Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
24/01/2025, 17:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8c3ce0a13921ae33826152ca6e073bc8851536ee40d678d62aa4b28801d5c62dN.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
Behavioral task
behavioral2
Sample
8c3ce0a13921ae33826152ca6e073bc8851536ee40d678d62aa4b28801d5c62dN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
120 seconds
General
-
Target
8c3ce0a13921ae33826152ca6e073bc8851536ee40d678d62aa4b28801d5c62dN.exe
-
Size
163KB
-
MD5
ffd7436e1d5d05d628710ce2ec2b8370
-
SHA1
ff4979499e5189c6b14149616cdf61b33f500b56
-
SHA256
8c3ce0a13921ae33826152ca6e073bc8851536ee40d678d62aa4b28801d5c62d
-
SHA512
015703569458f3f4273b7444b3243f0e7cfd1443095ec4998a8034420d9617f261813485deadeebd4233ce7f2f7a1c7b0ce39bc057dbe0833b829ca92baef1a0
-
SSDEEP
1536:Plarpar3CnfYysTYpG8AsMYsJsRlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:UFi3CgZVdrJsRltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knbgnhfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knbgnhfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeiggk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoqhncgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agccbenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amjkefmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acdfki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkmfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agakog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iionacad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfnnnhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaekljjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnfjpib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbagdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmphpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hohfmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmfiefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miapbpmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bedcembk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmkpnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcikog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfodmhbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nalldh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnjhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkpabqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijghmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbkffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmohcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeenfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcaahofh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfeljlqh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckilmfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealbcngg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemjbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgigpgkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emailhfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmidkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhfgokap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpbiempj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmejaqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbqbioeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgpea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knikfnih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfbfaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlkhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgigpgkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khhpmbeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhalngad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfdhck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akjfhdka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legmpdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khjkiikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgqcam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfdkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbqgolpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmkiobge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gibmep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjkefmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnqcaffa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcikog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebabicfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmjhdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplhooec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphehidc.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 3 IoCs
resource yara_rule behavioral1/files/0x000400000001d9a1-2001.dat family_bruteratel behavioral1/files/0x000400000001da9a-2244.dat family_bruteratel behavioral1/files/0x0003000000020d8e-7635.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2180 Hijhhl32.exe 2748 Hofqpc32.exe 1736 Hkpnjd32.exe 1712 Hqochjnk.exe 2688 Ikfdkc32.exe 820 Ifpelq32.exe 2224 Iqhfnifq.exe 1728 Imogcj32.exe 2704 Jihdnk32.exe 1120 Jnifaajh.exe 2136 Jcikog32.exe 1748 Kppldhla.exe 1184 Kngekdnf.exe 1692 Klmbjh32.exe 1360 Lalhgogb.exe 1672 Lglmefcg.exe 1812 Ldbjdj32.exe 2716 Miapbpmb.exe 1040 Mlahdkjc.exe 2276 Mldeik32.exe 1732 Mgnfji32.exe 1028 Ngpcohbm.exe 1256 Nphghn32.exe 1032 Nladco32.exe 2788 Nobndj32.exe 2912 Omfnnnhj.exe 1600 Oiokholk.exe 2636 Pjhnqfla.exe 2708 Piohgbng.exe 2232 Qekbgbpf.exe 2020 Apilcoho.exe 2140 Ammmlcgi.exe 2336 Apnfno32.exe 2884 Ablbjj32.exe 2964 Appbcn32.exe 1992 Baclaf32.exe 2148 Bikcbc32.exe 2100 Beadgdli.exe 2508 Bceeqi32.exe 2560 Bdinnqon.exe 872 Ckecpjdh.exe 936 Cjjpag32.exe 1868 Cjmmffgn.exe 280 Cojeomee.exe 3004 Cjoilfek.exe 324 Cffjagko.exe 2312 Dlpbna32.exe 2352 Dbmkfh32.exe 868 Dlboca32.exe 2840 Dnckki32.exe 2780 Dfkclf32.exe 1596 Dochelmj.exe 2640 Dqddmd32.exe 2588 Dgnminke.exe 1696 Dnhefh32.exe 548 Ddbmcb32.exe 2920 Dklepmal.exe 2416 Dmmbge32.exe 1900 Ecgjdong.exe 2356 Ejabqi32.exe 1960 Empomd32.exe 388 Egebjmdn.exe 848 Embkbdce.exe 2536 Eclcon32.exe -
Loads dropped DLL 64 IoCs
pid Process 2204 8c3ce0a13921ae33826152ca6e073bc8851536ee40d678d62aa4b28801d5c62dN.exe 2204 8c3ce0a13921ae33826152ca6e073bc8851536ee40d678d62aa4b28801d5c62dN.exe 2180 Hijhhl32.exe 2180 Hijhhl32.exe 2748 Hofqpc32.exe 2748 Hofqpc32.exe 1736 Hkpnjd32.exe 1736 Hkpnjd32.exe 1712 Hqochjnk.exe 1712 Hqochjnk.exe 2688 Ikfdkc32.exe 2688 Ikfdkc32.exe 820 Ifpelq32.exe 820 Ifpelq32.exe 2224 Iqhfnifq.exe 2224 Iqhfnifq.exe 1728 Imogcj32.exe 1728 Imogcj32.exe 2704 Jihdnk32.exe 2704 Jihdnk32.exe 1120 Jnifaajh.exe 1120 Jnifaajh.exe 2136 Jcikog32.exe 2136 Jcikog32.exe 1748 Kppldhla.exe 1748 Kppldhla.exe 1184 Kngekdnf.exe 1184 Kngekdnf.exe 1692 Klmbjh32.exe 1692 Klmbjh32.exe 1360 Lalhgogb.exe 1360 Lalhgogb.exe 1672 Lglmefcg.exe 1672 Lglmefcg.exe 1812 Ldbjdj32.exe 1812 Ldbjdj32.exe 2716 Miapbpmb.exe 2716 Miapbpmb.exe 1040 Mlahdkjc.exe 1040 Mlahdkjc.exe 2276 Mldeik32.exe 2276 Mldeik32.exe 1732 Mgnfji32.exe 1732 Mgnfji32.exe 1028 Ngpcohbm.exe 1028 Ngpcohbm.exe 1256 Nphghn32.exe 1256 Nphghn32.exe 1032 Nladco32.exe 1032 Nladco32.exe 2788 Nobndj32.exe 2788 Nobndj32.exe 2912 Omfnnnhj.exe 2912 Omfnnnhj.exe 1600 Oiokholk.exe 1600 Oiokholk.exe 2636 Pjhnqfla.exe 2636 Pjhnqfla.exe 2708 Piohgbng.exe 2708 Piohgbng.exe 2232 Qekbgbpf.exe 2232 Qekbgbpf.exe 2020 Apilcoho.exe 2020 Apilcoho.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ghdehmnj.dll Inajql32.exe File opened for modification C:\Windows\SysWOW64\Bhjngnod.exe Bpnibl32.exe File opened for modification C:\Windows\SysWOW64\Aihjpman.exe Aamekk32.exe File created C:\Windows\SysWOW64\Fjdpgnee.exe Fplknh32.exe File created C:\Windows\SysWOW64\Imekmp32.dll Elpldp32.exe File created C:\Windows\SysWOW64\Mkpijm32.dll Lqmliqfj.exe File created C:\Windows\SysWOW64\Blcikifh.dll Mogcelgm.exe File created C:\Windows\SysWOW64\Dnhgifal.dll Dhekodik.exe File created C:\Windows\SysWOW64\Idegal32.dll Jafilj32.exe File opened for modification C:\Windows\SysWOW64\Hqemlbqi.exe Hdolga32.exe File opened for modification C:\Windows\SysWOW64\Kcjqlm32.exe Kmphpc32.exe File opened for modification C:\Windows\SysWOW64\Ncloha32.exe Nlbgkgcc.exe File created C:\Windows\SysWOW64\Jpnoahlk.dll Eaalom32.exe File opened for modification C:\Windows\SysWOW64\Jjqiok32.exe Jddqgdii.exe File created C:\Windows\SysWOW64\Naionh32.exe Nphbfplf.exe File created C:\Windows\SysWOW64\Lomidgkl.exe Lcfhpf32.exe File created C:\Windows\SysWOW64\Kccmfg32.dll Bnicddki.exe File opened for modification C:\Windows\SysWOW64\Cgfqii32.exe Cbihpbpl.exe File created C:\Windows\SysWOW64\Mlanmb32.dll Cjoilfek.exe File created C:\Windows\SysWOW64\Ebappk32.exe Ejfllhao.exe File created C:\Windows\SysWOW64\Joicje32.exe Jepoao32.exe File created C:\Windows\SysWOW64\Cjngej32.exe Cbcbag32.exe File opened for modification C:\Windows\SysWOW64\Fcgdjmlo.exe Feccqime.exe File created C:\Windows\SysWOW64\Fcjqpm32.exe Fcgdjmlo.exe File created C:\Windows\SysWOW64\Cfjijn32.dll Hhhblgim.exe File created C:\Windows\SysWOW64\Ghndbeeo.dll Dpjhcj32.exe File opened for modification C:\Windows\SysWOW64\Cojeomee.exe Cjmmffgn.exe File opened for modification C:\Windows\SysWOW64\Bbhfgj32.exe Bbfibj32.exe File created C:\Windows\SysWOW64\Imccab32.exe Imaglc32.exe File created C:\Windows\SysWOW64\Eaihlf32.dll Gfmmanif.exe File opened for modification C:\Windows\SysWOW64\Mpaoojjb.exe Mnneabff.exe File opened for modification C:\Windows\SysWOW64\Kfkjnh32.exe Kjdiigbm.exe File created C:\Windows\SysWOW64\Fbhfajia.exe Fhbbcail.exe File opened for modification C:\Windows\SysWOW64\Hdqhambg.exe Habkeacd.exe File created C:\Windows\SysWOW64\Lgdfgbhf.exe Lefikg32.exe File opened for modification C:\Windows\SysWOW64\Pamlel32.exe Oggghc32.exe File opened for modification C:\Windows\SysWOW64\Mmpcdfem.exe Mnkfcjqe.exe File created C:\Windows\SysWOW64\Djnbkg32.dll Dogpfc32.exe File created C:\Windows\SysWOW64\Eannjf32.dll Cabldeik.exe File created C:\Windows\SysWOW64\Ibdclp32.exe Infjfblm.exe File created C:\Windows\SysWOW64\Qgfkchmp.exe Pmqffonj.exe File created C:\Windows\SysWOW64\Keappgmg.exe Kodghqop.exe File created C:\Windows\SysWOW64\Mmdigbbj.dll Fhlogo32.exe File created C:\Windows\SysWOW64\Gledgkfn.exe Fblpnepn.exe File opened for modification C:\Windows\SysWOW64\Ghmohcbl.exe Gemfghek.exe File created C:\Windows\SysWOW64\Eighpgge.dll Nqkgbkdj.exe File created C:\Windows\SysWOW64\Fkficd32.dll Hcfenn32.exe File opened for modification C:\Windows\SysWOW64\Egpena32.exe Ebcmfj32.exe File created C:\Windows\SysWOW64\Clbclk32.dll Kanfgofa.exe File opened for modification C:\Windows\SysWOW64\Dkpabqoa.exe Dhaefepn.exe File created C:\Windows\SysWOW64\Bhjngnod.exe Bpnibl32.exe File created C:\Windows\SysWOW64\Ncffihci.dll Meojkide.exe File created C:\Windows\SysWOW64\Moikinib.exe Mhobldaf.exe File created C:\Windows\SysWOW64\Eheblj32.exe Eedijo32.exe File created C:\Windows\SysWOW64\Kcabebjh.dll Hdgkkppm.exe File created C:\Windows\SysWOW64\Cinefnpo.dll Gekhgh32.exe File created C:\Windows\SysWOW64\Ikoehj32.exe Ihqilnig.exe File created C:\Windows\SysWOW64\Kdgfnh32.dll Aphehidc.exe File created C:\Windows\SysWOW64\Aegkfpah.exe Aiqjao32.exe File opened for modification C:\Windows\SysWOW64\Pnfipm32.exe Pcqebd32.exe File created C:\Windows\SysWOW64\Mhjbbblb.dll Gmnlog32.exe File opened for modification C:\Windows\SysWOW64\Agakog32.exe Aniffaim.exe File created C:\Windows\SysWOW64\Hcdkmafl.dll Nphghn32.exe File created C:\Windows\SysWOW64\Ohengmcf.exe Oomjng32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjagdlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkelcenm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keekeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legcjjjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfbfaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljgkom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqekkob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqciha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgppmpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbplciof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhlbbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oedqcdim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pppihdha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebcqicem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghekhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpeafo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkpnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfganb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmcedg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkaihkih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapnfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcaahofh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihlpqonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joekimld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkdgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqhhbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfcfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jigmeagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lofkoamf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egpena32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhadgakg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aafnpkii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jempcgad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Effidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ammmlcgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anhdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eganqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpgeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcikog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnicoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdlqjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnagbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgfgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqlbmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemfjgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaalom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kobfqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfekkgla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Galfpgpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibcja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffpcilf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imogcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hndoifdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpcdfem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naionh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjgepqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injlkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdiho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqendf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiifjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekfaij32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cipnng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgkeol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aidpiiop.dll" Ckgmon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbegonmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpabfbj.dll" Occeip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nalldh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Claake32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekdglcmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpfll32.dll" Hnppaill.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfdhck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imcfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieeqpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjcoaeol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oakaheoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicgd32.dll" Fplknh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Higiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oddbqhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncndladm.dll" Ebofcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bemfjgdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnjhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blajkq32.dll" Gdmbhnjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffjpg32.dll" Qbkljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiajmgka.dll" Eibikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnoehoj.dll" Ahbqliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hndoifdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akpkok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opicgenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chmlfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkkfdmpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eapcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddkbqfcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibdclp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keodflee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khhpmbeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajolkncp.dll" Dkfcqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnemlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facfgahm.dll" Jkcllmhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcppgbjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpbiempj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebhbna32.dll" Mpllpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okefloqc.dll" Cllmdcej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbmkfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eecgafkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhld32.dll" Colegflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hondclnf.dll" Dbfaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnmhm32.dll" Kmjaddii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kngcbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cngjeack.dll" Biakbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gemfghek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdincdcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iionacad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jigmeagl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pibgfjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gngiba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkngkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oimpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lddagi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdkhhcq.dll" Gfiaojkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egknpp32.dll" Elpqemll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcpoab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjdkllec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqddmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbfibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obckihng.dll" Ncpgeh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 2180 2204 8c3ce0a13921ae33826152ca6e073bc8851536ee40d678d62aa4b28801d5c62dN.exe 30 PID 2204 wrote to memory of 2180 2204 8c3ce0a13921ae33826152ca6e073bc8851536ee40d678d62aa4b28801d5c62dN.exe 30 PID 2204 wrote to memory of 2180 2204 8c3ce0a13921ae33826152ca6e073bc8851536ee40d678d62aa4b28801d5c62dN.exe 30 PID 2204 wrote to memory of 2180 2204 8c3ce0a13921ae33826152ca6e073bc8851536ee40d678d62aa4b28801d5c62dN.exe 30 PID 2180 wrote to memory of 2748 2180 Hijhhl32.exe 31 PID 2180 wrote to memory of 2748 2180 Hijhhl32.exe 31 PID 2180 wrote to memory of 2748 2180 Hijhhl32.exe 31 PID 2180 wrote to memory of 2748 2180 Hijhhl32.exe 31 PID 2748 wrote to memory of 1736 2748 Hofqpc32.exe 32 PID 2748 wrote to memory of 1736 2748 Hofqpc32.exe 32 PID 2748 wrote to memory of 1736 2748 Hofqpc32.exe 32 PID 2748 wrote to memory of 1736 2748 Hofqpc32.exe 32 PID 1736 wrote to memory of 1712 1736 Hkpnjd32.exe 33 PID 1736 wrote to memory of 1712 1736 Hkpnjd32.exe 33 PID 1736 wrote to memory of 1712 1736 Hkpnjd32.exe 33 PID 1736 wrote to memory of 1712 1736 Hkpnjd32.exe 33 PID 1712 wrote to memory of 2688 1712 Hqochjnk.exe 34 PID 1712 wrote to memory of 2688 1712 Hqochjnk.exe 34 PID 1712 wrote to memory of 2688 1712 Hqochjnk.exe 34 PID 1712 wrote to memory of 2688 1712 Hqochjnk.exe 34 PID 2688 wrote to memory of 820 2688 Ikfdkc32.exe 35 PID 2688 wrote to memory of 820 2688 Ikfdkc32.exe 35 PID 2688 wrote to memory of 820 2688 Ikfdkc32.exe 35 PID 2688 wrote to memory of 820 2688 Ikfdkc32.exe 35 PID 820 wrote to memory of 2224 820 Ifpelq32.exe 36 PID 820 wrote to memory of 2224 820 Ifpelq32.exe 36 PID 820 wrote to memory of 2224 820 Ifpelq32.exe 36 PID 820 wrote to memory of 2224 820 Ifpelq32.exe 36 PID 2224 wrote to memory of 1728 2224 Iqhfnifq.exe 37 PID 2224 wrote to memory of 1728 2224 Iqhfnifq.exe 37 PID 2224 wrote to memory of 1728 2224 Iqhfnifq.exe 37 PID 2224 wrote to memory of 1728 2224 Iqhfnifq.exe 37 PID 1728 wrote to memory of 2704 1728 Imogcj32.exe 38 PID 1728 wrote to memory of 2704 1728 Imogcj32.exe 38 PID 1728 wrote to memory of 2704 1728 Imogcj32.exe 38 PID 1728 wrote to memory of 2704 1728 Imogcj32.exe 38 PID 2704 wrote to memory of 1120 2704 Jihdnk32.exe 39 PID 2704 wrote to memory of 1120 2704 Jihdnk32.exe 39 PID 2704 wrote to memory of 1120 2704 Jihdnk32.exe 39 PID 2704 wrote to memory of 1120 2704 Jihdnk32.exe 39 PID 1120 wrote to memory of 2136 1120 Jnifaajh.exe 40 PID 1120 wrote to memory of 2136 1120 Jnifaajh.exe 40 PID 1120 wrote to memory of 2136 1120 Jnifaajh.exe 40 PID 1120 wrote to memory of 2136 1120 Jnifaajh.exe 40 PID 2136 wrote to memory of 1748 2136 Jcikog32.exe 41 PID 2136 wrote to memory of 1748 2136 Jcikog32.exe 41 PID 2136 wrote to memory of 1748 2136 Jcikog32.exe 41 PID 2136 wrote to memory of 1748 2136 Jcikog32.exe 41 PID 1748 wrote to memory of 1184 1748 Kppldhla.exe 42 PID 1748 wrote to memory of 1184 1748 Kppldhla.exe 42 PID 1748 wrote to memory of 1184 1748 Kppldhla.exe 42 PID 1748 wrote to memory of 1184 1748 Kppldhla.exe 42 PID 1184 wrote to memory of 1692 1184 Kngekdnf.exe 43 PID 1184 wrote to memory of 1692 1184 Kngekdnf.exe 43 PID 1184 wrote to memory of 1692 1184 Kngekdnf.exe 43 PID 1184 wrote to memory of 1692 1184 Kngekdnf.exe 43 PID 1692 wrote to memory of 1360 1692 Klmbjh32.exe 44 PID 1692 wrote to memory of 1360 1692 Klmbjh32.exe 44 PID 1692 wrote to memory of 1360 1692 Klmbjh32.exe 44 PID 1692 wrote to memory of 1360 1692 Klmbjh32.exe 44 PID 1360 wrote to memory of 1672 1360 Lalhgogb.exe 45 PID 1360 wrote to memory of 1672 1360 Lalhgogb.exe 45 PID 1360 wrote to memory of 1672 1360 Lalhgogb.exe 45 PID 1360 wrote to memory of 1672 1360 Lalhgogb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c3ce0a13921ae33826152ca6e073bc8851536ee40d678d62aa4b28801d5c62dN.exe"C:\Users\Admin\AppData\Local\Temp\8c3ce0a13921ae33826152ca6e073bc8851536ee40d678d62aa4b28801d5c62dN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Hijhhl32.exeC:\Windows\system32\Hijhhl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Hofqpc32.exeC:\Windows\system32\Hofqpc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Hkpnjd32.exeC:\Windows\system32\Hkpnjd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Hqochjnk.exeC:\Windows\system32\Hqochjnk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Ikfdkc32.exeC:\Windows\system32\Ikfdkc32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Ifpelq32.exeC:\Windows\system32\Ifpelq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Imogcj32.exeC:\Windows\system32\Imogcj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Jihdnk32.exeC:\Windows\system32\Jihdnk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Jcikog32.exeC:\Windows\system32\Jcikog32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Kngekdnf.exeC:\Windows\system32\Kngekdnf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Lglmefcg.exeC:\Windows\system32\Lglmefcg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Ldbjdj32.exeC:\Windows\system32\Ldbjdj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Mlahdkjc.exeC:\Windows\system32\Mlahdkjc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Mgnfji32.exeC:\Windows\system32\Mgnfji32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Ngpcohbm.exeC:\Windows\system32\Ngpcohbm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Nphghn32.exeC:\Windows\system32\Nphghn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1256 -
C:\Windows\SysWOW64\Nladco32.exeC:\Windows\system32\Nladco32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Nobndj32.exeC:\Windows\system32\Nobndj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Omfnnnhj.exeC:\Windows\system32\Omfnnnhj.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Pjhnqfla.exeC:\Windows\system32\Pjhnqfla.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Piohgbng.exeC:\Windows\system32\Piohgbng.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Qekbgbpf.exeC:\Windows\system32\Qekbgbpf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Apilcoho.exeC:\Windows\system32\Apilcoho.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Ammmlcgi.exeC:\Windows\system32\Ammmlcgi.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Apnfno32.exeC:\Windows\system32\Apnfno32.exe34⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Ablbjj32.exeC:\Windows\system32\Ablbjj32.exe35⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Appbcn32.exeC:\Windows\system32\Appbcn32.exe36⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Baclaf32.exeC:\Windows\system32\Baclaf32.exe37⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Bikcbc32.exeC:\Windows\system32\Bikcbc32.exe38⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Beadgdli.exeC:\Windows\system32\Beadgdli.exe39⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Bceeqi32.exeC:\Windows\system32\Bceeqi32.exe40⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Bdinnqon.exeC:\Windows\system32\Bdinnqon.exe41⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Ckecpjdh.exeC:\Windows\system32\Ckecpjdh.exe42⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Cjjpag32.exeC:\Windows\system32\Cjjpag32.exe43⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Cjmmffgn.exeC:\Windows\system32\Cjmmffgn.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Cojeomee.exeC:\Windows\system32\Cojeomee.exe45⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Cjoilfek.exeC:\Windows\system32\Cjoilfek.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Cffjagko.exeC:\Windows\system32\Cffjagko.exe47⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe48⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Dbmkfh32.exeC:\Windows\system32\Dbmkfh32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Dlboca32.exeC:\Windows\system32\Dlboca32.exe50⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Dnckki32.exeC:\Windows\system32\Dnckki32.exe51⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Dfkclf32.exeC:\Windows\system32\Dfkclf32.exe52⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Dochelmj.exeC:\Windows\system32\Dochelmj.exe53⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Dgnminke.exeC:\Windows\system32\Dgnminke.exe55⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Dnhefh32.exeC:\Windows\system32\Dnhefh32.exe56⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Ddbmcb32.exeC:\Windows\system32\Ddbmcb32.exe57⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Dklepmal.exeC:\Windows\system32\Dklepmal.exe58⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Dmmbge32.exeC:\Windows\system32\Dmmbge32.exe59⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ecgjdong.exeC:\Windows\system32\Ecgjdong.exe60⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Ejabqi32.exeC:\Windows\system32\Ejabqi32.exe61⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Empomd32.exeC:\Windows\system32\Empomd32.exe62⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Egebjmdn.exeC:\Windows\system32\Egebjmdn.exe63⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe64⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Eclcon32.exeC:\Windows\system32\Eclcon32.exe65⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Ejfllhao.exeC:\Windows\system32\Ejfllhao.exe66⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Ebappk32.exeC:\Windows\system32\Ebappk32.exe67⤵PID:1676
-
C:\Windows\SysWOW64\Eepmlf32.exeC:\Windows\system32\Eepmlf32.exe68⤵PID:1784
-
C:\Windows\SysWOW64\Ebcmfj32.exeC:\Windows\system32\Ebcmfj32.exe69⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Egpena32.exeC:\Windows\system32\Egpena32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Fedfgejh.exeC:\Windows\system32\Fedfgejh.exe71⤵PID:2664
-
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe72⤵
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe73⤵PID:2848
-
C:\Windows\SysWOW64\Fjckelfm.exeC:\Windows\system32\Fjckelfm.exe74⤵PID:1148
-
C:\Windows\SysWOW64\Feipbefb.exeC:\Windows\system32\Feipbefb.exe75⤵PID:2624
-
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe76⤵PID:1948
-
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe77⤵PID:2172
-
C:\Windows\SysWOW64\Fjhdpk32.exeC:\Windows\system32\Fjhdpk32.exe78⤵PID:2004
-
C:\Windows\SysWOW64\Fabmmejd.exeC:\Windows\system32\Fabmmejd.exe79⤵PID:2572
-
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe80⤵PID:2660
-
C:\Windows\SysWOW64\Gllnnc32.exeC:\Windows\system32\Gllnnc32.exe81⤵PID:2440
-
C:\Windows\SysWOW64\Gbffjmmp.exeC:\Windows\system32\Gbffjmmp.exe82⤵PID:1340
-
C:\Windows\SysWOW64\Gedbfimc.exeC:\Windows\system32\Gedbfimc.exe83⤵PID:2540
-
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe84⤵PID:1708
-
C:\Windows\SysWOW64\Golgon32.exeC:\Windows\system32\Golgon32.exe85⤵PID:2720
-
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Gbjpem32.exeC:\Windows\system32\Gbjpem32.exe87⤵PID:2908
-
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe88⤵PID:2684
-
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe89⤵PID:1980
-
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe90⤵
- Drops file in System32 directory
PID:432 -
C:\Windows\SysWOW64\Gkhaooec.exeC:\Windows\system32\Gkhaooec.exe91⤵PID:1928
-
C:\Windows\SysWOW64\Hmfmkjdf.exeC:\Windows\system32\Hmfmkjdf.exe92⤵PID:3036
-
C:\Windows\SysWOW64\Hememgdi.exeC:\Windows\system32\Hememgdi.exe93⤵PID:2616
-
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe94⤵PID:2452
-
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe95⤵PID:2192
-
C:\Windows\SysWOW64\Hhnnnbaj.exeC:\Windows\system32\Hhnnnbaj.exe96⤵PID:1908
-
C:\Windows\SysWOW64\Hganjo32.exeC:\Windows\system32\Hganjo32.exe97⤵PID:1952
-
C:\Windows\SysWOW64\Hpicbe32.exeC:\Windows\system32\Hpicbe32.exe98⤵PID:1852
-
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe99⤵PID:2032
-
C:\Windows\SysWOW64\Hibgkjee.exeC:\Windows\system32\Hibgkjee.exe100⤵PID:2316
-
C:\Windows\SysWOW64\Hdgkicek.exeC:\Windows\system32\Hdgkicek.exe101⤵PID:1008
-
C:\Windows\SysWOW64\Hnppaill.exeC:\Windows\system32\Hnppaill.exe102⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Hekefkig.exeC:\Windows\system32\Hekefkig.exe103⤵PID:2256
-
C:\Windows\SysWOW64\Ihiabfhk.exeC:\Windows\system32\Ihiabfhk.exe104⤵PID:1308
-
C:\Windows\SysWOW64\Iemalkgd.exeC:\Windows\system32\Iemalkgd.exe105⤵PID:2952
-
C:\Windows\SysWOW64\Ilgjhena.exeC:\Windows\system32\Ilgjhena.exe106⤵PID:2068
-
C:\Windows\SysWOW64\Ihnjmf32.exeC:\Windows\system32\Ihnjmf32.exe107⤵PID:1936
-
C:\Windows\SysWOW64\Kmnlhg32.exeC:\Windows\system32\Kmnlhg32.exe108⤵PID:2024
-
C:\Windows\SysWOW64\Kiemmh32.exeC:\Windows\system32\Kiemmh32.exe109⤵PID:1288
-
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe110⤵PID:1768
-
C:\Windows\SysWOW64\Kkefoc32.exeC:\Windows\system32\Kkefoc32.exe111⤵PID:556
-
C:\Windows\SysWOW64\Kaekljjo.exeC:\Windows\system32\Kaekljjo.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592 -
C:\Windows\SysWOW64\Knikfnih.exeC:\Windows\system32\Knikfnih.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2456 -
C:\Windows\SysWOW64\Lffmpp32.exeC:\Windows\system32\Lffmpp32.exe114⤵PID:2656
-
C:\Windows\SysWOW64\Lmpeljkm.exeC:\Windows\system32\Lmpeljkm.exe115⤵PID:2692
-
C:\Windows\SysWOW64\Lfhiepbn.exeC:\Windows\system32\Lfhiepbn.exe116⤵PID:336
-
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe117⤵PID:1320
-
C:\Windows\SysWOW64\Lhlbbg32.exeC:\Windows\system32\Lhlbbg32.exe118⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Lofkoamf.exeC:\Windows\system32\Lofkoamf.exe119⤵
- System Location Discovery: System Language Discovery
PID:544 -
C:\Windows\SysWOW64\Lkmldbcj.exeC:\Windows\system32\Lkmldbcj.exe120⤵PID:2144
-
C:\Windows\SysWOW64\Mhalngad.exeC:\Windows\system32\Mhalngad.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-