Analysis
max time kernel: 114s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:13
Static task: static1
Behavioral task: behavioral1
Sample: 94c520246fdf47e09050b25fc57ce1a1729e1cccb6dd24ae4d0ea7eec08d4872N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 94c520246fdf47e09050b25fc57ce1a1729e1cccb6dd24ae4d0ea7eec08d4872N.exe
Resource: win10v2004-20241007-en
General
Target: 94c520246fdf47e09050b25fc57ce1a1729e1cccb6dd24ae4d0ea7eec08d4872N.exe
Size: 67KB
MD5: d1a261a9637df190d913a0bca5711d30
SHA1: 9881420a61afda155b2fc3721fbc23b7958b31d1
SHA256: 94c520246fdf47e09050b25fc57ce1a1729e1cccb6dd24ae4d0ea7eec08d4872
SHA512: 1fe636348b4c3dae74dfd23a1ec8c6852d458cec408b07a7ab06b646b1372060d775b1467795f74f87b19d899e857f20edac45d91b17b21b8a0f485e31ae5884
SSDEEP: 1536:6LEG8FAWSekWDhhP+pb1esJifTduD4oTxwf:6BKmt2hp+HesJibdMTxwf
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes: pid 4904, pid_target 2124
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmecjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgemal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plhdkhoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfofla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 -
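Every registry-class event above touches the InProcServer32 key of one CLSID, and the "Adds autorun key to be loaded by Explorer.exe on startup" events recorded for several processes in the tree below register that CLSID under ShellServiceObjectDelayLoad (SSODL), so explorer.exe loads the named DLL at startup. Each generation of the worm repoints the same CLSID at a freshly dropped DLL name. The Python below is an added example and is not part of the sandbox report or of any tool it mentions: it parses rows in the report's "operation  key path [= "data"]  [process]" layout and links an SSODL entry to its CLSID and to every DLL that CLSID was pointed at during the run. The InProcServer32 rows in the sample are copied from the table above; the SSODL row is constructed, with an invented value name ("Explorer Helper Object") and an assumed writing process.

```python
"""Rebuild the SSODL -> CLSID -> InProcServer32 DLL chain from sandbox registry events."""
import re
from collections import defaultdict

# Operation, key path, optional string data, optional writing process
# (the report leaves the process column blank on some rows).
EVENT_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<data>.*)")?'
    r'(?:\s(?P<proc>\S+\.exe))?$'
)
SSODL_KEY = '\\ShellServiceObjectDelayLoad\\'
INPROC_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32\\(.*)$')


def parse_event(line):
    """Return {'op', 'path', 'data', 'proc'} for one report row, or None if it does not parse."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    if ev['data'] is not None:
        # The report renders registry data with doubled backslashes; undo that.
        ev['data'] = ev['data'].replace('\\\\', '\\')
    return ev


def persistence_chain(lines):
    """Map each SSODL entry name to its CLSID, the process that wrote the entry, and every
    InProcServer32 default value (DLL path) recorded for that CLSID, in report order."""
    ssodl = {}                   # entry name -> (clsid, writer)
    servers = defaultdict(list)  # clsid -> [(dll, writer), ...]
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev['op'] != 'Set value (str)' or ev['data'] is None:
            continue
        path = ev['path']
        if SSODL_KEY in path:
            name = path.rsplit('\\', 1)[1]
            ssodl[name] = (ev['data'].upper(), ev['proc'])
            continue
        m = INPROC_RE.search(path)
        if m and m.group(2) == '':  # the default value is the DLL COM will load
            servers[m.group(1).upper()].append((ev['data'], ev['proc']))
    chain = {}
    for name, (clsid, writer) in ssodl.items():
        hits = servers.get(clsid, [])
        chain[name] = {
            'clsid': clsid,
            'set_by': writer,
            'dlls': [dll for dll, _ in hits],
            'dll_writers': [w for _, w in hits],
        }
    return chain


# Sample input: the first five rows are copied from this report's registry-class table;
# the last row is constructed (invented value name and assumed writer) to stand in for
# the report's "Adds autorun key to be loaded by Explorer.exe on startup" events.
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcohbh32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaaqkkme.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnchedie.dll" Kagkebpb.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icqfcj32.dll"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnfbaka.dll" Bkmegaaf.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Explorer Helper Object = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmkjjbhg.exe',
]

if __name__ == '__main__':
    for name, info in persistence_chain(SAMPLE_EVENTS).items():
        print(f'{name} -> {info["clsid"]} (set by {info["set_by"]})')
        for dll, writer in zip(info['dlls'], info['dll_writers']):
            print(f'    InProcServer32 = {dll}  written by {writer or "?"}')
```

`dlls` is a list rather than a single value because the sample repoints the same CLSID at a new DLL on every hop; on a live host only the last write survives, so a registry snapshot alone would show one DLL where the run wrote dozens.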
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
94c520246fdf47e09050b25fc57ce1a1729e1cccb6dd24ae4d0ea7eec08d4872N.exe, Dihojnqo.exe, Dbadcdgp.exe, Epgabhdg.exe, Eedijo32.exe, Eeffpn32.exe, Ecnpgj32.exe, Fpdqlkhe.exe, Fbeimf32.exe, Fmknko32.exe, Fbjchfaq.exe, Gaamobdf.exe, Gkjahg32.exe, Gmkjjbhg.exe, Glbcpokl.exe, Hekhid32.exe
description | pid | process | target process
(Each of the 16 hops below is logged four times in the report, giving the 64 IoCs; each hop is listed once here.)
PID 2304 wrote to memory of 2060 | 2304 | 94c520246fdf47e09050b25fc57ce1a1729e1cccb6dd24ae4d0ea7eec08d4872N.exe | Dihojnqo.exe
PID 2060 wrote to memory of 2948 | 2060 | Dihojnqo.exe | Dbadcdgp.exe
PID 2948 wrote to memory of 2520 | 2948 | Dbadcdgp.exe | Epgabhdg.exe
PID 2520 wrote to memory of 2932 | 2520 | Epgabhdg.exe | Eedijo32.exe
PID 2932 wrote to memory of 2928 | 2932 | Eedijo32.exe | Eeffpn32.exe
PID 2928 wrote to memory of 2300 | 2928 | Eeffpn32.exe | Ecnpgj32.exe
PID 2300 wrote to memory of 268 | 2300 | Ecnpgj32.exe | Fpdqlkhe.exe
PID 268 wrote to memory of 2092 | 268 | Fpdqlkhe.exe | Fbeimf32.exe
PID 2092 wrote to memory of 2736 | 2092 | Fbeimf32.exe | Fmknko32.exe
PID 2736 wrote to memory of 700 | 2736 | Fmknko32.exe | Fbjchfaq.exe
PID 700 wrote to memory of 2096 | 700 | Fbjchfaq.exe | Gaamobdf.exe
PID 2096 wrote to memory of 1680 | 2096 | Gaamobdf.exe | Gkjahg32.exe
PID 1680 wrote to memory of 2248 | 1680 | Gkjahg32.exe | Gmkjjbhg.exe
PID 2248 wrote to memory of 980 | 2248 | Gmkjjbhg.exe | Glbcpokl.exe
PID 980 wrote to memory of 2532 | 980 | Glbcpokl.exe | Hekhid32.exe
PID 2532 wrote to memory of 2136 | 2532 | Hekhid32.exe | Hcohbh32.exe
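The WriteProcessMemory rows describe a straight relay: each dropped executable writes into exactly one child, and that child goes on to spawn and write into the next. The Python below is an added example and not part of the sandbox report: it collapses the repeated rows to unique parent-to-child edges, finds the one writer that is never itself a target, and walks the relay from there, numbering hops the way the process tree below does (root = 1). The sample rows are the first three hops copied from the table above, each repeated four times as in the report; the rejection of a branching graph is an assumption about what a "relay" should look like, not something the report states.

```python
"""Reconstruct the injection relay from sandbox WriteProcessMemory rows."""
import re

# Report layout: "PID <src> wrote to memory of <dst> <src> <process> <target process>"
WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
    r'(?P<pid>\d+) (?P<proc>\S+) (?P<target>\S+)$'
)


def unique_edges(lines):
    """Return {(src_pid, dst_pid, src_name, dst_name): row_count} in first-seen order.
    Rows that do not parse, or whose two source-PID columns disagree, are dropped."""
    edges = {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m is None or m['src'] != m['pid']:
            continue
        key = (int(m['src']), int(m['dst']), m['proc'], m['target'])
        edges[key] = edges.get(key, 0) + 1
    return edges


def injection_chain(edges):
    """Walk parent -> child from the root writer and return [(depth, name, pid), ...].
    Raises ValueError if there is not exactly one root or a writer has several children."""
    children = {}
    targets = set()
    for src, dst, src_name, dst_name in edges:
        children.setdefault((src, src_name), []).append((dst, dst_name))
        targets.add(dst)
    roots = [node for node in children if node[0] not in targets]
    if len(roots) != 1:
        raise ValueError(f'expected exactly one root writer, found {roots}')
    chain, node, depth = [], roots[0], 1
    while True:
        chain.append((depth, node[1], node[0]))
        kids = children.get(node, [])
        if not kids:
            return chain
        if len(kids) > 1:  # not a simple relay; the tree below never branches
            raise ValueError(f'{node[1]} wrote into several processes: {kids}')
        node, depth = kids[0], depth + 1


# Sample input: the first three hops from this report, each logged four times as in the table.
SAMPLE_ROWS = (
    ['PID 2304 wrote to memory of 2060 2304 '
     '94c520246fdf47e09050b25fc57ce1a1729e1cccb6dd24ae4d0ea7eec08d4872N.exe Dihojnqo.exe'] * 4
    + ['PID 2060 wrote to memory of 2948 2060 Dihojnqo.exe Dbadcdgp.exe'] * 4
    + ['PID 2948 wrote to memory of 2520 2948 Dbadcdgp.exe Epgabhdg.exe'] * 4
)

if __name__ == '__main__':
    edges = unique_edges(SAMPLE_ROWS)
    print(f'{sum(edges.values())} rows -> {len(edges)} unique hops')
    for depth, name, pid in injection_chain(edges):
        print(f'{depth:>3}  {name}  (PID {pid})')
```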
Processes
Each process is the child of the one above it; the leading number is its depth in the process tree. The image path is followed by the command line the sandbox recorded and the PID.

1  C:\Users\Admin\AppData\Local\Temp\94c520246fdf47e09050b25fc57ce1a1729e1cccb6dd24ae4d0ea7eec08d4872N.exe  (cmdline "C:\Users\Admin\AppData\Local\Temp\94c520246fdf47e09050b25fc57ce1a1729e1cccb6dd24ae4d0ea7eec08d4872N.exe")  PID 2304
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\Dihojnqo.exe  (cmdline C:\Windows\system32\Dihojnqo.exe)  PID 2060
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\Dbadcdgp.exe  (cmdline C:\Windows\system32\Dbadcdgp.exe)  PID 2948
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\Epgabhdg.exe  (cmdline C:\Windows\system32\Epgabhdg.exe)  PID 2520
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\Eedijo32.exe  (cmdline C:\Windows\system32\Eedijo32.exe)  PID 2932
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\Eeffpn32.exe  (cmdline C:\Windows\system32\Eeffpn32.exe)  PID 2928
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\Ecnpgj32.exe  (cmdline C:\Windows\system32\Ecnpgj32.exe)  PID 2300
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\Fpdqlkhe.exe  (cmdline C:\Windows\system32\Fpdqlkhe.exe)  PID 268
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\Fbeimf32.exe  (cmdline C:\Windows\system32\Fbeimf32.exe)  PID 2092
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\Fmknko32.exe  (cmdline C:\Windows\system32\Fmknko32.exe)  PID 2736
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\Fbjchfaq.exe  (cmdline C:\Windows\system32\Fbjchfaq.exe)  PID 700
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\Gaamobdf.exe  (cmdline C:\Windows\system32\Gaamobdf.exe)  PID 2096
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\Gkjahg32.exe  (cmdline C:\Windows\system32\Gkjahg32.exe)  PID 1680
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\Gmkjjbhg.exe  (cmdline C:\Windows\system32\Gmkjjbhg.exe)  PID 2248
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\Glbcpokl.exe  (cmdline C:\Windows\system32\Glbcpokl.exe)  PID 980
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\Hekhid32.exe  (cmdline C:\Windows\system32\Hekhid32.exe)  PID 2532
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\Hcohbh32.exe  (cmdline C:\Windows\system32\Hcohbh32.exe)  PID 2136
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
18  C:\Windows\SysWOW64\Hoeigi32.exe  (cmdline C:\Windows\system32\Hoeigi32.exe)  PID 1572
    - Executes dropped EXE
    - Loads dropped DLL
19  C:\Windows\SysWOW64\Hccbnhla.exe  (cmdline C:\Windows\system32\Hccbnhla.exe)  PID 856
    - Executes dropped EXE
    - Loads dropped DLL
20  C:\Windows\SysWOW64\Hnmcne32.exe  (cmdline C:\Windows\system32\Hnmcne32.exe)  PID 2124
    - Executes dropped EXE
    - Loads dropped DLL
21  C:\Windows\SysWOW64\Ihedan32.exe  (cmdline C:\Windows\system32\Ihedan32.exe)  PID 2260
    - Executes dropped EXE
    - Loads dropped DLL
22  C:\Windows\SysWOW64\Ibmhjc32.exe  (cmdline C:\Windows\system32\Ibmhjc32.exe)  PID 2640
    - Executes dropped EXE
    - Loads dropped DLL
23  C:\Windows\SysWOW64\Igjabj32.exe  (cmdline C:\Windows\system32\Igjabj32.exe)  PID 1988
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
24  C:\Windows\SysWOW64\Ifoncgpc.exe  (cmdline C:\Windows\system32\Ifoncgpc.exe)  PID 1420
    - Executes dropped EXE
    - Loads dropped DLL
25  C:\Windows\SysWOW64\Iqgofo32.exe  (cmdline C:\Windows\system32\Iqgofo32.exe)  PID 1592
    - Executes dropped EXE
    - Loads dropped DLL
26  C:\Windows\SysWOW64\Jfdgnf32.exe  (cmdline C:\Windows\system32\Jfdgnf32.exe)  PID 2044
    - Executes dropped EXE
    - Loads dropped DLL
27  C:\Windows\SysWOW64\Jmplqp32.exe  (cmdline C:\Windows\system32\Jmplqp32.exe)  PID 2288
    - Executes dropped EXE
    - Loads dropped DLL
28  C:\Windows\SysWOW64\Jbmdig32.exe  (cmdline C:\Windows\system32\Jbmdig32.exe)  PID 2824
    - Executes dropped EXE
    - Loads dropped DLL
29  C:\Windows\SysWOW64\Jncenh32.exe  (cmdline C:\Windows\system32\Jncenh32.exe)  PID 2144
    - Executes dropped EXE
    - Loads dropped DLL
30  C:\Windows\SysWOW64\Jnfbcg32.exe  (cmdline C:\Windows\system32\Jnfbcg32.exe)  PID 2900
    - Executes dropped EXE
    - Loads dropped DLL
31  C:\Windows\SysWOW64\Kagkebpb.exe  (cmdline C:\Windows\system32\Kagkebpb.exe)  PID 2756
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
32  C:\Windows\SysWOW64\Knkkngol.exe  (cmdline C:\Windows\system32\Knkkngol.exe)  PID 2664
    - Executes dropped EXE
    - Loads dropped DLL
33  C:\Windows\SysWOW64\Kjalch32.exe  (cmdline C:\Windows\system32\Kjalch32.exe)  PID 436
    - Executes dropped EXE
34  C:\Windows\SysWOW64\Kleeqp32.exe  (cmdline C:\Windows\system32\Kleeqp32.exe)  PID 2308
    - Executes dropped EXE
35  C:\Windows\SysWOW64\Lljolodf.exe  (cmdline C:\Windows\system32\Lljolodf.exe)  PID 2384
    - Executes dropped EXE
36  C:\Windows\SysWOW64\Lkahbkgk.exe  (cmdline C:\Windows\system32\Lkahbkgk.exe)  PID 540
    - Executes dropped EXE
37  C:\Windows\SysWOW64\Looahi32.exe  (cmdline C:\Windows\system32\Looahi32.exe)  PID 1900
    - Executes dropped EXE
38  C:\Windows\SysWOW64\Liibigjq.exe  (cmdline C:\Windows\system32\Liibigjq.exe)  PID 840
    - Executes dropped EXE
    - Drops file in System32 directory
39  C:\Windows\SysWOW64\Mcafbm32.exe  (cmdline C:\Windows\system32\Mcafbm32.exe)  PID 968
    - Executes dropped EXE
40  C:\Windows\SysWOW64\Mlikkbga.exe  (cmdline C:\Windows\system32\Mlikkbga.exe)  PID 2416
    - Executes dropped EXE
41  C:\Windows\SysWOW64\Mebpchmb.exe  (cmdline C:\Windows\system32\Mebpchmb.exe)  PID 460
    - Executes dropped EXE
42  C:\Windows\SysWOW64\Mpgdaqmh.exe  (cmdline C:\Windows\system32\Mpgdaqmh.exe)  PID 2388
    - Executes dropped EXE
43  C:\Windows\SysWOW64\Mlndfa32.exe  (cmdline C:\Windows\system32\Mlndfa32.exe)  PID 1084
    - Executes dropped EXE
44  C:\Windows\SysWOW64\Makmnh32.exe  (cmdline C:\Windows\system32\Makmnh32.exe)  PID 1828
    - Executes dropped EXE
45  C:\Windows\SysWOW64\Moomgmpm.exe  (cmdline C:\Windows\system32\Moomgmpm.exe)  PID 2228
    - Executes dropped EXE
46  C:\Windows\SysWOW64\Mdlfpcnd.exe  (cmdline C:\Windows\system32\Mdlfpcnd.exe)  PID 2040
    - Executes dropped EXE
47  C:\Windows\SysWOW64\Noajmlnj.exe  (cmdline C:\Windows\system32\Noajmlnj.exe)  PID 1292
    - Executes dropped EXE
48  C:\Windows\SysWOW64\Ngmoao32.exe  (cmdline C:\Windows\system32\Ngmoao32.exe)  PID 1764
    - Executes dropped EXE
49  C:\Windows\SysWOW64\Ngolgn32.exe  (cmdline C:\Windows\system32\Ngolgn32.exe)  PID 892
    - Executes dropped EXE
50  C:\Windows\SysWOW64\Npgppdpc.exe  (cmdline C:\Windows\system32\Npgppdpc.exe)  PID 2604
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
51  C:\Windows\SysWOW64\Ndeifbfj.exe  (cmdline C:\Windows\system32\Ndeifbfj.exe)  PID 1624
    - Executes dropped EXE
52  C:\Windows\SysWOW64\Noojfpbi.exe  (cmdline C:\Windows\system32\Noojfpbi.exe)  PID 2856
    - Executes dropped EXE
53  C:\Windows\SysWOW64\Ombjpd32.exe  (cmdline C:\Windows\system32\Ombjpd32.exe)  PID 2776
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
54  C:\Windows\SysWOW64\Obpbhk32.exe  (cmdline C:\Windows\system32\Obpbhk32.exe)  PID 2676
    - Executes dropped EXE
55  C:\Windows\SysWOW64\Oilgje32.exe  (cmdline C:\Windows\system32\Oilgje32.exe)  PID 2828
    - Executes dropped EXE
56  C:\Windows\SysWOW64\Oindpd32.exe  (cmdline C:\Windows\system32\Oindpd32.exe)  PID 2780
    - Executes dropped EXE
57  C:\Windows\SysWOW64\Obfiijia.exe  (cmdline C:\Windows\system32\Obfiijia.exe)  PID 2740
    - Executes dropped EXE
58  C:\Windows\SysWOW64\Pjbnmm32.exe  (cmdline C:\Windows\system32\Pjbnmm32.exe)  PID 2588
    - Executes dropped EXE
59  C:\Windows\SysWOW64\Pcjbfbmm.exe  (cmdline C:\Windows\system32\Pcjbfbmm.exe)  PID 2708
    - Executes dropped EXE
60  C:\Windows\SysWOW64\Pejnpe32.exe  (cmdline C:\Windows\system32\Pejnpe32.exe)  PID 1532
    - Executes dropped EXE
61  C:\Windows\SysWOW64\Paqoef32.exe  (cmdline C:\Windows\system32\Paqoef32.exe)  PID 2084
    - Executes dropped EXE
62  C:\Windows\SysWOW64\Pmgpjgph.exe  (cmdline C:\Windows\system32\Pmgpjgph.exe)  PID 780
    - Executes dropped EXE
63  C:\Windows\SysWOW64\Pfpdcm32.exe  (cmdline C:\Windows\system32\Pfpdcm32.exe)  PID 2232
    - Executes dropped EXE
64  C:\Windows\SysWOW64\Pbfehn32.exe  (cmdline C:\Windows\system32\Pbfehn32.exe)  PID 3060
    - Executes dropped EXE
65  C:\Windows\SysWOW64\Qpjeaa32.exe  (cmdline C:\Windows\system32\Qpjeaa32.exe)  PID 2544
    - Executes dropped EXE
66  C:\Windows\SysWOW64\Qnpbbn32.exe  (cmdline C:\Windows\system32\Qnpbbn32.exe)  PID 712
67  C:\Windows\SysWOW64\Alcclb32.exe  (cmdline C:\Windows\system32\Alcclb32.exe)  PID 1804
    - Drops file in System32 directory
68  C:\Windows\SysWOW64\Alfpab32.exe  (cmdline C:\Windows\system32\Alfpab32.exe)  PID 1716
69  C:\Windows\SysWOW64\Ahmpfc32.exe  (cmdline C:\Windows\system32\Ahmpfc32.exe)  PID 788
70  C:\Windows\SysWOW64\Amiioj32.exe  (cmdline C:\Windows\system32\Amiioj32.exe)  PID 1332
71  C:\Windows\SysWOW64\Afamgpga.exe  (cmdline C:\Windows\system32\Afamgpga.exe)  PID 2752
72  C:\Windows\SysWOW64\Apjbpemb.exe  (cmdline C:\Windows\system32\Apjbpemb.exe)  PID 2748
73  C:\Windows\SysWOW64\Blabef32.exe  (cmdline C:\Windows\system32\Blabef32.exe)  PID 2176
74  C:\Windows\SysWOW64\Bbkkbpjc.exe  (cmdline C:\Windows\system32\Bbkkbpjc.exe)  PID 2432
75  C:\Windows\SysWOW64\Blcokf32.exe  (cmdline C:\Windows\system32\Blcokf32.exe)  PID 2872
76  C:\Windows\SysWOW64\Bigpdjpm.exe  (cmdline C:\Windows\system32\Bigpdjpm.exe)  PID 2808
77  C:\Windows\SysWOW64\Bbpdmp32.exe  (cmdline C:\Windows\system32\Bbpdmp32.exe)  PID 2924
78  C:\Windows\SysWOW64\Blhifemo.exe  (cmdline C:\Windows\system32\Blhifemo.exe)  PID 1736
79  C:\Windows\SysWOW64\Bkmegaaf.exe  (cmdline C:\Windows\system32\Bkmegaaf.exe)  PID 1176
    - Modifies registry class
80  C:\Windows\SysWOW64\Bebjdjal.exe  (cmdline C:\Windows\system32\Bebjdjal.exe)  PID 2496
81  C:\Windows\SysWOW64\Cdhgegfd.exe  (cmdline C:\Windows\system32\Cdhgegfd.exe)  PID 2108
82  C:\Windows\SysWOW64\Cjdonndl.exe  (cmdline C:\Windows\system32\Cjdonndl.exe)  PID 2456
83  C:\Windows\SysWOW64\Ccmcfc32.exe  (cmdline C:\Windows\system32\Ccmcfc32.exe)  PID 2516
84  C:\Windows\SysWOW64\Cdlppf32.exe  (cmdline C:\Windows\system32\Cdlppf32.exe)  PID 2688
85  C:\Windows\SysWOW64\Cnedilio.exe  (cmdline C:\Windows\system32\Cnedilio.exe)  PID 604
86  C:\Windows\SysWOW64\Ccamabgg.exe  (cmdline C:\Windows\system32\Ccamabgg.exe)  PID 972
87  C:\Windows\SysWOW64\Choejien.exe  (cmdline C:\Windows\system32\Choejien.exe)  PID 1580
    - Modifies registry class
88  C:\Windows\SysWOW64\Dfbfcn32.exe  (cmdline C:\Windows\system32\Dfbfcn32.exe)  PID 1744
    - Adds autorun key to be loaded by Explorer.exe on startup
89  C:\Windows\SysWOW64\Dokjlcjh.exe  (cmdline C:\Windows\system32\Dokjlcjh.exe)  PID 644
90  C:\Windows\SysWOW64\Ddgcdjip.exe  (cmdline C:\Windows\system32\Ddgcdjip.exe)  PID 1144
91  C:\Windows\SysWOW64\Dkakad32.exe  (cmdline C:\Windows\system32\Dkakad32.exe)  PID 2796
    - System Location Discovery: System Language Discovery
92  C:\Windows\SysWOW64\Dblcnngi.exe  (cmdline C:\Windows\system32\Dblcnngi.exe)  PID 2068
93  C:\Windows\SysWOW64\Dkdhfdnj.exe  (cmdline C:\Windows\system32\Dkdhfdnj.exe)  PID 2396
94  C:\Windows\SysWOW64\Emjnikpc.exe  (cmdline C:\Windows\system32\Emjnikpc.exe)  PID 1040
95  C:\Windows\SysWOW64\Eickdlcd.exe  (cmdline C:\Windows\system32\Eickdlcd.exe)  PID 964
96  C:\Windows\SysWOW64\Ejbhno32.exe  (cmdline C:\Windows\system32\Ejbhno32.exe)  PID 1832
    - System Location Discovery: System Language Discovery
97  C:\Windows\SysWOW64\Eiheok32.exe  (cmdline C:\Windows\system32\Eiheok32.exe)  PID 2028
98  C:\Windows\SysWOW64\Endmgb32.exe  (cmdline C:\Windows\system32\Endmgb32.exe)  PID 2112
99  C:\Windows\SysWOW64\Fenedlec.exe  (cmdline C:\Windows\system32\Fenedlec.exe)  PID 1412
100  C:\Windows\SysWOW64\Fngjmb32.exe  (cmdline C:\Windows\system32\Fngjmb32.exe)  PID 1756
101  C:\Windows\SysWOW64\Fjnkac32.exe  (cmdline C:\Windows\system32\Fjnkac32.exe)  PID 2508
102  C:\Windows\SysWOW64\Fecool32.exe  (cmdline C:\Windows\system32\Fecool32.exe)  PID 2436
103  C:\Windows\SysWOW64\Fjpggb32.exe  (cmdline C:\Windows\system32\Fjpggb32.exe)  PID 2608
    - Drops file in System32 directory
104  C:\Windows\SysWOW64\Fdhlphff.exe  (cmdline C:\Windows\system32\Fdhlphff.exe)  PID 2244
105  C:\Windows\SysWOW64\Fmqpinlf.exe  (cmdline C:\Windows\system32\Fmqpinlf.exe)  PID 2880
106  C:\Windows\SysWOW64\Fhfdffll.exe  (cmdline C:\Windows\system32\Fhfdffll.exe)  PID 2792
107  C:\Windows\SysWOW64\Gmcmomjc.exe  (cmdline C:\Windows\system32\Gmcmomjc.exe)  PID 2684
108  C:\Windows\SysWOW64\Gbpegdik.exe  (cmdline C:\Windows\system32\Gbpegdik.exe)  PID 1560
109  C:\Windows\SysWOW64\Gpdfph32.exe  (cmdline C:\Windows\system32\Gpdfph32.exe)  PID 2128
110  C:\Windows\SysWOW64\Gbbbld32.exe  (cmdline C:\Windows\system32\Gbbbld32.exe)  PID 1636
111  C:\Windows\SysWOW64\Giljinne.exe  (cmdline C:\Windows\system32\Giljinne.exe)  PID 3056
112  C:\Windows\SysWOW64\Goicaell.exe  (cmdline C:\Windows\system32\Goicaell.exe)  PID 2484
    - System Location Discovery: System Language Discovery
113  C:\Windows\SysWOW64\Ghagjj32.exe  (cmdline C:\Windows\system32\Ghagjj32.exe)  PID 1044
114  C:\Windows\SysWOW64\Ghcdpjqj.exe  (cmdline C:\Windows\system32\Ghcdpjqj.exe)  PID 2012
115  C:\Windows\SysWOW64\Galhhp32.exe  (cmdline C:\Windows\system32\Galhhp32.exe)  PID 2596
    - Drops file in System32 directory
116  C:\Windows\SysWOW64\Hhfqejoh.exe  (cmdline C:\Windows\system32\Hhfqejoh.exe)  PID 2624
    - Adds autorun key to be loaded by Explorer.exe on startup
117  C:\Windows\SysWOW64\Hopibdfd.exe  (cmdline C:\Windows\system32\Hopibdfd.exe)  PID 2504
118  C:\Windows\SysWOW64\Hhhmki32.exe  (cmdline C:\Windows\system32\Hhhmki32.exe)  PID 3032
119  C:\Windows\SysWOW64\Hobfgcdb.exe  (cmdline C:\Windows\system32\Hobfgcdb.exe)  PID 2668
120  C:\Windows\SysWOW64\Hhkjpi32.exe  (cmdline C:\Windows\system32\Hhkjpi32.exe)  PID 576
    - Drops file in System32 directory
121  C:\Windows\SysWOW64\Hpfoekhm.exe  (cmdline C:\Windows\system32\Hpfoekhm.exe)  PID 3008
122  C:\Windows\SysWOW64\Hkkcbdhc.exe  (cmdline C:\Windows\system32\Hkkcbdhc.exe)  PID 584