Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
05/03/2025, 09:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c28e25edda1717c6cb683db7c31bd168d81b6af6fd226d005c69e33a2f4391af.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
c28e25edda1717c6cb683db7c31bd168d81b6af6fd226d005c69e33a2f4391af.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
c28e25edda1717c6cb683db7c31bd168d81b6af6fd226d005c69e33a2f4391af.exe
-
Size
93KB
-
MD5
7c9699b4ec99a9a64818064e36af9b55
-
SHA1
0dfb001fedda561ff4ecb2003b2320575ee55652
-
SHA256
c28e25edda1717c6cb683db7c31bd168d81b6af6fd226d005c69e33a2f4391af
-
SHA512
99342a3bda2e4fe7d5eb378dc3202a31cc9c8106bdafdcc341696de2d8408778235d1a8c264e69d6e3591a5c69887f73bfb98f36c3f9fa1909a8878b5135da08
-
SSDEEP
1536:nrav6xFGZoc6SLYJEplXxKYnwf5k1O53q52IrFzTXMtDhGJ5taRFkt:rakQU9JghKC1g3q/haRA
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnlodjpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfnamjhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbnnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgnbaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pccahbmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplgeokq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiiggoaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocgbld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chfegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hppeim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljdceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oohgdhfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cijpahho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apjkcadp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llqjbhdc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmkofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafkgphl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhcjqinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhijepa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpedjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bboffejp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmidndd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkohaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmpnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmcce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpkmal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqfbpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjoppf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjaleemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidinqpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofegni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbhgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhldpj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckkfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbnnpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klpakj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmfeidbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkhkjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enpmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbpchb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jebfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bigbmpco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pojcjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fplpll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fngcmcfe.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4732 Eplnpeol.exe 4616 Ejbbmnnb.exe 3448 Ealkjh32.exe 1244 Efhcbodf.exe 3224 Embkoi32.exe 4860 Epagkd32.exe 1312 Efkphnbd.exe 3772 Emehdh32.exe 2532 Epcdqd32.exe 3236 Fkihnmhj.exe 2360 Fmgejhgn.exe 4588 Fhmigagd.exe 532 Fineoi32.exe 1688 Fphnlcdo.exe 2920 Fknbil32.exe 1716 Gmeakf32.exe 2420 Gpcmga32.exe 368 Gdoihpbk.exe 3308 Gkiaej32.exe 1016 Gacjadad.exe 4076 Gdafnpqh.exe 3100 Ggpbjkpl.exe 4128 Ginnfgop.exe 1576 Ggbook32.exe 4344 Gknkpjfb.exe 4112 Gpkchqdj.exe 5092 Hkpheidp.exe 4700 Hjchaf32.exe 4268 Hpmpnp32.exe 3352 Hgghjjid.exe 208 Hjedffig.exe 4396 Hpomcp32.exe 4748 Hhfedm32.exe 3948 Hkeaqi32.exe 4840 Hncmmd32.exe 4172 Hdmein32.exe 3668 Hkgnfhnh.exe 3644 Haafcb32.exe 3520 Hdpbon32.exe 4160 Hgnoki32.exe 2592 Hkjjlhle.exe 1040 Hnhghcki.exe 968 Idbodn32.exe 4252 Iklgah32.exe 4872 Ijogmdqm.exe 4704 Injcmc32.exe 1912 Iqipio32.exe 1252 Igchfiof.exe 3844 Ijadbdoj.exe 5116 Iahlcaol.exe 3856 Igedlh32.exe 4248 Ijcahd32.exe 3416 Iqmidndd.exe 3272 Ihdafkdg.exe 5024 Ibmeoq32.exe 5048 Ihgnkkbd.exe 3056 Ikejgf32.exe 4804 Indfca32.exe 1132 Ibobdqid.exe 1432 Jglklggl.exe 3628 Jbaojpgb.exe 1888 Jhlgfj32.exe 2480 Jnhpoamf.exe 436 Jqglkmlj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hapfpelh.dll Khiofk32.exe File created C:\Windows\SysWOW64\Fbbnpn32.dll Mpeiie32.exe File opened for modification C:\Windows\SysWOW64\Pbhgoh32.exe Pcegclgp.exe File opened for modification C:\Windows\SysWOW64\Madbagif.exe Process not Found File created C:\Windows\SysWOW64\Jjjpnlbd.exe Jgkdbacp.exe File opened for modification C:\Windows\SysWOW64\Ofhknodl.exe Ocjoadei.exe File created C:\Windows\SysWOW64\Hodbhp32.dll Ngqagcag.exe File created C:\Windows\SysWOW64\Ppcbba32.dll Phcgcqab.exe File created C:\Windows\SysWOW64\Kngekilj.dll Ilkoim32.exe File opened for modification C:\Windows\SysWOW64\Kapfiqoj.exe Koajmepf.exe File created C:\Windows\SysWOW64\Mmddqemj.dll Olfghg32.exe File created C:\Windows\SysWOW64\Plgdqf32.dll Fofilp32.exe File opened for modification C:\Windows\SysWOW64\Kiejmi32.exe Jnpfop32.exe File created C:\Windows\SysWOW64\Allpejfe.exe Qaflgago.exe File opened for modification C:\Windows\SysWOW64\Elbhjp32.exe Eidlnd32.exe File opened for modification C:\Windows\SysWOW64\Pdenmbkk.exe Pmlfqh32.exe File opened for modification C:\Windows\SysWOW64\Noblkqca.exe Nhhdnf32.exe File created C:\Windows\SysWOW64\Caqpkjcl.exe Cmedjl32.exe File created C:\Windows\SysWOW64\Mghekd32.dll Process not Found File created C:\Windows\SysWOW64\Injcmc32.exe Ijogmdqm.exe File created C:\Windows\SysWOW64\Gigmlgok.dll Ijadbdoj.exe File created C:\Windows\SysWOW64\Enndkpea.dll Hppeim32.exe File opened for modification C:\Windows\SysWOW64\Aadghn32.exe Abcgjg32.exe File opened for modification C:\Windows\SysWOW64\Cgklmacf.exe Ccppmc32.exe File opened for modification C:\Windows\SysWOW64\Nmigoagp.exe Njkkbehl.exe File created C:\Windows\SysWOW64\Hiplgm32.dll Hnlodjpa.exe File opened for modification C:\Windows\SysWOW64\Fdpnda32.exe Process not Found File created C:\Windows\SysWOW64\Mdfggeba.dll Eiaoid32.exe File opened for modification C:\Windows\SysWOW64\Fpejlmcf.exe Fikbocki.exe File opened for modification C:\Windows\SysWOW64\Mccfdmmo.exe Madjhb32.exe File created C:\Windows\SysWOW64\Gldglf32.exe Gejopl32.exe File created C:\Windows\SysWOW64\Nhhlki32.dll Qdoacabq.exe File created C:\Windows\SysWOW64\Aphnnafb.exe Aogbfi32.exe File opened for modification C:\Windows\SysWOW64\Ibegfglj.exe Iojkeh32.exe File created C:\Windows\SysWOW64\Cmedjl32.exe Ckggnp32.exe File opened for modification C:\Windows\SysWOW64\Jgbchj32.exe Jokkgl32.exe File created C:\Windows\SysWOW64\Mcgiefen.exe Mqimikfj.exe File opened for modification C:\Windows\SysWOW64\Jafdcbge.exe Jlikkkhn.exe File created C:\Windows\SysWOW64\Mpnmig32.dll Jeapcq32.exe File created C:\Windows\SysWOW64\Gmkock32.dll Process not Found File created C:\Windows\SysWOW64\Kpoalo32.exe Knqepc32.exe File created C:\Windows\SysWOW64\Pbljoafi.exe Process not Found File created C:\Windows\SysWOW64\Aknifq32.exe Aafemk32.exe File opened for modification C:\Windows\SysWOW64\Gojiiafp.exe Gmimai32.exe File created C:\Windows\SysWOW64\Mjbaohka.dll Process not Found File created C:\Windows\SysWOW64\Nlkgmh32.exe Nccokk32.exe File opened for modification C:\Windows\SysWOW64\Ckgohf32.exe Chiblk32.exe File created C:\Windows\SysWOW64\Jicchk32.dll Llnnmhfe.exe File opened for modification C:\Windows\SysWOW64\Hkeaqi32.exe Hhfedm32.exe File opened for modification C:\Windows\SysWOW64\Fbaahf32.exe Process not Found File created C:\Windows\SysWOW64\Kfcfimfi.dll Pnkbkk32.exe File created C:\Windows\SysWOW64\Filapfbo.exe Fbbicl32.exe File created C:\Windows\SysWOW64\Hppeim32.exe Hejqldci.exe File created C:\Windows\SysWOW64\Damlpgkc.dll Nhegig32.exe File created C:\Windows\SysWOW64\Ljhefhha.exe Lekmnajj.exe File created C:\Windows\SysWOW64\Lnedgk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ohcmpn32.exe Process not Found File created C:\Windows\SysWOW64\Hjchaf32.exe Hkpheidp.exe File created C:\Windows\SysWOW64\Jqlefl32.exe Jnmijq32.exe File opened for modification C:\Windows\SysWOW64\Eeelnp32.exe Enkdaepb.exe File created C:\Windows\SysWOW64\Kdjfee32.dll Eokqkh32.exe File opened for modification C:\Windows\SysWOW64\Niojoeel.exe Nfqnbjfi.exe File created C:\Windows\SysWOW64\Lfdqcn32.dll Pfandnla.exe File created C:\Windows\SysWOW64\Mbgeqmjp.exe Mcdeeq32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meamcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdaepb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnlmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkndie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdocph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnjpfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemmac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbnpcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjoeojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgiiiidd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poimpapp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biklho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgeenfog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbfgppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aplaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckkca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgnjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cammjakm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijfhbhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbafoge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpejlmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgnqgqan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfpell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgomnai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epcdqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbagk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfnaicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafdcbge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpclce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfnamjhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhblllfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfagighf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igchfiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neoieenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnkdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leopnglc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhngolpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmbbejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efgemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccppmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklbmllg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeldnpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhkbdmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhildae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fphnlcdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpqjglii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqbncb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhkbdmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcoejf32.dll" Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfbkfaa.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eplnpeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emmoafdl.dll" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pocfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qohpkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhamkipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajgdm32.dll" Pjlcjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idhnkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgnqgqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gihpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiplgm32.dll" Hnlodjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohddjgl.dll" Pbhgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpagekkf.dll" Cmedjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajbnn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leenhhdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhfpbpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Likhem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cacmpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhkikq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejchhgid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmaciefp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjnafk32.dll" Mlpokp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgoakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kamjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll" Bipecnkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebjcajjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcelk32.dll" Gfokoelp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmdcfidg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keimof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kadpdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppgomnai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbenoa32.dll" Clgbmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocjoadei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pccahbmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfe32.dll" Hpkknmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpemq32.dll" Jikoopij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhmigagd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkceokii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleqaiga.dll" Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnhmnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpoofmk.dll" Gbiockdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffgmig.dll" Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngqpijkf.dll" Ccpdoqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccledea.dll" Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjjpnlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anaemfem.dll" Jcgnbaeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckgohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhjhmhhd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2760 wrote to memory of 4732 2760 c28e25edda1717c6cb683db7c31bd168d81b6af6fd226d005c69e33a2f4391af.exe 87 PID 2760 wrote to memory of 4732 2760 c28e25edda1717c6cb683db7c31bd168d81b6af6fd226d005c69e33a2f4391af.exe 87 PID 2760 wrote to memory of 4732 2760 c28e25edda1717c6cb683db7c31bd168d81b6af6fd226d005c69e33a2f4391af.exe 87 PID 4732 wrote to memory of 4616 4732 Eplnpeol.exe 88 PID 4732 wrote to memory of 4616 4732 Eplnpeol.exe 88 PID 4732 wrote to memory of 4616 4732 Eplnpeol.exe 88 PID 4616 wrote to memory of 3448 4616 Ejbbmnnb.exe 90 PID 4616 wrote to memory of 3448 4616 Ejbbmnnb.exe 90 PID 4616 wrote to memory of 3448 4616 Ejbbmnnb.exe 90 PID 3448 wrote to memory of 1244 3448 Ealkjh32.exe 91 PID 3448 wrote to memory of 1244 3448 Ealkjh32.exe 91 PID 3448 wrote to memory of 1244 3448 Ealkjh32.exe 91 PID 1244 wrote to memory of 3224 1244 Efhcbodf.exe 92 PID 1244 wrote to memory of 3224 1244 Efhcbodf.exe 92 PID 1244 wrote to memory of 3224 1244 Efhcbodf.exe 92 PID 3224 wrote to memory of 4860 3224 Embkoi32.exe 93 PID 3224 wrote to memory of 4860 3224 Embkoi32.exe 93 PID 3224 wrote to memory of 4860 3224 Embkoi32.exe 93 PID 4860 wrote to memory of 1312 4860 Epagkd32.exe 94 PID 4860 wrote to memory of 1312 4860 Epagkd32.exe 94 PID 4860 wrote to memory of 1312 4860 Epagkd32.exe 94 PID 1312 wrote to memory of 3772 1312 Efkphnbd.exe 95 PID 1312 wrote to memory of 3772 1312 Efkphnbd.exe 95 PID 1312 wrote to memory of 3772 1312 Efkphnbd.exe 95 PID 3772 wrote to memory of 2532 3772 Emehdh32.exe 96 PID 3772 wrote to memory of 2532 3772 Emehdh32.exe 96 PID 3772 wrote to memory of 2532 3772 Emehdh32.exe 96 PID 2532 wrote to memory of 3236 2532 Epcdqd32.exe 97 PID 2532 wrote to memory of 3236 2532 Epcdqd32.exe 97 PID 2532 wrote to memory of 3236 2532 Epcdqd32.exe 97 PID 3236 wrote to memory of 2360 3236 Fkihnmhj.exe 99 PID 3236 wrote to memory of 2360 3236 Fkihnmhj.exe 99 PID 3236 wrote to memory of 2360 3236 Fkihnmhj.exe 99 PID 2360 wrote to memory of 4588 2360 Fmgejhgn.exe 100 PID 2360 wrote to memory of 4588 2360 Fmgejhgn.exe 100 PID 2360 wrote to memory of 4588 2360 Fmgejhgn.exe 100 PID 4588 wrote to memory of 532 4588 Fhmigagd.exe 101 PID 4588 wrote to memory of 532 4588 Fhmigagd.exe 101 PID 4588 wrote to memory of 532 4588 Fhmigagd.exe 101 PID 532 wrote to memory of 1688 532 Fineoi32.exe 102 PID 532 wrote to memory of 1688 532 Fineoi32.exe 102 PID 532 wrote to memory of 1688 532 Fineoi32.exe 102 PID 1688 wrote to memory of 2920 1688 Fphnlcdo.exe 103 PID 1688 wrote to memory of 2920 1688 Fphnlcdo.exe 103 PID 1688 wrote to memory of 2920 1688 Fphnlcdo.exe 103 PID 2920 wrote to memory of 1716 2920 Fknbil32.exe 104 PID 2920 wrote to memory of 1716 2920 Fknbil32.exe 104 PID 2920 wrote to memory of 1716 2920 Fknbil32.exe 104 PID 1716 wrote to memory of 2420 1716 Gmeakf32.exe 105 PID 1716 wrote to memory of 2420 1716 Gmeakf32.exe 105 PID 1716 wrote to memory of 2420 1716 Gmeakf32.exe 105 PID 2420 wrote to memory of 368 2420 Gpcmga32.exe 106 PID 2420 wrote to memory of 368 2420 Gpcmga32.exe 106 PID 2420 wrote to memory of 368 2420 Gpcmga32.exe 106 PID 368 wrote to memory of 3308 368 Gdoihpbk.exe 107 PID 368 wrote to memory of 3308 368 Gdoihpbk.exe 107 PID 368 wrote to memory of 3308 368 Gdoihpbk.exe 107 PID 3308 wrote to memory of 1016 3308 Gkiaej32.exe 108 PID 3308 wrote to memory of 1016 3308 Gkiaej32.exe 108 PID 3308 wrote to memory of 1016 3308 Gkiaej32.exe 108 PID 1016 wrote to memory of 4076 1016 Gacjadad.exe 109 PID 1016 wrote to memory of 4076 1016 Gacjadad.exe 109 PID 1016 wrote to memory of 4076 1016 Gacjadad.exe 109 PID 4076 wrote to memory of 3100 4076 Gdafnpqh.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\c28e25edda1717c6cb683db7c31bd168d81b6af6fd226d005c69e33a2f4391af.exe"C:\Users\Admin\AppData\Local\Temp\c28e25edda1717c6cb683db7c31bd168d81b6af6fd226d005c69e33a2f4391af.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe23⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe24⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe25⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe26⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe27⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5092 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe29⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe31⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe32⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe33⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4748 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe35⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe36⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe37⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe38⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe39⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe40⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe41⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe42⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe43⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe44⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe45⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4872 -
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe47⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3844 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe51⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe52⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe53⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe55⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe56⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe57⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe58⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe59⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe60⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe61⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe62⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe63⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe64⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe65⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe66⤵PID:4364
-
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe67⤵PID:1976
-
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe68⤵PID:680
-
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe69⤵PID:4204
-
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe70⤵
- Drops file in System32 directory
PID:4760 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe71⤵PID:2516
-
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe72⤵PID:5100
-
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe73⤵
- Drops file in System32 directory
PID:4336 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe74⤵PID:5036
-
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe75⤵PID:2560
-
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe76⤵PID:2488
-
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe77⤵PID:3760
-
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4292 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe79⤵PID:4636
-
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe80⤵PID:3804
-
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe81⤵PID:1600
-
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe82⤵PID:5124
-
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe83⤵PID:5184
-
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe84⤵PID:5232
-
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe85⤵
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe86⤵PID:5388
-
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe87⤵PID:5432
-
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe88⤵PID:5488
-
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5532 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe90⤵PID:5576
-
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe91⤵PID:5636
-
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe92⤵PID:5680
-
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe93⤵PID:5724
-
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe94⤵PID:5768
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe95⤵PID:5812
-
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe96⤵PID:5856
-
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe97⤵PID:5900
-
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe98⤵
- System Location Discovery: System Language Discovery
PID:5944 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe99⤵PID:5984
-
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe100⤵PID:6028
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6072 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe102⤵
- System Location Discovery: System Language Discovery
PID:6116 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe103⤵PID:5132
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe104⤵PID:5224
-
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe105⤵PID:5316
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe106⤵PID:5424
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe107⤵PID:1808
-
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe108⤵PID:5568
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe109⤵
- Modifies registry class
PID:5644 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe110⤵PID:5704
-
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe111⤵PID:5788
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe112⤵PID:5852
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe113⤵PID:5928
-
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe114⤵PID:5996
-
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe115⤵PID:6056
-
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe116⤵
- System Location Discovery: System Language Discovery
PID:6136 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe117⤵PID:5220
-
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe118⤵
- Modifies registry class
PID:5420 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe119⤵PID:5520
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe120⤵PID:5628
-
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe121⤵
- System Location Discovery: System Language Discovery
PID:5756
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-