Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13/11/2024, 08:25
Static task
static1
Behavioral task
behavioral1
Sample
a38a094e99e14e6b2e61a3c9c84b738e43ba3fcd11448cae4a01e252e715c4c8N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
a38a094e99e14e6b2e61a3c9c84b738e43ba3fcd11448cae4a01e252e715c4c8N.exe
Resource
win10v2004-20241007-en
General
-
Target
a38a094e99e14e6b2e61a3c9c84b738e43ba3fcd11448cae4a01e252e715c4c8N.exe
-
Size
92KB
-
MD5
9473e6884f4b2b1ba341a13df2e13a30
-
SHA1
280b08c739a725458a5ad3795476a64d0c806974
-
SHA256
a38a094e99e14e6b2e61a3c9c84b738e43ba3fcd11448cae4a01e252e715c4c8
-
SHA512
15effdabe29928e9bd1de4919dc54d3cad938b984188ce8059fe92c2475421fddb2ca988726eea1b4587b14c2f43e54ca38f3357385e4f32dd1705e7bc16cefe
-
SSDEEP
1536:UXPBTzmPSF6BwR3sWPk0AniNcKfmkWIdFBtJu2LJJ9VqDlzVxyh+CbxMQgn:y5TzH6BwHsniq81zJJ9IDlRxyhTbhgn
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeaanjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpecbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhcgaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kghjhemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhafeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feoodn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deagdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbkmijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnfjbdmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gflhoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomcgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooagno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emeoooml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qohpkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moobbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgnilpah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adgbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljclki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciafbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkaicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffobhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aehgnied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgifbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnbog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neccpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehlkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmokop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpfqcln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdjpmac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljbfpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefjfked.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efhcbodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njiegl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbcjnilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdobnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohmhmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hncmmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emanjldl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Holfoqcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbffdlq.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1452 Mlampmdo.exe 4844 Mplhql32.exe 1924 Mckemg32.exe 860 Mgfqmfde.exe 2188 Mlcifmbl.exe 3820 Mdjagjco.exe 680 Migjoaaf.exe 2988 Mlefklpj.exe 4268 Mdmnlj32.exe 4012 Mgkjhe32.exe 384 Mlhbal32.exe 3340 Ncbknfed.exe 5072 Nepgjaeg.exe 2112 Npfkgjdn.exe 1068 Ncdgcf32.exe 3928 Nebdoa32.exe 1856 Nnjlpo32.exe 1848 Ngbpidjh.exe 4660 Njqmepik.exe 5076 Nloiakho.exe 1644 Ngdmod32.exe 4916 Nnneknob.exe 1192 Nlaegk32.exe 3244 Nggjdc32.exe 3416 Nnqbanmo.exe 4276 Olcbmj32.exe 3804 Oncofm32.exe 4504 Opakbi32.exe 2064 Ogkcpbam.exe 408 Oneklm32.exe 4608 Olhlhjpd.exe 3996 Odocigqg.exe 1188 Ojllan32.exe 4968 Olkhmi32.exe 1976 Oqfdnhfk.exe 4848 Ogpmjb32.exe 5016 Onjegled.exe 2128 Oqhacgdh.exe 1956 Oddmdf32.exe 4656 Ogbipa32.exe 1732 Ofeilobp.exe 1196 Pnlaml32.exe 3932 Pqknig32.exe 1736 Pdfjifjo.exe 1824 Pgefeajb.exe 3984 Pjcbbmif.exe 4356 Pqmjog32.exe 1748 Pclgkb32.exe 1616 Pfjcgn32.exe 3088 Pjeoglgc.exe 3024 Pmdkch32.exe 772 Pdkcde32.exe 2492 Pcncpbmd.exe 5024 Pflplnlg.exe 4828 Pncgmkmj.exe 4676 Pqbdjfln.exe 5052 Pcppfaka.exe 4864 Pfolbmje.exe 2124 Pjjhbl32.exe 1228 Pmidog32.exe 1372 Pdpmpdbd.exe 4632 Pgnilpah.exe 2364 Pfaigm32.exe 1760 Pjmehkqk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Flakaffp.dll Fpjcgm32.exe File created C:\Windows\SysWOW64\Idgojc32.exe Ikokan32.exe File created C:\Windows\SysWOW64\Jejefqaf.exe Jpmlnjco.exe File created C:\Windows\SysWOW64\Enjgeopm.dll Process not Found File created C:\Windows\SysWOW64\Lqppgj32.dll Process not Found File created C:\Windows\SysWOW64\Cglbhhga.exe Process not Found File created C:\Windows\SysWOW64\Dojqjdbl.exe Process not Found File created C:\Windows\SysWOW64\Nqobhgmh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Goljqnpd.exe Ghbbcd32.exe File created C:\Windows\SysWOW64\Jnifigpa.exe Jilnqqbj.exe File created C:\Windows\SysWOW64\Hmlephen.dll Cbpajgmf.exe File created C:\Windows\SysWOW64\Lplfcf32.exe Process not Found File created C:\Windows\SysWOW64\Qhbepcmd.dll Pqmjog32.exe File created C:\Windows\SysWOW64\Linhgilm.dll Fbelcblk.exe File opened for modification C:\Windows\SysWOW64\Amnlme32.exe Process not Found File created C:\Windows\SysWOW64\Pmoiqneg.exe Pkpmdbfd.exe File created C:\Windows\SysWOW64\Mfpqjjgd.dll Kfnkkb32.exe File opened for modification C:\Windows\SysWOW64\Addaif32.exe Aeaanjkl.exe File created C:\Windows\SysWOW64\Ihbponja.exe Process not Found File created C:\Windows\SysWOW64\Gokgpogl.dll Qdbiedpa.exe File created C:\Windows\SysWOW64\Fpjcgm32.exe Fmkgkapm.exe File created C:\Windows\SysWOW64\Ohofdmkm.dll Efjbcakl.exe File created C:\Windows\SysWOW64\Feenjgfq.exe Process not Found File created C:\Windows\SysWOW64\Nplkmckj.exe Ngdfdmdi.exe File opened for modification C:\Windows\SysWOW64\Hicpgc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Achegd32.exe Akamff32.exe File opened for modification C:\Windows\SysWOW64\Kghjhemo.exe Kqnbkl32.exe File created C:\Windows\SysWOW64\Nclikl32.exe Mmbanbmg.exe File created C:\Windows\SysWOW64\Fhpmgg32.exe Fddqghpd.exe File opened for modification C:\Windows\SysWOW64\Mniallpq.exe Mlkepaam.exe File created C:\Windows\SysWOW64\Bheffh32.exe Bfgjjm32.exe File created C:\Windows\SysWOW64\Jpmcbhlp.dll Qachgk32.exe File opened for modification C:\Windows\SysWOW64\Gnpphljo.exe Process not Found File created C:\Windows\SysWOW64\Oncmnnje.dll Pjcbbmif.exe File opened for modification C:\Windows\SysWOW64\Jehhaaci.exe Jkodhk32.exe File created C:\Windows\SysWOW64\Idqionfg.dll Bgpgng32.exe File created C:\Windows\SysWOW64\Ncgjgp32.dll Dfoiaj32.exe File created C:\Windows\SysWOW64\Fdccbl32.exe Fllkqn32.exe File created C:\Windows\SysWOW64\Ipoopgnf.exe Inqbclob.exe File created C:\Windows\SysWOW64\Ekbihd32.exe Eggmge32.exe File created C:\Windows\SysWOW64\Kbdmhm32.dll Jnkcogno.exe File created C:\Windows\SysWOW64\Inmpcc32.exe Ikndgg32.exe File opened for modification C:\Windows\SysWOW64\Gemkelcd.exe Gbnoiqdq.exe File opened for modification C:\Windows\SysWOW64\Hbldphde.exe Process not Found File created C:\Windows\SysWOW64\Ajhapb32.dll Process not Found File created C:\Windows\SysWOW64\Iohjlmeg.exe Hkmnln32.exe File created C:\Windows\SysWOW64\Amhfkopc.exe Aimkjp32.exe File created C:\Windows\SysWOW64\Dpgeee32.exe Daediilg.exe File created C:\Windows\SysWOW64\Gedobm32.dll Bkafmd32.exe File created C:\Windows\SysWOW64\Ddalgo32.dll Phaahggp.exe File created C:\Windows\SysWOW64\Ibmlia32.dll Process not Found File created C:\Windows\SysWOW64\Edknqiho.exe Ealadnik.exe File opened for modification C:\Windows\SysWOW64\Lbchba32.exe Llipehgk.exe File created C:\Windows\SysWOW64\Plagcbdn.exe Pfgogh32.exe File created C:\Windows\SysWOW64\Bchign32.dll Lekmnajj.exe File created C:\Windows\SysWOW64\Ponfka32.exe Phdnngdn.exe File created C:\Windows\SysWOW64\Iomcgl32.exe Idgojc32.exe File created C:\Windows\SysWOW64\Gpbpbecj.exe Gmdcfidg.exe File opened for modification C:\Windows\SysWOW64\Hoeieolb.exe Hpchib32.exe File created C:\Windows\SysWOW64\Bbloam32.dll Cnffqf32.exe File created C:\Windows\SysWOW64\Fimodc32.exe Ffobhg32.exe File created C:\Windows\SysWOW64\Kfcfimfi.dll Process not Found File created C:\Windows\SysWOW64\Gckdpj32.dll Emphocjj.exe File created C:\Windows\SysWOW64\Lflbkcll.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 12836 13064 Process not Found 1507 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbqqkkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcgnbaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojllan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fielph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoifflkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddadpdmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogfcjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnihiio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqpoakco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcepgmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncabfkqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheplb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnjnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgghjjid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgaijaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkple32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbnjdfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpchib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eagaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmmmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkjgegae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlambk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnadagbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpmjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimkjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjaifp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhabbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoclopne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfolbmje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqfmde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbfff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhkbfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mplhql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjaqpbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhflnpoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeimm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibkpcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbbch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkokcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jilnqqbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajcdnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhkjd32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kijchhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffonkgk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhqnncg.dll" Cgcmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeedjegm.dll" Mkmkkjko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnfamjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll" Npfkgjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkhbo32.dll" Ngmpcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphppfgi.dll" Kjhcjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dngjff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qddfkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikndgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pekbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipbmd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gphqhffa.dll" Ohjlgefb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdedak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oemefcap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamqij32.dll" Djfcaohp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgkpdcmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll" Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpleqmop.dll" Lbchba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahenokjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhijepa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncbknfed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aleckinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlepcdoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngdfdmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oidofh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnecgoki.dll" Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkpbin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdickcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll" Mgfqmfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmlia32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbffdlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpjmnjqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Camddhoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkbjd32.dll" Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgkbmbm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjnkcekm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fahaplon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmiogmig.dll" Fmkgkapm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bffkij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhbolp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcbfakec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjbhmad.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1896 wrote to memory of 1452 1896 a38a094e99e14e6b2e61a3c9c84b738e43ba3fcd11448cae4a01e252e715c4c8N.exe 83 PID 1896 wrote to memory of 1452 1896 a38a094e99e14e6b2e61a3c9c84b738e43ba3fcd11448cae4a01e252e715c4c8N.exe 83 PID 1896 wrote to memory of 1452 1896 a38a094e99e14e6b2e61a3c9c84b738e43ba3fcd11448cae4a01e252e715c4c8N.exe 83 PID 1452 wrote to memory of 4844 1452 Mlampmdo.exe 84 PID 1452 wrote to memory of 4844 1452 Mlampmdo.exe 84 PID 1452 wrote to memory of 4844 1452 Mlampmdo.exe 84 PID 4844 wrote to memory of 1924 4844 Mplhql32.exe 85 PID 4844 wrote to memory of 1924 4844 Mplhql32.exe 85 PID 4844 wrote to memory of 1924 4844 Mplhql32.exe 85 PID 1924 wrote to memory of 860 1924 Mckemg32.exe 86 PID 1924 wrote to memory of 860 1924 Mckemg32.exe 86 PID 1924 wrote to memory of 860 1924 Mckemg32.exe 86 PID 860 wrote to memory of 2188 860 Mgfqmfde.exe 87 PID 860 wrote to memory of 2188 860 Mgfqmfde.exe 87 PID 860 wrote to memory of 2188 860 Mgfqmfde.exe 87 PID 2188 wrote to memory of 3820 2188 Mlcifmbl.exe 88 PID 2188 wrote to memory of 3820 2188 Mlcifmbl.exe 88 PID 2188 wrote to memory of 3820 2188 Mlcifmbl.exe 88 PID 3820 wrote to memory of 680 3820 Mdjagjco.exe 89 PID 3820 wrote to memory of 680 3820 Mdjagjco.exe 89 PID 3820 wrote to memory of 680 3820 Mdjagjco.exe 89 PID 680 wrote to memory of 2988 680 Migjoaaf.exe 90 PID 680 wrote to memory of 2988 680 Migjoaaf.exe 90 PID 680 wrote to memory of 2988 680 Migjoaaf.exe 90 PID 2988 wrote to memory of 4268 2988 Mlefklpj.exe 92 PID 2988 wrote to memory of 4268 2988 Mlefklpj.exe 92 PID 2988 wrote to memory of 4268 2988 Mlefklpj.exe 92 PID 4268 wrote to memory of 4012 4268 Mdmnlj32.exe 93 PID 4268 wrote to memory of 4012 4268 Mdmnlj32.exe 93 PID 4268 wrote to memory of 4012 4268 Mdmnlj32.exe 93 PID 4012 wrote to memory of 384 4012 Mgkjhe32.exe 94 PID 4012 wrote to memory of 384 4012 Mgkjhe32.exe 94 PID 4012 wrote to memory of 384 4012 Mgkjhe32.exe 94 PID 384 wrote to memory of 3340 384 Mlhbal32.exe 96 PID 384 wrote to memory of 3340 384 Mlhbal32.exe 96 PID 384 wrote to memory of 3340 384 Mlhbal32.exe 96 PID 3340 wrote to memory of 5072 3340 Ncbknfed.exe 97 PID 3340 wrote to memory of 5072 3340 Ncbknfed.exe 97 PID 3340 wrote to memory of 5072 3340 Ncbknfed.exe 97 PID 5072 wrote to memory of 2112 5072 Nepgjaeg.exe 98 PID 5072 wrote to memory of 2112 5072 Nepgjaeg.exe 98 PID 5072 wrote to memory of 2112 5072 Nepgjaeg.exe 98 PID 2112 wrote to memory of 1068 2112 Npfkgjdn.exe 99 PID 2112 wrote to memory of 1068 2112 Npfkgjdn.exe 99 PID 2112 wrote to memory of 1068 2112 Npfkgjdn.exe 99 PID 1068 wrote to memory of 3928 1068 Ncdgcf32.exe 100 PID 1068 wrote to memory of 3928 1068 Ncdgcf32.exe 100 PID 1068 wrote to memory of 3928 1068 Ncdgcf32.exe 100 PID 3928 wrote to memory of 1856 3928 Nebdoa32.exe 101 PID 3928 wrote to memory of 1856 3928 Nebdoa32.exe 101 PID 3928 wrote to memory of 1856 3928 Nebdoa32.exe 101 PID 1856 wrote to memory of 1848 1856 Nnjlpo32.exe 102 PID 1856 wrote to memory of 1848 1856 Nnjlpo32.exe 102 PID 1856 wrote to memory of 1848 1856 Nnjlpo32.exe 102 PID 1848 wrote to memory of 4660 1848 Ngbpidjh.exe 104 PID 1848 wrote to memory of 4660 1848 Ngbpidjh.exe 104 PID 1848 wrote to memory of 4660 1848 Ngbpidjh.exe 104 PID 4660 wrote to memory of 5076 4660 Njqmepik.exe 105 PID 4660 wrote to memory of 5076 4660 Njqmepik.exe 105 PID 4660 wrote to memory of 5076 4660 Njqmepik.exe 105 PID 5076 wrote to memory of 1644 5076 Nloiakho.exe 106 PID 5076 wrote to memory of 1644 5076 Nloiakho.exe 106 PID 5076 wrote to memory of 1644 5076 Nloiakho.exe 106 PID 1644 wrote to memory of 4916 1644 Ngdmod32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\a38a094e99e14e6b2e61a3c9c84b738e43ba3fcd11448cae4a01e252e715c4c8N.exe"C:\Users\Admin\AppData\Local\Temp\a38a094e99e14e6b2e61a3c9c84b738e43ba3fcd11448cae4a01e252e715c4c8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Mdjagjco.exeC:\Windows\system32\Mdjagjco.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Ngbpidjh.exeC:\Windows\system32\Ngbpidjh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe23⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe24⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe25⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe26⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe27⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe28⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Opakbi32.exeC:\Windows\system32\Opakbi32.exe29⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe30⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe31⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe32⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3996 -
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1188 -
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe35⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe36⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4848 -
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe38⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe39⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe40⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe41⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe42⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe43⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe44⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe45⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe46⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4356 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe49⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe50⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe51⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe52⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe53⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe54⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe55⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe56⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe57⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe58⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4864 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe60⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe61⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe62⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe64⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe65⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe67⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe68⤵PID:1184
-
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4260 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe70⤵
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe71⤵PID:3092
-
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4112 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe73⤵PID:672
-
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe74⤵PID:1744
-
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe75⤵PID:4908
-
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe76⤵PID:1676
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe77⤵PID:4760
-
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe78⤵PID:1592
-
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe79⤵PID:3656
-
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe80⤵PID:4636
-
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe81⤵PID:1300
-
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe82⤵PID:4368
-
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe83⤵PID:952
-
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe84⤵PID:1552
-
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe85⤵PID:116
-
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe86⤵PID:4972
-
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe87⤵PID:4384
-
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe88⤵PID:5132
-
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe89⤵PID:5176
-
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe90⤵
- Modifies registry class
PID:5220 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe91⤵PID:5264
-
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe92⤵PID:5304
-
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe93⤵PID:5356
-
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe94⤵PID:5400
-
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe95⤵PID:5448
-
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe96⤵PID:5492
-
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe97⤵PID:5536
-
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe98⤵PID:5580
-
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe99⤵PID:5624
-
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe100⤵PID:5668
-
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe101⤵PID:5712
-
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe102⤵PID:5756
-
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe103⤵PID:5800
-
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe104⤵PID:5868
-
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe105⤵PID:5928
-
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe106⤵PID:5992
-
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe107⤵PID:6044
-
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe108⤵PID:6084
-
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe109⤵
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe110⤵PID:5216
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe111⤵PID:5324
-
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe112⤵PID:5392
-
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe113⤵PID:5476
-
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe114⤵PID:5544
-
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe115⤵PID:5596
-
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe116⤵
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe117⤵PID:5764
-
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe118⤵PID:5856
-
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe119⤵PID:5936
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe120⤵PID:6072
-
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe121⤵PID:5124
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe122⤵PID:5296
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-