Analysis
-
max time kernel
93s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:13
Static task
static1
Behavioral task
behavioral1
Sample
a36061b5a31821d936bc1dc565cf431a56fc6fd97802db0844b2d04a68156239.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a36061b5a31821d936bc1dc565cf431a56fc6fd97802db0844b2d04a68156239.exe
Resource
win10v2004-20241007-en
General
-
Target
a36061b5a31821d936bc1dc565cf431a56fc6fd97802db0844b2d04a68156239.exe
-
Size
52KB
-
MD5
d1c5f19ec47d7f858a65f422ac47b3ef
-
SHA1
211cc0ba4f420f9937a6f76d175f179857f049b8
-
SHA256
a36061b5a31821d936bc1dc565cf431a56fc6fd97802db0844b2d04a68156239
-
SHA512
8afb53abd8e3390295cea7cfcc58435ae31e73301e054d29bb5e5bf1d7b991f6eb7c280877c61903dff7072c33a8901135e7797ddf2b452a3a5ad1ca69b28c1c
-
SSDEEP
1536:Lo+3FJYgY7Nj5DRcybH4KZF8QMQIi/95yEhr+LMAdKZ:Lp6rl5yWiLMRZ
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mmpmnl32.exeGafmaj32.exeIdkbkl32.exeCihclh32.exeDmhand32.exeAdikdfna.exeKfnfjehl.exeLnjgfb32.exeLihfcm32.exeJdfjld32.exeMcpcdg32.exeBqilgmdg.exeQcaofebg.exeAjndioga.exeIciaqc32.exeNobdbkhf.exeKmaopfjm.exeKdbjhbbd.exeBochmn32.exeHmdlmg32.exeFmnkkg32.exeLkofdbkj.exeGfhndpol.exeLqojclne.exeQhonib32.exeGpcmga32.exeGphgbafl.exeJfpojead.exeBjlgdc32.exeIqbbpm32.exeLankbigo.exeFikbocki.exePedbahod.exeFdhcgaic.exeIahlcaol.exePflibgil.exeGgahedjn.exeHkfglb32.exeNjmhhefi.exeHifcgion.exeNaaqofgj.exeDjcoai32.exeIggjga32.exeFpodlbng.exeJhndljll.exeEciplm32.exeEnigke32.exeIoambknl.exePjbkgfej.exeKlfaapbl.exeHheoid32.exeFimodc32.exeIpoopgnf.exeLfgipd32.exeHkjjlhle.exeIlafiihp.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpmnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gafmaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkbkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cihclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmhand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adikdfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnfjehl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjgfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihfcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdfjld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpcdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqilgmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcaofebg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajndioga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iciaqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nobdbkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbjhbbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bochmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdlmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnkkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkofdbkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqojclne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhonib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphgbafl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpojead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjlgdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqbbpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lankbigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikbocki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedbahod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdhcgaic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahlcaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflibgil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggahedjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmhhefi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifcgion.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naaqofgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcoai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpodlbng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhndljll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eciplm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioambknl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbkgfej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hheoid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimodc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoopgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfgipd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjjlhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilafiihp.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Bmemac32.exeChjaol32.exeCndikf32.exeCenahpha.exeCfpnph32.exeCnffqf32.exeCaebma32.exeCdcoim32.exeChokikeb.exeCnicfe32.exeCdfkolkf.exeCjpckf32.exeCeehho32.exeCffdpghg.exeCnnlaehj.exeCegdnopg.exeDhfajjoj.exeDopigd32.exeDejacond.exeDdmaok32.exeDhhnpjmh.exeDaqbip32.exeDhkjej32.exeDfnjafap.exeDmgbnq32.exeDfpgffpm.exeDmjocp32.exeDaekdooc.exeDgbdlf32.exeEecdjmfi.exeEdfdej32.exeEajeon32.exeEhdmlhcj.exeEonehbjg.exeEehnem32.exeEgijmegb.exeEopbnbhd.exeEdmjfifl.exeEkgbccni.exeEmeoooml.exeEaakpm32.exeEdpgli32.exeEgnchd32.exeEoekia32.exeFhmpagkp.exeFkllnbjc.exeFafdkmap.exeFhpmgg32.exeFknicb32.exeFnmepn32.exeFdfmlhna.exeFgeihcme.exeFnobem32.exeFdijbg32.exeFhdfbfdh.exeFkcboack.exeFnaokmco.exeFamjkl32.exeFdkggg32.exeFhgbhfbe.exeFgjccb32.exeFoqkdp32.exeFnckpmql.exeGekcaj32.exepid process 872 Bmemac32.exe 1028 Chjaol32.exe 2776 Cndikf32.exe 3360 Cenahpha.exe 2376 Cfpnph32.exe 1396 Cnffqf32.exe 3932 Caebma32.exe 660 Cdcoim32.exe 1000 Chokikeb.exe 4092 Cnicfe32.exe 2784 Cdfkolkf.exe 716 Cjpckf32.exe 216 Ceehho32.exe 4144 Cffdpghg.exe 1152 Cnnlaehj.exe 1556 Cegdnopg.exe 4376 Dhfajjoj.exe 2716 Dopigd32.exe 3064 Dejacond.exe 1328 Ddmaok32.exe 3936 Dhhnpjmh.exe 4552 Daqbip32.exe 3032 Dhkjej32.exe 3268 Dfnjafap.exe 2220 Dmgbnq32.exe 1052 Dfpgffpm.exe 4380 Dmjocp32.exe 3044 Daekdooc.exe 2096 Dgbdlf32.exe 2576 Eecdjmfi.exe 4856 Edfdej32.exe 2064 Eajeon32.exe 4080 Ehdmlhcj.exe 1184 Eonehbjg.exe 3180 Eehnem32.exe 3876 Egijmegb.exe 4452 Eopbnbhd.exe 2884 Edmjfifl.exe 2200 Ekgbccni.exe 1936 Emeoooml.exe 3124 Eaakpm32.exe 548 Edpgli32.exe 3908 Egnchd32.exe 1180 Eoekia32.exe 1644 Fhmpagkp.exe 4156 Fkllnbjc.exe 3600 Fafdkmap.exe 1268 Fhpmgg32.exe 1272 Fknicb32.exe 3696 Fnmepn32.exe 836 Fdfmlhna.exe 1996 Fgeihcme.exe 3568 Fnobem32.exe 3960 Fdijbg32.exe 1952 Fhdfbfdh.exe 936 Fkcboack.exe 1472 Fnaokmco.exe 3448 Famjkl32.exe 3816 Fdkggg32.exe 1712 Fhgbhfbe.exe 3512 Fgjccb32.exe 3720 Foqkdp32.exe 3172 Fnckpmql.exe 2772 Gekcaj32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Hbjoeojc.exeImkbnf32.exeBhamkipi.exeCfqmpl32.exeNnfgcd32.exeLklbdm32.exeIoambknl.exePapfgbmg.exeGkobjpin.exeGnjjfegi.exeFfobhg32.exeHckeoeno.exeKlfaapbl.exeBhpfqcln.exeNeffpj32.exeAjhniccb.exeOemefcap.exeLikcilhh.exeHefnkkkj.exeHplbickp.exeDfjpfj32.exeCleegp32.exeKefdbo32.exeCpeohh32.exeFagjfflb.exeHdkidohn.exeMmfkhmdi.exeOcffempp.exeFkbkdkpp.exeMbighjdd.exeFpgpgfmh.exeJgonlm32.exeKbmoen32.exeCpleig32.exePoajkgnc.exeFnmepn32.exeFoqkdp32.exeCglgjeci.exeNlnkmnah.exeKpdboimg.exeCkfphc32.exeGbalopbn.exeNajceeoo.exeCfpffeaj.exeNlphbnoe.exeDfnjafap.exeLnnikdnj.exePpjgoaoj.exeBcbohigp.exeJdfjld32.exeOnpjichj.exeGjfnedho.exeMmkkmc32.exeMjahlgpf.exeHhiajmod.exeKkcfid32.exeLijlof32.exeLnjgfb32.exeDblgpl32.exeFngcmcfe.exedescription ioc process File created C:\Windows\SysWOW64\Hehkajig.exe Hbjoeojc.exe File created C:\Windows\SysWOW64\Didmdo32.dll Imkbnf32.exe File opened for modification C:\Windows\SysWOW64\Bkoigdom.exe Bhamkipi.exe File opened for modification C:\Windows\SysWOW64\Cioilg32.exe Cfqmpl32.exe File created C:\Windows\SysWOW64\Lhffmd32.dll Nnfgcd32.exe File created C:\Windows\SysWOW64\Eghghj32.dll Lklbdm32.exe File created C:\Windows\SysWOW64\Indmnh32.exe Ioambknl.exe File created C:\Windows\SysWOW64\Ockbnedp.dll Papfgbmg.exe File opened for modification C:\Windows\SysWOW64\Gnmnfkia.exe Gkobjpin.exe File created C:\Windows\SysWOW64\Ladnhcdo.dll Gnjjfegi.exe File created C:\Windows\SysWOW64\Fimodc32.exe Ffobhg32.exe File created C:\Windows\SysWOW64\Gefchq32.dll Hckeoeno.exe File opened for modification C:\Windows\SysWOW64\Kodnmkap.exe Klfaapbl.exe File created C:\Windows\SysWOW64\Aiffheej.dll Bhpfqcln.exe File opened for modification C:\Windows\SysWOW64\Nlqomd32.exe Neffpj32.exe File created C:\Windows\SysWOW64\Eoefilfc.dll Ajhniccb.exe File created C:\Windows\SysWOW64\Olgncmim.exe Oemefcap.exe File created C:\Windows\SysWOW64\Nfcabp32.exe File created C:\Windows\SysWOW64\Lbchba32.exe Likcilhh.exe File created C:\Windows\SysWOW64\Hmmfmhll.exe Hefnkkkj.exe File opened for modification C:\Windows\SysWOW64\Hbjoeojc.exe Hplbickp.exe File created C:\Windows\SysWOW64\Ipckmjqi.dll Dfjpfj32.exe File opened for modification C:\Windows\SysWOW64\Ckhecmcf.exe Cleegp32.exe File created C:\Windows\SysWOW64\Lnnikdnj.exe Kefdbo32.exe File opened for modification C:\Windows\SysWOW64\Ccqkigkp.exe Cpeohh32.exe File created C:\Windows\SysWOW64\Fdffbake.exe Fagjfflb.exe File opened for modification C:\Windows\SysWOW64\Hhfedm32.exe Hdkidohn.exe File created C:\Windows\SysWOW64\Bmgagk32.dll Mmfkhmdi.exe File opened for modification C:\Windows\SysWOW64\Pedbahod.exe Ocffempp.exe File created C:\Windows\SysWOW64\Fpodlbng.exe Fkbkdkpp.exe File created C:\Windows\SysWOW64\Micoed32.exe Mbighjdd.exe File created C:\Windows\SysWOW64\Fnipbc32.exe Fpgpgfmh.exe File created C:\Windows\SysWOW64\Ibcllpfj.dll Jgonlm32.exe File opened for modification C:\Windows\SysWOW64\Kelkaj32.exe Kbmoen32.exe File created C:\Windows\SysWOW64\Ccgajfeh.exe Cpleig32.exe File opened for modification C:\Windows\SysWOW64\Papfgbmg.exe Poajkgnc.exe File opened for modification C:\Windows\SysWOW64\Ocaebc32.exe File created C:\Windows\SysWOW64\Fdfmlhna.exe Fnmepn32.exe File opened for modification C:\Windows\SysWOW64\Fnckpmql.exe Foqkdp32.exe File opened for modification C:\Windows\SysWOW64\Cfogeb32.exe Cglgjeci.exe File opened for modification C:\Windows\SysWOW64\Nolgijpk.exe Nlnkmnah.exe File created C:\Windows\SysWOW64\Kfnkkb32.exe Kpdboimg.exe File opened for modification C:\Windows\SysWOW64\Ccmgiaig.exe Ckfphc32.exe File opened for modification C:\Windows\SysWOW64\Gikdkj32.exe Gbalopbn.exe File created C:\Windows\SysWOW64\Nhdlao32.exe Najceeoo.exe File created C:\Windows\SysWOW64\Ckmonl32.exe Cfpffeaj.exe File opened for modification C:\Windows\SysWOW64\Cdbpgl32.exe File created C:\Windows\SysWOW64\Kalhafbk.dll Nlphbnoe.exe File opened for modification C:\Windows\SysWOW64\Dmgbnq32.exe Dfnjafap.exe File opened for modification C:\Windows\SysWOW64\Lpneegel.exe Lnnikdnj.exe File created C:\Windows\SysWOW64\Dfggbllc.dll Ppjgoaoj.exe File opened for modification C:\Windows\SysWOW64\Bjlgdc32.exe Bcbohigp.exe File created C:\Windows\SysWOW64\Ejljgqdp.dll Jdfjld32.exe File opened for modification C:\Windows\SysWOW64\Oanfen32.exe Onpjichj.exe File opened for modification C:\Windows\SysWOW64\Glgjlm32.exe Gjfnedho.exe File created C:\Windows\SysWOW64\Chmbeqne.dll Mmkkmc32.exe File opened for modification C:\Windows\SysWOW64\Mmpdhboj.exe Mjahlgpf.exe File created C:\Windows\SysWOW64\Hglaej32.exe Hhiajmod.exe File opened for modification C:\Windows\SysWOW64\Kbmoen32.exe Kkcfid32.exe File opened for modification C:\Windows\SysWOW64\Ljkifn32.exe Lijlof32.exe File opened for modification C:\Windows\SysWOW64\Lokdnjkg.exe Lnjgfb32.exe File created C:\Windows\SysWOW64\Ikfghc32.dll Dblgpl32.exe File created C:\Windows\SysWOW64\Fealin32.exe Fngcmcfe.exe File created C:\Windows\SysWOW64\Palklf32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 8180 8092 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Elbhjp32.exeNfjola32.exeDhjckcgi.exeLikcilhh.exeIqbbpm32.exeIdhnkf32.exeIafonaao.exeJbileede.exeDmbbhkjf.exeOmegjomb.exePapfgbmg.exePdfehh32.exeIoambknl.exeBhcjqinf.exeIjcjmmil.exeKpmdfonj.exePoomegpf.exeCeehho32.exeNnbnhedj.exeNnojho32.exeGkleeplq.exeLnnikdnj.exeQlmgopjq.exeKgopidgf.exePhcomcng.exeLcjcnoej.exeFnipbc32.exeGfhndpol.exeCjpckf32.exeFhdfbfdh.exeGdafnpqh.exeHglaej32.exeDjklmo32.exeLmdemd32.exeJgkmgk32.exeHhfedm32.exeLjdceo32.exeLekmnajj.exeQaalblgi.exeCbbnpg32.exeDnmhpg32.exeCegdnopg.exeLghcocol.exeEbimgcfi.exeHgghjjid.exeHaafcb32.exeEopbnbhd.exeOocddono.exePllgnl32.exeMcqjon32.exeKpbfii32.exeJjoiil32.exeClgbmp32.exeLbchba32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbhjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhjckcgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Likcilhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqbbpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhnkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafonaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbileede.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbbhkjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Papfgbmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioambknl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhcjqinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcjmmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpmdfonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poomegpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceehho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnbnhedj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnojho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkleeplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnikdnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlmgopjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgopidgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcomcng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjcnoej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnipbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhndpol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjpckf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdfbfdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdafnpqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hglaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djklmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmdemd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfedm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekmnajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaalblgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmhpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegdnopg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghcocol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebimgcfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgghjjid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haafcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopbnbhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oocddono.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpbfii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjoiil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clgbmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbchba32.exe -
Modifies registry class 64 IoCs
Processes:
Jodjhkkj.exeKpbfii32.exeGdjibj32.exeGlgjlm32.exeCjaifp32.exePllgnl32.exeCfcjfk32.exeOebflhaf.exeCmfclm32.exeBjlpjm32.exeBbnkonbd.exeFpmggb32.exeLlflea32.exeFimodc32.exeIciaqc32.exeFkllnbjc.exeLihfcm32.exeCpbbch32.exeKqnbkl32.exeNknobkje.exeBkoigdom.exeLfgipd32.exeNclbpf32.exeHjchaf32.exeGlipgf32.exeIkaggmii.exeFmlneg32.exeIplkpa32.exeFmgejhgn.exeIgcoqocb.exeMekgdl32.exeAfnnnd32.exeCkmehb32.exeFdglmkeg.exeJjlmclqa.exeIebngial.exeIfleoe32.exeQcbfakec.exeCmklglpn.exeIknmla32.exeFdijbg32.exeObjpoh32.exeIgpdfb32.exeMcqjon32.exeIeidhh32.exeKflnfcgg.exeFkbkdkpp.exeEkkkoj32.exeDdmaok32.exeAmaqjp32.exea36061b5a31821d936bc1dc565cf431a56fc6fd97802db0844b2d04a68156239.exeLnnikdnj.exePmaffnce.exeCdpjlb32.exeKgamnded.exeNhmofj32.exeFpbflg32.exeKfnfjehl.exeMmmqhl32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jodjhkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpbfii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdjibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glgjlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicbhla.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjaifp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnpaa32.dll" Pllgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njoddaaj.dll" Cfcjfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oebflhaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmfclm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbnkonbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpmggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llflea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgamkhq.dll" Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkllnbjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lihfcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmloej32.dll" Cpbbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqnbkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nknobkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkoigdom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbdlf32.dll" Lfgipd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfiji32.dll" Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcpgejf.dll" Hjchaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glipgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikaggmii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpihol32.dll" Fmlneg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iplkpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifpcjin.dll" Fmgejhgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeglpiqf.dll" Igcoqocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mekgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afnnnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckmehb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmcpl32.dll" Mekgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iebngial.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifleoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkibhn32.dll" Qcbfakec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmklglpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iknmla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdijbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Objpoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igpdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcqjon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampillfk.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kflnfcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbcbhgq.dll" Fkbkdkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqecq32.dll" Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiginoqd.dll" Amaqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" a36061b5a31821d936bc1dc565cf431a56fc6fd97802db0844b2d04a68156239.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnnikdnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmaffnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgamnded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkemhahj.dll" Nhmofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmmqhl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a36061b5a31821d936bc1dc565cf431a56fc6fd97802db0844b2d04a68156239.exeBmemac32.exeChjaol32.exeCndikf32.exeCenahpha.exeCfpnph32.exeCnffqf32.exeCaebma32.exeCdcoim32.exeChokikeb.exeCnicfe32.exeCdfkolkf.exeCjpckf32.exeCeehho32.exeCffdpghg.exeCnnlaehj.exeCegdnopg.exeDhfajjoj.exeDopigd32.exeDejacond.exeDdmaok32.exeDhhnpjmh.exedescription pid process target process PID 684 wrote to memory of 872 684 a36061b5a31821d936bc1dc565cf431a56fc6fd97802db0844b2d04a68156239.exe Bmemac32.exe PID 684 wrote to memory of 872 684 a36061b5a31821d936bc1dc565cf431a56fc6fd97802db0844b2d04a68156239.exe Bmemac32.exe PID 684 wrote to memory of 872 684 a36061b5a31821d936bc1dc565cf431a56fc6fd97802db0844b2d04a68156239.exe Bmemac32.exe PID 872 wrote to memory of 1028 872 Bmemac32.exe Chjaol32.exe PID 872 wrote to memory of 1028 872 Bmemac32.exe Chjaol32.exe PID 872 wrote to memory of 1028 872 Bmemac32.exe Chjaol32.exe PID 1028 wrote to memory of 2776 1028 Chjaol32.exe Cndikf32.exe PID 1028 wrote to memory of 2776 1028 Chjaol32.exe Cndikf32.exe PID 1028 wrote to memory of 2776 1028 Chjaol32.exe Cndikf32.exe PID 2776 wrote to memory of 3360 2776 Cndikf32.exe Cenahpha.exe PID 2776 wrote to memory of 3360 2776 Cndikf32.exe Cenahpha.exe PID 2776 wrote to memory of 3360 2776 Cndikf32.exe Cenahpha.exe PID 3360 wrote to memory of 2376 3360 Cenahpha.exe Cfpnph32.exe PID 3360 wrote to memory of 2376 3360 Cenahpha.exe Cfpnph32.exe PID 3360 wrote to memory of 2376 3360 Cenahpha.exe Cfpnph32.exe PID 2376 wrote to memory of 1396 2376 Cfpnph32.exe Cnffqf32.exe PID 2376 wrote to memory of 1396 2376 Cfpnph32.exe Cnffqf32.exe PID 2376 wrote to memory of 1396 2376 Cfpnph32.exe Cnffqf32.exe PID 1396 wrote to memory of 3932 1396 Cnffqf32.exe Caebma32.exe PID 1396 wrote to memory of 3932 1396 Cnffqf32.exe Caebma32.exe PID 1396 wrote to memory of 3932 1396 Cnffqf32.exe Caebma32.exe PID 3932 wrote to memory of 660 3932 Caebma32.exe Cdcoim32.exe PID 3932 wrote to memory of 660 3932 Caebma32.exe Cdcoim32.exe PID 3932 wrote to memory of 660 3932 Caebma32.exe Cdcoim32.exe PID 660 wrote to memory of 1000 660 Cdcoim32.exe Chokikeb.exe PID 660 wrote to memory of 1000 660 Cdcoim32.exe Chokikeb.exe PID 660 wrote to memory of 1000 660 Cdcoim32.exe Chokikeb.exe PID 1000 wrote to memory of 4092 1000 Chokikeb.exe Cnicfe32.exe PID 1000 wrote to memory of 4092 1000 Chokikeb.exe Cnicfe32.exe PID 1000 wrote to memory of 4092 1000 Chokikeb.exe Cnicfe32.exe PID 4092 wrote to memory of 2784 4092 Cnicfe32.exe Cdfkolkf.exe PID 4092 wrote to memory of 2784 4092 Cnicfe32.exe Cdfkolkf.exe PID 4092 wrote to memory of 2784 4092 Cnicfe32.exe Cdfkolkf.exe PID 2784 wrote to memory of 716 2784 Cdfkolkf.exe Cjpckf32.exe PID 2784 wrote to memory of 716 2784 Cdfkolkf.exe Cjpckf32.exe PID 2784 wrote to memory of 716 2784 Cdfkolkf.exe Cjpckf32.exe PID 716 wrote to memory of 216 716 Cjpckf32.exe Ceehho32.exe PID 716 wrote to memory of 216 716 Cjpckf32.exe Ceehho32.exe PID 716 wrote to memory of 216 716 Cjpckf32.exe Ceehho32.exe PID 216 wrote to memory of 4144 216 Ceehho32.exe Cffdpghg.exe PID 216 wrote to memory of 4144 216 Ceehho32.exe Cffdpghg.exe PID 216 wrote to memory of 4144 216 Ceehho32.exe Cffdpghg.exe PID 4144 wrote to memory of 1152 4144 Cffdpghg.exe Cnnlaehj.exe PID 4144 wrote to memory of 1152 4144 Cffdpghg.exe Cnnlaehj.exe PID 4144 wrote to memory of 1152 4144 Cffdpghg.exe Cnnlaehj.exe PID 1152 wrote to memory of 1556 1152 Cnnlaehj.exe Cegdnopg.exe PID 1152 wrote to memory of 1556 1152 Cnnlaehj.exe Cegdnopg.exe PID 1152 wrote to memory of 1556 1152 Cnnlaehj.exe Cegdnopg.exe PID 1556 wrote to memory of 4376 1556 Cegdnopg.exe Dhfajjoj.exe PID 1556 wrote to memory of 4376 1556 Cegdnopg.exe Dhfajjoj.exe PID 1556 wrote to memory of 4376 1556 Cegdnopg.exe Dhfajjoj.exe PID 4376 wrote to memory of 2716 4376 Dhfajjoj.exe Dopigd32.exe PID 4376 wrote to memory of 2716 4376 Dhfajjoj.exe Dopigd32.exe PID 4376 wrote to memory of 2716 4376 Dhfajjoj.exe Dopigd32.exe PID 2716 wrote to memory of 3064 2716 Dopigd32.exe Dejacond.exe PID 2716 wrote to memory of 3064 2716 Dopigd32.exe Dejacond.exe PID 2716 wrote to memory of 3064 2716 Dopigd32.exe Dejacond.exe PID 3064 wrote to memory of 1328 3064 Dejacond.exe Ddmaok32.exe PID 3064 wrote to memory of 1328 3064 Dejacond.exe Ddmaok32.exe PID 3064 wrote to memory of 1328 3064 Dejacond.exe Ddmaok32.exe PID 1328 wrote to memory of 3936 1328 Ddmaok32.exe Dhhnpjmh.exe PID 1328 wrote to memory of 3936 1328 Ddmaok32.exe Dhhnpjmh.exe PID 1328 wrote to memory of 3936 1328 Ddmaok32.exe Dhhnpjmh.exe PID 3936 wrote to memory of 4552 3936 Dhhnpjmh.exe Daqbip32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a36061b5a31821d936bc1dc565cf431a56fc6fd97802db0844b2d04a68156239.exe"C:\Users\Admin\AppData\Local\Temp\a36061b5a31821d936bc1dc565cf431a56fc6fd97802db0844b2d04a68156239.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe23⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe24⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3268 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe26⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe27⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe28⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe29⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe30⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe31⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe32⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe33⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe34⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe35⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe36⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe37⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4452 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe39⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe40⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe41⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe42⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe43⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe44⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe45⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe46⤵PID:4216
-
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe47⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4156 -
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe49⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe50⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe51⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3696 -
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe53⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe54⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe55⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:3960 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe58⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe59⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe60⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe61⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe62⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe63⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3720 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe65⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe66⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe67⤵PID:1072
-
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe68⤵PID:1852
-
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe69⤵PID:1188
-
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe70⤵PID:1324
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe71⤵PID:2428
-
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe72⤵PID:3996
-
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe73⤵PID:2152
-
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe74⤵PID:116
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe75⤵
- System Location Discovery: System Language Discovery
PID:1872 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5076 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe77⤵PID:4832
-
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe78⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe79⤵PID:4968
-
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe80⤵PID:3420
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe81⤵PID:4912
-
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe82⤵PID:4984
-
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe83⤵PID:536
-
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe84⤵PID:4324
-
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe85⤵PID:3336
-
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2404 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe87⤵PID:4516
-
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe88⤵PID:3000
-
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe89⤵PID:2700
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe90⤵PID:1920
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe91⤵PID:1916
-
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe92⤵PID:2012
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe93⤵PID:1604
-
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe94⤵PID:2788
-
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe95⤵PID:1444
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe96⤵PID:5100
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe97⤵PID:3128
-
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe98⤵PID:1128
-
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe99⤵PID:436
-
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe100⤵PID:4956
-
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe101⤵PID:2476
-
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe102⤵
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe103⤵PID:5180
-
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe104⤵PID:5224
-
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe105⤵
- Modifies registry class
PID:5288 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe106⤵PID:5348
-
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe107⤵PID:5396
-
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe108⤵PID:5468
-
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe109⤵PID:5512
-
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe110⤵PID:5564
-
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe111⤵PID:5612
-
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe112⤵PID:5688
-
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe113⤵PID:5744
-
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe114⤵PID:5812
-
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5860 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe116⤵PID:5912
-
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe117⤵
- Modifies registry class
PID:5956 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe118⤵PID:6008
-
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe119⤵PID:6052
-
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe120⤵
- Modifies registry class
PID:6112 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe121⤵PID:5128
-
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe122⤵PID:5192
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-