Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
08/12/2024, 01:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe
-
Size
72KB
-
MD5
8bbd6925d09b61fe343842dc11730400
-
SHA1
2a554704bdfb8c050946fe0bef31b3b4b04ed58d
-
SHA256
e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2b
-
SHA512
0de5bf0e4a0fba70596c8aaf764017c694f4e5c20c477c3e0e730f8dbead4c35c101e0c4fc09da134f6d21818c95588d4391bef6003864ca15e67168728594d3
-
SSDEEP
768:3joGa4DU78TzLCCyky1SUbpxsr/VZ1djL6itGsuadbD7/z2p/1H5TXdnh4xg84x+:3sh4Y78TPykhysLL2Oz2Lj6+lWCWQ+
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmben32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pincfpoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgoopkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkdhoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbbjpgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhakcfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieajkfmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklgbadb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpjeialg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlckbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfognic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijclol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcnonob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfkkpmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbdhjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdejhfig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnpgeopa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doecog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Objaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnqmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnpbjnpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgjaeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Illbhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojddmec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpbjnpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjdmjgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgkocj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcnegnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phqmgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlhjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajeeeblb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkejcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcheib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnclmoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejmhkiig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filgbdfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnifja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goplilpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjjmijme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piicpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbfepmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdojgmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bimoloog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmbqegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmnclmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olophhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aknlofim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnmlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhoice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpadhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjnnn32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1224 Bleeioil.exe 2184 Bfkifhib.exe 2784 Cpcnonob.exe 2740 Cadjgf32.exe 2868 Cljodo32.exe 2908 Cebcmdlg.exe 2640 Cllkin32.exe 2712 Cedpbd32.exe 1748 Cffljlpc.exe 2272 Cheido32.exe 1544 Danmmd32.exe 1644 Dkfbfjdf.exe 1944 Dmdnbecj.exe 2940 Depbfhpe.exe 2208 Dljkcb32.exe 2336 Dgoopkgh.exe 3000 Dinklffl.exe 332 Dojddmec.exe 1764 Dcfpel32.exe 920 Dhbhmb32.exe 1716 Dkadjn32.exe 1684 Domqjm32.exe 604 Degiggjm.exe 1028 Elqaca32.exe 1924 Eoompl32.exe 2552 Eamilh32.exe 2964 Egjbdo32.exe 2736 Eabcggll.exe 2796 Eccpoo32.exe 2724 Ejmhkiig.exe 2812 Edclib32.exe 2616 Elnqmd32.exe 3064 Eqjmncna.exe 3052 Fgcejm32.exe 1588 Fjbafi32.exe 1984 Foojop32.exe 1124 Fbmfkkbm.exe 2012 Fkejcq32.exe 1712 Fcmben32.exe 2132 Fbpbpkpj.exe 2156 Fdnolfon.exe 2576 Filgbdfd.exe 976 Fkjdopeh.exe 1308 Fgadda32.exe 1784 Fkmqdpce.exe 888 Gnkmqkbi.exe 2480 Gcheib32.exe 2140 Ggcaiqhj.exe 2384 Gkomjo32.exe 2368 Gfhnjm32.exe 2232 Gnpflj32.exe 2992 Gmbfggdo.exe 2880 Gpabcbdb.exe 2932 Gfkkpmko.exe 2668 Gjfgqk32.exe 2032 Gpcoib32.exe 1564 Gbaken32.exe 1612 Gfmgelil.exe 2768 Gjicfk32.exe 2180 Gmgpbf32.exe 1076 Gljpncgc.exe 1032 Gpelnb32.exe 1680 Gbdhjm32.exe 316 Hebdfind.exe -
Loads dropped DLL 64 IoCs
pid Process 2920 e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe 2920 e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe 1224 Bleeioil.exe 1224 Bleeioil.exe 2184 Bfkifhib.exe 2184 Bfkifhib.exe 2784 Cpcnonob.exe 2784 Cpcnonob.exe 2740 Cadjgf32.exe 2740 Cadjgf32.exe 2868 Cljodo32.exe 2868 Cljodo32.exe 2908 Cebcmdlg.exe 2908 Cebcmdlg.exe 2640 Cllkin32.exe 2640 Cllkin32.exe 2712 Cedpbd32.exe 2712 Cedpbd32.exe 1748 Cffljlpc.exe 1748 Cffljlpc.exe 2272 Cheido32.exe 2272 Cheido32.exe 1544 Danmmd32.exe 1544 Danmmd32.exe 1644 Dkfbfjdf.exe 1644 Dkfbfjdf.exe 1944 Dmdnbecj.exe 1944 Dmdnbecj.exe 2940 Depbfhpe.exe 2940 Depbfhpe.exe 2208 Dljkcb32.exe 2208 Dljkcb32.exe 2336 Dgoopkgh.exe 2336 Dgoopkgh.exe 3000 Dinklffl.exe 3000 Dinklffl.exe 332 Dojddmec.exe 332 Dojddmec.exe 1764 Dcfpel32.exe 1764 Dcfpel32.exe 920 Dhbhmb32.exe 920 Dhbhmb32.exe 1716 Dkadjn32.exe 1716 Dkadjn32.exe 1684 Domqjm32.exe 1684 Domqjm32.exe 604 Degiggjm.exe 604 Degiggjm.exe 1028 Elqaca32.exe 1028 Elqaca32.exe 1924 Eoompl32.exe 1924 Eoompl32.exe 2552 Eamilh32.exe 2552 Eamilh32.exe 2964 Egjbdo32.exe 2964 Egjbdo32.exe 2736 Eabcggll.exe 2736 Eabcggll.exe 2796 Eccpoo32.exe 2796 Eccpoo32.exe 2724 Ejmhkiig.exe 2724 Ejmhkiig.exe 2812 Edclib32.exe 2812 Edclib32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Akgddhmc.dll Hkiicmdh.exe File created C:\Windows\SysWOW64\Jabfljee.dll Dljkcb32.exe File opened for modification C:\Windows\SysWOW64\Hbfepmmn.exe Hphidanj.exe File opened for modification C:\Windows\SysWOW64\Qackpado.exe Qngopb32.exe File opened for modification C:\Windows\SysWOW64\Eklqcl32.exe Ehmdgp32.exe File opened for modification C:\Windows\SysWOW64\Lgchgb32.exe Lddlkg32.exe File created C:\Windows\SysWOW64\Pdoomf32.dll Foojop32.exe File opened for modification C:\Windows\SysWOW64\Fkecij32.exe Fcnkhmdp.exe File created C:\Windows\SysWOW64\Olbkdn32.dll Qgmpibam.exe File created C:\Windows\SysWOW64\Cbkipjbh.dll Iafnjg32.exe File created C:\Windows\SysWOW64\Nlhjhi32.exe Nfkapb32.exe File created C:\Windows\SysWOW64\Deollamj.exe Doecog32.exe File created C:\Windows\SysWOW64\Jpbalb32.exe Iihiphln.exe File opened for modification C:\Windows\SysWOW64\Hmeolj32.exe Hjfcpo32.exe File created C:\Windows\SysWOW64\Fbaepf32.dll Kohnoc32.exe File created C:\Windows\SysWOW64\Lqilpbfo.dll Eijdkcgn.exe File created C:\Windows\SysWOW64\Nbklpemb.dll Oiffkkbk.exe File created C:\Windows\SysWOW64\Fpkbeabf.dll Fgcejm32.exe File created C:\Windows\SysWOW64\Ehlenfjb.dll Hhjcic32.exe File created C:\Windows\SysWOW64\Jaeafklf.exe Jofejpmc.exe File created C:\Windows\SysWOW64\Nnafnopi.exe Nlcibc32.exe File opened for modification C:\Windows\SysWOW64\Ccdmnj32.exe Cpiqmlfm.exe File opened for modification C:\Windows\SysWOW64\Eddeladm.exe Ecbhdi32.exe File created C:\Windows\SysWOW64\Ibhndp32.exe Ipjahd32.exe File created C:\Windows\SysWOW64\Kcmcoblm.exe Kdjccf32.exe File opened for modification C:\Windows\SysWOW64\Mkaghg32.exe Mmogmjmn.exe File created C:\Windows\SysWOW64\Kqojbd32.dll Hakkgc32.exe File opened for modification C:\Windows\SysWOW64\Mfmndn32.exe Mgjnhaco.exe File opened for modification C:\Windows\SysWOW64\Fkmqdpce.exe Fgadda32.exe File created C:\Windows\SysWOW64\Macilmnk.exe Mgjebg32.exe File created C:\Windows\SysWOW64\Cofdbf32.dll Pcljmdmj.exe File created C:\Windows\SysWOW64\Iiecgjba.exe Ifffkncm.exe File opened for modification C:\Windows\SysWOW64\Oajlkojn.exe Okpcoe32.exe File created C:\Windows\SysWOW64\Kncaojfb.exe Klbdgb32.exe File opened for modification C:\Windows\SysWOW64\Mmgfqh32.exe Mfmndn32.exe File opened for modification C:\Windows\SysWOW64\Kfebambf.exe Kbigpn32.exe File created C:\Windows\SysWOW64\Lfhhjklc.exe Lcjlnpmo.exe File created C:\Windows\SysWOW64\Mkqqnq32.exe Mcjhmcok.exe File created C:\Windows\SysWOW64\Nlcibc32.exe Nidmfh32.exe File opened for modification C:\Windows\SysWOW64\Bkmhnjlh.exe Biolanld.exe File opened for modification C:\Windows\SysWOW64\Jmhnkfpa.exe Jfofol32.exe File created C:\Windows\SysWOW64\Oemgplgo.exe Oococb32.exe File created C:\Windows\SysWOW64\Cfibop32.dll Pdeqfhjd.exe File opened for modification C:\Windows\SysWOW64\Gfhnjm32.exe Gkomjo32.exe File opened for modification C:\Windows\SysWOW64\Dddimn32.exe Dafmqb32.exe File opened for modification C:\Windows\SysWOW64\Iamdkfnc.exe Imahkg32.exe File opened for modification C:\Windows\SysWOW64\Mccbmh32.exe Mjkndb32.exe File opened for modification C:\Windows\SysWOW64\Nhakcfab.exe Nmlgfnal.exe File opened for modification C:\Windows\SysWOW64\Eecafd32.exe Enlidg32.exe File opened for modification C:\Windows\SysWOW64\Fncpef32.exe Fkecij32.exe File created C:\Windows\SysWOW64\Jpebhied.dll Bchfhfeh.exe File created C:\Windows\SysWOW64\Ghjggnbo.dll Joiappkp.exe File created C:\Windows\SysWOW64\Ccdmnj32.exe Cpiqmlfm.exe File opened for modification C:\Windows\SysWOW64\Jhbold32.exe Jioopgef.exe File created C:\Windows\SysWOW64\Obmnna32.exe Opnbbe32.exe File opened for modification C:\Windows\SysWOW64\Pdbdqh32.exe Padhdm32.exe File opened for modification C:\Windows\SysWOW64\Jjdofm32.exe Jdhgnf32.exe File created C:\Windows\SysWOW64\Dhkkbmnp.exe Ddpobo32.exe File created C:\Windows\SysWOW64\Eoepnk32.exe Ehkhaqpk.exe File opened for modification C:\Windows\SysWOW64\Iliebpfc.exe Ihniaa32.exe File opened for modification C:\Windows\SysWOW64\Mgjnhaco.exe Mobfgdcl.exe File created C:\Windows\SysWOW64\Ieocod32.dll Nlefhcnc.exe File opened for modification C:\Windows\SysWOW64\Obmnna32.exe Opnbbe32.exe File created C:\Windows\SysWOW64\Fjegog32.exe Fhdjgoha.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6500 6424 WerFault.exe 629 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbdea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbncfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfkfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklddhka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgjnhaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lneaqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbqmhnbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghajacmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiecgjba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhakcfab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbdodnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behilopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhhjklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqqnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhndp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaeafklf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmgfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elqaca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdhoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhdlad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmpdlac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnngfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popeif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbqfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piqpkpml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qackpado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciohqa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpjnkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjhmcok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnomjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmeolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liqoflfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgjebg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqjdgmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqmamm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copjdhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmndn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddlkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplimbka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdhcli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npmphinm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogibnha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqoilii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglehp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgahoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbpbpkpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmbmeifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebmjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceebklai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hldlga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hllmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabdql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfqmi32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inaqlm32.dll" Cllkin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcmfmlen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmhnkfpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnafnopi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmhnkfpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cedpbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idadnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmgpoia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjdofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almdmc32.dll" Lfbbjpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhadf32.dll" Dknajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehpalp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlelhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anloijlk.dll" Lokgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aciqcifh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cicalakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdgmlhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bchfhfeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cinafkkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcgjmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfej32.dll" Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbaihlkd.dll" Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdkak32.dll" Ibmgpoia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khoebi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbfnoac.dll" Lcaiiejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmqhd32.dll" Ghajacmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll" Anbkipok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghakg32.dll" Mnifja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeqncja.dll" Hebnlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecploipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iphecepe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgeao32.dll" Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnaooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijmipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mibnje32.dll" Ipokcdjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblifk32.dll" Aknlofim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gchfle32.dll" Jmhnkfpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffgkhmc.dll" Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll" Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhoice32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfdopp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkoncdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknedeoi.dll" Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giipab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbcjnnpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkjdopeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlmgo32.dll" Mmgfqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eabcggll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abigipko.dll" Cbiiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohlogok.dll" Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbfgoak.dll" Hpjeialg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjdfjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aodkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqimphik.dll" Hifpke32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2920 wrote to memory of 1224 2920 e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe 30 PID 2920 wrote to memory of 1224 2920 e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe 30 PID 2920 wrote to memory of 1224 2920 e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe 30 PID 2920 wrote to memory of 1224 2920 e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe 30 PID 1224 wrote to memory of 2184 1224 Bleeioil.exe 31 PID 1224 wrote to memory of 2184 1224 Bleeioil.exe 31 PID 1224 wrote to memory of 2184 1224 Bleeioil.exe 31 PID 1224 wrote to memory of 2184 1224 Bleeioil.exe 31 PID 2184 wrote to memory of 2784 2184 Bfkifhib.exe 32 PID 2184 wrote to memory of 2784 2184 Bfkifhib.exe 32 PID 2184 wrote to memory of 2784 2184 Bfkifhib.exe 32 PID 2184 wrote to memory of 2784 2184 Bfkifhib.exe 32 PID 2784 wrote to memory of 2740 2784 Cpcnonob.exe 33 PID 2784 wrote to memory of 2740 2784 Cpcnonob.exe 33 PID 2784 wrote to memory of 2740 2784 Cpcnonob.exe 33 PID 2784 wrote to memory of 2740 2784 Cpcnonob.exe 33 PID 2740 wrote to memory of 2868 2740 Cadjgf32.exe 34 PID 2740 wrote to memory of 2868 2740 Cadjgf32.exe 34 PID 2740 wrote to memory of 2868 2740 Cadjgf32.exe 34 PID 2740 wrote to memory of 2868 2740 Cadjgf32.exe 34 PID 2868 wrote to memory of 2908 2868 Cljodo32.exe 35 PID 2868 wrote to memory of 2908 2868 Cljodo32.exe 35 PID 2868 wrote to memory of 2908 2868 Cljodo32.exe 35 PID 2868 wrote to memory of 2908 2868 Cljodo32.exe 35 PID 2908 wrote to memory of 2640 2908 Cebcmdlg.exe 36 PID 2908 wrote to memory of 2640 2908 Cebcmdlg.exe 36 PID 2908 wrote to memory of 2640 2908 Cebcmdlg.exe 36 PID 2908 wrote to memory of 2640 2908 Cebcmdlg.exe 36 PID 2640 wrote to memory of 2712 2640 Cllkin32.exe 37 PID 2640 wrote to memory of 2712 2640 Cllkin32.exe 37 PID 2640 wrote to memory of 2712 2640 Cllkin32.exe 37 PID 2640 wrote to memory of 2712 2640 Cllkin32.exe 37 PID 2712 wrote to memory of 1748 2712 Cedpbd32.exe 38 PID 2712 wrote to memory of 1748 2712 Cedpbd32.exe 38 PID 2712 wrote to memory of 1748 2712 Cedpbd32.exe 38 PID 2712 wrote to memory of 1748 2712 Cedpbd32.exe 38 PID 1748 wrote to memory of 2272 1748 Cffljlpc.exe 39 PID 1748 wrote to memory of 2272 1748 Cffljlpc.exe 39 PID 1748 wrote to memory of 2272 1748 Cffljlpc.exe 39 PID 1748 wrote to memory of 2272 1748 Cffljlpc.exe 39 PID 2272 wrote to memory of 1544 2272 Cheido32.exe 40 PID 2272 wrote to memory of 1544 2272 Cheido32.exe 40 PID 2272 wrote to memory of 1544 2272 Cheido32.exe 40 PID 2272 wrote to memory of 1544 2272 Cheido32.exe 40 PID 1544 wrote to memory of 1644 1544 Danmmd32.exe 41 PID 1544 wrote to memory of 1644 1544 Danmmd32.exe 41 PID 1544 wrote to memory of 1644 1544 Danmmd32.exe 41 PID 1544 wrote to memory of 1644 1544 Danmmd32.exe 41 PID 1644 wrote to memory of 1944 1644 Dkfbfjdf.exe 42 PID 1644 wrote to memory of 1944 1644 Dkfbfjdf.exe 42 PID 1644 wrote to memory of 1944 1644 Dkfbfjdf.exe 42 PID 1644 wrote to memory of 1944 1644 Dkfbfjdf.exe 42 PID 1944 wrote to memory of 2940 1944 Dmdnbecj.exe 43 PID 1944 wrote to memory of 2940 1944 Dmdnbecj.exe 43 PID 1944 wrote to memory of 2940 1944 Dmdnbecj.exe 43 PID 1944 wrote to memory of 2940 1944 Dmdnbecj.exe 43 PID 2940 wrote to memory of 2208 2940 Depbfhpe.exe 44 PID 2940 wrote to memory of 2208 2940 Depbfhpe.exe 44 PID 2940 wrote to memory of 2208 2940 Depbfhpe.exe 44 PID 2940 wrote to memory of 2208 2940 Depbfhpe.exe 44 PID 2208 wrote to memory of 2336 2208 Dljkcb32.exe 45 PID 2208 wrote to memory of 2336 2208 Dljkcb32.exe 45 PID 2208 wrote to memory of 2336 2208 Dljkcb32.exe 45 PID 2208 wrote to memory of 2336 2208 Dljkcb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe"C:\Users\Admin\AppData\Local\Temp\e6681c9cb39f233952cb3c722bcdfcaa5cb6ee3e25f520c161eb12f2ccbacf2bN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1028 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe34⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe36⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe38⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe42⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe46⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe47⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe49⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe51⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe52⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe53⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe54⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe56⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe57⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe58⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe59⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe60⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe61⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe62⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe63⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe65⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe66⤵
- System Location Discovery: System Language Discovery
PID:828 -
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe67⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1788 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe69⤵PID:636
-
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe70⤵PID:2512
-
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe71⤵PID:2904
-
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe74⤵PID:2644
-
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe75⤵PID:984
-
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe76⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe78⤵PID:1832
-
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe79⤵PID:2092
-
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe80⤵PID:1616
-
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe81⤵
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe83⤵PID:1692
-
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe84⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe85⤵PID:3040
-
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe86⤵PID:2556
-
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe87⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe88⤵PID:2600
-
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe89⤵PID:2780
-
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe90⤵PID:1268
-
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe91⤵PID:1376
-
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe92⤵
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe93⤵PID:2252
-
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe94⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe95⤵
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe96⤵
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe97⤵PID:3044
-
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe98⤵PID:548
-
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe99⤵PID:2388
-
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe100⤵PID:2976
-
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe101⤵PID:2628
-
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe102⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe103⤵
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe104⤵
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe105⤵
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe106⤵PID:1952
-
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe107⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe108⤵PID:1220
-
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe109⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe112⤵PID:2752
-
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe113⤵PID:2900
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe114⤵
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe115⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe116⤵PID:1408
-
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe118⤵PID:2080
-
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe119⤵
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe120⤵PID:2064
-
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-