Analysis
-
max time kernel
93s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 18:46
Static task
static1
Behavioral task
behavioral1
Sample
075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe
Resource
win10v2004-20241007-en
General
-
Target
075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe
-
Size
88KB
-
MD5
fe6c8ceab2e7c4d7a94ae1bba3fe0acd
-
SHA1
d657462aa98f08b8147c0fdde2c64fae5e37642f
-
SHA256
075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078
-
SHA512
ddf439a2424a69450317768b768df274b71160abd969497f08b522396778853a695d318e3cb26cc215805a7bc75c5ec5f919da27ad734e3c017a708d6aa6449c
-
SSDEEP
1536:ILzBeklfOfPT85PjgvYD5aCZHwFL8QOVXtE1ukVd71rFZO7+90vJ:AzBekMf785PjJ5ZILi9EIIJ15ZO7Vx
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Oileggkb.exeDfoplpla.exeDfiildio.exeOcamjm32.exeJgadgf32.exeMblcnj32.exeCkilmcgb.exeAmhfkopc.exeBoklbi32.exeFkihnmhj.exeMjmoag32.exeCkjbhmad.exeOkchnk32.exeLekmnajj.exeOgfcjm32.exeOcopdn32.exeIbmeoq32.exeLalnmiia.exeIbkpcg32.exeLankbigo.exeLkchelci.exeEmjgim32.exePhedhmhi.exeMiofjepg.exeAbponp32.exeHnddgjbj.exeEmnbdioi.exeLiqihglg.exeAnaomkdb.exeAanbhp32.exeDflmlj32.exeOmjpeo32.exeCkmonl32.exeKpdboimg.exePpjgoaoj.exeAihaoqlp.exeOadfkdgd.exeHhnbpb32.exeCcmgiaig.exeFbcfhibj.exeJnpmjf32.exeJpfepf32.exeOdhifjkg.exeOloahhki.exeBnfihkqm.exeCbpajgmf.exeFknicb32.exeIdkbkl32.exeOkgaijaj.exeNhmofj32.exeEfpomccg.exeIgbalblk.exeIqklon32.exeBblnindg.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oileggkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoplpla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfiildio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocamjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgadgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mblcnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amhfkopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boklbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkihnmhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjmoag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okchnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lekmnajj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogfcjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocopdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibmeoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lalnmiia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibkpcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lankbigo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkchelci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phedhmhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miofjepg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abponp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnddgjbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnbdioi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liqihglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aanbhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omjpeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmonl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdboimg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjgoaoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aihaoqlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oadfkdgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccmgiaig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbcfhibj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpmjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfepf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odhifjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oloahhki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfihkqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fknicb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okgaijaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmofj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igbalblk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bblnindg.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Cjpckf32.exeCajlhqjp.exeCeehho32.exeChcddk32.exeCnnlaehj.exeCalhnpgn.exeDhfajjoj.exeDjdmffnn.exeDmcibama.exeDdmaok32.exeDfknkg32.exeDmefhako.exeDelnin32.exeDfnjafap.exeDodbbdbb.exeDaconoae.exeDhmgki32.exeDkkcge32.exeDogogcpo.exeDaekdooc.exeDddhpjof.exeDhocqigp.exeDoilmc32.exeDahhio32.exeEdfdej32.exeEhapfiem.exeEolhbc32.exeEmoinpcd.exeEefaomcg.exeEhdmlhcj.exeEkbihd32.exeEonehbjg.exeEehnem32.exeEhfjah32.exeEkefmc32.exeEopbnbhd.exeEejjjl32.exeEglgbdep.exeEobocb32.exeEaakpm32.exeEdpgli32.exeEhkclgmb.exeEoekia32.exeEmhldnkj.exeFeocelll.exeFhmpagkp.exeFkllnbjc.exeFafdkmap.exeFeapkk32.exeFhpmgg32.exeFknicb32.exeFnmepn32.exeFedmqk32.exeFgeihcme.exeFolaiqng.exeFefjfked.exeFhdfbfdh.exeFggfnc32.exeFonnop32.exeFnaokmco.exeFehfljca.exeFgjccb32.exeFoqkdp32.exeGaogak32.exepid Process 4436 Cjpckf32.exe 2864 Cajlhqjp.exe 2932 Ceehho32.exe 4080 Chcddk32.exe 1412 Cnnlaehj.exe 4132 Calhnpgn.exe 4652 Dhfajjoj.exe 2028 Djdmffnn.exe 3224 Dmcibama.exe 4740 Ddmaok32.exe 4808 Dfknkg32.exe 3116 Dmefhako.exe 804 Delnin32.exe 4840 Dfnjafap.exe 220 Dodbbdbb.exe 1180 Daconoae.exe 5052 Dhmgki32.exe 5084 Dkkcge32.exe 1764 Dogogcpo.exe 3032 Daekdooc.exe 1968 Dddhpjof.exe 2824 Dhocqigp.exe 4640 Doilmc32.exe 5008 Dahhio32.exe 4220 Edfdej32.exe 448 Ehapfiem.exe 4720 Eolhbc32.exe 4296 Emoinpcd.exe 1688 Eefaomcg.exe 3652 Ehdmlhcj.exe 3928 Ekbihd32.exe 1712 Eonehbjg.exe 3964 Eehnem32.exe 4428 Ehfjah32.exe 4752 Ekefmc32.exe 2296 Eopbnbhd.exe 1248 Eejjjl32.exe 2468 Eglgbdep.exe 4760 Eobocb32.exe 1344 Eaakpm32.exe 1740 Edpgli32.exe 2848 Ehkclgmb.exe 2532 Eoekia32.exe 404 Emhldnkj.exe 2904 Feocelll.exe 4248 Fhmpagkp.exe 2812 Fkllnbjc.exe 3696 Fafdkmap.exe 3764 Feapkk32.exe 4528 Fhpmgg32.exe 5048 Fknicb32.exe 4228 Fnmepn32.exe 3408 Fedmqk32.exe 4976 Fgeihcme.exe 456 Folaiqng.exe 1540 Fefjfked.exe 1176 Fhdfbfdh.exe 1640 Fggfnc32.exe 4884 Fonnop32.exe 3172 Fnaokmco.exe 4272 Fehfljca.exe 2796 Fgjccb32.exe 1512 Foqkdp32.exe 2704 Gaogak32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Bkoigdom.exeFmcjpl32.exeEhapfiem.exeHjedffig.exeKiggbhda.exeEciplm32.exeFjadje32.exeBochmn32.exeOhiemobf.exeGbmingjo.exeAednci32.exeDbkqfe32.exeMnpabe32.exeCkjbhmad.exeEehnem32.exeFhdfbfdh.exeCaienjfd.exeDcjnoece.exeNjghbl32.exeFkllnbjc.exeCcpdoqgd.exeJnhidk32.exeHfcnpn32.exeLhkgoiqe.exeNolgijpk.exeOeaoab32.exeFhmpagkp.exeHglaej32.exeMeamcg32.exeNjkkbehl.exePjbkgfej.exeAqoiqn32.exeAglnbhal.exeNahgoe32.exeKcpahpmd.exeEolhbc32.exeEejjjl32.exeJgenbfoa.exeAeddnp32.exeJbdbjf32.exePcepkfld.exeBcahmb32.exePkbjjbda.exeFkihnmhj.exeQcaofebg.exeEpikpo32.exeEmoinpcd.exeDeqcbpld.exedescription ioc Process File created C:\Windows\SysWOW64\Bcfahbpo.exe Bkoigdom.exe File opened for modification C:\Windows\SysWOW64\Fpbflg32.exe Fmcjpl32.exe File created C:\Windows\SysWOW64\Fmplqd32.dll File created C:\Windows\SysWOW64\Kgflcifg.exe File opened for modification C:\Windows\SysWOW64\Eolhbc32.exe Ehapfiem.exe File created C:\Windows\SysWOW64\Kpdahg32.dll Hjedffig.exe File created C:\Windows\SysWOW64\Cqnnno32.dll Kiggbhda.exe File created C:\Windows\SysWOW64\Jcoong32.dll Eciplm32.exe File created C:\Windows\SysWOW64\Fmpqfq32.exe Fjadje32.exe File opened for modification C:\Windows\SysWOW64\Bnfihkqm.exe Bochmn32.exe File opened for modification C:\Windows\SysWOW64\Okgaijaj.exe Ohiemobf.exe File opened for modification C:\Windows\SysWOW64\Gjdaodja.exe Gbmingjo.exe File created C:\Windows\SysWOW64\Oddfcg32.dll Aednci32.exe File created C:\Windows\SysWOW64\Omdppiif.exe File opened for modification C:\Windows\SysWOW64\Ddjmba32.exe Dbkqfe32.exe File opened for modification C:\Windows\SysWOW64\Adcjop32.exe File created C:\Windows\SysWOW64\Bomfgoah.dll Mnpabe32.exe File created C:\Windows\SysWOW64\Cnindhpg.exe Ckjbhmad.exe File opened for modification C:\Windows\SysWOW64\Ehfjah32.exe Eehnem32.exe File opened for modification C:\Windows\SysWOW64\Fggfnc32.exe Fhdfbfdh.exe File opened for modification C:\Windows\SysWOW64\Ccgajfeh.exe Caienjfd.exe File created C:\Windows\SysWOW64\Dgejpd32.exe Dcjnoece.exe File created C:\Windows\SysWOW64\Oifdaage.dll Njghbl32.exe File created C:\Windows\SysWOW64\Fafdkmap.exe Fkllnbjc.exe File opened for modification C:\Windows\SysWOW64\Cbbdjm32.exe Ccpdoqgd.exe File opened for modification C:\Windows\SysWOW64\Jpfepf32.exe Jnhidk32.exe File opened for modification C:\Windows\SysWOW64\Hibjli32.exe Hfcnpn32.exe File created C:\Windows\SysWOW64\Lpbopfag.exe Lhkgoiqe.exe File created C:\Windows\SysWOW64\Iadenp32.dll Nolgijpk.exe File created C:\Windows\SysWOW64\Ohpkmn32.exe Oeaoab32.exe File created C:\Windows\SysWOW64\Mlkpophj.dll File created C:\Windows\SysWOW64\Odpich32.dll Fhmpagkp.exe File created C:\Windows\SysWOW64\Hjjnae32.exe Hglaej32.exe File created C:\Windows\SysWOW64\Mhoipb32.exe Meamcg32.exe File created C:\Windows\SysWOW64\Neqopnhb.exe Njkkbehl.exe File created C:\Windows\SysWOW64\Jniood32.exe File created C:\Windows\SysWOW64\Difebl32.dll File opened for modification C:\Windows\SysWOW64\Ngndaccj.exe File created C:\Windows\SysWOW64\Ldjcfk32.dll File opened for modification C:\Windows\SysWOW64\Plagcbdn.exe Pjbkgfej.exe File created C:\Windows\SysWOW64\Aocfbi32.dll Aqoiqn32.exe File created C:\Windows\SysWOW64\Ajjjocap.exe Aglnbhal.exe File opened for modification C:\Windows\SysWOW64\Niooqcad.exe Nahgoe32.exe File opened for modification C:\Windows\SysWOW64\Kglmio32.exe Kcpahpmd.exe File opened for modification C:\Windows\SysWOW64\Emoinpcd.exe Eolhbc32.exe File created C:\Windows\SysWOW64\Eglgbdep.exe Eejjjl32.exe File created C:\Windows\SysWOW64\Ffkcnbje.dll Jgenbfoa.exe File created C:\Windows\SysWOW64\Hjfcen32.dll Aeddnp32.exe File opened for modification C:\Windows\SysWOW64\Nnfpinmi.exe File opened for modification C:\Windows\SysWOW64\Adfgdpmi.exe File opened for modification C:\Windows\SysWOW64\Jecofa32.exe Jbdbjf32.exe File created C:\Windows\SysWOW64\Pedlgbkh.exe Pcepkfld.exe File opened for modification C:\Windows\SysWOW64\Bbdhiojo.exe Bcahmb32.exe File created C:\Windows\SysWOW64\Jbklgfdh.dll File opened for modification C:\Windows\SysWOW64\Paiogf32.exe File created C:\Windows\SysWOW64\Ibhkfm32.exe File created C:\Windows\SysWOW64\Fklenm32.dll Pkbjjbda.exe File opened for modification C:\Windows\SysWOW64\Fmgejhgn.exe Fkihnmhj.exe File opened for modification C:\Windows\SysWOW64\Qepkbpak.exe Qcaofebg.exe File opened for modification C:\Windows\SysWOW64\Ebhglj32.exe Epikpo32.exe File created C:\Windows\SysWOW64\Edqnimdf.dll File created C:\Windows\SysWOW64\Kpdjljdk.dll File opened for modification C:\Windows\SysWOW64\Eefaomcg.exe Emoinpcd.exe File created C:\Windows\SysWOW64\Emhkdmlg.exe Deqcbpld.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 19528 7636 1369 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ceehho32.exeNajceeoo.exeQepkbpak.exeEbnfbcbc.exeIhnkel32.exeOoejohhq.exeFoqkdp32.exeEidbij32.exeKgipcogp.exeHlnjbedi.exeEhapfiem.exeLpbopfag.exeNihipdhl.exeBhldpj32.exeFnnjmbpm.exeGgnlobej.exeIdieem32.exeIljpij32.exeMiofjepg.exeKmdlffhj.exeHedafk32.exeQkjgegae.exeLgccinoe.exeKcpahpmd.exeKqdaadln.exeIdjlpc32.exeHaoimcgg.exeJgadgf32.exeDpdaepai.exeEmkndc32.exeIcnklbmj.exeMadjhb32.exeMebcop32.exeBklfgo32.exeAqaffn32.exeDmbbhkjf.exeMgaokl32.exeJdbhkk32.exeFjadje32.exeBhbcfbjk.exeFimhjl32.exeGdlfhj32.exeDmcibama.exeBiogppeg.exeBiadeoce.exeDhlpqc32.exeFmlneg32.exeHglaej32.exeIfbbig32.exeHkeaqi32.exeOkgaijaj.exeEnkdaepb.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceehho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najceeoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qepkbpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnfbcbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnkel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooejohhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foqkdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidbij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgipcogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlnjbedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehapfiem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpbopfag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nihipdhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhldpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnjmbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnlobej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idieem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljpij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miofjepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmdlffhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hedafk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkjgegae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgccinoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpahpmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqdaadln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idjlpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haoimcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgadgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdaepai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkndc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnklbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Madjhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebcop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqaffn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbbhkjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdbhkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjadje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbcfbjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimhjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdlfhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcibama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biogppeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biadeoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhlpqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlneg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hglaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbbig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkeaqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgaijaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdaepb.exe -
Modifies registry class 64 IoCs
Processes:
Ohlimd32.exeDgejpd32.exeNnkpnclp.exeDjmibn32.exeHgghjjid.exeNlcalieg.exeGncchb32.exeBggnof32.exeCbpajgmf.exeDhclmp32.exeGnjjfegi.exeHgdejd32.exeFhofmq32.exeGgkiol32.exeLeopnglc.exeQaflgago.exeIbnligoc.exeIjcjmmil.exeLjclki32.exeCeehho32.exeKefdbo32.exeCceddf32.exeHdpbon32.exePcjiff32.exeGikkfqmf.exeIcnklbmj.exeBemqih32.exeDkkcge32.exeEhailbaa.exeLjobpiql.exeFdffbake.exeDjdmffnn.exeIghhln32.exeNhpbfpka.exeAlcfei32.exeDodjjimm.exeLbngllob.exeHbjoeojc.exeJpkphjeb.exeEciplm32.exeDokgdkeh.exeAlelqb32.exeCfogeb32.exeIphioh32.exeLdipha32.exeOacoqnci.exePoimpapp.exeFhmpagkp.exeEfkphnbd.exeJjdjoane.exeOalipoiq.exePdkoch32.exeNlleaeff.exeHammhcij.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knegmo32.dll" Ohlimd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgejpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofmkc32.dll" Nnkpnclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djmibn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgghjjid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqnpfi32.dll" Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmjim32.dll" Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bggnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjoqdcl.dll" Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icinkkcp.dll" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnjjfegi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgdejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnboabc.dll" Fhofmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepfdc32.dll" Ggkiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leopnglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleqgfim.dll" Ibnligoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljclki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll" Ceehho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kefdbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cceddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdpbon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcjiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnipccc.dll" Gikkfqmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icnklbmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnjfibml.dll" Bemqih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkkcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehailbaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljobpiql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lehagi32.dll" Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll" Djdmffnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfildi32.dll" Ighhln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhpbfpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkjmfeo.dll" Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodjjimm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpkphjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoong32.dll" Eciplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alelqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfogeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdjaieh.dll" Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldipha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oacoqnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpich32.dll" Fhmpagkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Embccf32.dll" Efkphnbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjdjoane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oalipoiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdkoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlleaeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhginhk.dll" Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfglbe32.dll" Ldipha32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exeCjpckf32.exeCajlhqjp.exeCeehho32.exeChcddk32.exeCnnlaehj.exeCalhnpgn.exeDhfajjoj.exeDjdmffnn.exeDmcibama.exeDdmaok32.exeDfknkg32.exeDmefhako.exeDelnin32.exeDfnjafap.exeDodbbdbb.exeDaconoae.exeDhmgki32.exeDkkcge32.exeDogogcpo.exeDaekdooc.exeDddhpjof.exedescription pid Process procid_target PID 2432 wrote to memory of 4436 2432 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe 83 PID 2432 wrote to memory of 4436 2432 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe 83 PID 2432 wrote to memory of 4436 2432 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe 83 PID 4436 wrote to memory of 2864 4436 Cjpckf32.exe 84 PID 4436 wrote to memory of 2864 4436 Cjpckf32.exe 84 PID 4436 wrote to memory of 2864 4436 Cjpckf32.exe 84 PID 2864 wrote to memory of 2932 2864 Cajlhqjp.exe 85 PID 2864 wrote to memory of 2932 2864 Cajlhqjp.exe 85 PID 2864 wrote to memory of 2932 2864 Cajlhqjp.exe 85 PID 2932 wrote to memory of 4080 2932 Ceehho32.exe 86 PID 2932 wrote to memory of 4080 2932 Ceehho32.exe 86 PID 2932 wrote to memory of 4080 2932 Ceehho32.exe 86 PID 4080 wrote to memory of 1412 4080 Chcddk32.exe 87 PID 4080 wrote to memory of 1412 4080 Chcddk32.exe 87 PID 4080 wrote to memory of 1412 4080 Chcddk32.exe 87 PID 1412 wrote to memory of 4132 1412 Cnnlaehj.exe 89 PID 1412 wrote to memory of 4132 1412 Cnnlaehj.exe 89 PID 1412 wrote to memory of 4132 1412 Cnnlaehj.exe 89 PID 4132 wrote to memory of 4652 4132 Calhnpgn.exe 90 PID 4132 wrote to memory of 4652 4132 Calhnpgn.exe 90 PID 4132 wrote to memory of 4652 4132 Calhnpgn.exe 90 PID 4652 wrote to memory of 2028 4652 Dhfajjoj.exe 91 PID 4652 wrote to memory of 2028 4652 Dhfajjoj.exe 91 PID 4652 wrote to memory of 2028 4652 Dhfajjoj.exe 91 PID 2028 wrote to memory of 3224 2028 Djdmffnn.exe 92 PID 2028 wrote to memory of 3224 2028 Djdmffnn.exe 92 PID 2028 wrote to memory of 3224 2028 Djdmffnn.exe 92 PID 3224 wrote to memory of 4740 3224 Dmcibama.exe 94 PID 3224 wrote to memory of 4740 3224 Dmcibama.exe 94 PID 3224 wrote to memory of 4740 3224 Dmcibama.exe 94 PID 4740 wrote to memory of 4808 4740 Ddmaok32.exe 95 PID 4740 wrote to memory of 4808 4740 Ddmaok32.exe 95 PID 4740 wrote to memory of 4808 4740 Ddmaok32.exe 95 PID 4808 wrote to memory of 3116 4808 Dfknkg32.exe 96 PID 4808 wrote to memory of 3116 4808 Dfknkg32.exe 96 PID 4808 wrote to memory of 3116 4808 Dfknkg32.exe 96 PID 3116 wrote to memory of 804 3116 Dmefhako.exe 97 PID 3116 wrote to memory of 804 3116 Dmefhako.exe 97 PID 3116 wrote to memory of 804 3116 Dmefhako.exe 97 PID 804 wrote to memory of 4840 804 Delnin32.exe 98 PID 804 wrote to memory of 4840 804 Delnin32.exe 98 PID 804 wrote to memory of 4840 804 Delnin32.exe 98 PID 4840 wrote to memory of 220 4840 Dfnjafap.exe 99 PID 4840 wrote to memory of 220 4840 Dfnjafap.exe 99 PID 4840 wrote to memory of 220 4840 Dfnjafap.exe 99 PID 220 wrote to memory of 1180 220 Dodbbdbb.exe 101 PID 220 wrote to memory of 1180 220 Dodbbdbb.exe 101 PID 220 wrote to memory of 1180 220 Dodbbdbb.exe 101 PID 1180 wrote to memory of 5052 1180 Daconoae.exe 102 PID 1180 wrote to memory of 5052 1180 Daconoae.exe 102 PID 1180 wrote to memory of 5052 1180 Daconoae.exe 102 PID 5052 wrote to memory of 5084 5052 Dhmgki32.exe 103 PID 5052 wrote to memory of 5084 5052 Dhmgki32.exe 103 PID 5052 wrote to memory of 5084 5052 Dhmgki32.exe 103 PID 5084 wrote to memory of 1764 5084 Dkkcge32.exe 104 PID 5084 wrote to memory of 1764 5084 Dkkcge32.exe 104 PID 5084 wrote to memory of 1764 5084 Dkkcge32.exe 104 PID 1764 wrote to memory of 3032 1764 Dogogcpo.exe 105 PID 1764 wrote to memory of 3032 1764 Dogogcpo.exe 105 PID 1764 wrote to memory of 3032 1764 Dogogcpo.exe 105 PID 3032 wrote to memory of 1968 3032 Daekdooc.exe 106 PID 3032 wrote to memory of 1968 3032 Daekdooc.exe 106 PID 3032 wrote to memory of 1968 3032 Daekdooc.exe 106 PID 1968 wrote to memory of 2824 1968 Dddhpjof.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe"C:\Users\Admin\AppData\Local\Temp\075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe23⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe24⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe25⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe26⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4720 -
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4296 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe30⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe31⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe32⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe33⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3964 -
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe35⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe36⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe37⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe39⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe40⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe41⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe42⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe43⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe44⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe45⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe46⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4248 -
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe49⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe50⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe51⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe53⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe54⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe55⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe56⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe57⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe59⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe60⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe61⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe62⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe63⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe65⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe66⤵PID:3448
-
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe67⤵PID:2788
-
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe68⤵PID:4576
-
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe69⤵PID:1792
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe70⤵
- System Location Discovery: System Language Discovery
PID:848 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe71⤵PID:3648
-
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe72⤵PID:4524
-
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe73⤵PID:3908
-
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe74⤵PID:3204
-
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe75⤵PID:4800
-
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe76⤵PID:720
-
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe77⤵PID:3736
-
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe78⤵PID:1944
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe79⤵PID:3436
-
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe80⤵PID:3776
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe81⤵PID:3636
-
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe82⤵PID:3460
-
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe83⤵PID:4664
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe84⤵PID:4900
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe85⤵PID:960
-
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe87⤵PID:2056
-
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe88⤵PID:4128
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe89⤵PID:4680
-
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe90⤵PID:3864
-
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe91⤵PID:5068
-
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe92⤵PID:1404
-
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3604 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe94⤵PID:344
-
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe96⤵PID:3428
-
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe97⤵PID:432
-
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe98⤵PID:904
-
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe99⤵PID:4864
-
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe100⤵PID:1920
-
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe101⤵PID:4268
-
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4768 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe103⤵PID:5128
-
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe104⤵
- System Location Discovery: System Language Discovery
PID:5184 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe105⤵
- Modifies registry class
PID:5244 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe106⤵
- Modifies registry class
PID:5288 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe107⤵PID:5332
-
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe108⤵PID:5376
-
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe109⤵PID:5420
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe110⤵PID:5464
-
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe111⤵PID:5508
-
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe112⤵
- Drops file in System32 directory
PID:5548 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe113⤵PID:5592
-
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe114⤵PID:5636
-
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe115⤵PID:5680
-
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe116⤵
- Modifies registry class
PID:5724 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe117⤵PID:5768
-
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe118⤵PID:5812
-
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5856 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe120⤵PID:5900
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe121⤵PID:5944
-
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe122⤵PID:5988
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-