Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
08/03/2025, 05:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe
-
Size
45KB
-
MD5
8ba166af3c93ae7eef2ea646dd3f1953
-
SHA1
fe47b67ee60a813ff1f30f273fb407c6782139c7
-
SHA256
9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d
-
SHA512
a273f830751b1649a70394e3d68df294e0b7fd53132821e523d23d1149a1a7fc415741646deea85f8244230db945e72b93baf925d928a1d9dd2c05aee663d16a
-
SSDEEP
768:87hfanrDlD1m4/YkJn8yV+80vCatGmunTr6K/1H5f:LBFNVbatGmO2Ql
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgojpjem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmcfhkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npccpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaocmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chpmpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oomjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odlojanh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onbgmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajecmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagjnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ginnnooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iccbqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjoplgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaiibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgmalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Linphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Balkchpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefhhbef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifkacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnhnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjhgdck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meppiblm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgjfkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oalfhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqjfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aecaidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajbne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfeppop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckoilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcibkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akmjfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hanlnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjoplgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnimnfpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqhijbog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laegiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnimnfpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfffnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjakmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieidmbcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojigbhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkaiqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojigbhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlngpjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhloponc.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2892 Ccahbp32.exe 2772 Cadhnmnm.exe 2748 Cohigamf.exe 2684 Chpmpg32.exe 2272 Ckoilb32.exe 660 Cpkbdiqb.exe 2192 Chbjffad.exe 2104 Cnobnmpl.exe 1872 Cpnojioo.exe 1932 Cghggc32.exe 576 Cnaocmmi.exe 1920 Dgjclbdi.exe 1584 Doehqead.exe 2092 Dfoqmo32.exe 1264 Djklnnaj.exe 680 Dogefd32.exe 1480 Dbfabp32.exe 1604 Dojald32.exe 1472 Dbhnhp32.exe 1656 Dhbfdjdp.exe 1356 Dolnad32.exe 908 Dfffnn32.exe 1476 Dggcffhg.exe 316 Enakbp32.exe 848 Eqpgol32.exe 2960 Edkcojga.exe 2872 Endhhp32.exe 2452 Egllae32.exe 1128 Enfenplo.exe 2864 Ejmebq32.exe 1692 Emkaol32.exe 2376 Emnndlod.exe 2924 Eplkpgnh.exe 2936 Fjaonpnn.exe 1972 Fcjcfe32.exe 2248 Ffhpbacb.exe 1268 Figlolbf.exe 2436 Fbopgb32.exe 236 Fenmdm32.exe 1104 Fiihdlpc.exe 1788 Fadminnn.exe 1388 Fnhnbb32.exe 2188 Fagjnn32.exe 1324 Febfomdd.exe 2012 Fhqbkhch.exe 1672 Ghcoqh32.exe 2116 Gjakmc32.exe 2572 Gnmgmbhb.exe 2744 Gakcimgf.exe 2780 Gdjpeifj.exe 2152 Ghelfg32.exe 352 Gfhladfn.exe 356 Gifhnpea.exe 2944 Ganpomec.exe 1724 Gdllkhdg.exe 2976 Gfjhgdck.exe 1572 Gjfdhbld.exe 2348 Giieco32.exe 2068 Glgaok32.exe 2408 Gbaileio.exe 1092 Gikaio32.exe 780 Gmgninie.exe 1036 Gpejeihi.exe 2416 Gbcfadgl.exe -
Loads dropped DLL 64 IoCs
pid Process 2804 9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe 2804 9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe 2892 Ccahbp32.exe 2892 Ccahbp32.exe 2772 Cadhnmnm.exe 2772 Cadhnmnm.exe 2748 Cohigamf.exe 2748 Cohigamf.exe 2684 Chpmpg32.exe 2684 Chpmpg32.exe 2272 Ckoilb32.exe 2272 Ckoilb32.exe 660 Cpkbdiqb.exe 660 Cpkbdiqb.exe 2192 Chbjffad.exe 2192 Chbjffad.exe 2104 Cnobnmpl.exe 2104 Cnobnmpl.exe 1872 Cpnojioo.exe 1872 Cpnojioo.exe 1932 Cghggc32.exe 1932 Cghggc32.exe 576 Cnaocmmi.exe 576 Cnaocmmi.exe 1920 Dgjclbdi.exe 1920 Dgjclbdi.exe 1584 Doehqead.exe 1584 Doehqead.exe 2092 Dfoqmo32.exe 2092 Dfoqmo32.exe 1264 Djklnnaj.exe 1264 Djklnnaj.exe 680 Dogefd32.exe 680 Dogefd32.exe 1480 Dbfabp32.exe 1480 Dbfabp32.exe 1604 Dojald32.exe 1604 Dojald32.exe 1472 Dbhnhp32.exe 1472 Dbhnhp32.exe 1656 Dhbfdjdp.exe 1656 Dhbfdjdp.exe 1356 Dolnad32.exe 1356 Dolnad32.exe 908 Dfffnn32.exe 908 Dfffnn32.exe 1476 Dggcffhg.exe 1476 Dggcffhg.exe 316 Enakbp32.exe 316 Enakbp32.exe 848 Eqpgol32.exe 848 Eqpgol32.exe 2960 Edkcojga.exe 2960 Edkcojga.exe 2872 Endhhp32.exe 2872 Endhhp32.exe 2452 Egllae32.exe 2452 Egllae32.exe 1128 Enfenplo.exe 1128 Enfenplo.exe 2864 Ejmebq32.exe 2864 Ejmebq32.exe 1692 Emkaol32.exe 1692 Emkaol32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aijpnfif.exe Afkdakjb.exe File created C:\Windows\SysWOW64\Bbdallnd.exe Bpfeppop.exe File created C:\Windows\SysWOW64\Fhqbkhch.exe Febfomdd.exe File opened for modification C:\Windows\SysWOW64\Icmegf32.exe Ioaifhid.exe File created C:\Windows\SysWOW64\Ljkomfjl.exe Lcagpl32.exe File created C:\Windows\SysWOW64\Nlekia32.exe Nigome32.exe File created C:\Windows\SysWOW64\Aaloddnn.exe Annbhi32.exe File created C:\Windows\SysWOW64\Cifmcd32.dll Becnhgmg.exe File opened for modification C:\Windows\SysWOW64\Bajomhbl.exe Bnkbam32.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Enakbp32.exe File opened for modification C:\Windows\SysWOW64\Jabbhcfe.exe Jocflgga.exe File created C:\Windows\SysWOW64\Hloopaak.dll Keednado.exe File opened for modification C:\Windows\SysWOW64\Nilhhdga.exe Nadpgggp.exe File created C:\Windows\SysWOW64\Pihgic32.exe Pdlkiepd.exe File created C:\Windows\SysWOW64\Nacehmno.dll Qeohnd32.exe File created C:\Windows\SysWOW64\Elmnchif.dll Aecaidjl.exe File created C:\Windows\SysWOW64\Bdkgocpm.exe Balkchpi.exe File created C:\Windows\SysWOW64\Gjakmc32.exe Ghcoqh32.exe File opened for modification C:\Windows\SysWOW64\Gjfdhbld.exe Gfjhgdck.exe File created C:\Windows\SysWOW64\Fibmmd32.dll Hedocp32.exe File created C:\Windows\SysWOW64\Cfgheegc.dll Bdkgocpm.exe File created C:\Windows\SysWOW64\Qbgpffch.dll Cnaocmmi.exe File created C:\Windows\SysWOW64\Dfoqmo32.exe Doehqead.exe File created C:\Windows\SysWOW64\Ffhpbacb.exe Fcjcfe32.exe File opened for modification C:\Windows\SysWOW64\Figlolbf.exe Ffhpbacb.exe File created C:\Windows\SysWOW64\Ginnnooi.exe Gbcfadgl.exe File created C:\Windows\SysWOW64\Fbldmm32.dll Iheddndj.exe File opened for modification C:\Windows\SysWOW64\Jgcdki32.exe Jqilooij.exe File created C:\Windows\SysWOW64\Jpfppg32.dll Lnbbbffj.exe File created C:\Windows\SysWOW64\Linphc32.exe Ljkomfjl.exe File created C:\Windows\SysWOW64\Gneolbel.dll Picnndmb.exe File created C:\Windows\SysWOW64\Blkahecm.dll Pmagdbci.exe File created C:\Windows\SysWOW64\Ecjdib32.dll Alhmjbhj.exe File opened for modification C:\Windows\SysWOW64\Bejdiffp.exe Baohhgnf.exe File created C:\Windows\SysWOW64\Cpkbdiqb.exe Ckoilb32.exe File created C:\Windows\SysWOW64\Inegme32.dll Emkaol32.exe File created C:\Windows\SysWOW64\Fmhbhf32.dll Hoamgd32.exe File created C:\Windows\SysWOW64\Fffdil32.dll Icfofg32.exe File opened for modification C:\Windows\SysWOW64\Idnaoohk.exe Ifkacb32.exe File created C:\Windows\SysWOW64\Kcpnnfqg.dll Nplmop32.exe File opened for modification C:\Windows\SysWOW64\Ajecmj32.exe Agfgqo32.exe File opened for modification C:\Windows\SysWOW64\Ghcoqh32.exe Fhqbkhch.exe File created C:\Windows\SysWOW64\Pgegdo32.dll Hgjefg32.exe File opened for modification C:\Windows\SysWOW64\Ilcmjl32.exe Ieidmbcc.exe File opened for modification C:\Windows\SysWOW64\Jnpinc32.exe Jgfqaiod.exe File created C:\Windows\SysWOW64\Gpbgnedh.dll Mlcbenjb.exe File opened for modification C:\Windows\SysWOW64\Nlcnda32.exe Niebhf32.exe File created C:\Windows\SysWOW64\Dnlbnp32.dll Ngkogj32.exe File created C:\Windows\SysWOW64\Qbplbi32.exe Pihgic32.exe File created C:\Windows\SysWOW64\Inifnq32.exe Iimjmbae.exe File created C:\Windows\SysWOW64\Dkqahbgm.dll Ifkacb32.exe File created C:\Windows\SysWOW64\Allepo32.dll Kegqdqbl.exe File opened for modification C:\Windows\SysWOW64\Laegiq32.exe Linphc32.exe File created C:\Windows\SysWOW64\Pcibkm32.exe Pqjfoa32.exe File opened for modification C:\Windows\SysWOW64\Aaloddnn.exe Annbhi32.exe File created C:\Windows\SysWOW64\Becnhgmg.exe Bbdallnd.exe File created C:\Windows\SysWOW64\Abacpl32.dll Blobjaba.exe File created C:\Windows\SysWOW64\Djklnnaj.exe Dfoqmo32.exe File opened for modification C:\Windows\SysWOW64\Iccbqh32.exe Habfipdj.exe File created C:\Windows\SysWOW64\Gabqfggi.dll Lmgocb32.exe File opened for modification C:\Windows\SysWOW64\Meppiblm.exe Mmihhelk.exe File created C:\Windows\SysWOW64\Nplmop32.exe Nmnace32.exe File created C:\Windows\SysWOW64\Kjbgng32.dll Npojdpef.exe File opened for modification C:\Windows\SysWOW64\Odjbdb32.exe Oalfhf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3708 3804 WerFault.exe 308 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legmbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcibkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emnndlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpdko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnicmdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kconkibf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oagmmgdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mholen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohigamf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dojald32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgjefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcmjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ileiplhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oomjlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaloddnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnobnmpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifkacb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlhnagm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akmjfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biafnecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabbhcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Linphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilhhdga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkdakjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbfdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqpgol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkpbcjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkhofjoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npojdpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmalg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplmop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nigome32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffhpbacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbaileio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamimc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmldme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npagjpcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollajp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apoooa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnimnfpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjpeifj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enakbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icmegf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moanaiie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlekia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Becnhgmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifhnpea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqgoiokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphbeplm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacacg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggcffhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egllae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ichllgfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcnda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nadpgggp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homclekn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilfcpqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keednado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgaok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkolkk32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Habfipdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcfqkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll" Niebhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oagmmgdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okdkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll" Mapjmehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpjaq32.dll" Ojigbhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbopgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlljjjnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkpbcjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apoooa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbeflpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bajomhbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blaopqpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqilooij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llcefjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Linphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bphbeplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boplllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefgcifd.dll" Fhqbkhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipjoplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhejlj.dll" Jgojpjem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmefooki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kincipnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malllmgi.dll" Knpemf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbiqfied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mooaljkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmol32.dll" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kegqdqbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncbplk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odeiibdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll" Pdaheq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbplbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qodlkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll" Aaheie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fenmdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghcoqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odjbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajecmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afkdakjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll" Bpfeppop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll" Balkchpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boplllob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dojald32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfffnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljkomfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niikceid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amcpie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acpdko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll" Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obknqjig.dll" Gjakmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeelpbm.dll" Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll" Lccdel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onbgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll" Abbeflpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjppa32.dll" Fbopgb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2804 wrote to memory of 2892 2804 9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe 30 PID 2804 wrote to memory of 2892 2804 9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe 30 PID 2804 wrote to memory of 2892 2804 9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe 30 PID 2804 wrote to memory of 2892 2804 9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe 30 PID 2892 wrote to memory of 2772 2892 Ccahbp32.exe 31 PID 2892 wrote to memory of 2772 2892 Ccahbp32.exe 31 PID 2892 wrote to memory of 2772 2892 Ccahbp32.exe 31 PID 2892 wrote to memory of 2772 2892 Ccahbp32.exe 31 PID 2772 wrote to memory of 2748 2772 Cadhnmnm.exe 32 PID 2772 wrote to memory of 2748 2772 Cadhnmnm.exe 32 PID 2772 wrote to memory of 2748 2772 Cadhnmnm.exe 32 PID 2772 wrote to memory of 2748 2772 Cadhnmnm.exe 32 PID 2748 wrote to memory of 2684 2748 Cohigamf.exe 33 PID 2748 wrote to memory of 2684 2748 Cohigamf.exe 33 PID 2748 wrote to memory of 2684 2748 Cohigamf.exe 33 PID 2748 wrote to memory of 2684 2748 Cohigamf.exe 33 PID 2684 wrote to memory of 2272 2684 Chpmpg32.exe 34 PID 2684 wrote to memory of 2272 2684 Chpmpg32.exe 34 PID 2684 wrote to memory of 2272 2684 Chpmpg32.exe 34 PID 2684 wrote to memory of 2272 2684 Chpmpg32.exe 34 PID 2272 wrote to memory of 660 2272 Ckoilb32.exe 35 PID 2272 wrote to memory of 660 2272 Ckoilb32.exe 35 PID 2272 wrote to memory of 660 2272 Ckoilb32.exe 35 PID 2272 wrote to memory of 660 2272 Ckoilb32.exe 35 PID 660 wrote to memory of 2192 660 Cpkbdiqb.exe 36 PID 660 wrote to memory of 2192 660 Cpkbdiqb.exe 36 PID 660 wrote to memory of 2192 660 Cpkbdiqb.exe 36 PID 660 wrote to memory of 2192 660 Cpkbdiqb.exe 36 PID 2192 wrote to memory of 2104 2192 Chbjffad.exe 37 PID 2192 wrote to memory of 2104 2192 Chbjffad.exe 37 PID 2192 wrote to memory of 2104 2192 Chbjffad.exe 37 PID 2192 wrote to memory of 2104 2192 Chbjffad.exe 37 PID 2104 wrote to memory of 1872 2104 Cnobnmpl.exe 38 PID 2104 wrote to memory of 1872 2104 Cnobnmpl.exe 38 PID 2104 wrote to memory of 1872 2104 Cnobnmpl.exe 38 PID 2104 wrote to memory of 1872 2104 Cnobnmpl.exe 38 PID 1872 wrote to memory of 1932 1872 Cpnojioo.exe 39 PID 1872 wrote to memory of 1932 1872 Cpnojioo.exe 39 PID 1872 wrote to memory of 1932 1872 Cpnojioo.exe 39 PID 1872 wrote to memory of 1932 1872 Cpnojioo.exe 39 PID 1932 wrote to memory of 576 1932 Cghggc32.exe 40 PID 1932 wrote to memory of 576 1932 Cghggc32.exe 40 PID 1932 wrote to memory of 576 1932 Cghggc32.exe 40 PID 1932 wrote to memory of 576 1932 Cghggc32.exe 40 PID 576 wrote to memory of 1920 576 Cnaocmmi.exe 41 PID 576 wrote to memory of 1920 576 Cnaocmmi.exe 41 PID 576 wrote to memory of 1920 576 Cnaocmmi.exe 41 PID 576 wrote to memory of 1920 576 Cnaocmmi.exe 41 PID 1920 wrote to memory of 1584 1920 Dgjclbdi.exe 42 PID 1920 wrote to memory of 1584 1920 Dgjclbdi.exe 42 PID 1920 wrote to memory of 1584 1920 Dgjclbdi.exe 42 PID 1920 wrote to memory of 1584 1920 Dgjclbdi.exe 42 PID 1584 wrote to memory of 2092 1584 Doehqead.exe 43 PID 1584 wrote to memory of 2092 1584 Doehqead.exe 43 PID 1584 wrote to memory of 2092 1584 Doehqead.exe 43 PID 1584 wrote to memory of 2092 1584 Doehqead.exe 43 PID 2092 wrote to memory of 1264 2092 Dfoqmo32.exe 44 PID 2092 wrote to memory of 1264 2092 Dfoqmo32.exe 44 PID 2092 wrote to memory of 1264 2092 Dfoqmo32.exe 44 PID 2092 wrote to memory of 1264 2092 Dfoqmo32.exe 44 PID 1264 wrote to memory of 680 1264 Djklnnaj.exe 45 PID 1264 wrote to memory of 680 1264 Djklnnaj.exe 45 PID 1264 wrote to memory of 680 1264 Djklnnaj.exe 45 PID 1264 wrote to memory of 680 1264 Djklnnaj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe"C:\Users\Admin\AppData\Local\Temp\9a996d4352325f8558c21a3bdaffee9965dd36498ace518de8c8f4d21b111c9d.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Chpmpg32.exeC:\Windows\system32\Chpmpg32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:680 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Dolnad32.exeC:\Windows\system32\Dolnad32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Dfffnn32.exeC:\Windows\system32\Dfffnn32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:848 -
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Egllae32.exeC:\Windows\system32\Egllae32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Enfenplo.exeC:\Windows\system32\Enfenplo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1128 -
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Emkaol32.exeC:\Windows\system32\Emkaol32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Emnndlod.exeC:\Windows\system32\Emnndlod.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe34⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe38⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Fbopgb32.exeC:\Windows\system32\Fbopgb32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Fenmdm32.exeC:\Windows\system32\Fenmdm32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:236 -
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe41⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe42⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Febfomdd.exeC:\Windows\system32\Febfomdd.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Gnmgmbhb.exeC:\Windows\system32\Gnmgmbhb.exe49⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe50⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe52⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe53⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:356 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe55⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe56⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe58⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe59⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe62⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe63⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe64⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Hlljjjnm.exeC:\Windows\system32\Hlljjjnm.exe67⤵
- Modifies registry class
PID:280 -
C:\Windows\SysWOW64\Hbfbgd32.exeC:\Windows\system32\Hbfbgd32.exe68⤵PID:2656
-
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe69⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe71⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe72⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe73⤵PID:1748
-
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe75⤵PID:1756
-
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Hoamgd32.exeC:\Windows\system32\Hoamgd32.exe77⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe78⤵PID:852
-
C:\Windows\SysWOW64\Hgmalg32.exeC:\Windows\system32\Hgmalg32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Windows\SysWOW64\Hmfjha32.exeC:\Windows\system32\Hmfjha32.exe80⤵PID:1284
-
C:\Windows\SysWOW64\Habfipdj.exeC:\Windows\system32\Habfipdj.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe83⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe84⤵PID:892
-
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:716 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe86⤵
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Iedkbc32.exeC:\Windows\system32\Iedkbc32.exe87⤵PID:1956
-
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe88⤵PID:2596
-
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe90⤵PID:3040
-
C:\Windows\SysWOW64\Ichllgfb.exeC:\Windows\system32\Ichllgfb.exe91⤵
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe93⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe94⤵PID:2352
-
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe95⤵PID:1652
-
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe96⤵
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe98⤵
- System Location Discovery: System Language Discovery
PID:1428 -
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe99⤵PID:340
-
C:\Windows\SysWOW64\Ioaifhid.exeC:\Windows\system32\Ioaifhid.exe100⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Ihjnom32.exeC:\Windows\system32\Ihjnom32.exe104⤵PID:2356
-
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe105⤵
- System Location Discovery: System Language Discovery
PID:620 -
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe106⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Jabbhcfe.exeC:\Windows\system32\Jabbhcfe.exe107⤵
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Jdpndnei.exeC:\Windows\system32\Jdpndnei.exe108⤵PID:332
-
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe109⤵PID:2920
-
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe111⤵PID:324
-
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe112⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176 -
C:\Windows\SysWOW64\Jgagfi32.exeC:\Windows\system32\Jgagfi32.exe115⤵PID:700
-
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe119⤵PID:2084
-
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe120⤵PID:2512
-
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe121⤵
- Drops file in System32 directory
PID:2480
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-