Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
114s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22/12/2024, 13:16
Behavioral task
behavioral1
Sample
9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79.exe
-
Size
428KB
-
MD5
1ba9331da709f5ef2f16248674688b27
-
SHA1
f429eeff53477f2e0b6a228790098ee078264312
-
SHA256
9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79
-
SHA512
4fd7f64fbc49d24c38615500919486ca7c88f2ab54e2106bf7424d2d028e265dfe2215051ac0dac1db9b75c4a5302e2857ac70ca5c7251eae0ce9837eba5ad4d
-
SSDEEP
3072:j8dOsh1SZ8mnaoPav8Wz24ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424ho19:aOsh85ba4sFj5tPNki9HZd1sFj5tw
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphecepe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihbcmaje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnild32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciihklpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjgoje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goiehm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimfld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clefdcog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcibkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpicodoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejebk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fennoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbpkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emgkhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnmeen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcnbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fopnpaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjfpafmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpqnhadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjbafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acekjjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlelhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlljaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accnekon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdibkam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnfkba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcomkcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkmqkbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daofpchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aljjjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbikgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnfqccna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgioakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecnoijbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnimiblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgcjpkak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibehla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clalod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlphbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2784 Nhllob32.exe 2472 Nofdklgl.exe 2896 Neplhf32.exe 2632 Nljddpfe.exe 1256 Okdkal32.exe 844 Oappcfmb.exe 580 Pmlmic32.exe 2188 Pcibkm32.exe 2636 Pdlkiepd.exe 1420 Qqeicede.exe 2892 Qiladcdh.exe 1944 Aajbne32.exe 2944 Apalea32.exe 804 Afnagk32.exe 2244 Bmhideol.exe 1088 Bonoflae.exe 2436 Bbikgk32.exe 976 Bmeimhdj.exe 940 Cpceidcn.exe 828 Cmgechbh.exe 880 Cinfhigl.exe 2656 Clmbddgp.exe 2980 Cbgjqo32.exe 1800 Clalod32.exe 2396 Cpmhpbkc.exe 1592 Cophko32.exe 2904 Ddomif32.exe 2928 Dlfejcoe.exe 2740 Dhmfod32.exe 2588 Dnjngk32.exe 536 Dddfdejn.exe 548 Dlahng32.exe 1492 Ddhpod32.exe 2116 Egglkp32.exe 2196 Efjlgmlf.exe 1188 Enqdhj32.exe 2676 Eodnebpd.exe 1708 Ebcjamoh.exe 1820 Elhnof32.exe 1972 Ebefgm32.exe 2448 Efqbglen.exe 2276 Enlglnci.exe 1788 Efcomkcl.exe 624 Efcomkcl.exe 2368 Ehakigbo.exe 2284 Fgfhjcgg.exe 1376 Fjeefofk.exe 2024 Fblmglgm.exe 2996 Fpffje32.exe 2400 Fpicodoj.exe 2720 Gpkpedmh.exe 2124 Gfehan32.exe 2940 Gmoqnhla.exe 2580 Gejebk32.exe 1652 Ghiaof32.exe 2648 Gppipc32.exe 3020 Gbnflo32.exe 1416 Gaafhloq.exe 1616 Gnefapmj.exe 1924 Geoonjeg.exe 2016 Gjlgfaco.exe 2948 Gmjcblbb.exe 768 Heakcjcd.exe 1016 Hddlof32.exe -
Loads dropped DLL 64 IoCs
pid Process 2160 9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79.exe 2160 9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79.exe 2784 Nhllob32.exe 2784 Nhllob32.exe 2472 Nofdklgl.exe 2472 Nofdklgl.exe 2896 Neplhf32.exe 2896 Neplhf32.exe 2632 Nljddpfe.exe 2632 Nljddpfe.exe 1256 Okdkal32.exe 1256 Okdkal32.exe 844 Oappcfmb.exe 844 Oappcfmb.exe 580 Pmlmic32.exe 580 Pmlmic32.exe 2188 Pcibkm32.exe 2188 Pcibkm32.exe 2636 Pdlkiepd.exe 2636 Pdlkiepd.exe 1420 Qqeicede.exe 1420 Qqeicede.exe 2892 Qiladcdh.exe 2892 Qiladcdh.exe 1944 Aajbne32.exe 1944 Aajbne32.exe 2944 Apalea32.exe 2944 Apalea32.exe 804 Afnagk32.exe 804 Afnagk32.exe 2244 Bmhideol.exe 2244 Bmhideol.exe 1088 Bonoflae.exe 1088 Bonoflae.exe 2436 Bbikgk32.exe 2436 Bbikgk32.exe 976 Bmeimhdj.exe 976 Bmeimhdj.exe 940 Cpceidcn.exe 940 Cpceidcn.exe 828 Cmgechbh.exe 828 Cmgechbh.exe 880 Cinfhigl.exe 880 Cinfhigl.exe 2656 Clmbddgp.exe 2656 Clmbddgp.exe 2980 Cbgjqo32.exe 2980 Cbgjqo32.exe 1800 Clalod32.exe 1800 Clalod32.exe 2396 Cpmhpbkc.exe 2396 Cpmhpbkc.exe 1592 Cophko32.exe 1592 Cophko32.exe 2904 Ddomif32.exe 2904 Ddomif32.exe 2928 Dlfejcoe.exe 2928 Dlfejcoe.exe 2740 Dhmfod32.exe 2740 Dhmfod32.exe 2588 Dnjngk32.exe 2588 Dnjngk32.exe 536 Dddfdejn.exe 536 Dddfdejn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pbigmn32.exe Plpopddd.exe File created C:\Windows\SysWOW64\Pocdjfob.dll Dkdmfe32.exe File created C:\Windows\SysWOW64\Dqgchlio.dll Process not Found File created C:\Windows\SysWOW64\Hfgjcq32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bncaekhp.exe Bmbemb32.exe File created C:\Windows\SysWOW64\Kcmcoblm.exe Jnpkflne.exe File created C:\Windows\SysWOW64\Hcajhi32.exe Gmhbkohm.exe File created C:\Windows\SysWOW64\Baneak32.exe Bckefnki.exe File opened for modification C:\Windows\SysWOW64\Plolgk32.exe Piqpkpml.exe File created C:\Windows\SysWOW64\Gcmobfna.dll Gdjqamme.exe File created C:\Windows\SysWOW64\Kpojkp32.exe Jieaofmp.exe File created C:\Windows\SysWOW64\Lbmnea32.exe Process not Found File created C:\Windows\SysWOW64\Pfpfldpo.dll Clalod32.exe File opened for modification C:\Windows\SysWOW64\Kidjdpie.exe Jnofgg32.exe File created C:\Windows\SysWOW64\Mgcjpkak.exe Mhqjen32.exe File opened for modification C:\Windows\SysWOW64\Dnjngk32.exe Dhmfod32.exe File opened for modification C:\Windows\SysWOW64\Elibpg32.exe Efljhq32.exe File opened for modification C:\Windows\SysWOW64\Ijidfpci.exe Process not Found File created C:\Windows\SysWOW64\Fnogfk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gjlgfaco.exe Geoonjeg.exe File created C:\Windows\SysWOW64\Oemgplgo.exe Olebgfao.exe File created C:\Windows\SysWOW64\Gdhdkn32.exe Ggdcbi32.exe File created C:\Windows\SysWOW64\Bdcifi32.exe Bmlael32.exe File opened for modification C:\Windows\SysWOW64\Jmlddeio.exe Jjnhhjjk.exe File created C:\Windows\SysWOW64\Ipjkcehe.dll Obeacl32.exe File created C:\Windows\SysWOW64\Gelafcdj.dll Clefdcog.exe File created C:\Windows\SysWOW64\Kckido32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hldjnhce.exe Hifmbmda.exe File opened for modification C:\Windows\SysWOW64\Qinjgbpg.exe Qfonkfqd.exe File created C:\Windows\SysWOW64\Hpdelj32.dll Hndlem32.exe File created C:\Windows\SysWOW64\Bldainid.dll Process not Found File created C:\Windows\SysWOW64\Mpioba32.dll Pkjphcff.exe File created C:\Windows\SysWOW64\Edclib32.exe Eniclh32.exe File opened for modification C:\Windows\SysWOW64\Pilfpqaa.exe Pgnjde32.exe File opened for modification C:\Windows\SysWOW64\Lclicpkm.exe Lpnmgdli.exe File created C:\Windows\SysWOW64\Nmfbpk32.exe Nncbdomg.exe File created C:\Windows\SysWOW64\Kfeaomqq.dll Gamnhq32.exe File created C:\Windows\SysWOW64\Ccmkid32.dll Jabponba.exe File opened for modification C:\Windows\SysWOW64\Cbbomjnn.exe Clefdcog.exe File opened for modification C:\Windows\SysWOW64\Oghhfg32.exe Olbchn32.exe File created C:\Windows\SysWOW64\Iennnogo.dll Pomhcg32.exe File created C:\Windows\SysWOW64\Hofjjbcd.dll Hkolakkb.exe File created C:\Windows\SysWOW64\Pondgbkk.dll Bgdibkam.exe File opened for modification C:\Windows\SysWOW64\Ggdcbi32.exe Goiongbc.exe File created C:\Windows\SysWOW64\Hpcpdfhj.exe Process not Found File created C:\Windows\SysWOW64\Hnmaip32.dll Hijgml32.exe File created C:\Windows\SysWOW64\Ekdmib32.dll Process not Found File created C:\Windows\SysWOW64\Dpnladjl.exe Cehhdkjf.exe File created C:\Windows\SysWOW64\Ihcbim32.dll Process not Found File created C:\Windows\SysWOW64\Nommodjj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pcibkm32.exe Pmlmic32.exe File created C:\Windows\SysWOW64\Fnipkkdl.exe Filgbdfd.exe File created C:\Windows\SysWOW64\Ikgeel32.dll Mcnbhb32.exe File created C:\Windows\SysWOW64\Lgkkmm32.exe Lanbdf32.exe File created C:\Windows\SysWOW64\Pbajbi32.exe Piieicgl.exe File created C:\Windows\SysWOW64\Ckmpkpbl.exe Cgadja32.exe File opened for modification C:\Windows\SysWOW64\Iklfia32.exe Process not Found File created C:\Windows\SysWOW64\Jnnnalph.exe Jhafhe32.exe File created C:\Windows\SysWOW64\Dafqii32.dll Olbfagca.exe File created C:\Windows\SysWOW64\Llbconkd.exe Ldgnklmi.exe File opened for modification C:\Windows\SysWOW64\Eodnebpd.exe Enqdhj32.exe File created C:\Windows\SysWOW64\Hddgloho.dll Mgmdapml.exe File opened for modification C:\Windows\SysWOW64\Glnhjjml.exe Gecpnp32.exe File created C:\Windows\SysWOW64\Ohojmjep.exe Nbbbdcgi.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phobjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idfdcijh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdkjnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhldafl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifmbmda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Godaakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknafhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnncfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnflo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fennoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobomnoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbabho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmpgjbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlmic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accnekon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieofkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blnpddeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allefimb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkebjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glnhjjml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khldkllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldpnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddiibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmakmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olebgfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppinkcnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbeoibb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahnac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfcabd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnkdmec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohelidp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjojef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpkqklh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphgln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioohokoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnalh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikldqile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbomjnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnnml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Picojhcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epfhde32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjapamid.dll" Ggfnopfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiecgjba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pppgjnfc.dll" Okhefl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncnngfna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghibjjfb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpbgbme.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacoff32.dll" Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmgba32.dll" Hgciff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deeqch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iinalc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjfgpjhf.dll" Cljodo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohibp32.dll" Kmobhmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccbphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmnfa32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjllab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alinabdk.dll" Dojddmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhlga32.dll" Jnnnalph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmnmm32.dll" Fibcoalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahchdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdldnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmmfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioiepeog.dll" Mjkndb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofbhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebnabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqbdjfbm.dll" Bgokfnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kglcogeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgepiehf.dll" Accnekon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkkijnk.dll" Aljjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aengebaf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaimoj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akhfoldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccpcckck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomgdcce.dll" Njjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcbkhnk.dll" Cdqkifmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkiob32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epflllfi.dll" Mhfjjdjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmkac32.dll" Floeof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnflbh32.dll" Hdfhdfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jikhnaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjpke32.dll" Jdcmbgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbfilffm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elaeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmeolj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciohqa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Addfkeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll" Koflgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlelda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oibohdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfkloq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eogolc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2160 wrote to memory of 2784 2160 9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79.exe 30 PID 2160 wrote to memory of 2784 2160 9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79.exe 30 PID 2160 wrote to memory of 2784 2160 9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79.exe 30 PID 2160 wrote to memory of 2784 2160 9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79.exe 30 PID 2784 wrote to memory of 2472 2784 Nhllob32.exe 31 PID 2784 wrote to memory of 2472 2784 Nhllob32.exe 31 PID 2784 wrote to memory of 2472 2784 Nhllob32.exe 31 PID 2784 wrote to memory of 2472 2784 Nhllob32.exe 31 PID 2472 wrote to memory of 2896 2472 Nofdklgl.exe 32 PID 2472 wrote to memory of 2896 2472 Nofdklgl.exe 32 PID 2472 wrote to memory of 2896 2472 Nofdklgl.exe 32 PID 2472 wrote to memory of 2896 2472 Nofdklgl.exe 32 PID 2896 wrote to memory of 2632 2896 Neplhf32.exe 33 PID 2896 wrote to memory of 2632 2896 Neplhf32.exe 33 PID 2896 wrote to memory of 2632 2896 Neplhf32.exe 33 PID 2896 wrote to memory of 2632 2896 Neplhf32.exe 33 PID 2632 wrote to memory of 1256 2632 Nljddpfe.exe 34 PID 2632 wrote to memory of 1256 2632 Nljddpfe.exe 34 PID 2632 wrote to memory of 1256 2632 Nljddpfe.exe 34 PID 2632 wrote to memory of 1256 2632 Nljddpfe.exe 34 PID 1256 wrote to memory of 844 1256 Okdkal32.exe 35 PID 1256 wrote to memory of 844 1256 Okdkal32.exe 35 PID 1256 wrote to memory of 844 1256 Okdkal32.exe 35 PID 1256 wrote to memory of 844 1256 Okdkal32.exe 35 PID 844 wrote to memory of 580 844 Oappcfmb.exe 36 PID 844 wrote to memory of 580 844 Oappcfmb.exe 36 PID 844 wrote to memory of 580 844 Oappcfmb.exe 36 PID 844 wrote to memory of 580 844 Oappcfmb.exe 36 PID 580 wrote to memory of 2188 580 Pmlmic32.exe 37 PID 580 wrote to memory of 2188 580 Pmlmic32.exe 37 PID 580 wrote to memory of 2188 580 Pmlmic32.exe 37 PID 580 wrote to memory of 2188 580 Pmlmic32.exe 37 PID 2188 wrote to memory of 2636 2188 Pcibkm32.exe 38 PID 2188 wrote to memory of 2636 2188 Pcibkm32.exe 38 PID 2188 wrote to memory of 2636 2188 Pcibkm32.exe 38 PID 2188 wrote to memory of 2636 2188 Pcibkm32.exe 38 PID 2636 wrote to memory of 1420 2636 Pdlkiepd.exe 39 PID 2636 wrote to memory of 1420 2636 Pdlkiepd.exe 39 PID 2636 wrote to memory of 1420 2636 Pdlkiepd.exe 39 PID 2636 wrote to memory of 1420 2636 Pdlkiepd.exe 39 PID 1420 wrote to memory of 2892 1420 Qqeicede.exe 40 PID 1420 wrote to memory of 2892 1420 Qqeicede.exe 40 PID 1420 wrote to memory of 2892 1420 Qqeicede.exe 40 PID 1420 wrote to memory of 2892 1420 Qqeicede.exe 40 PID 2892 wrote to memory of 1944 2892 Qiladcdh.exe 41 PID 2892 wrote to memory of 1944 2892 Qiladcdh.exe 41 PID 2892 wrote to memory of 1944 2892 Qiladcdh.exe 41 PID 2892 wrote to memory of 1944 2892 Qiladcdh.exe 41 PID 1944 wrote to memory of 2944 1944 Aajbne32.exe 42 PID 1944 wrote to memory of 2944 1944 Aajbne32.exe 42 PID 1944 wrote to memory of 2944 1944 Aajbne32.exe 42 PID 1944 wrote to memory of 2944 1944 Aajbne32.exe 42 PID 2944 wrote to memory of 804 2944 Apalea32.exe 43 PID 2944 wrote to memory of 804 2944 Apalea32.exe 43 PID 2944 wrote to memory of 804 2944 Apalea32.exe 43 PID 2944 wrote to memory of 804 2944 Apalea32.exe 43 PID 804 wrote to memory of 2244 804 Afnagk32.exe 44 PID 804 wrote to memory of 2244 804 Afnagk32.exe 44 PID 804 wrote to memory of 2244 804 Afnagk32.exe 44 PID 804 wrote to memory of 2244 804 Afnagk32.exe 44 PID 2244 wrote to memory of 1088 2244 Bmhideol.exe 45 PID 2244 wrote to memory of 1088 2244 Bmhideol.exe 45 PID 2244 wrote to memory of 1088 2244 Bmhideol.exe 45 PID 2244 wrote to memory of 1088 2244 Bmhideol.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79.exe"C:\Users\Admin\AppData\Local\Temp\9eab482419f29b8c24841e46c9c48ee4a01b4bf271790c9aa4b255cf6c4e6a79.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Pcibkm32.exeC:\Windows\system32\Pcibkm32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Pdlkiepd.exeC:\Windows\system32\Pdlkiepd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Qiladcdh.exeC:\Windows\system32\Qiladcdh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Aajbne32.exeC:\Windows\system32\Aajbne32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Apalea32.exeC:\Windows\system32\Apalea32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Bonoflae.exeC:\Windows\system32\Bonoflae.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Cpceidcn.exeC:\Windows\system32\Cpceidcn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Cbgjqo32.exeC:\Windows\system32\Cbgjqo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Clalod32.exeC:\Windows\system32\Clalod32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Ddomif32.exeC:\Windows\system32\Ddomif32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Dhmfod32.exeC:\Windows\system32\Dhmfod32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Dddfdejn.exeC:\Windows\system32\Dddfdejn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe33⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe34⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe35⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe36⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Eodnebpd.exeC:\Windows\system32\Eodnebpd.exe38⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe39⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe40⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe41⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Efqbglen.exeC:\Windows\system32\Efqbglen.exe42⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe43⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Efcomkcl.exeC:\Windows\system32\Efcomkcl.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Efcomkcl.exeC:\Windows\system32\Efcomkcl.exe45⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe46⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe47⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe48⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe49⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Fpffje32.exeC:\Windows\system32\Fpffje32.exe50⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Gpkpedmh.exeC:\Windows\system32\Gpkpedmh.exe52⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe53⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe54⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe56⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe57⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Gaafhloq.exeC:\Windows\system32\Gaafhloq.exe59⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe60⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe62⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe63⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe64⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe65⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Hjndlqal.exeC:\Windows\system32\Hjndlqal.exe66⤵PID:2216
-
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe67⤵PID:1736
-
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe68⤵
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe69⤵PID:2256
-
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe70⤵PID:1600
-
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe72⤵PID:2044
-
C:\Windows\SysWOW64\Hdkape32.exeC:\Windows\system32\Hdkape32.exe73⤵PID:2576
-
C:\Windows\SysWOW64\Hfjnla32.exeC:\Windows\system32\Hfjnla32.exe74⤵PID:296
-
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe75⤵PID:1160
-
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe76⤵PID:2156
-
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe77⤵PID:1076
-
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe78⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe79⤵PID:1452
-
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe80⤵PID:2960
-
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe81⤵PID:1352
-
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe82⤵PID:2480
-
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1612 -
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe84⤵
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe85⤵PID:1752
-
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe86⤵PID:1540
-
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe87⤵PID:2512
-
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe88⤵PID:2752
-
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe89⤵PID:2776
-
C:\Windows\SysWOW64\Iamabm32.exeC:\Windows\system32\Iamabm32.exe90⤵PID:2748
-
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe91⤵PID:484
-
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe92⤵PID:1952
-
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe93⤵PID:1760
-
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe94⤵PID:1856
-
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe95⤵PID:2140
-
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe96⤵PID:1092
-
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe97⤵PID:356
-
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe98⤵PID:1680
-
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe99⤵PID:1084
-
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe100⤵PID:1716
-
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe101⤵PID:2660
-
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe102⤵PID:2364
-
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe103⤵PID:2836
-
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe104⤵
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe106⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe107⤵PID:944
-
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe108⤵
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe109⤵PID:3012
-
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe110⤵PID:2768
-
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe111⤵PID:2268
-
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe112⤵PID:1980
-
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe113⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe114⤵PID:2456
-
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe115⤵PID:2192
-
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe116⤵PID:1484
-
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe117⤵PID:896
-
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe118⤵PID:2504
-
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe119⤵PID:2796
-
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe120⤵PID:2332
-
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe121⤵PID:2716
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-