Analysis
- max time kernel: 56s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 08/12/2024, 02:21
Behavioral task behavioral1
- Sample: ac3d4706446e106af71c4a04dd0362c24ed4212e812b790213e8c9a892559c60N.exe
- Resource: win7-20240729-en

Behavioral task behavioral2
- Sample: ac3d4706446e106af71c4a04dd0362c24ed4212e812b790213e8c9a892559c60N.exe
- Resource: win10v2004-20241007-en
General
- Target: ac3d4706446e106af71c4a04dd0362c24ed4212e812b790213e8c9a892559c60N.exe
- Size: 428KB
- MD5: 9a9bdd63f493daedc1270acd116478d0
- SHA1: 659395fae082cbf01ce23fa861a9b2ba9f8ebb4e
- SHA256: ac3d4706446e106af71c4a04dd0362c24ed4212e812b790213e8c9a892559c60
- SHA512: 9647f953f21e049c4d61af4028664c87f13e2b1ac8fc1224701bff0125e1927cb821f5e4591a2054f6c69887cd5c4505d2b4c00f0ffb8741603b03a9b9459df6
- SSDEEP: 6144:BgzbwbX5ZXZuKVp1fNrNF5ZXZ7SEJtKa4sFj5tPNki9HZd1sFj5tg:Bg85hjtFrNF5h0EJtws15tPWu5Ls15tg
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every IoC in this signature touches one key and one value: the Explorer ShellServiceObjectDelayLoad (SSODL) key and its "Web Event Logger" value, which names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}. The rows are grouped below by action, listing the process that performed it.

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (27 IoCs):
Agebam32.exe, Lflklaoc.exe, Pgdpgqgg.exe, Jilkbn32.exe, Cfmjoe32.exe, Hdloab32.exe, Eoalpaaa.exe, Ebmjihqn.exe, Phgfko32.exe, Mkelcenm.exe, Ccceeqfl.exe, Fkapkq32.exe, Cifdmbib.exe, Gqidme32.exe, Process not Found, Jkgelh32.exe, Aflkiapg.exe, Mifmoa32.exe, Fcjqpm32.exe, Qhgbibgg.exe, Gbkdgn32.exe, Fimclh32.exe, Ipoqofjh.exe, Ofpmegpe.exe, Pobgjhgh.exe, Nidhfgpl.exe, Qpocno32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (37 IoCs):
Danohi32.exe, Gllabp32.exe, Pahjgb32.exe, Pnbjca32.exe, Mnlilb32.exe, Lncjhd32.exe, Bocckoom.exe, Fkapkq32.exe, Pieobaiq.exe, Jijqeg32.exe, Mfkebkjk.exe, Clkfjman.exe, Oiljcj32.exe, Ahancp32.exe, Kkaaee32.exe, Eeiggk32.exe, Fjfllm32.exe, Bjgdfg32.exe, Ldlghhde.exe, Process not Found, Hbkpfa32.exe, Baajji32.exe, Fefpfi32.exe, Jnafop32.exe, Process not Found, Process not Found, Nomphm32.exe, Nlgfqldf.exe, Pbppqf32.exe, Cneiki32.exe, Paghojip.exe, Aahhoo32.exe, Nblaajbd.exe, Igioiacg.exe, Hbnqln32.exe, Ilceog32.exe, Oljanhmc.exe
-
Berbew family
-
Executes dropped EXE (64 IoCs)
pid Process:
2524 Hdhnal32.exe, 2944 Ifhgcgjq.exe, 3068 Ileoknhh.exe, 1636 Ieppjclf.exe, 2860 Ihnmfoli.exe, 2768 Ihcfan32.exe, 1104 Jcmgal32.exe, 2308 Jgkphj32.exe, 1416 Jpcdqpqj.exe, 3036 Jfbinf32.exe, 2628 Jllakpdk.exe, 2100 Kghoan32.exe, 1256 Khglkqfj.exe, 2240 Kqemeb32.exe, 1148 Kfbemi32.exe, 2356 Lmqgec32.exe, 1608 Lfkhch32.exe, 1816 Lijepc32.exe, 2504 Leqeed32.exe, 2672 Mnijnjbh.exe, 1020 Mlmjgnaa.exe, 992 Mhckloge.exe, 2040 Mmpcdfem.exe, 2788 Mdmhfpkg.exe, 1572 Mfkebkjk.exe, 2976 Mmemoe32.exe, 2852 Nilndfgl.exe, 3064 Npffaq32.exe, 2724 Naionh32.exe, 2748 Nomphm32.exe, 2088 Nalldh32.exe, 564 Nlapaapg.exe, 1968 Nmbmii32.exe, 2136 Omeini32.exe, 1456 Oiljcj32.exe, 1868 Opebpdad.exe, 1224 Ollcee32.exe, 2436 Ocfkaone.exe, 1980 Olopjddf.exe, 2248 Ocihgo32.exe, 2012 Olalpdbc.exe, 944 Panehkaj.exe, 1660 Pobeao32.exe, 1812 Pdonjf32.exe, 760 Pabncj32.exe, 1736 Pgogla32.exe, 2664 Paekijkb.exe, 1672 Pqhkdg32.exe, 2776 Pkmobp32.exe, 2232 Paghojip.exe, 2144 Pchdfb32.exe, 2868 Pgdpgqgg.exe, 2728 Qmahog32.exe, 2424 Qckalamk.exe, 2492 Qjeihl32.exe, 2128 Qmcedg32.exe, 2412 Qcmnaaji.exe, 784 Qfljmmjl.exe, 2516 Amebjgai.exe, 2408 Acpjga32.exe, 2548 Afnfcl32.exe, 1768 Ajibckpc.exe, 2488 Akkokc32.exe, 1624 Aioodg32.exe
-
Loads dropped DLL (64 IoCs)
pid Process (each pid appears twice in the report, i.e. two dropped-DLL load IoCs per process):
1760 ac3d4706446e106af71c4a04dd0362c24ed4212e812b790213e8c9a892559c60N.exe, 2524 Hdhnal32.exe, 2944 Ifhgcgjq.exe, 3068 Ileoknhh.exe, 1636 Ieppjclf.exe, 2860 Ihnmfoli.exe, 2768 Ihcfan32.exe, 1104 Jcmgal32.exe, 2308 Jgkphj32.exe, 1416 Jpcdqpqj.exe, 3036 Jfbinf32.exe, 2628 Jllakpdk.exe, 2100 Kghoan32.exe, 1256 Khglkqfj.exe, 2240 Kqemeb32.exe, 1148 Kfbemi32.exe, 2356 Lmqgec32.exe, 1608 Lfkhch32.exe, 1816 Lijepc32.exe, 2504 Leqeed32.exe, 2672 Mnijnjbh.exe, 1020 Mlmjgnaa.exe, 992 Mhckloge.exe, 2040 Mmpcdfem.exe, 2788 Mdmhfpkg.exe, 1572 Mfkebkjk.exe, 2976 Mmemoe32.exe, 2852 Nilndfgl.exe, 3064 Npffaq32.exe, 2724 Naionh32.exe, 2748 Nomphm32.exe, 2088 Nalldh32.exe
-
Drops file in System32 directory (64 IoCs)
Every dropped file lands in C:\Windows\SysWOW64 under an 8-character name ending in .exe or .dll. Grouped by action, as "file  Process":

File created (43 IoCs):
C:\Windows\SysWOW64\Dplalb32.dll  Domffn32.exe
C:\Windows\SysWOW64\Jmbnhm32.exe  Jigagocd.exe
C:\Windows\SysWOW64\Pkkeeikj.exe  Peolmb32.exe
C:\Windows\SysWOW64\Eenckc32.exe  Ebpgoh32.exe
C:\Windows\SysWOW64\Ghjajqph.dll  Mnaiah32.exe
C:\Windows\SysWOW64\Gndebkii.exe  Gjiibm32.exe
C:\Windows\SysWOW64\Neponk32.dll  Koeeoljm.exe
C:\Windows\SysWOW64\Lcnqin32.exe  Lldhldpg.exe
C:\Windows\SysWOW64\Alfflhpa.exe  Akejdp32.exe
C:\Windows\SysWOW64\Hebkoj32.dll  Caqfiloi.exe
C:\Windows\SysWOW64\Jfkbqcam.exe  Jdmfdgbj.exe
C:\Windows\SysWOW64\Pkicij32.dll  Papmlmbp.exe
C:\Windows\SysWOW64\Fianpp32.exe  Process not Found
C:\Windows\SysWOW64\Gemhpq32.exe  Process not Found
C:\Windows\SysWOW64\Jlkokm32.dll  Mogcelgm.exe
C:\Windows\SysWOW64\Mnffnd32.exe  Lcpbpk32.exe
C:\Windows\SysWOW64\Pkebgj32.exe  Phgfko32.exe
C:\Windows\SysWOW64\Hplped32.dll  Dpbenpqh.exe
C:\Windows\SysWOW64\Emqfen32.dll  Qamleagn.exe
C:\Windows\SysWOW64\Bfjijo32.dll  Kfnmnojj.exe
C:\Windows\SysWOW64\Pmnmcn32.dll  Jblpge32.exe
C:\Windows\SysWOW64\Pikohg32.exe  Pdngpp32.exe
C:\Windows\SysWOW64\Dnkcpohn.dll  Anfggicl.exe
C:\Windows\SysWOW64\Jhikhefb.exe  Jblbpnhk.exe
C:\Windows\SysWOW64\Mlfebcnd.exe  Lhkiae32.exe
C:\Windows\SysWOW64\Anogmi32.dll  Aajedn32.exe
C:\Windows\SysWOW64\Jpigjb32.dll  Process not Found
C:\Windows\SysWOW64\Becmcind.dll  Fopole32.exe
C:\Windows\SysWOW64\Goodpb32.exe  Gghloe32.exe
C:\Windows\SysWOW64\Afhklj32.dll  Popkeh32.exe
C:\Windows\SysWOW64\Kahmln32.dll  Mnakjaoc.exe
C:\Windows\SysWOW64\Oenmkngi.exe  Ofklpa32.exe
C:\Windows\SysWOW64\Ghnaaljp.exe  Process not Found
C:\Windows\SysWOW64\Cgeopqfp.exe  Cakfcfoc.exe
C:\Windows\SysWOW64\Icblchdc.dll  Fhcjilcb.exe
C:\Windows\SysWOW64\Anbicp32.dll  Joepjokm.exe
C:\Windows\SysWOW64\Aajedn32.exe  Almmlg32.exe
C:\Windows\SysWOW64\Mdcdcmai.exe  Mbehgabe.exe
C:\Windows\SysWOW64\Lllihf32.exe  Lafekm32.exe
C:\Windows\SysWOW64\Fdefgimi.exe  Process not Found
C:\Windows\SysWOW64\Npffaq32.exe  Nilndfgl.exe
C:\Windows\SysWOW64\Mbehgabe.exe  Moflkfca.exe
C:\Windows\SysWOW64\Cienge32.dll  Qpocno32.exe

File opened for modification (21 IoCs):
C:\Windows\SysWOW64\Fnkblm32.exe  Fljfdd32.exe
C:\Windows\SysWOW64\Alicahno.exe  Aflkiapg.exe
C:\Windows\SysWOW64\Eghdanac.exe  Eoalpaaa.exe
C:\Windows\SysWOW64\Ifkfap32.exe  Indnqb32.exe
C:\Windows\SysWOW64\Qamleagn.exe  Qbkljd32.exe
C:\Windows\SysWOW64\Bgqeea32.exe  Bineidcj.exe
C:\Windows\SysWOW64\Bfkobj32.exe  Bclcfnih.exe
C:\Windows\SysWOW64\Bfmlgi32.exe  Bocckoom.exe
C:\Windows\SysWOW64\Boeppomj.exe  Bmgddcnf.exe
C:\Windows\SysWOW64\Lgphke32.exe  Kpeonkig.exe
C:\Windows\SysWOW64\Mdhnnl32.exe  Mmafmo32.exe
C:\Windows\SysWOW64\Bkhjcing.exe  Bjgmka32.exe
C:\Windows\SysWOW64\Mncfgh32.exe  Mginjnnp.exe
C:\Windows\SysWOW64\Oafclh32.exe  Onggom32.exe
C:\Windows\SysWOW64\Npffaq32.exe  Nilndfgl.exe
C:\Windows\SysWOW64\Pqhkdg32.exe  Paekijkb.exe
C:\Windows\SysWOW64\Agmacgcc.exe  Aoamoefh.exe
C:\Windows\SysWOW64\Bbflkcao.exe  Bohoogbk.exe
C:\Windows\SysWOW64\Oafhmf32.exe  Olioeoeo.exe
C:\Windows\SysWOW64\Aqgqid32.exe  Akjham32.exe
C:\Windows\SysWOW64\Goodpb32.exe  Gghloe32.exe
-
Program crash (1 IoC)
pid   pid_target   Process            procid_target
4904  3584         Process not Found  1135
-
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process (64 IoCs):
Process not Found, Olalpdbc.exe, Jigagocd.exe, Dijjgegh.exe, Nkbdbbop.exe, Ilpkel32.exe, Nmbenc32.exe, Afeold32.exe, Jblbpnhk.exe, Process not Found, Obakli32.exe, Bmgddcnf.exe, Ebghkjjc.exe, Peooek32.exe, Akphfbbl.exe, Cbcikn32.exe, Kadhen32.exe, Akkokc32.exe, Foqadnpq.exe, Gmbagf32.exe, Cgeopqfp.exe, Mfngbq32.exe, Ccmanjch.exe, Mkplnp32.exe, Mnaiah32.exe, Ppbkoabf.exe, Jlpmndba.exe, Baajji32.exe, Mflgkd32.exe, Dfjaej32.exe, Jeofnpke.exe, Pbfcoedi.exe, Opkpme32.exe, Process not Found, Hdapggln.exe, Agakog32.exe, Iecaad32.exe, Nkphmc32.exe, Hfalaj32.exe, Emnelbdi.exe, Mnjnolap.exe, Chohqebq.exe, Fopole32.exe, Lncjhd32.exe, Bmegodpi.exe, Ocihgo32.exe, Bineidcj.exe, Jckkhplq.exe, Apdminod.exe, Ifoljn32.exe, Icbldbgi.exe, Kdgane32.exe, Ohbmppia.exe, Bclcfnih.exe, Hjplao32.exe, Khjkiikl.exe, Jpcdqpqj.exe, Ahmehqna.exe, Ppcmhj32.exe, Agonig32.exe, Ifikehii.exe, Pchdfb32.exe, Aokdga32.exe, Klijjnen.exe
-
Modifies registry class (64 IoCs)
All 64 IoCs are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the in-process server registration for the same CLSID that the ShellServiceObjectDelayLoad value references. Grouped by action, listing the process that performed it:

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 (20 IoCs):
Qbhpddbf.exe, Ibplji32.exe, Iabcbg32.exe, Bkhjcing.exe, Danaqbgp.exe, Obakli32.exe, Kciifc32.exe, Gdbchd32.exe, Dajiok32.exe, Hajdniep.exe, Kaieai32.exe, Fkbadifn.exe, Febmfcjj.exe, Laenqg32.exe, Nqamaeii.exe, Diencmcj.exe, Ndbjgjqh.exe, Gocnjn32.exe, Boeppomj.exe, Ckdpinhf.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" (21 IoCs):
Aioodg32.exe, Pmlngdhk.exe, Fhifmcfa.exe, Fagqed32.exe, Gpccgppq.exe, Process not Found, Iabcbg32.exe, Npieoi32.exe, Process not Found, Ofcldoef.exe, Ifiilp32.exe, Oiqegb32.exe, Qjeihl32.exe, Eaegaaah.exe, Pejcab32.exe, Aqgqid32.exe, Ddqeodjj.exe, Fimclh32.exe, Ndpmbjbk.exe, Ohncdp32.exe, Fljfdd32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default value) (23 IoCs), as "value  Process":
"C:\\Windows\\SysWow64\\Lfjcjb32.dll"  Qchmll32.exe
"C:\\Windows\\SysWow64\\Idnhngnf.dll"  Lbhphdab.exe
"C:\\Windows\\SysWow64\\Ldamppgp.dll"  Kngcbpjc.exe
"C:\\Windows\\SysWow64\\Qofnfp32.dll"  Ljejgp32.exe
"C:\\Windows\\SysWow64\\Mfdbnlgi.dll"  Hibebeqb.exe
"C:\\Windows\\SysWow64\\Lmfnaj32.dll"  Deahcneh.exe
"C:\\Windows\\SysWow64\\Enjaiiho.dll"  Mhbflj32.exe
"C:\\Windows\\SysWow64\\Benqjobn.dll"  Aoamoefh.exe
"C:\\Windows\\SysWow64\\Hnghoc32.dll"  Cmeffp32.exe
"C:\\Windows\\SysWow64\\Jfajgn32.dll"  Meafpibb.exe
"C:\\Windows\\SysWow64\\Iefbpdca.dll"  Hdailaib.exe
"C:\\Windows\\SysWow64\\Joceen32.dll"  Llalgdbj.exe
"C:\\Windows\\SysWow64\\Fpcqnh32.dll"  Jilkbn32.exe
"C:\\Windows\\SysWow64\\Ofmhcg32.dll"  Jfadoaih.exe
"C:\\Windows\\SysWow64\\Dcbbjffh.dll"  Hbjgbbpn.exe
"C:\\Windows\\SysWow64\\Ejdjke32.dll"  Eenckc32.exe
"C:\\Windows\\SysWow64\\Opebop32.dll"  Process not Found
"C:\\Windows\\SysWow64\\Jcfnnang.dll"  Pqhkdg32.exe
"C:\\Windows\\SysWow64\\Ciidbebp.dll"  Djcpqidc.exe
"C:\\Windows\\SysWow64\\Pfplmh32.dll"  Hdolga32.exe
"C:\\Windows\\SysWow64\\Oedqakci.dll"  Ajdego32.exe
"C:\\Windows\\SysWow64\\Qbeemg32.dll"  Fljfdd32.exe
"C:\\Windows\\SysWow64\\Lmiggh32.dll"  Bmhmgbif.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process chain as recorded by the sandbox. Each entry is a child of the entry directly above it (the depth number gives its position in the chain), so the sample starts Hdhnal32.exe, which starts Ifhgcgjq.exe, and so on. Columns: depth | PID | image path | command line | behaviour flags.
- 1 | PID 1760 | C:\Users\Admin\AppData\Local\Temp\ac3d4706446e106af71c4a04dd0362c24ed4212e812b790213e8c9a892559c60N.exe | "C:\Users\Admin\AppData\Local\Temp\ac3d4706446e106af71c4a04dd0362c24ed4212e812b790213e8c9a892559c60N.exe" | Loads dropped DLL; Suspicious use of WriteProcessMemory
- 2 | PID 2524 | C:\Windows\SysWOW64\Hdhnal32.exe | C:\Windows\system32\Hdhnal32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 3 | PID 2944 | C:\Windows\SysWOW64\Ifhgcgjq.exe | C:\Windows\system32\Ifhgcgjq.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 4 | PID 3068 | C:\Windows\SysWOW64\Ileoknhh.exe | C:\Windows\system32\Ileoknhh.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 5 | PID 1636 | C:\Windows\SysWOW64\Ieppjclf.exe | C:\Windows\system32\Ieppjclf.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 6 | PID 2860 | C:\Windows\SysWOW64\Ihnmfoli.exe | C:\Windows\system32\Ihnmfoli.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 7 | PID 2768 | C:\Windows\SysWOW64\Ihcfan32.exe | C:\Windows\system32\Ihcfan32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 8 | PID 1104 | C:\Windows\SysWOW64\Jcmgal32.exe | C:\Windows\system32\Jcmgal32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 9 | PID 2308 | C:\Windows\SysWOW64\Jgkphj32.exe | C:\Windows\system32\Jgkphj32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 10 | PID 1416 | C:\Windows\SysWOW64\Jpcdqpqj.exe | C:\Windows\system32\Jpcdqpqj.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- 11 | PID 3036 | C:\Windows\SysWOW64\Jfbinf32.exe | C:\Windows\system32\Jfbinf32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 12 | PID 2628 | C:\Windows\SysWOW64\Jllakpdk.exe | C:\Windows\system32\Jllakpdk.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 13 | PID 2100 | C:\Windows\SysWOW64\Kghoan32.exe | C:\Windows\system32\Kghoan32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 14 | PID 1256 | C:\Windows\SysWOW64\Khglkqfj.exe | C:\Windows\system32\Khglkqfj.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 15 | PID 2240 | C:\Windows\SysWOW64\Kqemeb32.exe | C:\Windows\system32\Kqemeb32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 16 | PID 1148 | C:\Windows\SysWOW64\Kfbemi32.exe | C:\Windows\system32\Kfbemi32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 17 | PID 2356 | C:\Windows\SysWOW64\Lmqgec32.exe | C:\Windows\system32\Lmqgec32.exe | Executes dropped EXE; Loads dropped DLL
- 18 | PID 1608 | C:\Windows\SysWOW64\Lfkhch32.exe | C:\Windows\system32\Lfkhch32.exe | Executes dropped EXE; Loads dropped DLL
- 19 | PID 1816 | C:\Windows\SysWOW64\Lijepc32.exe | C:\Windows\system32\Lijepc32.exe | Executes dropped EXE; Loads dropped DLL
- 20 | PID 2504 | C:\Windows\SysWOW64\Leqeed32.exe | C:\Windows\system32\Leqeed32.exe | Executes dropped EXE; Loads dropped DLL
- 21 | PID 2672 | C:\Windows\SysWOW64\Mnijnjbh.exe | C:\Windows\system32\Mnijnjbh.exe | Executes dropped EXE; Loads dropped DLL
- 22 | PID 1020 | C:\Windows\SysWOW64\Mlmjgnaa.exe | C:\Windows\system32\Mlmjgnaa.exe | Executes dropped EXE; Loads dropped DLL
- 23 | PID 992 | C:\Windows\SysWOW64\Mhckloge.exe | C:\Windows\system32\Mhckloge.exe | Executes dropped EXE; Loads dropped DLL
- 24 | PID 2040 | C:\Windows\SysWOW64\Mmpcdfem.exe | C:\Windows\system32\Mmpcdfem.exe | Executes dropped EXE; Loads dropped DLL
- 25 | PID 2788 | C:\Windows\SysWOW64\Mdmhfpkg.exe | C:\Windows\system32\Mdmhfpkg.exe | Executes dropped EXE; Loads dropped DLL
- 26 | PID 1572 | C:\Windows\SysWOW64\Mfkebkjk.exe | C:\Windows\system32\Mfkebkjk.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
- 27 | PID 2976 | C:\Windows\SysWOW64\Mmemoe32.exe | C:\Windows\system32\Mmemoe32.exe | Executes dropped EXE; Loads dropped DLL
- 28 | PID 2852 | C:\Windows\SysWOW64\Nilndfgl.exe | C:\Windows\system32\Nilndfgl.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- 29 | PID 3064 | C:\Windows\SysWOW64\Npffaq32.exe | C:\Windows\system32\Npffaq32.exe | Executes dropped EXE; Loads dropped DLL
- 30 | PID 2724 | C:\Windows\SysWOW64\Naionh32.exe | C:\Windows\system32\Naionh32.exe | Executes dropped EXE; Loads dropped DLL
- 31 | PID 2748 | C:\Windows\SysWOW64\Nomphm32.exe | C:\Windows\system32\Nomphm32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
- 32 | PID 2088 | C:\Windows\SysWOW64\Nalldh32.exe | C:\Windows\system32\Nalldh32.exe | Executes dropped EXE; Loads dropped DLL
- 33 | PID 564 | C:\Windows\SysWOW64\Nlapaapg.exe | C:\Windows\system32\Nlapaapg.exe | Executes dropped EXE
- 34 | PID 1968 | C:\Windows\SysWOW64\Nmbmii32.exe | C:\Windows\system32\Nmbmii32.exe | Executes dropped EXE
- 35 | PID 2136 | C:\Windows\SysWOW64\Omeini32.exe | C:\Windows\system32\Omeini32.exe | Executes dropped EXE
- 36 | PID 1456 | C:\Windows\SysWOW64\Oiljcj32.exe | C:\Windows\system32\Oiljcj32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 37 | PID 1868 | C:\Windows\SysWOW64\Opebpdad.exe | C:\Windows\system32\Opebpdad.exe | Executes dropped EXE
- 38 | PID 1224 | C:\Windows\SysWOW64\Ollcee32.exe | C:\Windows\system32\Ollcee32.exe | Executes dropped EXE
- 39 | PID 2436 | C:\Windows\SysWOW64\Ocfkaone.exe | C:\Windows\system32\Ocfkaone.exe | Executes dropped EXE
- 40 | PID 1980 | C:\Windows\SysWOW64\Olopjddf.exe | C:\Windows\system32\Olopjddf.exe | Executes dropped EXE
- 41 | PID 2248 | C:\Windows\SysWOW64\Ocihgo32.exe | C:\Windows\system32\Ocihgo32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
- 42 | PID 2012 | C:\Windows\SysWOW64\Olalpdbc.exe | C:\Windows\system32\Olalpdbc.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
- 43 | PID 944 | C:\Windows\SysWOW64\Panehkaj.exe | C:\Windows\system32\Panehkaj.exe | Executes dropped EXE
- 44 | PID 1660 | C:\Windows\SysWOW64\Pobeao32.exe | C:\Windows\system32\Pobeao32.exe | Executes dropped EXE
- 45 | PID 1812 | C:\Windows\SysWOW64\Pdonjf32.exe | C:\Windows\system32\Pdonjf32.exe | Executes dropped EXE
- 46 | PID 760 | C:\Windows\SysWOW64\Pabncj32.exe | C:\Windows\system32\Pabncj32.exe | Executes dropped EXE
- 47 | PID 1736 | C:\Windows\SysWOW64\Pgogla32.exe | C:\Windows\system32\Pgogla32.exe | Executes dropped EXE
- 48 | PID 2664 | C:\Windows\SysWOW64\Paekijkb.exe | C:\Windows\system32\Paekijkb.exe | Executes dropped EXE; Drops file in System32 directory
- 49 | PID 1672 | C:\Windows\SysWOW64\Pqhkdg32.exe | C:\Windows\system32\Pqhkdg32.exe | Executes dropped EXE; Modifies registry class
- 50 | PID 2776 | C:\Windows\SysWOW64\Pkmobp32.exe | C:\Windows\system32\Pkmobp32.exe | Executes dropped EXE
- 51 | PID 2232 | C:\Windows\SysWOW64\Paghojip.exe | C:\Windows\system32\Paghojip.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 52 | PID 2144 | C:\Windows\SysWOW64\Pchdfb32.exe | C:\Windows\system32\Pchdfb32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
- 53 | PID 2868 | C:\Windows\SysWOW64\Pgdpgqgg.exe | C:\Windows\system32\Pgdpgqgg.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 54 | PID 2728 | C:\Windows\SysWOW64\Qmahog32.exe | C:\Windows\system32\Qmahog32.exe | Executes dropped EXE
- 55 | PID 2424 | C:\Windows\SysWOW64\Qckalamk.exe | C:\Windows\system32\Qckalamk.exe | Executes dropped EXE
- 56 | PID 2492 | C:\Windows\SysWOW64\Qjeihl32.exe | C:\Windows\system32\Qjeihl32.exe | Executes dropped EXE; Modifies registry class
- 57 | PID 2128 | C:\Windows\SysWOW64\Qmcedg32.exe | C:\Windows\system32\Qmcedg32.exe | Executes dropped EXE
- 58 | PID 2412 | C:\Windows\SysWOW64\Qcmnaaji.exe | C:\Windows\system32\Qcmnaaji.exe | Executes dropped EXE
- 59 | PID 784 | C:\Windows\SysWOW64\Qfljmmjl.exe | C:\Windows\system32\Qfljmmjl.exe | Executes dropped EXE
- 60 | PID 2516 | C:\Windows\SysWOW64\Amebjgai.exe | C:\Windows\system32\Amebjgai.exe | Executes dropped EXE
- 61 | PID 2408 | C:\Windows\SysWOW64\Acpjga32.exe | C:\Windows\system32\Acpjga32.exe | Executes dropped EXE
- 62 | PID 2548 | C:\Windows\SysWOW64\Afnfcl32.exe | C:\Windows\system32\Afnfcl32.exe | Executes dropped EXE
- 63 | PID 1768 | C:\Windows\SysWOW64\Ajibckpc.exe | C:\Windows\system32\Ajibckpc.exe | Executes dropped EXE
- 64 | PID 2488 | C:\Windows\SysWOW64\Akkokc32.exe | C:\Windows\system32\Akkokc32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
- 65 | PID 1624 | C:\Windows\SysWOW64\Aioodg32.exe | C:\Windows\system32\Aioodg32.exe | Executes dropped EXE; Modifies registry class
- 66 | PID 2392 | C:\Windows\SysWOW64\Akmlacdn.exe | C:\Windows\system32\Akmlacdn.exe | (no flags)
- 67 | PID 1708 | C:\Windows\SysWOW64\Ankhmncb.exe | C:\Windows\system32\Ankhmncb.exe | (no flags)
- 68 | PID 2936 | C:\Windows\SysWOW64\Aialjgbh.exe | C:\Windows\system32\Aialjgbh.exe | (no flags)
- 69 | PID 1688 | C:\Windows\SysWOW64\Akphfbbl.exe | C:\Windows\system32\Akphfbbl.exe | System Location Discovery: System Language Discovery
- 70 | PID 2964 | C:\Windows\SysWOW64\Aokdga32.exe | C:\Windows\system32\Aokdga32.exe | System Location Discovery: System Language Discovery
- 71 | PID 2828 | C:\Windows\SysWOW64\Aalaoipc.exe | C:\Windows\system32\Aalaoipc.exe | (no flags)
- 72 | PID 2712 | C:\Windows\SysWOW64\Akbelbpi.exe | C:\Windows\system32\Akbelbpi.exe | (no flags)
- 73 | PID 3028 | C:\Windows\SysWOW64\Ajdego32.exe | C:\Windows\system32\Ajdego32.exe | Modifies registry class
- 74 | PID 1852 | C:\Windows\SysWOW64\Aaondi32.exe | C:\Windows\system32\Aaondi32.exe | (no flags)
- 75 | PID 3020 | C:\Windows\SysWOW64\Bejiehfi.exe | C:\Windows\system32\Bejiehfi.exe | (no flags)
- 76 | PID 1804 | C:\Windows\SysWOW64\Bkdbab32.exe | C:\Windows\system32\Bkdbab32.exe | (no flags)
- 77 | PID 2440 | C:\Windows\SysWOW64\Bnbnnm32.exe | C:\Windows\system32\Bnbnnm32.exe | (no flags)
- 78 | PID 1100 | C:\Windows\SysWOW64\Baajji32.exe | C:\Windows\system32\Baajji32.exe | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
- 79 | PID 1612 | C:\Windows\SysWOW64\Bcoffd32.exe | C:\Windows\system32\Bcoffd32.exe | (no flags)
- 80 | PID 1000 | C:\Windows\SysWOW64\Bfncbp32.exe | C:\Windows\system32\Bfncbp32.exe | (no flags)
- 81 | PID 1864 | C:\Windows\SysWOW64\Bmhkojab.exe | C:\Windows\system32\Bmhkojab.exe | (no flags)
- 82 | PID 1888 | C:\Windows\SysWOW64\Bcackdio.exe | C:\Windows\system32\Bcackdio.exe | (no flags)
- 83 | PID 2196 | C:\Windows\SysWOW64\Bjlkhn32.exe | C:\Windows\system32\Bjlkhn32.exe | (no flags)
- 84 | PID 876 | C:\Windows\SysWOW64\Baecehhh.exe | C:\Windows\system32\Baecehhh.exe | (no flags)
- 85 | PID 2800 | C:\Windows\SysWOW64\Bjnhnn32.exe | C:\Windows\system32\Bjnhnn32.exe | (no flags)
- 86 | PID 3024 | C:\Windows\SysWOW64\Bpkqfdmp.exe | C:\Windows\system32\Bpkqfdmp.exe | (no flags)
- 87 | PID 2708 | C:\Windows\SysWOW64\Bbimbpld.exe | C:\Windows\system32\Bbimbpld.exe | (no flags)
- 88 | PID 872 | C:\Windows\SysWOW64\Bmoaoikj.exe | C:\Windows\system32\Bmoaoikj.exe | (no flags)
- 89 | PID 764 | C:\Windows\SysWOW64\Cpmmkdkn.exe | C:\Windows\system32\Cpmmkdkn.exe | (no flags)
- 90 | PID 2204 | C:\Windows\SysWOW64\Cfgehn32.exe | C:\Windows\system32\Cfgehn32.exe | (no flags)
- 91 | PID 2396 | C:\Windows\SysWOW64\Cppjadhk.exe | C:\Windows\system32\Cppjadhk.exe | (no flags)
- 92 | PID 2244 | C:\Windows\SysWOW64\Cbnfmo32.exe | C:\Windows\system32\Cbnfmo32.exe | (no flags)
- 93 | PID 2108 | C:\Windows\SysWOW64\Caqfiloi.exe | C:\Windows\system32\Caqfiloi.exe | Drops file in System32 directory
- 94 | PID 852 | C:\Windows\SysWOW64\Clfkfeno.exe | C:\Windows\system32\Clfkfeno.exe | (no flags)
- 95 | PID 2668 | C:\Windows\SysWOW64\Ceoooj32.exe | C:\Windows\system32\Ceoooj32.exe | (no flags)
- 96 | PID 1712 | C:\Windows\SysWOW64\Ckkhga32.exe | C:\Windows\system32\Ckkhga32.exe | (no flags)
- 97 | PID 1668 | C:\Windows\SysWOW64\Chohqebq.exe | C:\Windows\system32\Chohqebq.exe | System Location Discovery: System Language Discovery
- 98 | PID 2192 | C:\Windows\SysWOW64\Cmlqimph.exe | C:\Windows\system32\Cmlqimph.exe | (no flags)
- 99 | PID 3008 | C:\Windows\SysWOW64\Dfdeab32.exe | C:\Windows\system32\Dfdeab32.exe | (no flags)
- 100 | PID 2804 | C:\Windows\SysWOW64\Dajiok32.exe | C:\Windows\system32\Dajiok32.exe | Modifies registry class
- 101 | PID 2992 | C:\Windows\SysWOW64\Diencmcj.exe | C:\Windows\system32\Diencmcj.exe | Modifies registry class
- 102 | PID 2716 | C:\Windows\SysWOW64\Dpofpg32.exe | C:\Windows\system32\Dpofpg32.exe | (no flags)
- 103 | PID 2224 | C:\Windows\SysWOW64\Dpaceg32.exe | C:\Windows\system32\Dpaceg32.exe | (no flags)
- 104 | PID 948 | C:\Windows\SysWOW64\Ddmofeam.exe | C:\Windows\system32\Ddmofeam.exe | (no flags)
- 105 | PID 344 | C:\Windows\SysWOW64\Dijgnm32.exe | C:\Windows\system32\Dijgnm32.exe | (no flags)
- 106 | PID 3012 | C:\Windows\SysWOW64\Dpdpkfga.exe | C:\Windows\system32\Dpdpkfga.exe | (no flags)
- 107 | PID 2348 | C:\Windows\SysWOW64\Dcblgbfe.exe | C:\Windows\system32\Dcblgbfe.exe | (no flags)
- 108 | PID 2236 | C:\Windows\SysWOW64\Deahcneh.exe | C:\Windows\system32\Deahcneh.exe | Modifies registry class
- 109 | PID 2104 | C:\Windows\SysWOW64\Eoimlc32.exe | C:\Windows\system32\Eoimlc32.exe | (no flags)
- 110 | PID 2588 | C:\Windows\SysWOW64\Eagiho32.exe | C:\Windows\system32\Eagiho32.exe | (no flags)
- 111 | PID 1808 | C:\Windows\SysWOW64\Ekpmad32.exe | C:\Windows\system32\Ekpmad32.exe | (no flags)
- 112 | PID 1740 | C:\Windows\SysWOW64\Eajennij.exe | C:\Windows\system32\Eajennij.exe | (no flags)
- 113 | PID 2404 | C:\Windows\SysWOW64\Ehdnkh32.exe | C:\Windows\system32\Ehdnkh32.exe | (no flags)
- 114 | PID 2592 | C:\Windows\SysWOW64\Ekbjgd32.exe | C:\Windows\system32\Ekbjgd32.exe | (no flags)
- 115 | PID 2376 | C:\Windows\SysWOW64\Eehndm32.exe | C:\Windows\system32\Eehndm32.exe | (no flags)
- 116 | PID 1576 | C:\Windows\SysWOW64\Ehfkphnd.exe | C:\Windows\system32\Ehfkphnd.exe | (no flags)
- 117 | PID 2920 | C:\Windows\SysWOW64\Ekdglcmh.exe | C:\Windows\system32\Ekdglcmh.exe | (no flags)
- 118 | PID 2264 | C:\Windows\SysWOW64\Encchoml.exe | C:\Windows\system32\Encchoml.exe | (no flags)
- 119 | PID 1948 | C:\Windows\SysWOW64\Egkgad32.exe | C:\Windows\system32\Egkgad32.exe | (no flags)
- 120 | PID 2028 | C:\Windows\SysWOW64\Ejjdmp32.exe | C:\Windows\system32\Ejjdmp32.exe | (no flags)
- 121 | PID 652 | C:\Windows\SysWOW64\Epdljjjm.exe | C:\Windows\system32\Epdljjjm.exe | (no flags)
- 122 | PID 1940 | C:\Windows\SysWOW64\Ecbhfeip.exe | C:\Windows\system32\Ecbhfeip.exe | (no flags)