Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/09/2024, 02:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bf9ea7824c8760f2e18c3a5b76224cf9a2b480a91436a73576a90a6fa485a8a7.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
bf9ea7824c8760f2e18c3a5b76224cf9a2b480a91436a73576a90a6fa485a8a7.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
bf9ea7824c8760f2e18c3a5b76224cf9a2b480a91436a73576a90a6fa485a8a7.exe
-
Size
250KB
-
MD5
f2038ff32543cb502f116ed827d887c2
-
SHA1
169045a8408b4da0e37e081ca9f46d2cb096d3a1
-
SHA256
bf9ea7824c8760f2e18c3a5b76224cf9a2b480a91436a73576a90a6fa485a8a7
-
SHA512
02c477e60de43322e51c1092e33dc518104893dae07bd0605e21b813783d329cb7d489f0f8211bd5a96072c5e0480eb31a161299efcda246c232ecf72be8a481
-
SSDEEP
6144:knbdmJvCvfmZ7KRRRGBCvfmZ7KFpNlJTBCvfmZ7d:kbdt
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hinqgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npmphinm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggicgopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mklcadfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdeqfhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afffenbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hinqgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfahomfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghibjjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnaiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngealejo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejlnmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmecmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibmgpoia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cicalakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bacihmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkpglbaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbifnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fogibnha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncfalqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgffhkoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eknmhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lngpog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olkifaen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqombic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmdnfad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bckjhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafdjmkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indnnfdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdompf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adipfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbpeoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmhdpnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niedqnen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnnlocgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlqjkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnebjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qppkfhlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lplbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbjlhpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glklejoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifbjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peefcjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dafoikjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhdaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emgioakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oniebmda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iabhah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkmeoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkglnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmcjedcg.exe -
Executes dropped EXE 64 IoCs
pid Process 2304 Gmecmg32.exe 2288 Gaqomeke.exe 2940 Hinqgg32.exe 2308 Hnkion32.exe 2140 Hegnahjo.exe 2644 Hjdfjo32.exe 2344 Hhhgcc32.exe 2812 Hnbopmnm.exe 2720 Iabhah32.exe 2572 Ihmpobck.exe 1760 Idcacc32.exe 1144 Ifampo32.exe 1308 Ibhndp32.exe 1796 Imnbbi32.exe 2016 Ibmgpoia.exe 2764 Ielclkhe.exe 1872 Jdaqmg32.exe 1800 Jofejpmc.exe 1068 Jkmeoa32.exe 788 Jdejhfig.exe 916 Jnnnalph.exe 2372 Jplkmgol.exe 560 Jjdofm32.exe 1708 Kdjccf32.exe 3068 Kghpoa32.exe 1988 Kcopdb32.exe 1880 Khlili32.exe 2936 Kbdmeoob.exe 2420 Kjleflod.exe 1276 Kdefgj32.exe 2696 Kbigpn32.exe 2716 Khcomhbi.exe 2624 Lkakicam.exe 2440 Lghlndfa.exe 2728 Lcomce32.exe 2424 Lneaqn32.exe 1580 Ldoimh32.exe 2320 Lgmeid32.exe 1080 Lngnfnji.exe 1676 Lohjnf32.exe 1388 Lcdfnehp.exe 1992 Lqhfhigj.exe 1832 Lcfbdd32.exe 2952 Micklk32.exe 804 Mkaghg32.exe 2776 Mpmcielb.exe 1552 Mbkpeake.exe 2920 Miehak32.exe 2216 Mmadbjkk.exe 2068 Mpopnejo.exe 1600 Mbnljqic.exe 2280 Melifl32.exe 2820 Mlfacfpc.exe 1964 Mndmoaog.exe 2708 Macilmnk.exe 2648 Mijamjnm.exe 860 Mlhnifmq.exe 2500 Meabakda.exe 1148 Mhonngce.exe 2396 Mjnjjbbh.exe 1436 Nmlgfnal.exe 2032 Necogkbo.exe 2116 Ncfoch32.exe 1232 Njpgpbpf.exe -
Loads dropped DLL 64 IoCs
pid Process 2204 bf9ea7824c8760f2e18c3a5b76224cf9a2b480a91436a73576a90a6fa485a8a7.exe 2204 bf9ea7824c8760f2e18c3a5b76224cf9a2b480a91436a73576a90a6fa485a8a7.exe 2304 Gmecmg32.exe 2304 Gmecmg32.exe 2288 Gaqomeke.exe 2288 Gaqomeke.exe 2940 Hinqgg32.exe 2940 Hinqgg32.exe 2308 Hnkion32.exe 2308 Hnkion32.exe 2140 Hegnahjo.exe 2140 Hegnahjo.exe 2644 Hjdfjo32.exe 2644 Hjdfjo32.exe 2344 Hhhgcc32.exe 2344 Hhhgcc32.exe 2812 Hnbopmnm.exe 2812 Hnbopmnm.exe 2720 Iabhah32.exe 2720 Iabhah32.exe 2572 Ihmpobck.exe 2572 Ihmpobck.exe 1760 Idcacc32.exe 1760 Idcacc32.exe 1144 Ifampo32.exe 1144 Ifampo32.exe 1308 Ibhndp32.exe 1308 Ibhndp32.exe 1796 Imnbbi32.exe 1796 Imnbbi32.exe 2016 Ibmgpoia.exe 2016 Ibmgpoia.exe 2764 Ielclkhe.exe 2764 Ielclkhe.exe 1872 Jdaqmg32.exe 1872 Jdaqmg32.exe 1800 Jofejpmc.exe 1800 Jofejpmc.exe 1068 Jkmeoa32.exe 1068 Jkmeoa32.exe 788 Jdejhfig.exe 788 Jdejhfig.exe 916 Jnnnalph.exe 916 Jnnnalph.exe 2372 Jplkmgol.exe 2372 Jplkmgol.exe 560 Jjdofm32.exe 560 Jjdofm32.exe 1708 Kdjccf32.exe 1708 Kdjccf32.exe 3068 Kghpoa32.exe 3068 Kghpoa32.exe 1988 Kcopdb32.exe 1988 Kcopdb32.exe 1880 Khlili32.exe 1880 Khlili32.exe 2936 Kbdmeoob.exe 2936 Kbdmeoob.exe 2420 Kjleflod.exe 2420 Kjleflod.exe 1276 Kdefgj32.exe 1276 Kdefgj32.exe 2696 Kbigpn32.exe 2696 Kbigpn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mclebc32.exe Mdiefffn.exe File created C:\Windows\SysWOW64\Gdcjpncm.exe Fadndbci.exe File created C:\Windows\SysWOW64\Cpnifncd.dll Jagpdd32.exe File created C:\Windows\SysWOW64\Fcikef32.dll Miehak32.exe File opened for modification C:\Windows\SysWOW64\Eknmhk32.exe Eddeladm.exe File created C:\Windows\SysWOW64\Hjacjifm.exe Hcgjmo32.exe File created C:\Windows\SysWOW64\Gdhclbka.dll Jialfgcc.exe File opened for modification C:\Windows\SysWOW64\Llgjaeoj.exe Lfmbek32.exe File opened for modification C:\Windows\SysWOW64\Njpihk32.exe Ngbmlo32.exe File created C:\Windows\SysWOW64\Qdompf32.exe Qbnphngk.exe File opened for modification C:\Windows\SysWOW64\Khnapkjg.exe Kadica32.exe File created C:\Windows\SysWOW64\Gaqomeke.exe Gmecmg32.exe File opened for modification C:\Windows\SysWOW64\Lneaqn32.exe Lcomce32.exe File created C:\Windows\SysWOW64\Chlojnpb.dll Kigndekn.exe File opened for modification C:\Windows\SysWOW64\Cnejim32.exe Cjjnhnbl.exe File created C:\Windows\SysWOW64\Engeeehn.dll Ciokijfd.exe File created C:\Windows\SysWOW64\Niedqnen.exe Nhdhif32.exe File created C:\Windows\SysWOW64\Moohhbcf.dll Njfjnpgp.exe File created C:\Windows\SysWOW64\Bkpglbaj.exe Bdfooh32.exe File created C:\Windows\SysWOW64\Cgidfcdk.exe Ccnifd32.exe File created C:\Windows\SysWOW64\Lpfhdddb.dll Iocgfhhc.exe File created C:\Windows\SysWOW64\Hpfnbh32.dll Fleifl32.exe File opened for modification C:\Windows\SysWOW64\Lhfnkqgk.exe Legaoehg.exe File created C:\Windows\SysWOW64\Bfabnl32.exe Bcbfbp32.exe File created C:\Windows\SysWOW64\Bbgqjdce.exe Bnldjekl.exe File opened for modification C:\Windows\SysWOW64\Doecog32.exe Dkigoimd.exe File opened for modification C:\Windows\SysWOW64\Eaheeecg.exe Eoiiijcc.exe File created C:\Windows\SysWOW64\Bglbcj32.dll Ggicgopd.exe File opened for modification C:\Windows\SysWOW64\Emdmjamj.exe Elcpbigl.exe File created C:\Windows\SysWOW64\Ibhicbao.exe Ijaaae32.exe File created C:\Windows\SysWOW64\Oqelhkhc.dll Hnbaif32.exe File opened for modification C:\Windows\SysWOW64\Ibipmiek.exe Icfpbl32.exe File created C:\Windows\SysWOW64\Ecdbje32.dll Ahpbkd32.exe File created C:\Windows\SysWOW64\Niplmn32.dll Mlhnifmq.exe File created C:\Windows\SysWOW64\Manghajd.dll Qackpado.exe File created C:\Windows\SysWOW64\Hpkompgg.exe Hmmbqegc.exe File created C:\Windows\SysWOW64\Mnomjl32.exe Mjcaimgg.exe File opened for modification C:\Windows\SysWOW64\Phcilf32.exe Pdgmlhha.exe File created C:\Windows\SysWOW64\Fkgfqf32.dll Ehpcehcj.exe File created C:\Windows\SysWOW64\Hnbopmnm.exe Hhhgcc32.exe File created C:\Windows\SysWOW64\Gjmagfog.dll Qnebjc32.exe File opened for modification C:\Windows\SysWOW64\Ajpepm32.exe Afdiondb.exe File opened for modification C:\Windows\SysWOW64\Apppkekc.exe Ajehnk32.exe File created C:\Windows\SysWOW64\Opnkglik.dll Gkbcbn32.exe File created C:\Windows\SysWOW64\Pjkkpmda.dll Hcojam32.exe File created C:\Windows\SysWOW64\Mdaaomdi.dll Gaojnq32.exe File opened for modification C:\Windows\SysWOW64\Apmcefmf.exe Ajckilei.exe File created C:\Windows\SysWOW64\Bdfooh32.exe Bfcodkcb.exe File opened for modification C:\Windows\SysWOW64\Dadbdkld.exe Dbabho32.exe File created C:\Windows\SysWOW64\Amponajh.dll Ccdmnj32.exe File created C:\Windows\SysWOW64\Cdfddadf.dll Eppcmncq.exe File created C:\Windows\SysWOW64\Inlkik32.exe Ihbcmaje.exe File opened for modification C:\Windows\SysWOW64\Jpajbl32.exe Jlfnangf.exe File created C:\Windows\SysWOW64\Fdekpjbk.dll Kokmmkcm.exe File created C:\Windows\SysWOW64\Ogbogkjn.dll Ifolhann.exe File created C:\Windows\SysWOW64\Cgnadk32.dll Lcomce32.exe File created C:\Windows\SysWOW64\Einjdb32.exe Ehlmljkm.exe File opened for modification C:\Windows\SysWOW64\Homdhjai.exe Hiclkp32.exe File created C:\Windows\SysWOW64\Jlhkgm32.exe Jhmofo32.exe File opened for modification C:\Windows\SysWOW64\Ehpcehcj.exe Eeagimdf.exe File created C:\Windows\SysWOW64\Kncinl32.dll Bnqned32.exe File created C:\Windows\SysWOW64\Mlafkb32.exe Mhfjjdjf.exe File created C:\Windows\SysWOW64\Daaenlng.exe Dboeco32.exe File opened for modification C:\Windows\SysWOW64\Eblelb32.exe Eakhdj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9816 9756 WerFault.exe 1017 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiqoeplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkjnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdmph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciddedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eklqcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oococb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagkjbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imggplgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajeeeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnldjekl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippdgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jliaac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahebaiac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kalipcmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmmpcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgffhkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbafdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpcehcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agpeaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfqgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjofl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jagpdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaqomeke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdklfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahkpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhlek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenoifpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilgoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmabg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnnlocgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajehnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pincfpoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copjdhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmdacnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqocoin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnkifgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjamgmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfbngfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikeeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaheeecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhahkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faonom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghpoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjobffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngbmlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbdmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oecmogln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmehdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoeamo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjdfjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcbankf.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edfbaabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emgioakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagcpm32.dll" Mgbaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocamldcp.dll" Nckkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nckkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnbopmnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldoimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmgba32.dll" Hmpaom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdcjpncm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imggplgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhenjmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpejiad.dll" Hegnahjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jliaac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mblbnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcgjmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bddbjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imbjcpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgkocj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcinhie.dll" Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibipmiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebpcpj.dll" Plpopddd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jojfgkfk.dll" Golbnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbnphngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofehob32.dll" Eijdkcgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dphfbiem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcjhmcok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibkmchbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmbpf32.dll" Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaobghp.dll" Igceej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgjkfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnbopmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbfplfp.dll" Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jajmjcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbcdh32.dll" Kilgoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlafkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokggo32.dll" Ehnfpifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Macilmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emagacdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmfcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmkhf32.dll" Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leghmkmk.dll" Dblhmoio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcbnpgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abojgp32.dll" Ibmgpoia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhdhif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jondnnbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghofam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anjnnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgknkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcllk32.dll" Ikgkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlnipl32.dll" Mndmoaog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnnaoe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 2304 2204 bf9ea7824c8760f2e18c3a5b76224cf9a2b480a91436a73576a90a6fa485a8a7.exe 28 PID 2204 wrote to memory of 2304 2204 bf9ea7824c8760f2e18c3a5b76224cf9a2b480a91436a73576a90a6fa485a8a7.exe 28 PID 2204 wrote to memory of 2304 2204 bf9ea7824c8760f2e18c3a5b76224cf9a2b480a91436a73576a90a6fa485a8a7.exe 28 PID 2204 wrote to memory of 2304 2204 bf9ea7824c8760f2e18c3a5b76224cf9a2b480a91436a73576a90a6fa485a8a7.exe 28 PID 2304 wrote to memory of 2288 2304 Gmecmg32.exe 29 PID 2304 wrote to memory of 2288 2304 Gmecmg32.exe 29 PID 2304 wrote to memory of 2288 2304 Gmecmg32.exe 29 PID 2304 wrote to memory of 2288 2304 Gmecmg32.exe 29 PID 2288 wrote to memory of 2940 2288 Gaqomeke.exe 30 PID 2288 wrote to memory of 2940 2288 Gaqomeke.exe 30 PID 2288 wrote to memory of 2940 2288 Gaqomeke.exe 30 PID 2288 wrote to memory of 2940 2288 Gaqomeke.exe 30 PID 2940 wrote to memory of 2308 2940 Hinqgg32.exe 31 PID 2940 wrote to memory of 2308 2940 Hinqgg32.exe 31 PID 2940 wrote to memory of 2308 2940 Hinqgg32.exe 31 PID 2940 wrote to memory of 2308 2940 Hinqgg32.exe 31 PID 2308 wrote to memory of 2140 2308 Hnkion32.exe 32 PID 2308 wrote to memory of 2140 2308 Hnkion32.exe 32 PID 2308 wrote to memory of 2140 2308 Hnkion32.exe 32 PID 2308 wrote to memory of 2140 2308 Hnkion32.exe 32 PID 2140 wrote to memory of 2644 2140 Hegnahjo.exe 33 PID 2140 wrote to memory of 2644 2140 Hegnahjo.exe 33 PID 2140 wrote to memory of 2644 2140 Hegnahjo.exe 33 PID 2140 wrote to memory of 2644 2140 Hegnahjo.exe 33 PID 2644 wrote to memory of 2344 2644 Hjdfjo32.exe 34 PID 2644 wrote to memory of 2344 2644 Hjdfjo32.exe 34 PID 2644 wrote to memory of 2344 2644 Hjdfjo32.exe 34 PID 2644 wrote to memory of 2344 2644 Hjdfjo32.exe 34 PID 2344 wrote to memory of 2812 2344 Hhhgcc32.exe 35 PID 2344 wrote to memory of 2812 2344 Hhhgcc32.exe 35 PID 2344 wrote to memory of 2812 2344 Hhhgcc32.exe 35 PID 2344 wrote to memory of 2812 2344 Hhhgcc32.exe 35 PID 2812 wrote to memory of 2720 2812 Hnbopmnm.exe 36 PID 2812 wrote to memory of 2720 2812 Hnbopmnm.exe 36 PID 2812 wrote to memory of 2720 2812 Hnbopmnm.exe 36 PID 2812 wrote to memory of 2720 2812 Hnbopmnm.exe 36 PID 2720 wrote to memory of 2572 2720 Iabhah32.exe 37 PID 2720 wrote to memory of 2572 2720 Iabhah32.exe 37 PID 2720 wrote to memory of 2572 2720 Iabhah32.exe 37 PID 2720 wrote to memory of 2572 2720 Iabhah32.exe 37 PID 2572 wrote to memory of 1760 2572 Ihmpobck.exe 38 PID 2572 wrote to memory of 1760 2572 Ihmpobck.exe 38 PID 2572 wrote to memory of 1760 2572 Ihmpobck.exe 38 PID 2572 wrote to memory of 1760 2572 Ihmpobck.exe 38 PID 1760 wrote to memory of 1144 1760 Idcacc32.exe 39 PID 1760 wrote to memory of 1144 1760 Idcacc32.exe 39 PID 1760 wrote to memory of 1144 1760 Idcacc32.exe 39 PID 1760 wrote to memory of 1144 1760 Idcacc32.exe 39 PID 1144 wrote to memory of 1308 1144 Ifampo32.exe 40 PID 1144 wrote to memory of 1308 1144 Ifampo32.exe 40 PID 1144 wrote to memory of 1308 1144 Ifampo32.exe 40 PID 1144 wrote to memory of 1308 1144 Ifampo32.exe 40 PID 1308 wrote to memory of 1796 1308 Ibhndp32.exe 41 PID 1308 wrote to memory of 1796 1308 Ibhndp32.exe 41 PID 1308 wrote to memory of 1796 1308 Ibhndp32.exe 41 PID 1308 wrote to memory of 1796 1308 Ibhndp32.exe 41 PID 1796 wrote to memory of 2016 1796 Imnbbi32.exe 42 PID 1796 wrote to memory of 2016 1796 Imnbbi32.exe 42 PID 1796 wrote to memory of 2016 1796 Imnbbi32.exe 42 PID 1796 wrote to memory of 2016 1796 Imnbbi32.exe 42 PID 2016 wrote to memory of 2764 2016 Ibmgpoia.exe 43 PID 2016 wrote to memory of 2764 2016 Ibmgpoia.exe 43 PID 2016 wrote to memory of 2764 2016 Ibmgpoia.exe 43 PID 2016 wrote to memory of 2764 2016 Ibmgpoia.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf9ea7824c8760f2e18c3a5b76224cf9a2b480a91436a73576a90a6fa485a8a7.exe"C:\Users\Admin\AppData\Local\Temp\bf9ea7824c8760f2e18c3a5b76224cf9a2b480a91436a73576a90a6fa485a8a7.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:788 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe33⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe34⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe35⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe37⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe39⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe40⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe41⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe42⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe43⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe44⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe45⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe46⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe47⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe48⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe50⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe51⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe52⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe53⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe54⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe57⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe59⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe60⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe61⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe62⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe63⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe64⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe65⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe66⤵PID:1212
-
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2912 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe70⤵PID:2052
-
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe71⤵PID:1660
-
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe72⤵PID:2960
-
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe73⤵PID:1976
-
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe74⤵PID:2640
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe75⤵PID:2712
-
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe76⤵PID:2520
-
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe78⤵PID:2284
-
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe79⤵PID:2444
-
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe80⤵PID:1956
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe81⤵PID:1124
-
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe82⤵PID:2020
-
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe83⤵PID:2836
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe84⤵PID:640
-
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe85⤵
- System Location Discovery: System Language Discovery
PID:1844 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe86⤵PID:568
-
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe87⤵PID:2128
-
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe88⤵PID:2168
-
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe89⤵PID:2220
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe90⤵PID:1816
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe91⤵PID:2816
-
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe92⤵PID:3020
-
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe93⤵PID:2680
-
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe94⤵PID:2704
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe95⤵PID:2364
-
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe96⤵PID:2660
-
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe97⤵PID:2516
-
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe98⤵
- System Location Discovery: System Language Discovery
PID:848 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe99⤵PID:1296
-
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe100⤵PID:628
-
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe101⤵PID:2824
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe102⤵
- System Location Discovery: System Language Discovery
PID:484 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe103⤵PID:2456
-
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe104⤵PID:1612
-
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe105⤵PID:1352
-
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe106⤵PID:1540
-
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe107⤵PID:2256
-
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe108⤵PID:900
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe109⤵PID:2312
-
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe111⤵PID:2956
-
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe112⤵PID:2416
-
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe113⤵PID:2804
-
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe114⤵PID:2172
-
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe115⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe116⤵PID:764
-
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe117⤵PID:2808
-
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe118⤵PID:1576
-
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe119⤵PID:1996
-
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe120⤵PID:2832
-
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe121⤵PID:2736
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-