Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
39s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25/12/2024, 15:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623N.exe
-
Size
72KB
-
MD5
556dadbce99246b12214b5dfeee5ae40
-
SHA1
3f8986983574ebb1aab08d9696ea9331035bb769
-
SHA256
c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623
-
SHA512
2b56633ac8bcf4f89ff6692aaa4ae4a34b73b628f0b2a19bb68b1c6c22118958365196cc447ead9f98da82429b0aa73c52285b2c7fbe369a009a321cb5820434
-
SSDEEP
1536:/U+tgyYCzbYjXgZTWpymjQ2hVS9xS4lDKg/aJdm9NEmRVK31FIzLH7Un8:SyYCzbcXWWUGQGwDlEdMG0H7U8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnoogbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbeiiqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmpcgace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dilapopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iaegpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhbkpgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcnbhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnbejb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfoeil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejopecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdpjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knfndjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ageompfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnpagdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olmcchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpbdmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hejmpqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhcafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mejlalji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfnneb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbgmigeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkigoimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nplimbka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mokilo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfglep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abpjjeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eclbcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonocmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbaaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnecigcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opglafab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fckhhgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkhibino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omhhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfahomfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfjnpgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmeiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmedlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbfhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpkqonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjpkqonj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjqpdje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmnjkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmpkqklh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3040 Hmjlhfof.exe 2580 Hllmcc32.exe 2728 Hphidanj.exe 2908 Heealhla.exe 2624 Hnmeen32.exe 2644 Hibjbgbh.exe 2628 Hlafnbal.exe 3052 Hanogipc.exe 1700 Hdlkcdog.exe 2064 Hmeolj32.exe 2156 Helgmg32.exe 1772 Hjipenda.exe 1908 Hmglajcd.exe 1612 Ifoqjo32.exe 2116 Iinmfk32.exe 1872 Iphecepe.exe 840 Idcacc32.exe 1036 Ifampo32.exe 348 Iipiljgf.exe 1328 Ipjahd32.exe 2464 Ibhndp32.exe 108 Iibfajdc.exe 2256 Imnbbi32.exe 2392 Iplnnd32.exe 2084 Ibkkjp32.exe 1752 Ieigfk32.exe 2204 Ipokcdjn.exe 2764 Iigpli32.exe 2752 Jlelhe32.exe 2912 Jodhdp32.exe 2792 Jenpajfb.exe 2688 Jofejpmc.exe 1676 Jaeafklf.exe 1804 Jkmeoa32.exe 1708 Joiappkp.exe 1868 Jnkakl32.exe 604 Jdejhfig.exe 2932 Jgdfdbhk.exe 2676 Jaijak32.exe 1324 Jkbojpna.exe 1940 Jnpkflne.exe 1420 Kjglkm32.exe 1332 Klehgh32.exe 2828 Kgkleabc.exe 1284 Kfnmpn32.exe 2816 Kpcqnf32.exe 2080 Kcamjb32.exe 2004 Kbdmeoob.exe 2404 Kjleflod.exe 2020 Khoebi32.exe 2368 Kljabgnh.exe 2776 Kcdjoaee.exe 2504 Kbgjkn32.exe 2664 Khabghdl.exe 2668 Kllnhg32.exe 704 Kkoncdcp.exe 1220 Kokjdb32.exe 1540 Kbigpn32.exe 1944 Kdhcli32.exe 2684 Khcomhbi.exe 1748 Lkakicam.exe 2840 Lomgjb32.exe 1516 Lblcfnhj.exe 2304 Ldjpbign.exe -
Loads dropped DLL 64 IoCs
pid Process 2696 c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623N.exe 2696 c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623N.exe 3040 Hmjlhfof.exe 3040 Hmjlhfof.exe 2580 Hllmcc32.exe 2580 Hllmcc32.exe 2728 Hphidanj.exe 2728 Hphidanj.exe 2908 Heealhla.exe 2908 Heealhla.exe 2624 Hnmeen32.exe 2624 Hnmeen32.exe 2644 Hibjbgbh.exe 2644 Hibjbgbh.exe 2628 Hlafnbal.exe 2628 Hlafnbal.exe 3052 Hanogipc.exe 3052 Hanogipc.exe 1700 Hdlkcdog.exe 1700 Hdlkcdog.exe 2064 Hmeolj32.exe 2064 Hmeolj32.exe 2156 Helgmg32.exe 2156 Helgmg32.exe 1772 Hjipenda.exe 1772 Hjipenda.exe 1908 Hmglajcd.exe 1908 Hmglajcd.exe 1612 Ifoqjo32.exe 1612 Ifoqjo32.exe 2116 Iinmfk32.exe 2116 Iinmfk32.exe 1872 Iphecepe.exe 1872 Iphecepe.exe 840 Idcacc32.exe 840 Idcacc32.exe 1036 Ifampo32.exe 1036 Ifampo32.exe 348 Iipiljgf.exe 348 Iipiljgf.exe 1328 Ipjahd32.exe 1328 Ipjahd32.exe 2464 Ibhndp32.exe 2464 Ibhndp32.exe 108 Iibfajdc.exe 108 Iibfajdc.exe 2256 Imnbbi32.exe 2256 Imnbbi32.exe 2392 Iplnnd32.exe 2392 Iplnnd32.exe 2084 Ibkkjp32.exe 2084 Ibkkjp32.exe 1752 Ieigfk32.exe 1752 Ieigfk32.exe 2204 Ipokcdjn.exe 2204 Ipokcdjn.exe 2764 Iigpli32.exe 2764 Iigpli32.exe 2752 Jlelhe32.exe 2752 Jlelhe32.exe 2912 Jodhdp32.exe 2912 Jodhdp32.exe 2792 Jenpajfb.exe 2792 Jenpajfb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bcmfmlen.exe Bejfao32.exe File created C:\Windows\SysWOW64\Agjobffl.exe Ahgofi32.exe File created C:\Windows\SysWOW64\Jjmeignj.dll Bhjlli32.exe File created C:\Windows\SysWOW64\Gnfkba32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dmjqpdje.exe Dogpdg32.exe File created C:\Windows\SysWOW64\Jlkngc32.exe Jmhnkfpa.exe File created C:\Windows\SysWOW64\Njfjnpgp.exe Nhgnaehm.exe File opened for modification C:\Windows\SysWOW64\Jfdhmk32.exe Jhahanie.exe File created C:\Windows\SysWOW64\Mmfejo32.dll Lanbdf32.exe File created C:\Windows\SysWOW64\Opobfpee.dll Bnfddp32.exe File created C:\Windows\SysWOW64\Nkkmgncb.exe Mimpkcdn.exe File created C:\Windows\SysWOW64\Ohqngjgk.dll Ofnpnkgf.exe File created C:\Windows\SysWOW64\Agpcihcf.exe Qdaglmcb.exe File created C:\Windows\SysWOW64\Nlhhkjkc.dll Acfdnihk.exe File created C:\Windows\SysWOW64\Ifkmqd32.dll Process not Found File created C:\Windows\SysWOW64\Hfqbqqjl.dll Hllmcc32.exe File opened for modification C:\Windows\SysWOW64\Dbiocd32.exe Dpjbgh32.exe File created C:\Windows\SysWOW64\Lgfeei32.dll Jlphbbbg.exe File created C:\Windows\SysWOW64\Beodlmdk.dll Edaalk32.exe File created C:\Windows\SysWOW64\Pdjiflem.dll Process not Found File created C:\Windows\SysWOW64\Ndjcbk32.dll Lbnpkmfg.exe File created C:\Windows\SysWOW64\Dhiomn32.exe Dejbqb32.exe File created C:\Windows\SysWOW64\Hboddk32.exe Hpphhp32.exe File created C:\Windows\SysWOW64\Lnebcjoe.dll Picojhcm.exe File opened for modification C:\Windows\SysWOW64\Bmnnkl32.exe Bjpaop32.exe File opened for modification C:\Windows\SysWOW64\Aahfdihn.exe Anljck32.exe File created C:\Windows\SysWOW64\Cmhlga32.dll Jgdfdbhk.exe File created C:\Windows\SysWOW64\Oqfopomn.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ahebaiac.exe Afffenbp.exe File created C:\Windows\SysWOW64\Ipbkjl32.dll Process not Found File created C:\Windows\SysWOW64\Fgokeion.dll Imokehhl.exe File created C:\Windows\SysWOW64\Lmajfk32.dll Cenljmgq.exe File created C:\Windows\SysWOW64\Einjdb32.exe Ekkjheja.exe File created C:\Windows\SysWOW64\Nqjaeeog.exe Nmofdf32.exe File created C:\Windows\SysWOW64\Ehpcehcj.exe Process not Found File created C:\Windows\SysWOW64\Lqqpgj32.exe Lbnpkmfg.exe File created C:\Windows\SysWOW64\Gkglnm32.exe Ggkqmoma.exe File opened for modification C:\Windows\SysWOW64\Hibjbgbh.exe Hnmeen32.exe File opened for modification C:\Windows\SysWOW64\Adcdbl32.exe Abegfa32.exe File created C:\Windows\SysWOW64\Ohiffh32.exe Oiffkkbk.exe File opened for modification C:\Windows\SysWOW64\Nagbgl32.exe Nmlgfnal.exe File created C:\Windows\SysWOW64\Cpkmcldj.exe Clpabm32.exe File created C:\Windows\SysWOW64\Gfhnop32.dll Dhmhhmlm.exe File created C:\Windows\SysWOW64\Gqahqd32.exe Gncldi32.exe File created C:\Windows\SysWOW64\Nokhie32.dll Njgpij32.exe File created C:\Windows\SysWOW64\Maojpk32.dll Lcomce32.exe File created C:\Windows\SysWOW64\Kgbioq32.dll Mbcoio32.exe File opened for modification C:\Windows\SysWOW64\Aficjnpm.exe Abmgjo32.exe File created C:\Windows\SysWOW64\Pccohd32.dll Process not Found File created C:\Windows\SysWOW64\Ajnpecbj.exe Agpcihcf.exe File opened for modification C:\Windows\SysWOW64\Eejopecj.exe Eclbcj32.exe File opened for modification C:\Windows\SysWOW64\Kkjnnn32.exe Kgnbnpkp.exe File created C:\Windows\SysWOW64\Kojgdjqe.dll Eodicd32.exe File created C:\Windows\SysWOW64\Blohcn32.dll Fkkfgi32.exe File opened for modification C:\Windows\SysWOW64\Ibhndp32.exe Ipjahd32.exe File opened for modification C:\Windows\SysWOW64\Npolmh32.exe Nallalep.exe File created C:\Windows\SysWOW64\Ngdjmc32.dll Kdbbgdjj.exe File created C:\Windows\SysWOW64\Mjcjog32.exe Mfgnnhkc.exe File created C:\Windows\SysWOW64\Ddaglffo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ebckmaec.exe Process not Found File created C:\Windows\SysWOW64\Fkaamgeg.dll Process not Found File created C:\Windows\SysWOW64\Ldmikj32.dll Najpll32.exe File created C:\Windows\SysWOW64\Dljdnm32.dll Kaompi32.exe File opened for modification C:\Windows\SysWOW64\Ikfbbjdj.exe Hcojam32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11772 11780 Process not Found 1285 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addfkeid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnoogbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbnpkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanbdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najpll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogibnha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dipjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edaalk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkalhgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknimnap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdkkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcachc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmeiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjonncab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbiocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbniid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeckfndj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncpef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkielpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbcidmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdompf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhknaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpglecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbaaik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkibhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnhhjjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdfdbhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbdea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oopijc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecafd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cillkbac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiqmlfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhonjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mndmoaog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeaepd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqlfaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhljkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnihdemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elfcbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inlkik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqklqhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hanogipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deenjpcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgngbmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomnhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhoklnkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpbmkan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidqce32.dll" Lkakicam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgcpc32.dll" Bcbfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijclol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njfjnpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdncmgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hibjbgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipjahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljnnko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jeafjiop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohipla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhkagoh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klehgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apldjp32.dll" Gnaooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffgkhmc.dll" Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjeeidhg.dll" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfmhdpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfmcc32.dll" Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmongda.dll" Ihpfgalh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agjobffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfbfhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deenjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fodebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdecea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkakicam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll" Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibkmchbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiepea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhcafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcckcbgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fibcoalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekkhdgo.dll" Nqjaeeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfdih32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njgpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codebccd.dll" Qaapcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npneccok.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npolmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcenjk32.dll" Jbefcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnekdd.dll" Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbpgj32.dll" c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdonf32.dll" Kgnbnpkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedaglad.dll" Hdlkcdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpmcjc32.dll" Dhkkbmnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnbejb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mopbgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfknedh.dll" Hokhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hphidanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedohngn.dll" Kllnhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qododfek.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2696 wrote to memory of 3040 2696 c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623N.exe 30 PID 2696 wrote to memory of 3040 2696 c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623N.exe 30 PID 2696 wrote to memory of 3040 2696 c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623N.exe 30 PID 2696 wrote to memory of 3040 2696 c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623N.exe 30 PID 3040 wrote to memory of 2580 3040 Hmjlhfof.exe 31 PID 3040 wrote to memory of 2580 3040 Hmjlhfof.exe 31 PID 3040 wrote to memory of 2580 3040 Hmjlhfof.exe 31 PID 3040 wrote to memory of 2580 3040 Hmjlhfof.exe 31 PID 2580 wrote to memory of 2728 2580 Hllmcc32.exe 32 PID 2580 wrote to memory of 2728 2580 Hllmcc32.exe 32 PID 2580 wrote to memory of 2728 2580 Hllmcc32.exe 32 PID 2580 wrote to memory of 2728 2580 Hllmcc32.exe 32 PID 2728 wrote to memory of 2908 2728 Hphidanj.exe 33 PID 2728 wrote to memory of 2908 2728 Hphidanj.exe 33 PID 2728 wrote to memory of 2908 2728 Hphidanj.exe 33 PID 2728 wrote to memory of 2908 2728 Hphidanj.exe 33 PID 2908 wrote to memory of 2624 2908 Heealhla.exe 34 PID 2908 wrote to memory of 2624 2908 Heealhla.exe 34 PID 2908 wrote to memory of 2624 2908 Heealhla.exe 34 PID 2908 wrote to memory of 2624 2908 Heealhla.exe 34 PID 2624 wrote to memory of 2644 2624 Hnmeen32.exe 35 PID 2624 wrote to memory of 2644 2624 Hnmeen32.exe 35 PID 2624 wrote to memory of 2644 2624 Hnmeen32.exe 35 PID 2624 wrote to memory of 2644 2624 Hnmeen32.exe 35 PID 2644 wrote to memory of 2628 2644 Hibjbgbh.exe 36 PID 2644 wrote to memory of 2628 2644 Hibjbgbh.exe 36 PID 2644 wrote to memory of 2628 2644 Hibjbgbh.exe 36 PID 2644 wrote to memory of 2628 2644 Hibjbgbh.exe 36 PID 2628 wrote to memory of 3052 2628 Hlafnbal.exe 37 PID 2628 wrote to memory of 3052 2628 Hlafnbal.exe 37 PID 2628 wrote to memory of 3052 2628 Hlafnbal.exe 37 PID 2628 wrote to memory of 3052 2628 Hlafnbal.exe 37 PID 3052 wrote to memory of 1700 3052 Hanogipc.exe 38 PID 3052 wrote to memory of 1700 3052 Hanogipc.exe 38 PID 3052 wrote to memory of 1700 3052 Hanogipc.exe 38 PID 3052 wrote to memory of 1700 3052 Hanogipc.exe 38 PID 1700 wrote to memory of 2064 1700 Hdlkcdog.exe 39 PID 1700 wrote to memory of 2064 1700 Hdlkcdog.exe 39 PID 1700 wrote to memory of 2064 1700 Hdlkcdog.exe 39 PID 1700 wrote to memory of 2064 1700 Hdlkcdog.exe 39 PID 2064 wrote to memory of 2156 2064 Hmeolj32.exe 40 PID 2064 wrote to memory of 2156 2064 Hmeolj32.exe 40 PID 2064 wrote to memory of 2156 2064 Hmeolj32.exe 40 PID 2064 wrote to memory of 2156 2064 Hmeolj32.exe 40 PID 2156 wrote to memory of 1772 2156 Helgmg32.exe 41 PID 2156 wrote to memory of 1772 2156 Helgmg32.exe 41 PID 2156 wrote to memory of 1772 2156 Helgmg32.exe 41 PID 2156 wrote to memory of 1772 2156 Helgmg32.exe 41 PID 1772 wrote to memory of 1908 1772 Hjipenda.exe 42 PID 1772 wrote to memory of 1908 1772 Hjipenda.exe 42 PID 1772 wrote to memory of 1908 1772 Hjipenda.exe 42 PID 1772 wrote to memory of 1908 1772 Hjipenda.exe 42 PID 1908 wrote to memory of 1612 1908 Hmglajcd.exe 43 PID 1908 wrote to memory of 1612 1908 Hmglajcd.exe 43 PID 1908 wrote to memory of 1612 1908 Hmglajcd.exe 43 PID 1908 wrote to memory of 1612 1908 Hmglajcd.exe 43 PID 1612 wrote to memory of 2116 1612 Ifoqjo32.exe 44 PID 1612 wrote to memory of 2116 1612 Ifoqjo32.exe 44 PID 1612 wrote to memory of 2116 1612 Ifoqjo32.exe 44 PID 1612 wrote to memory of 2116 1612 Ifoqjo32.exe 44 PID 2116 wrote to memory of 1872 2116 Iinmfk32.exe 45 PID 2116 wrote to memory of 1872 2116 Iinmfk32.exe 45 PID 2116 wrote to memory of 1872 2116 Iinmfk32.exe 45 PID 2116 wrote to memory of 1872 2116 Iinmfk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623N.exe"C:\Users\Admin\AppData\Local\Temp\c0202687115fd8d85aa0b02f5f05238fc2219830538248483b677855b1808623N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:348 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe33⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe34⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe35⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe36⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe37⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe38⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe40⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe41⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe42⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe43⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe45⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe46⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe47⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe48⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe49⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe50⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe51⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe52⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe53⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe54⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe55⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe57⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe58⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe59⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe60⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe61⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe63⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe64⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe65⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe66⤵PID:2284
-
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe67⤵PID:2180
-
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe68⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe69⤵PID:1500
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe70⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe71⤵PID:2976
-
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe72⤵PID:2616
-
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe73⤵PID:2648
-
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe74⤵PID:2072
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe75⤵PID:1724
-
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe76⤵PID:1876
-
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe77⤵PID:1060
-
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe78⤵PID:1920
-
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe79⤵PID:2952
-
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe80⤵PID:868
-
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe81⤵PID:2996
-
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe82⤵PID:324
-
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe83⤵
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe84⤵PID:1728
-
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe85⤵PID:620
-
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe86⤵PID:2900
-
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe88⤵PID:2924
-
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe89⤵PID:2852
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe90⤵PID:684
-
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:388 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2052 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe93⤵PID:1488
-
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe94⤵PID:2320
-
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe95⤵PID:1720
-
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe96⤵PID:1232
-
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe97⤵PID:2532
-
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe98⤵PID:2452
-
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe99⤵
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe100⤵PID:2652
-
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe101⤵PID:2200
-
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe102⤵PID:1648
-
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe103⤵PID:2588
-
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe104⤵PID:2876
-
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe105⤵PID:2584
-
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe106⤵PID:2272
-
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe107⤵PID:1928
-
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe108⤵PID:2448
-
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe109⤵
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe110⤵PID:1496
-
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe111⤵PID:2780
-
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe112⤵PID:2740
-
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe113⤵PID:944
-
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe114⤵PID:1528
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe116⤵PID:2960
-
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe117⤵PID:3000
-
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe118⤵
- System Location Discovery: System Language Discovery
PID:352 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe119⤵PID:1744
-
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe120⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe121⤵
- Modifies registry class
PID:2620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-