Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/10/2024, 22:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe
-
Size
96KB
-
MD5
039265c9b1c76a3724e8a77304f02823
-
SHA1
472a25ae6340d0e27e77458b37587b0c6e27e008
-
SHA256
6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240
-
SHA512
66909978d9f4022af27d92e66b4589b03abcdcc8b7b95af713f6099cf255e3e55a87ad47a51fec63e3e41c2a3d59904e5793c35bec617a68d3d4cb0f680af7f5
-
SSDEEP
1536:81O4CsS298UgkJoHSvKDF9bNFk5eO7+822tn74S7V+5pUMv84WMRw8Dkqq:EpCl2plvKDNI2i74Sp+7H7wWkqq
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mciabmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mneohj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fakdcnhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcngenj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqlhkofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmpaom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimdcqom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlfdac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfoaho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkdmfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elkofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlfdac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mciabmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oefjdgjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pioeoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agpeaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnhbmpkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elcpbigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkkmgncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgocmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlifadkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieponofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klcgpkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llepen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kigndekn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fennoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbchni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anjnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bacihmoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkqlgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgljn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiepea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeaqig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgnjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghibjjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lifcib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlmljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdompf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajehnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbkqdepm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejmpqop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlgbnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbpghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oecmogln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclpaali.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goqnae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbeedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijphofem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcohahpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apkgpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iediin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfieigio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajckilei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghofam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igoomk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckilei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anadojlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dadbdkld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppefg32.exe -
Executes dropped EXE 64 IoCs
pid Process 2776 Cnimiblo.exe 2792 Cagienkb.exe 2992 Cinafkkd.exe 2572 Ckmnbg32.exe 1648 Cgcnghpl.exe 1064 Cnmfdb32.exe 1500 Cegoqlof.exe 1676 Dnpciaef.exe 2948 Danpemej.exe 2752 Diidjpbe.exe 324 Daplkmbg.exe 2908 Dbaice32.exe 1928 Dilapopb.exe 2360 Dpeiligo.exe 2176 Dbdehdfc.exe 444 Dlljaj32.exe 2448 Dokfme32.exe 2524 Dipjkn32.exe 904 Dhckfkbh.exe 2372 Dbiocd32.exe 1700 Eegkpo32.exe 1528 Eopphehb.exe 1880 Eeiheo32.exe 868 Elcpbigl.exe 2780 Ekfpmf32.exe 1592 Emdmjamj.exe 2704 Edoefl32.exe 2684 Ehlmljkm.exe 2680 Einjdb32.exe 820 Ecfnmh32.exe 1840 Ekmfne32.exe 1108 Eipgjaoi.exe 2988 Flocfmnl.exe 3040 Flapkmlj.exe 3012 Foolgh32.exe 2292 Feiddbbj.exe 2852 Fiepea32.exe 1784 Felajbpg.exe 2344 Fhjmfnok.exe 2100 Fennoa32.exe 2140 Fhljkm32.exe 680 Fofbhgde.exe 1664 Fepjea32.exe 1808 Ghofam32.exe 1088 Gagkjbaf.exe 1552 Gpjkeoha.exe 1052 Ggdcbi32.exe 804 Gjbpne32.exe 2708 Gnnlocgk.exe 2764 Gqlhkofn.exe 2868 Ggfpgi32.exe 2368 Gkalhgfd.exe 2640 Gnphdceh.exe 2580 Glchpp32.exe 2168 Gdjqamme.exe 1832 Gghmmilh.exe 1096 Gfkmie32.exe 2832 Gjgiidkl.exe 2452 Gmeeepjp.exe 2516 Godaakic.exe 1432 Ggkibhjf.exe 1976 Gjifodii.exe 632 Ghlfjq32.exe 1740 Gqcnln32.exe -
Loads dropped DLL 64 IoCs
pid Process 1152 6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe 1152 6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe 2776 Cnimiblo.exe 2776 Cnimiblo.exe 2792 Cagienkb.exe 2792 Cagienkb.exe 2992 Cinafkkd.exe 2992 Cinafkkd.exe 2572 Ckmnbg32.exe 2572 Ckmnbg32.exe 1648 Cgcnghpl.exe 1648 Cgcnghpl.exe 1064 Cnmfdb32.exe 1064 Cnmfdb32.exe 1500 Cegoqlof.exe 1500 Cegoqlof.exe 1676 Dnpciaef.exe 1676 Dnpciaef.exe 2948 Danpemej.exe 2948 Danpemej.exe 2752 Diidjpbe.exe 2752 Diidjpbe.exe 324 Daplkmbg.exe 324 Daplkmbg.exe 2908 Dbaice32.exe 2908 Dbaice32.exe 1928 Dilapopb.exe 1928 Dilapopb.exe 2360 Dpeiligo.exe 2360 Dpeiligo.exe 2176 Dbdehdfc.exe 2176 Dbdehdfc.exe 444 Dlljaj32.exe 444 Dlljaj32.exe 2448 Dokfme32.exe 2448 Dokfme32.exe 2524 Dipjkn32.exe 2524 Dipjkn32.exe 904 Dhckfkbh.exe 904 Dhckfkbh.exe 2372 Dbiocd32.exe 2372 Dbiocd32.exe 1700 Eegkpo32.exe 1700 Eegkpo32.exe 1528 Eopphehb.exe 1528 Eopphehb.exe 1880 Eeiheo32.exe 1880 Eeiheo32.exe 868 Elcpbigl.exe 868 Elcpbigl.exe 2780 Ekfpmf32.exe 2780 Ekfpmf32.exe 1592 Emdmjamj.exe 1592 Emdmjamj.exe 2704 Edoefl32.exe 2704 Edoefl32.exe 2684 Ehlmljkm.exe 2684 Ehlmljkm.exe 2680 Einjdb32.exe 2680 Einjdb32.exe 820 Ecfnmh32.exe 820 Ecfnmh32.exe 1840 Ekmfne32.exe 1840 Ekmfne32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iacjjacb.exe Indnnfdn.exe File created C:\Windows\SysWOW64\Inppon32.dll Bbjpil32.exe File opened for modification C:\Windows\SysWOW64\Inhdgdmk.exe Ikjhki32.exe File created C:\Windows\SysWOW64\Iebldo32.exe Ifolhann.exe File opened for modification C:\Windows\SysWOW64\Gpjkeoha.exe Gagkjbaf.exe File created C:\Windows\SysWOW64\Jacfidem.exe Jndjmifj.exe File opened for modification C:\Windows\SysWOW64\Gncnmane.exe Goqnae32.exe File opened for modification C:\Windows\SysWOW64\Jlqjkk32.exe Jhenjmbb.exe File created C:\Windows\SysWOW64\Pkbnjifp.dll Gockgdeh.exe File opened for modification C:\Windows\SysWOW64\Dbaice32.exe Daplkmbg.exe File created C:\Windows\SysWOW64\Mfjaekpm.dll Jagpdd32.exe File created C:\Windows\SysWOW64\Kaglcgdc.exe Koipglep.exe File created C:\Windows\SysWOW64\Pdlkggmp.dll Laleof32.exe File created C:\Windows\SysWOW64\Mqehjecl.exe Mbchni32.exe File opened for modification C:\Windows\SysWOW64\Nqokpd32.exe Nihcog32.exe File created C:\Windows\SysWOW64\Aligmfnp.dll Aejlnmkm.exe File created C:\Windows\SysWOW64\Ifolhann.exe Inhdgdmk.exe File created C:\Windows\SysWOW64\Chpenm32.dll Hiclkp32.exe File created C:\Windows\SysWOW64\Fhkhip32.dll Mciabmlo.exe File created C:\Windows\SysWOW64\Nldhfnkd.dll Pmhejhao.exe File opened for modification C:\Windows\SysWOW64\Ajckilei.exe Akpkmo32.exe File opened for modification C:\Windows\SysWOW64\Fkcilc32.exe Fhdmph32.exe File created C:\Windows\SysWOW64\Ipbkjl32.dll Kgcnahoo.exe File created C:\Windows\SysWOW64\Jhogdg32.dll Cinafkkd.exe File created C:\Windows\SysWOW64\Gjifodii.exe Ggkibhjf.exe File created C:\Windows\SysWOW64\Mfnqeb32.dll Iacjjacb.exe File opened for modification C:\Windows\SysWOW64\Fhgifgnb.exe Fdkmeiei.exe File opened for modification C:\Windows\SysWOW64\Hnkdnqhm.exe Hjohmbpd.exe File opened for modification C:\Windows\SysWOW64\Iinhdmma.exe Iebldo32.exe File created C:\Windows\SysWOW64\Pobghn32.dll 6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe File opened for modification C:\Windows\SysWOW64\Lkbmbl32.exe Lhcafa32.exe File opened for modification C:\Windows\SysWOW64\Anjnnk32.exe Aognbnkm.exe File created C:\Windows\SysWOW64\Khadpa32.exe Kechdf32.exe File created C:\Windows\SysWOW64\Dnhbmpkn.exe Dlifadkk.exe File opened for modification C:\Windows\SysWOW64\Dnpciaef.exe Cegoqlof.exe File created C:\Windows\SysWOW64\Lncfcgeb.exe Lkdjglfo.exe File created C:\Windows\SysWOW64\Qdlojdbk.dll Lncfcgeb.exe File created C:\Windows\SysWOW64\Nekkhdgo.dll Ndfnecgp.exe File created C:\Windows\SysWOW64\Jnpojnle.dll Pdppqbkn.exe File created C:\Windows\SysWOW64\Fccglehn.exe Fdpgph32.exe File created C:\Windows\SysWOW64\Keioca32.exe Kambcbhb.exe File created C:\Windows\SysWOW64\Fpcgndfi.dll Gjbpne32.exe File opened for modification C:\Windows\SysWOW64\Gkalhgfd.exe Ggfpgi32.exe File created C:\Windows\SysWOW64\Pmmneg32.exe Peefcjlg.exe File created C:\Windows\SysWOW64\Hfenefej.dll Efhqmadd.exe File created C:\Windows\SysWOW64\Fcqjfeja.exe Fpbnjjkm.exe File created C:\Windows\SysWOW64\Leoebflm.dll Icifjk32.exe File opened for modification C:\Windows\SysWOW64\Jipaip32.exe Jedehaea.exe File opened for modification C:\Windows\SysWOW64\Kbbobkol.exe Kofcbl32.exe File opened for modification C:\Windows\SysWOW64\Nlilqbgp.exe Nijpdfhm.exe File opened for modification C:\Windows\SysWOW64\Dblhmoio.exe Dpnladjl.exe File created C:\Windows\SysWOW64\Eldiehbk.exe Eifmimch.exe File opened for modification C:\Windows\SysWOW64\Hqgddm32.exe Hnhgha32.exe File created C:\Windows\SysWOW64\Lpmbdjfi.dll Fhljkm32.exe File opened for modification C:\Windows\SysWOW64\Jagpdd32.exe Jjnhhjjk.exe File created C:\Windows\SysWOW64\Mdaaomdi.dll Gekfnoog.exe File created C:\Windows\SysWOW64\Ljnfmlph.dll Jgjkfi32.exe File created C:\Windows\SysWOW64\Eickphoo.dll Gcjmmdbf.exe File opened for modification C:\Windows\SysWOW64\Gjifodii.exe Ggkibhjf.exe File created C:\Windows\SysWOW64\Iejiodbl.exe Ifgicg32.exe File created C:\Windows\SysWOW64\Lnjldf32.exe Ljnqdhga.exe File created C:\Windows\SysWOW64\Mimpkcdn.exe Mqehjecl.exe File created C:\Windows\SysWOW64\Mahildbb.dll Qiflohqk.exe File opened for modification C:\Windows\SysWOW64\Cmfmojcb.exe Ckeqga32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5380 5132 WerFault.exe 566 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhkin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lngpog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mflgih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oefjdgjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfpibn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apppkekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgjldnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpepkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagkjbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmklh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpdglhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhbgbkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdjglfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbndmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indnnfdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhjbqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeaqig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popgboae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baefnmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khldkllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keeeje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkkmgncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpihk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adaiee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmiag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjgehgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmkoepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldmopa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkkbjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laleof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibacbcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjqamme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkjdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heliepmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phklaacg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aclpaali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkibhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqokpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdppqbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhejhao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmbkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgifgnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fccglehn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekfnoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhcafa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbbmnhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoeamo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhqmadd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mphiqbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfcfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acicla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honnki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dipjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncnmane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapohbfp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmbhhfg.dll" Dokfme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnphdceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmjoqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkdjglfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfbfhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgcnahoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coicfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdkjdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonalffc.dll" Ikgkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeiojhn.dll" Ibfmmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iakino32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Monoflqe.dll" Dilapopb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fennoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icafgmbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omckoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcgiiek.dll" Qldhkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efhqmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdpgmhn.dll" Mkipao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehiknbl.dll" Acnlgajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbjpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlhbje32.dll" Cmfmojcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckfklnl.dll" Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicaikhj.dll" Fccglehn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijaaae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncekdcqn.dll" Dbaice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fennoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjkeingq.dll" Jfieigio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diijaiep.dll" Jokqnhpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lncfcgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mopbgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbeedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbpca32.dll" Icncgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnpciaef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dilapopb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbkqdepm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bolcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmegnj32.dll" Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgfjggll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdjqamme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgflflqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nijjkf32.dll" Oecmogln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaapcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgfjggll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fiepea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ciagojda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmdkjmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll" Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkdjglfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnhgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnkdnqhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kokmmkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hffpebmm.dll" Anjnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkifia32.dll" Eihjolae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnfmlph.dll" Jgjkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfglkheo.dll" Hbkqdepm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1152 wrote to memory of 2776 1152 6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe 31 PID 1152 wrote to memory of 2776 1152 6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe 31 PID 1152 wrote to memory of 2776 1152 6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe 31 PID 1152 wrote to memory of 2776 1152 6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe 31 PID 2776 wrote to memory of 2792 2776 Cnimiblo.exe 32 PID 2776 wrote to memory of 2792 2776 Cnimiblo.exe 32 PID 2776 wrote to memory of 2792 2776 Cnimiblo.exe 32 PID 2776 wrote to memory of 2792 2776 Cnimiblo.exe 32 PID 2792 wrote to memory of 2992 2792 Cagienkb.exe 33 PID 2792 wrote to memory of 2992 2792 Cagienkb.exe 33 PID 2792 wrote to memory of 2992 2792 Cagienkb.exe 33 PID 2792 wrote to memory of 2992 2792 Cagienkb.exe 33 PID 2992 wrote to memory of 2572 2992 Cinafkkd.exe 34 PID 2992 wrote to memory of 2572 2992 Cinafkkd.exe 34 PID 2992 wrote to memory of 2572 2992 Cinafkkd.exe 34 PID 2992 wrote to memory of 2572 2992 Cinafkkd.exe 34 PID 2572 wrote to memory of 1648 2572 Ckmnbg32.exe 35 PID 2572 wrote to memory of 1648 2572 Ckmnbg32.exe 35 PID 2572 wrote to memory of 1648 2572 Ckmnbg32.exe 35 PID 2572 wrote to memory of 1648 2572 Ckmnbg32.exe 35 PID 1648 wrote to memory of 1064 1648 Cgcnghpl.exe 36 PID 1648 wrote to memory of 1064 1648 Cgcnghpl.exe 36 PID 1648 wrote to memory of 1064 1648 Cgcnghpl.exe 36 PID 1648 wrote to memory of 1064 1648 Cgcnghpl.exe 36 PID 1064 wrote to memory of 1500 1064 Cnmfdb32.exe 37 PID 1064 wrote to memory of 1500 1064 Cnmfdb32.exe 37 PID 1064 wrote to memory of 1500 1064 Cnmfdb32.exe 37 PID 1064 wrote to memory of 1500 1064 Cnmfdb32.exe 37 PID 1500 wrote to memory of 1676 1500 Cegoqlof.exe 38 PID 1500 wrote to memory of 1676 1500 Cegoqlof.exe 38 PID 1500 wrote to memory of 1676 1500 Cegoqlof.exe 38 PID 1500 wrote to memory of 1676 1500 Cegoqlof.exe 38 PID 1676 wrote to memory of 2948 1676 Dnpciaef.exe 39 PID 1676 wrote to memory of 2948 1676 Dnpciaef.exe 39 PID 1676 wrote to memory of 2948 1676 Dnpciaef.exe 39 PID 1676 wrote to memory of 2948 1676 Dnpciaef.exe 39 PID 2948 wrote to memory of 2752 2948 Danpemej.exe 40 PID 2948 wrote to memory of 2752 2948 Danpemej.exe 40 PID 2948 wrote to memory of 2752 2948 Danpemej.exe 40 PID 2948 wrote to memory of 2752 2948 Danpemej.exe 40 PID 2752 wrote to memory of 324 2752 Diidjpbe.exe 41 PID 2752 wrote to memory of 324 2752 Diidjpbe.exe 41 PID 2752 wrote to memory of 324 2752 Diidjpbe.exe 41 PID 2752 wrote to memory of 324 2752 Diidjpbe.exe 41 PID 324 wrote to memory of 2908 324 Daplkmbg.exe 42 PID 324 wrote to memory of 2908 324 Daplkmbg.exe 42 PID 324 wrote to memory of 2908 324 Daplkmbg.exe 42 PID 324 wrote to memory of 2908 324 Daplkmbg.exe 42 PID 2908 wrote to memory of 1928 2908 Dbaice32.exe 43 PID 2908 wrote to memory of 1928 2908 Dbaice32.exe 43 PID 2908 wrote to memory of 1928 2908 Dbaice32.exe 43 PID 2908 wrote to memory of 1928 2908 Dbaice32.exe 43 PID 1928 wrote to memory of 2360 1928 Dilapopb.exe 44 PID 1928 wrote to memory of 2360 1928 Dilapopb.exe 44 PID 1928 wrote to memory of 2360 1928 Dilapopb.exe 44 PID 1928 wrote to memory of 2360 1928 Dilapopb.exe 44 PID 2360 wrote to memory of 2176 2360 Dpeiligo.exe 45 PID 2360 wrote to memory of 2176 2360 Dpeiligo.exe 45 PID 2360 wrote to memory of 2176 2360 Dpeiligo.exe 45 PID 2360 wrote to memory of 2176 2360 Dpeiligo.exe 45 PID 2176 wrote to memory of 444 2176 Dbdehdfc.exe 46 PID 2176 wrote to memory of 444 2176 Dbdehdfc.exe 46 PID 2176 wrote to memory of 444 2176 Dbdehdfc.exe 46 PID 2176 wrote to memory of 444 2176 Dbdehdfc.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe"C:\Users\Admin\AppData\Local\Temp\6bb14f4d8138652823c10cb733207fc6bb40f6d2eddcc62c90bc4f2c679ba240.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Diidjpbe.exeC:\Windows\system32\Diidjpbe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Dilapopb.exeC:\Windows\system32\Dilapopb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Dipjkn32.exeC:\Windows\system32\Dipjkn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Eegkpo32.exeC:\Windows\system32\Eegkpo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Ekfpmf32.exeC:\Windows\system32\Ekfpmf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe33⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe34⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe35⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe36⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe37⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe39⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe40⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe43⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe44⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe47⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe48⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:804 -
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe50⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe53⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe55⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe57⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe58⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe59⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe60⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe61⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1432 -
C:\Windows\SysWOW64\Gjifodii.exeC:\Windows\system32\Gjifodii.exe63⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe64⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe65⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe66⤵PID:1720
-
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe67⤵PID:2020
-
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe68⤵PID:2236
-
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe69⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe71⤵PID:2728
-
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe72⤵PID:2600
-
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe73⤵PID:1636
-
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe74⤵PID:2920
-
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe75⤵PID:3044
-
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe76⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe77⤵
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe78⤵PID:536
-
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe81⤵PID:1884
-
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe82⤵
- System Location Discovery: System Language Discovery
PID:860 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe83⤵PID:948
-
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe84⤵
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe85⤵PID:2156
-
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe86⤵PID:2876
-
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe88⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe89⤵
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe90⤵PID:3024
-
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe91⤵PID:2956
-
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe92⤵PID:2816
-
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe93⤵PID:988
-
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:668 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe95⤵PID:1932
-
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe96⤵PID:952
-
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1936 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe98⤵PID:1712
-
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:316 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe100⤵PID:2632
-
C:\Windows\SysWOW64\Ipmqgmcd.exeC:\Windows\system32\Ipmqgmcd.exe101⤵PID:1872
-
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe102⤵
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe103⤵PID:2180
-
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe104⤵PID:3004
-
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe105⤵PID:3032
-
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe107⤵PID:2376
-
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe108⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe109⤵PID:1744
-
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe110⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe111⤵PID:1224
-
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe112⤵PID:2532
-
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe113⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe114⤵PID:2588
-
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe115⤵PID:1608
-
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe116⤵PID:2928
-
C:\Windows\SysWOW64\Jjnhhjjk.exeC:\Windows\system32\Jjnhhjjk.exe117⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe118⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe119⤵PID:2432
-
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe120⤵PID:1100
-
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe121⤵
- Modifies registry class
PID:1752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-