Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:30
Behavioral task
behavioral1
Sample
cb1ca78fdd1cea671c79f2275cf4325ab90e17931c45864a0797fc58a2ad5aa8N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cb1ca78fdd1cea671c79f2275cf4325ab90e17931c45864a0797fc58a2ad5aa8N.exe
Resource
win10v2004-20241007-en
General
-
Target
cb1ca78fdd1cea671c79f2275cf4325ab90e17931c45864a0797fc58a2ad5aa8N.exe
-
Size
219KB
-
MD5
e9aea67583e0b3e9b4e5ab6f487b8c70
-
SHA1
7740b56f2412abcaec4d9dce63d2258df3651ff6
-
SHA256
cb1ca78fdd1cea671c79f2275cf4325ab90e17931c45864a0797fc58a2ad5aa8
-
SHA512
4012fb0a46a6933b4dc0e54babc2ed30f70a1895c9b9c3643f433a95321c2f7390631378b3928e58d0261f2dfc2bdfc5cec3976e1d5288f3d16c3fd924cfd15e
-
SSDEEP
3072:8MdJ+OeAVha2PzwuZkO0aDb/IBPCOQvU6z314EXrjvwSfYrwBt:8vdA+0zDOO0aDD4PCxdXXwSfYrwB
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Qqijje32.exeMidfokpm.exeEclmamod.exeHocqam32.exeAkcjkfij.exeHcpojd32.exeIcdheded.exePqknig32.exeOihagaji.exeAckbmcjl.exeJkimho32.exeFfddka32.exeJlpkba32.exeLiddbc32.exeGohaeo32.exeFpggamqc.exeEdbklofb.exeDhfajjoj.exePfgogh32.exeDgejpd32.exeDjhimica.exeJehhaaci.exeFhdohp32.exeHpdfnolo.exePchlpfjb.exeGigaka32.exeIemppiab.exeCmqmma32.exeQgnbaj32.exeDflmlj32.exeGljgbllj.exeCmmbbejp.exeIifokh32.exeAglemn32.exeDmgbnq32.exeDhomfc32.exeLldopb32.exeLblaabdp.exeOileggkb.exeIhnkel32.exePcmeke32.exeJknfcofa.exeGddinf32.exeHncmmd32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqijje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Midfokpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eclmamod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hocqam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akcjkfij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqknig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihagaji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackbmcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkimho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffddka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlpkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liddbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpggamqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edbklofb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfgogh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgejpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhimica.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jehhaaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhdohp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpdfnolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pchlpfjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iemppiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmqmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gljgbllj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmmbbejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iifokh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhomfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lblaabdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oileggkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihnkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcmeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jknfcofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddinf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hncmmd32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Cddecc32.exeCojjqlpk.exeCecbmf32.exeClnjjpod.exeCbgbgj32.exeCefoce32.exeChdkoa32.exeCkcgkldl.exeCehkhecb.exeChghdqbf.exeDbllbibl.exeDdmhja32.exeDkgqfl32.exeDaaicfgd.exeDlgmpogj.exeDadeieea.exeDhnnep32.exeDkljak32.exeDccbbhld.exeDeanodkh.exeDllfkn32.exeDceohhja.exeDdgkpp32.exeDlncan32.exeEchknh32.exeEefhjc32.exeEkcpbj32.exeEoolbinc.exeEdkdkplj.exeEkemhj32.exeEcmeig32.exeEdnaqo32.exeEkhjmiad.exeEabbjc32.exeEdpnfo32.exeEhljfnpn.exeEkjfcipa.exeEcandfpd.exeEepjpb32.exeEdbklofb.exeFljcmlfd.exeFohoigfh.exeFafkecel.exeFebgea32.exeFhqcam32.exeFkopnh32.exeFojlngce.exeFaihkbci.exeFfddka32.exeFlnlhk32.exeFomhdg32.exeFchddejl.exeFfgqqaip.exeFhemmlhc.exeFkciihgg.exeFckajehi.exeFfimfqgm.exeFhgjblfq.exeFkffog32.exeFoabofnn.exeFbpnkama.exeFhjfhl32.exeGododflk.exeGdqgmmjb.exepid process 3400 Cddecc32.exe 3956 Cojjqlpk.exe 2452 Cecbmf32.exe 5116 Clnjjpod.exe 4128 Cbgbgj32.exe 1996 Cefoce32.exe 1468 Chdkoa32.exe 1580 Ckcgkldl.exe 4588 Cehkhecb.exe 1016 Chghdqbf.exe 2160 Dbllbibl.exe 3204 Ddmhja32.exe 1956 Dkgqfl32.exe 4912 Daaicfgd.exe 1760 Dlgmpogj.exe 3332 Dadeieea.exe 880 Dhnnep32.exe 3152 Dkljak32.exe 4548 Dccbbhld.exe 4032 Deanodkh.exe 3416 Dllfkn32.exe 2728 Dceohhja.exe 3916 Ddgkpp32.exe 1992 Dlncan32.exe 3856 Echknh32.exe 2012 Eefhjc32.exe 2828 Ekcpbj32.exe 1060 Eoolbinc.exe 4880 Edkdkplj.exe 1632 Ekemhj32.exe 1344 Ecmeig32.exe 4252 Ednaqo32.exe 3412 Ekhjmiad.exe 2964 Eabbjc32.exe 2024 Edpnfo32.exe 4772 Ehljfnpn.exe 2820 Ekjfcipa.exe 4048 Ecandfpd.exe 3004 Eepjpb32.exe 1412 Edbklofb.exe 4700 Fljcmlfd.exe 4604 Fohoigfh.exe 4088 Fafkecel.exe 1744 Febgea32.exe 3012 Fhqcam32.exe 1888 Fkopnh32.exe 4852 Fojlngce.exe 2212 Faihkbci.exe 1340 Ffddka32.exe 1092 Flnlhk32.exe 2320 Fomhdg32.exe 4408 Fchddejl.exe 3800 Ffgqqaip.exe 4664 Fhemmlhc.exe 2516 Fkciihgg.exe 224 Fckajehi.exe 4116 Ffimfqgm.exe 4904 Fhgjblfq.exe 3384 Fkffog32.exe 3420 Foabofnn.exe 4336 Fbpnkama.exe 4084 Fhjfhl32.exe 4616 Gododflk.exe 4044 Gdqgmmjb.exe -
Drops file in System32 directory 64 IoCs
Processes:
Nibbqicm.exeBiogppeg.exeHhlejcpm.exeJbgoof32.exeEfafgifc.exeEaakpm32.exeCjjcfabm.exeHmnmgnoh.exeIemppiab.exeMidfokpm.exeMblkhq32.exeHkgnfhnh.exeIbmeoq32.exeAmcmpodi.exeFacqkg32.exeNihipdhl.exeAfkknogn.exeMmlpoqpg.exeIkqqlgem.exeKecabifp.exeOhghgodi.exeOkedcjcm.exeDjdflp32.exeOfqpqo32.exeJgdhgmep.exeKbbokdlk.exeBciehh32.exeFiliii32.exeMhafeb32.exeCjinkg32.exeNfjjppmm.exeKnalji32.exeDbllbibl.exeEoolbinc.exeHocqam32.exeIgcoqocb.exeCcpdoqgd.exeJiokfpph.exeJpkphjeb.exeFkllnbjc.exeCecbmf32.exeNahgoe32.exedescription ioc process File created C:\Windows\SysWOW64\Abbcakoc.dll Nibbqicm.exe File created C:\Windows\SysWOW64\Bmkcqn32.exe Biogppeg.exe File opened for modification C:\Windows\SysWOW64\Dahmfpap.exe File created C:\Windows\SysWOW64\Hkjafn32.exe Hhlejcpm.exe File created C:\Windows\SysWOW64\Lkhpjc32.dll File opened for modification C:\Windows\SysWOW64\Jeekkafl.exe Jbgoof32.exe File created C:\Windows\SysWOW64\Kbpnnj32.dll Efafgifc.exe File created C:\Windows\SysWOW64\Oeedjegm.dll File created C:\Windows\SysWOW64\Gceegdko.dll File opened for modification C:\Windows\SysWOW64\Eemgplno.exe Eaakpm32.exe File created C:\Windows\SysWOW64\Cmipblaq.exe Cjjcfabm.exe File created C:\Windows\SysWOW64\Gckoph32.dll Hmnmgnoh.exe File created C:\Windows\SysWOW64\Enpmld32.exe File created C:\Windows\SysWOW64\Modgdicm.exe File opened for modification C:\Windows\SysWOW64\Imdgqfbd.exe Iemppiab.exe File created C:\Windows\SysWOW64\Noloin32.dll Midfokpm.exe File created C:\Windows\SysWOW64\Mekgdl32.exe Mblkhq32.exe File opened for modification C:\Windows\SysWOW64\Hpdfnolo.exe Hkgnfhnh.exe File created C:\Windows\SysWOW64\Alkdoago.dll Ibmeoq32.exe File created C:\Windows\SysWOW64\Lcnmin32.exe File created C:\Windows\SysWOW64\Eopjfnlo.dll File created C:\Windows\SysWOW64\Aobilkcl.exe Amcmpodi.exe File created C:\Windows\SysWOW64\Kednfemc.dll Facqkg32.exe File opened for modification C:\Windows\SysWOW64\Nlfelogp.exe Nihipdhl.exe File opened for modification C:\Windows\SysWOW64\Ajggomog.exe Afkknogn.exe File created C:\Windows\SysWOW64\Jleijb32.exe File opened for modification C:\Windows\SysWOW64\Mpjlklok.exe Mmlpoqpg.exe File created C:\Windows\SysWOW64\Ijcahd32.exe Ikqqlgem.exe File created C:\Windows\SysWOW64\Hijjli32.dll Kecabifp.exe File created C:\Windows\SysWOW64\Hobipl32.dll Ohghgodi.exe File created C:\Windows\SysWOW64\Oblmdhdo.exe Okedcjcm.exe File opened for modification C:\Windows\SysWOW64\Mgehfkop.exe File created C:\Windows\SysWOW64\Mmalnp32.dll Hhlejcpm.exe File created C:\Windows\SysWOW64\Jghdlf32.dll Djdflp32.exe File created C:\Windows\SysWOW64\Eiahnnph.exe File opened for modification C:\Windows\SysWOW64\Mqimikfj.exe File created C:\Windows\SysWOW64\Onhhamgg.exe Ofqpqo32.exe File opened for modification C:\Windows\SysWOW64\Jpkphjeb.exe Jgdhgmep.exe File opened for modification C:\Windows\SysWOW64\Kfnkkb32.exe Kbbokdlk.exe File created C:\Windows\SysWOW64\Abmmgg32.dll Bciehh32.exe File created C:\Windows\SysWOW64\Facqkg32.exe Filiii32.exe File created C:\Windows\SysWOW64\Kjmqinmi.dll Mhafeb32.exe File created C:\Windows\SysWOW64\Cmgjgcgo.exe Cjinkg32.exe File opened for modification C:\Windows\SysWOW64\Chfegk32.exe File created C:\Windows\SysWOW64\Ckjknfnh.exe File created C:\Windows\SysWOW64\Olcbmj32.exe Nfjjppmm.exe File created C:\Windows\SysWOW64\Jhohnk32.dll Knalji32.exe File created C:\Windows\SysWOW64\Njmhhefi.exe File opened for modification C:\Windows\SysWOW64\Blqllqqa.exe File opened for modification C:\Windows\SysWOW64\Ekaapi32.exe File created C:\Windows\SysWOW64\Ddmhja32.exe Dbllbibl.exe File opened for modification C:\Windows\SysWOW64\Edkdkplj.exe Eoolbinc.exe File created C:\Windows\SysWOW64\Dbikpjdg.dll Hocqam32.exe File created C:\Windows\SysWOW64\Iokgal32.exe Igcoqocb.exe File created C:\Windows\SysWOW64\Nhjnjq32.dll Ccpdoqgd.exe File created C:\Windows\SysWOW64\Joiccj32.exe Jiokfpph.exe File opened for modification C:\Windows\SysWOW64\Jfehed32.exe Jpkphjeb.exe File opened for modification C:\Windows\SysWOW64\Nnicid32.exe File opened for modification C:\Windows\SysWOW64\Gihgfk32.exe File created C:\Windows\SysWOW64\Ljceqb32.exe File opened for modification C:\Windows\SysWOW64\Fnjhjn32.exe Fkllnbjc.exe File created C:\Windows\SysWOW64\Jfdnfdoa.dll File opened for modification C:\Windows\SysWOW64\Clnjjpod.exe Cecbmf32.exe File opened for modification C:\Windows\SysWOW64\Nhbolp32.exe Nahgoe32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 18596 11740 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Keqdmihc.exeJkimho32.exeKihnmohm.exeMffjcopi.exeOcdjpmac.exeJbdbjf32.exeEfmmmn32.exeLenamdem.exeEdknqiho.exeBmngqdpj.exeDdakjkqi.exeNojanpej.exeGgnedlao.exeLldopb32.exeCjliajmo.exeKimnbd32.exeOcdqjceo.exeOnjegled.exeNibbqicm.exeBjcmebie.exeHhgloc32.exePpmcdq32.exeAmaqjp32.exePcmeke32.exeCimmggfl.exeQceiaa32.exeBjagjhnc.exeInkjhi32.exeNgomin32.exeJjamia32.exeHkikkeeo.exeEoekia32.exeFdkpma32.exeGlgjlm32.exeChghdqbf.exeAjckij32.exeKgmcce32.exeLjbfpo32.exeCobkhb32.exeJblpek32.exeEefaomcg.exePlndcl32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keqdmihc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkimho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihnmohm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffjcopi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdjpmac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbdbjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmmmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenamdem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edknqiho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmngqdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddakjkqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nojanpej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnedlao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjliajmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimnbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdqjceo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onjegled.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibbqicm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjcmebie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhgloc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmcdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amaqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmeke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cimmggfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qceiaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjagjhnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inkjhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngomin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjamia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkikkeeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoekia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgjlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chghdqbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmcce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobkhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblpek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eefaomcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plndcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Ckkiccep.exePfillg32.exeIjcahd32.exeFhjfhl32.exeOeicejia.exeAijnep32.exeNpmagine.exeCpleig32.exeBopocbcq.exeLpqiemge.exeJiokfpph.exeGbfldf32.exeDlgmpogj.exeJmbdbd32.exeQgnbaj32.exeDpqodfij.exeBcahmb32.exeCojjqlpk.exeAqkpeopg.exeJmpgldhg.exeDmdonkgc.exeEiildjag.exeHammhcij.exeGljgbllj.exeCgndoeag.exeFjjnifbl.exeAakebqbj.exeGofkje32.exeCjomap32.exeDabhdinj.exeEalkjh32.exeFohoigfh.exeFdffbake.exeHghoeqmp.exeLdleel32.exeHhgloc32.exeHihbijhn.exeBiogppeg.exeBfchidda.exeNahgoe32.exeAcmobchj.exePflibgil.exeDhfajjoj.exeFefjfked.exeIijaka32.exeIpjedh32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmenh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeichoo.dll" Ckkiccep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfillg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnnfbmk.dll" Ijcahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjcgfjdk.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenpmnno.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhjfhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aieeeflh.dll" Oeicejia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgolif32.dll" Aijnep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmphblgf.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npmagine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpleig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecgdnkl.dll" Bopocbcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll" Lpqiemge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiokfpph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkngke32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlgmpogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmbdbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgnbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpqodfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlgbnc32.dll" Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdnfdoa.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojjqlpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbfbhoh.dll" Aqkpeopg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmpgldhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmdonkgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiildjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjelhg32.dll" Gljgbllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgndoeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjnifbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aakebqbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gofkje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjomap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dabhdinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occomh32.dll" Ealkjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fohoigfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hghoeqmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldleel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhgloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqjbebh.dll" Hihbijhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biogppeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idqionfg.dll" Bfchidda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nahgoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pflibgil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhfajjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fefjfked.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iijaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cb1ca78fdd1cea671c79f2275cf4325ab90e17931c45864a0797fc58a2ad5aa8N.exeCddecc32.exeCojjqlpk.exeCecbmf32.exeClnjjpod.exeCbgbgj32.exeCefoce32.exeChdkoa32.exeCkcgkldl.exeCehkhecb.exeChghdqbf.exeDbllbibl.exeDdmhja32.exeDkgqfl32.exeDaaicfgd.exeDlgmpogj.exeDadeieea.exeDhnnep32.exeDkljak32.exeDccbbhld.exeDeanodkh.exeDllfkn32.exedescription pid process target process PID 2292 wrote to memory of 3400 2292 cb1ca78fdd1cea671c79f2275cf4325ab90e17931c45864a0797fc58a2ad5aa8N.exe Cddecc32.exe PID 2292 wrote to memory of 3400 2292 cb1ca78fdd1cea671c79f2275cf4325ab90e17931c45864a0797fc58a2ad5aa8N.exe Cddecc32.exe PID 2292 wrote to memory of 3400 2292 cb1ca78fdd1cea671c79f2275cf4325ab90e17931c45864a0797fc58a2ad5aa8N.exe Cddecc32.exe PID 3400 wrote to memory of 3956 3400 Cddecc32.exe Cojjqlpk.exe PID 3400 wrote to memory of 3956 3400 Cddecc32.exe Cojjqlpk.exe PID 3400 wrote to memory of 3956 3400 Cddecc32.exe Cojjqlpk.exe PID 3956 wrote to memory of 2452 3956 Cojjqlpk.exe Cecbmf32.exe PID 3956 wrote to memory of 2452 3956 Cojjqlpk.exe Cecbmf32.exe PID 3956 wrote to memory of 2452 3956 Cojjqlpk.exe Cecbmf32.exe PID 2452 wrote to memory of 5116 2452 Cecbmf32.exe Clnjjpod.exe PID 2452 wrote to memory of 5116 2452 Cecbmf32.exe Clnjjpod.exe PID 2452 wrote to memory of 5116 2452 Cecbmf32.exe Clnjjpod.exe PID 5116 wrote to memory of 4128 5116 Clnjjpod.exe Cbgbgj32.exe PID 5116 wrote to memory of 4128 5116 Clnjjpod.exe Cbgbgj32.exe PID 5116 wrote to memory of 4128 5116 Clnjjpod.exe Cbgbgj32.exe PID 4128 wrote to memory of 1996 4128 Cbgbgj32.exe Cefoce32.exe PID 4128 wrote to memory of 1996 4128 Cbgbgj32.exe Cefoce32.exe PID 4128 wrote to memory of 1996 4128 Cbgbgj32.exe Cefoce32.exe PID 1996 wrote to memory of 1468 1996 Cefoce32.exe Chdkoa32.exe PID 1996 wrote to memory of 1468 1996 Cefoce32.exe Chdkoa32.exe PID 1996 wrote to memory of 1468 1996 Cefoce32.exe Chdkoa32.exe PID 1468 wrote to memory of 1580 1468 Chdkoa32.exe Ckcgkldl.exe PID 1468 wrote to memory of 1580 1468 Chdkoa32.exe Ckcgkldl.exe PID 1468 wrote to memory of 1580 1468 Chdkoa32.exe Ckcgkldl.exe PID 1580 wrote to memory of 4588 1580 Ckcgkldl.exe Cehkhecb.exe PID 1580 wrote to memory of 4588 1580 Ckcgkldl.exe Cehkhecb.exe PID 1580 wrote to memory of 4588 1580 Ckcgkldl.exe Cehkhecb.exe PID 4588 wrote to memory of 1016 4588 Cehkhecb.exe Chghdqbf.exe PID 4588 wrote to memory of 1016 4588 Cehkhecb.exe Chghdqbf.exe PID 4588 wrote to memory of 1016 4588 Cehkhecb.exe Chghdqbf.exe PID 1016 wrote to memory of 2160 1016 Chghdqbf.exe Dbllbibl.exe PID 1016 wrote to memory of 2160 1016 Chghdqbf.exe Dbllbibl.exe PID 1016 wrote to memory of 2160 1016 Chghdqbf.exe Dbllbibl.exe PID 2160 wrote to memory of 3204 2160 Dbllbibl.exe Ddmhja32.exe PID 2160 wrote to memory of 3204 2160 Dbllbibl.exe Ddmhja32.exe PID 2160 wrote to memory of 3204 2160 Dbllbibl.exe Ddmhja32.exe PID 3204 wrote to memory of 1956 3204 Ddmhja32.exe Dkgqfl32.exe PID 3204 wrote to memory of 1956 3204 Ddmhja32.exe Dkgqfl32.exe PID 3204 wrote to memory of 1956 3204 Ddmhja32.exe Dkgqfl32.exe PID 1956 wrote to memory of 4912 1956 Dkgqfl32.exe Daaicfgd.exe PID 1956 wrote to memory of 4912 1956 Dkgqfl32.exe Daaicfgd.exe PID 1956 wrote to memory of 4912 1956 Dkgqfl32.exe Daaicfgd.exe PID 4912 wrote to memory of 1760 4912 Daaicfgd.exe Dlgmpogj.exe PID 4912 wrote to memory of 1760 4912 Daaicfgd.exe Dlgmpogj.exe PID 4912 wrote to memory of 1760 4912 Daaicfgd.exe Dlgmpogj.exe PID 1760 wrote to memory of 3332 1760 Dlgmpogj.exe Dadeieea.exe PID 1760 wrote to memory of 3332 1760 Dlgmpogj.exe Dadeieea.exe PID 1760 wrote to memory of 3332 1760 Dlgmpogj.exe Dadeieea.exe PID 3332 wrote to memory of 880 3332 Dadeieea.exe Dhnnep32.exe PID 3332 wrote to memory of 880 3332 Dadeieea.exe Dhnnep32.exe PID 3332 wrote to memory of 880 3332 Dadeieea.exe Dhnnep32.exe PID 880 wrote to memory of 3152 880 Dhnnep32.exe Dkljak32.exe PID 880 wrote to memory of 3152 880 Dhnnep32.exe Dkljak32.exe PID 880 wrote to memory of 3152 880 Dhnnep32.exe Dkljak32.exe PID 3152 wrote to memory of 4548 3152 Dkljak32.exe Dccbbhld.exe PID 3152 wrote to memory of 4548 3152 Dkljak32.exe Dccbbhld.exe PID 3152 wrote to memory of 4548 3152 Dkljak32.exe Dccbbhld.exe PID 4548 wrote to memory of 4032 4548 Dccbbhld.exe Deanodkh.exe PID 4548 wrote to memory of 4032 4548 Dccbbhld.exe Deanodkh.exe PID 4548 wrote to memory of 4032 4548 Dccbbhld.exe Deanodkh.exe PID 4032 wrote to memory of 3416 4032 Deanodkh.exe Dllfkn32.exe PID 4032 wrote to memory of 3416 4032 Deanodkh.exe Dllfkn32.exe PID 4032 wrote to memory of 3416 4032 Deanodkh.exe Dllfkn32.exe PID 3416 wrote to memory of 2728 3416 Dllfkn32.exe Dceohhja.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb1ca78fdd1cea671c79f2275cf4325ab90e17931c45864a0797fc58a2ad5aa8N.exe"C:\Users\Admin\AppData\Local\Temp\cb1ca78fdd1cea671c79f2275cf4325ab90e17931c45864a0797fc58a2ad5aa8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe23⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe24⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe25⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe26⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe27⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe28⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe30⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe31⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe32⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe33⤵PID:4516
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe34⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe35⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe36⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe37⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe38⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe39⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe40⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe41⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe43⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe45⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe46⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe47⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe48⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe49⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe50⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe52⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe53⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe54⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe55⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe56⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe57⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe58⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe59⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe60⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe61⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe62⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe63⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe65⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe66⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe67⤵PID:4016
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe68⤵
- Modifies registry class
PID:3540 -
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe69⤵PID:2988
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe70⤵PID:3192
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe71⤵PID:4332
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe72⤵PID:1356
-
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe73⤵PID:4020
-
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe74⤵PID:1048
-
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe75⤵PID:5108
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe76⤵PID:3224
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe77⤵PID:1592
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe78⤵PID:4156
-
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe79⤵PID:4000
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe80⤵PID:3596
-
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe81⤵PID:2636
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe82⤵PID:1968
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe83⤵PID:2884
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe84⤵
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe85⤵PID:3568
-
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe86⤵PID:2736
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe87⤵PID:692
-
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe88⤵
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe89⤵PID:1260
-
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe90⤵PID:592
-
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe91⤵PID:1792
-
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe92⤵PID:1552
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe93⤵PID:1116
-
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe94⤵PID:4752
-
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe95⤵PID:380
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe96⤵PID:2836
-
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe97⤵PID:4628
-
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe98⤵PID:5152
-
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196 -
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe100⤵PID:5240
-
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5284 -
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe102⤵PID:5328
-
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe103⤵PID:5372
-
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe104⤵PID:5416
-
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe105⤵PID:5460
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe106⤵PID:5504
-
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe107⤵PID:5548
-
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe108⤵PID:5596
-
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe109⤵PID:5640
-
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe110⤵PID:5684
-
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe111⤵PID:5732
-
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe112⤵PID:5800
-
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe113⤵PID:5836
-
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe114⤵PID:5904
-
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe115⤵PID:5948
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5992 -
C:\Windows\SysWOW64\Jplfcpin.exeC:\Windows\system32\Jplfcpin.exe117⤵PID:6036
-
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe118⤵PID:6080
-
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe119⤵
- Modifies registry class
PID:6124 -
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe120⤵PID:5144
-
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5224 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe122⤵
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe123⤵PID:5360
-
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe124⤵PID:5428
-
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe125⤵PID:5492
-
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe126⤵PID:5560
-
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe127⤵PID:5636
-
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe128⤵PID:5712
-
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe129⤵PID:5780
-
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe130⤵
- System Location Discovery: System Language Discovery
PID:5888 -
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe131⤵PID:5960
-
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe132⤵PID:6028
-
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe133⤵PID:6132
-
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe134⤵PID:5208
-
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe135⤵PID:5340
-
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe136⤵PID:5468
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe137⤵PID:5564
-
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe138⤵PID:5740
-
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe139⤵PID:5864
-
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe140⤵PID:4204
-
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe141⤵PID:3360
-
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6048 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe143⤵PID:5280
-
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe144⤵PID:5540
-
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe145⤵PID:5680
-
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe146⤵PID:3700
-
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe147⤵PID:5300
-
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe148⤵
- Modifies registry class
PID:5336 -
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe149⤵
- Modifies registry class
PID:5192 -
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe150⤵PID:5612
-
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe151⤵
- System Location Discovery: System Language Discovery
PID:5472 -
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe152⤵PID:6148
-
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe153⤵PID:6200
-
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe154⤵PID:6248
-
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe155⤵PID:6316
-
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe156⤵PID:6360
-
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe157⤵PID:6404
-
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe158⤵PID:6452
-
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe159⤵PID:6496
-
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe160⤵
- Drops file in System32 directory
PID:6544 -
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe161⤵PID:6588
-
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe162⤵PID:6632
-
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe163⤵PID:6676
-
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe164⤵PID:6720
-
C:\Windows\SysWOW64\Mdjagjco.exeC:\Windows\system32\Mdjagjco.exe165⤵PID:6764
-
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe166⤵PID:6808
-
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe167⤵PID:6856
-
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe168⤵PID:6900
-
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe169⤵PID:6944
-
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe170⤵PID:6988
-
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe171⤵PID:7032
-
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe172⤵PID:7076
-
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe173⤵PID:7120
-
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe174⤵PID:872
-
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe175⤵PID:6188
-
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe176⤵PID:6272
-
C:\Windows\SysWOW64\Nphhmj32.exeC:\Windows\system32\Nphhmj32.exe177⤵PID:6356
-
C:\Windows\SysWOW64\Ngbpidjh.exeC:\Windows\system32\Ngbpidjh.exe178⤵PID:6436
-
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe179⤵PID:6508
-
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe180⤵PID:6576
-
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe181⤵PID:6644
-
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe182⤵PID:6716
-
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe183⤵PID:6792
-
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe184⤵
- Modifies registry class
PID:6864 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe185⤵PID:6932
-
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe186⤵
- Drops file in System32 directory
PID:6432 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe187⤵PID:7000
-
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe188⤵PID:7084
-
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe189⤵PID:7152
-
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe190⤵PID:6212
-
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe191⤵PID:6332
-
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe192⤵PID:6424
-
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe193⤵PID:6556
-
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe194⤵PID:6668
-
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe195⤵PID:6780
-
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe196⤵PID:6940
-
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe197⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe198⤵PID:7060
-
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe199⤵PID:7164
-
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe200⤵
- System Location Discovery: System Language Discovery
PID:6312 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe201⤵PID:6492
-
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe202⤵
- System Location Discovery: System Language Discovery
PID:6664 -
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe203⤵PID:6868
-
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe204⤵PID:6980
-
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe205⤵PID:7128
-
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe206⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6448 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe207⤵PID:6628
-
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe208⤵PID:6908
-
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe209⤵PID:7096
-
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe210⤵PID:6552
-
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe211⤵PID:6296
-
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe212⤵PID:6352
-
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe213⤵PID:7008
-
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe214⤵PID:6836
-
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe215⤵PID:7044
-
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe216⤵PID:7180
-
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe217⤵PID:7224
-
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe218⤵PID:7268
-
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe219⤵PID:7316
-
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe220⤵PID:7360
-
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe221⤵PID:7404
-
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe222⤵PID:7444
-
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe223⤵PID:7488
-
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe224⤵PID:7552
-
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe225⤵PID:7608
-
C:\Windows\SysWOW64\Qceiaa32.exeC:\Windows\system32\Qceiaa32.exe226⤵
- System Location Discovery: System Language Discovery
PID:7652 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe227⤵PID:7700
-
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe228⤵PID:7736
-
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe229⤵PID:7808
-
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7848 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe231⤵PID:7892
-
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe232⤵PID:7944
-
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe233⤵PID:7992
-
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe234⤵PID:8036
-
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe235⤵PID:8084
-
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe236⤵
- System Location Discovery: System Language Discovery
PID:8128 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe237⤵PID:8172
-
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe238⤵PID:7196
-
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe239⤵PID:7264
-
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe240⤵PID:7344
-
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe241⤵PID:7412
-
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe242⤵PID:7472