exe File created C:\Windows\SysWOW64\Pldebkhj.exe Pdmnam32.exe File opened for modification C:\Windows\SysWOW64\Jlnklcej.exe Jedcpi32.exe File opened for modification C:\Windows\SysWOW64\Lcncpfaf.exe Lobgoh32.exe File created C:\Windows\SysWOW64\Pakllc32.exe Pjcckf32.exe File created C:\Windows\SysWOW64\Peedka32.exe Pcghof32.exe File created C:\Windows\SysWOW64\Ldmffpom.dll Amaelomh.exe File opened for modification C:\Windows\SysWOW64\Fbgpkpnn.exe Ffnbaojm.exe File created C:\Windows\SysWOW64\Cgieebbp.dll Ngneph32.exe File created C:\Windows\SysWOW64\Figicd32.dll Phbgcnig.exe File created C:\Windows\SysWOW64\Lneaqn32.exe Lkfddc32.exe File created C:\Windows\SysWOW64\Ipbgkbdb.dll Mjnjjbbh.exe File created C:\Windows\SysWOW64\Mkaohl32.dll Gdhkfd32.exe File created C:\Windows\SysWOW64\Dfefmpeo.dll Bqijljfd.exe File opened for modification C:\Windows\SysWOW64\Ogcnkgoh.exe Odebolpe.exe File created C:\Windows\SysWOW64\Fbfnjhdd.dll Bepjha32.exe File created C:\Windows\SysWOW64\Omnipjni.exe Ojomdoof.exe File opened for modification C:\Windows\SysWOW64\Cadjgf32.exe Clgbno32.exe File created C:\Windows\SysWOW64\Ahebaiac.exe Achjibcl.exe File opened for modification C:\Windows\SysWOW64\Lpedeg32.exe Lmfhil32.exe File opened for modification C:\Windows\SysWOW64\Mfglep32.exe Mpmcielb.exe File opened for modification C:\Windows\SysWOW64\Gepafc32.exe Gneijien.exe File created C:\Windows\SysWOW64\Nmhmlbkk.exe Ngneph32.exe File opened for modification C:\Windows\SysWOW64\Gnpflj32.exe Ggfnopfg.exe File opened for modification C:\Windows\SysWOW64\Aflfjc32.exe Aobnniji.exe File opened for modification C:\Windows\SysWOW64\Fncpef32.exe Fcnkhmdp.exe File created C:\Windows\SysWOW64\Hnjplo32.exe Gmjcblbb.exe File created C:\Windows\SysWOW64\Akcldl32.exe Aidphq32.exe File opened for modification C:\Windows\SysWOW64\Bmibgd32.exe Ajjfkh32.exe File created C:\Windows\SysWOW64\Neghkn32.dll Jefpeh32.exe File created C:\Windows\SysWOW64\Ifhckf32.dll Mkqqnq32.exe File opened for modification C:\Windows\SysWOW64\Pkoicb32.exe Pdeqfhjd.exe File opened for modification C:\Windows\SysWOW64\Lhelbh32.exe Lblcfnhj.exe File created C:\Windows\SysWOW64\Fklkbele.dll Clbnhmjo.exe File created C:\Windows\SysWOW64\Lkpidd32.dll Oemgplgo.exe File created C:\Windows\SysWOW64\Adhffc32.dll Kfeikcfa.exe File created C:\Windows\SysWOW64\Gcmoda32.exe Gqnbhf32.exe File created C:\Windows\SysWOW64\Jkbojpna.exe Jgfcja32.exe File created C:\Windows\SysWOW64\Nmqpam32.exe Nfghdcfj.exe File created C:\Windows\SysWOW64\Dldkmlhl.exe Difnaqih.exe File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe Cepipm32.exe File opened for modification C:\Windows\SysWOW64\Djdgic32.exe Cfhkhd32.exe File created C:\Windows\SysWOW64\Gmjcblbb.exe Gligjd32.exe File created C:\Windows\SysWOW64\Ohidmoaa.exe Oekhacbn.exe File opened for modification C:\Windows\SysWOW64\Jhafhe32.exe Jdejhfig.exe File created C:\Windows\SysWOW64\Edaimkbc.dll Lifbmn32.exe File opened for modification C:\Windows\SysWOW64\Ogqaehak.exe Npgihn32.exe File opened for modification C:\Windows\SysWOW64\Ekfndmfb.exe Ehgbhbgn.exe File created C:\Windows\SysWOW64\Cfcijf32.exe Clmdmm32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Delgfamk.¾ll Dpapaj32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npijoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goplilpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekiphge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehakigbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcpac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpiij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pecgea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlgmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgkgeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifampo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieigfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lngnfnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciddedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcnkhmdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenkqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfejjgli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifbmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmopkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqejbiim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najpll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgpnmom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomgjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobnniji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meffhnal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmhnjlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofkha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhiholof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdldnomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcjeon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maefamlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmejllia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgeaoinb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjmim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggcaiqhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnefapmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdiejfej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigimdjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmeen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmeolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbdko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjklenpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlbgikia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cadjgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjomgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibjbgbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmbqhif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpemm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobfgdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjlli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbndpmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opplolac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cedpbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgmeid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcifpnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbcmpfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labehg32.dll" Mimemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnmlcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qqbecp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lqhfhigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddjiql.dll" Agbpnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amaelomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lifbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbpiog32.dll" Hdoghdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlfji32.dll" Jepmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll" Ahpifj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kdbpnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifdjeoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fgdnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpmbfbgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lhnkffeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgbgkabo.dll" Hhcmhdke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hneeilgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjgop32.dll" Lgpiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebfbbc32.dll" Aababceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bidlgdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbdgqimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcnfobob.dll" Lklgbadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcinhie.dll" Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgkdo32.dll" Jabdql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llkcqmgj.dll" Nbpeoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lklgbadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll" Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gnefapmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akcldl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijklknbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiekpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjjpjgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idgglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oemgplgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cdecha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcjenki.dll" Iplnnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkcoogp.dll" Nigafnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Depbfhpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nagbgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpfdhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfgegnbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clgbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdecha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgnjde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bflbigdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll" Bkjdndjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajjfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnnefda.dll" Khlili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqnfackh.dll" Njpgpbpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcchb32.dll" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lomlhpoi.dll" Lgoboc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjpfaqc.dll" Behilopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjeeidhg.dll" Objaha32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1996 wrote to memory of 2780 1996 f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe 30 PID 1996 wrote to memory of 2780 1996 f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe 30 PID 1996 wrote to memory of 2780 1996 f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe 30 PID 1996 wrote to memory of 2780 1996 f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe 30 PID 2780 wrote to memory of 3048 2780 Egiiapci.exe 31 PID 2780 wrote to memory of 3048 2780 Egiiapci.exe 31 PID 2780 wrote to memory of 3048 2780 Egiiapci.exe 31 PID 2780 wrote to memory of 3048 2780 Egiiapci.exe 31 PID 3048 wrote to memory of 2936 3048 Ebcjamoh.exe 32 PID 3048 wrote to memory of 2936 3048 Ebcjamoh.exe 32 PID 3048 wrote to memory of 2936 3048 Ebcjamoh.exe 32 PID 3048 wrote to memory of 2936 3048 Ebcjamoh.exe 32 PID 2936 wrote to memory of 2736 2936 Eogjka32.exe 33 PID 2936 wrote to memory of 2736 2936 Eogjka32.exe 33 PID 2936 wrote to memory of 2736 2936 Eogjka32.exe 33 PID 2936 wrote to memory of 2736 2936 Eogjka32.exe 33 PID 2736 wrote to memory of 2796 2736 Ehoocgeb.exe 34 PID 2736 wrote to memory of 2796 2736 Ehoocgeb.exe 34 PID 2736 wrote to memory of 2796 2736 Ehoocgeb.exe 34 PID 2736 wrote to memory of 2796 2736 Ehoocgeb.exe 34 PID 2796 wrote to memory of 2152 2796 Ehakigbo.exe 35 PID 2796 wrote to memory of 2152 2796 Ehakigbo.exe 35 PID 2796 wrote to memory of 2152 2796 Ehakigbo.exe 35 PID 2796 wrote to memory of 2152 2796 Ehakigbo.exe 35 PID 2152 wrote to memory of 2244 2152 Fidhof32.exe 36 PID 2152 wrote to memory of 2244 2152 Fidhof32.exe 36 PID 2152 wrote to memory of 2244 2152 Fidhof32.exe 36 PID 2152 wrote to memory of 2244 2152 Fidhof32.exe 36 PID 2244 wrote to memory of 2016 2244 Fcmiod32.exe 37 PID 2244 wrote to memory of 2016 2244 Fcmiod32.exe 37 PID 2244 wrote to memory of 2016 2244 Fcmiod32.exe 37 PID 2244 wrote to memory of 2016 2244 Fcmiod32.exe 37 PID 2016 wrote to memory of 2036 2016 Fqajihle.exe 38 PID 2016 wrote to memory of 2036 2016 Fqajihle.exe 38 PID 2016 wrote to memory of 2036 2016 Fqajihle.exe 38 PID 2016 wrote to memory of 2036 2016 Fqajihle.exe 38 PID 2036 wrote to memory of 2316 2036 Ffnbaojm.exe 39 PID 2036 wrote to memory of 2316 2036 Ffnbaojm.exe 39 PID 2036 wrote to memory of 2316 2036 Ffnbaojm.exe 39 PID 2036 wrote to memory of 2316 2036 Ffnbaojm.exe 39 PID 2316 wrote to memory of 1468 2316 Fbgpkpnn.exe 40 PID 2316 wrote to memory of 1468 2316 Fbgpkpnn.exe 40 PID 2316 wrote to memory of 1468 2316 Fbgpkpnn.exe 40 PID 2316 wrote to memory of 1468 2316 Fbgpkpnn.exe 40 PID 1468 wrote to memory of 1200 1468 Gfehan32.exe 41 PID 1468 wrote to memory of 1200 1468 Gfehan32.exe 41 PID 1468 wrote to memory of 1200 1468 Gfehan32.exe 41 PID 1468 wrote to memory of 1200 1468 Gfehan32.exe 41 PID 1200 wrote to memory of 776 1200 Gfgegnbb.exe 42 PID 1200 wrote to memory of 776 1200 Gfgegnbb.exe 42 PID 1200 wrote to memory of 776 1200 Gfgegnbb.exe 42 PID 1200 wrote to memory of 776 1200 Gfgegnbb.exe 42 PID 776 wrote to memory of 2208 776 Gbnflo32.exe 43 PID 776 wrote to memory of 2208 776 Gbnflo32.exe 43 PID 776 wrote to memory of 2208 776 Gbnflo32.exe 43 PID 776 wrote to memory of 2208 776 Gbnflo32.exe 43 PID 2208 wrote to memory of 1284 2208 Gnefapmj.exe 44 PID 2208 wrote to memory of 1284 2208 Gnefapmj.exe 44 PID 2208 wrote to memory of 1284 2208 Gnefapmj.exe 44 PID 2208 wrote to memory of 1284 2208 Gnefapmj.exe 44 PID 1284 wrote to memory of 1116 1284 Gligjd32.exe 45 PID 1284 wrote to memory of 1116 1284 Gligjd32.exe 45 PID 1284 wrote to memory of 1116 1284 Gligjd32.exe 45 PID 1284 wrote to memory of 1116 1284 Gligjd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe"C:\Users\Admin\AppData\Local\Temp\f26ff568ebe5174a70a652ed0c9debbe03f221d3a7e4b07b0501e4955822acb4N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Eogjka32.exeC:\Windows\system32\Eogjka32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Fcmiod32.exeC:\Windows\system32\Fcmiod32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Fbgpkpnn.exeC:\Windows\system32\Fbgpkpnn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1116 -
C:\Windows\SysWOW64\Hnjplo32.exeC:\Windows\system32\Hnjplo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1336 -
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Hmaick32.exeC:\Windows\system32\Hmaick32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Iogoec32.exeC:\Windows\system32\Iogoec32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Iahhgnkd.exeC:\Windows\system32\Iahhgnkd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe35⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe37⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe38⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe39⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Jjomgo32.exeC:\Windows\system32\Jjomgo32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe41⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe42⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe43⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe44⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe45⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe46⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe47⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Kdmgclfk.exeC:\Windows\system32\Kdmgclfk.exe48⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe49⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe50⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe51⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe52⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe53⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe55⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe56⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe57⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe59⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe60⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe61⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe63⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe64⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe65⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe66⤵PID:2236
-
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe67⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe68⤵PID:864
-
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe69⤵
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe70⤵PID:1548
-
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe71⤵
- System Location Discovery: System Language Discovery
PID:1424 -
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe74⤵PID:2692
-
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe75⤵PID:768
-
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe76⤵PID:2948
-
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe77⤵PID:1440
-
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1260 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe80⤵PID:2632
-
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe81⤵PID:1108
-
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:904 -
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe84⤵PID:924
-
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1952 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe86⤵PID:1664
-
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe89⤵PID:2896
-
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe90⤵PID:2836
-
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe91⤵
- System Location Discovery: System Language Discovery
PID:1860 -
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe94⤵PID:1156
-
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2516 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe96⤵PID:1804
-
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe97⤵PID:2440
-
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe98⤵
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1832 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe100⤵PID:1948
-
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe101⤵PID:2900
-
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe102⤵
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe103⤵PID:2732
-
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe104⤵PID:888
-
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe105⤵PID:1796
-
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe106⤵
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe107⤵PID:2652
-
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe108⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe109⤵PID:2224
-
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe110⤵PID:396
-
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe111⤵PID:352
-
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe112⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe113⤵PID:1008
-
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe114⤵PID:1688
-
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe115⤵PID:3008
-
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe116⤵PID:2848
-
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe117⤵PID:2380
-
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe118⤵PID:2284
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe119⤵PID:1028
-
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe120⤵
- Drops file in System32 directory
PID:548 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe121⤵PID:1976
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-