Analysis
max time kernel: 55s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 23-11-2024 04:04
Static task: static1
Behavioral task: behavioral1
  Sample: d4cf098ca67ab38b87f3615301b7adbe35571dc8a562b9593daf1d74180c9e84.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: d4cf098ca67ab38b87f3615301b7adbe35571dc8a562b9593daf1d74180c9e84.exe
  Resource: win10v2004-20241007-en
General
Target: d4cf098ca67ab38b87f3615301b7adbe35571dc8a562b9593daf1d74180c9e84.exe
Size: 324KB
MD5: e0d9b5990c020f6c02b8575abaa19aa9
SHA1: 42275723282635a3556c77cad203ba3a6fd85149
SHA256: d4cf098ca67ab38b87f3615301b7adbe35571dc8a562b9593daf1d74180c9e84
SHA512: c821bbd36635a876f0d065486b7f522a97548ae5009ddf55a6a584f80792d9034cf6db0035e2b81a21c1eaff5782900cb4f6f962a7f6c22a68c486627c4be036
SSDEEP: 6144:KYis6faNWv9pmzd5IF6rfBBcVPINRFYpfZvT6zAWq6JMf3us8ws:KY7FIv9Up5IFy5BcVPINRFYpfZvTmAW9
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes:
WerFault.exe: pid 4292, pid_target 2212, procid_target 467
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldgpea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilolol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkngbi32.dll" Noalfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgaljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdgphqgg.dll" Dlfbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acblea32.dll" Iniidj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elpnmhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjdjbl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d4cf098ca67ab38b87f3615301b7adbe35571dc8a562b9593daf1d74180c9e84.exe Kbokda32.exe Lkoidcaj.exe Lgejidgn.exe Lpbhmiji.exe Mqgahh32.exe Mkconepp.exe Mgjpcf32.exe Njobpa32.exe Ojdlkp32.exe Obamebfc.exe Onkjocjd.exe Pjchjcmf.exe Pmdalo32.exe Phckglbq.exe Qhehmkqn.exe
description pid Process procid_target
PID 840 wrote to memory of 2892 840 d4cf098ca67ab38b87f3615301b7adbe35571dc8a562b9593daf1d74180c9e84.exe 29
PID 840 wrote to memory of 2892 840 d4cf098ca67ab38b87f3615301b7adbe35571dc8a562b9593daf1d74180c9e84.exe 29
PID 840 wrote to memory of 2892 840 d4cf098ca67ab38b87f3615301b7adbe35571dc8a562b9593daf1d74180c9e84.exe 29
PID 840 wrote to memory of 2892 840 d4cf098ca67ab38b87f3615301b7adbe35571dc8a562b9593daf1d74180c9e84.exe 29
PID 2892 wrote to memory of 2860 2892 Kbokda32.exe 30
PID 2892 wrote to memory of 2860 2892 Kbokda32.exe 30
PID 2892 wrote to memory of 2860 2892 Kbokda32.exe 30
PID 2892 wrote to memory of 2860 2892 Kbokda32.exe 30
PID 2860 wrote to memory of 2836 2860 Lkoidcaj.exe 31
PID 2860 wrote to memory of 2836 2860 Lkoidcaj.exe 31
PID 2860 wrote to memory of 2836 2860 Lkoidcaj.exe 31
PID 2860 wrote to memory of 2836 2860 Lkoidcaj.exe 31
PID 2836 wrote to memory of 2904 2836 Lgejidgn.exe 32
PID 2836 wrote to memory of 2904 2836 Lgejidgn.exe 32
PID 2836 wrote to memory of 2904 2836 Lgejidgn.exe 32
PID 2836 wrote to memory of 2904 2836 Lgejidgn.exe 32
PID 2904 wrote to memory of 2724 2904 Lpbhmiji.exe 33
PID 2904 wrote to memory of 2724 2904 Lpbhmiji.exe 33
PID 2904 wrote to memory of 2724 2904 Lpbhmiji.exe 33
PID 2904 wrote to memory of 2724 2904 Lpbhmiji.exe 33
PID 2724 wrote to memory of 2440 2724 Mqgahh32.exe 34
PID 2724 wrote to memory of 2440 2724 Mqgahh32.exe 34
PID 2724 wrote to memory of 2440 2724 Mqgahh32.exe 34
PID 2724 wrote to memory of 2440 2724 Mqgahh32.exe 34
PID 2440 wrote to memory of 1064 2440 Mkconepp.exe 35
PID 2440 wrote to memory of 1064 2440 Mkconepp.exe 35
PID 2440 wrote to memory of 1064 2440 Mkconepp.exe 35
PID 2440 wrote to memory of 1064 2440 Mkconepp.exe 35
PID 1064 wrote to memory of 832 1064 Mgjpcf32.exe 36
PID 1064 wrote to memory of 832 1064 Mgjpcf32.exe 36
PID 1064 wrote to memory of 832 1064 Mgjpcf32.exe 36
PID 1064 wrote to memory of 832 1064 Mgjpcf32.exe 36
PID 832 wrote to memory of 1020 832 Njobpa32.exe 37
PID 832 wrote to memory of 1020 832 Njobpa32.exe 37
PID 832 wrote to memory of 1020 832 Njobpa32.exe 37
PID 832 wrote to memory of 1020 832 Njobpa32.exe 37
PID 1020 wrote to memory of 2180 1020 Ojdlkp32.exe 38
PID 1020 wrote to memory of 2180 1020 Ojdlkp32.exe 38
PID 1020 wrote to memory of 2180 1020 Ojdlkp32.exe 38
PID 1020 wrote to memory of 2180 1020 Ojdlkp32.exe 38
PID 2180 wrote to memory of 1400 2180 Obamebfc.exe 39
PID 2180 wrote to memory of 1400 2180 Obamebfc.exe 39
PID 2180 wrote to memory of 1400 2180 Obamebfc.exe 39
PID 2180 wrote to memory of 1400 2180 Obamebfc.exe 39
PID 1400 wrote to memory of 2896 1400 Onkjocjd.exe 40
PID 1400 wrote to memory of 2896 1400 Onkjocjd.exe 40
PID 1400 wrote to memory of 2896 1400 Onkjocjd.exe 40
PID 1400 wrote to memory of 2896 1400 Onkjocjd.exe 40
PID 2896 wrote to memory of 1108 2896 Pjchjcmf.exe 41
PID 2896 wrote to memory of 1108 2896 Pjchjcmf.exe 41
PID 2896 wrote to memory of 1108 2896 Pjchjcmf.exe 41
PID 2896 wrote to memory of 1108 2896 Pjchjcmf.exe 41
PID 1108 wrote to memory of 2908 1108 Pmdalo32.exe 42
PID 1108 wrote to memory of 2908 1108 Pmdalo32.exe 42
PID 1108 wrote to memory of 2908 1108 Pmdalo32.exe 42
PID 1108 wrote to memory of 2908 1108 Pmdalo32.exe 42
PID 2908 wrote to memory of 2192 2908 Phckglbq.exe 43
PID 2908 wrote to memory of 2192 2908 Phckglbq.exe 43
PID 2908 wrote to memory of 2192 2908 Phckglbq.exe 43
PID 2908 wrote to memory of 2192 2908 Phckglbq.exe 43
PID 2192 wrote to memory of 1968 2192 Qhehmkqn.exe 44
PID 2192 wrote to memory of 1968 2192 Qhehmkqn.exe 44
PID 2192 wrote to memory of 1968 2192 Qhehmkqn.exe 44
PID 2192 wrote to memory of 1968 2192 Qhehmkqn.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4cf098ca67ab38b87f3615301b7adbe35571dc8a562b9593daf1d74180c9e84.exe"C:\Users\Admin\AppData\Local\Temp\d4cf098ca67ab38b87f3615301b7adbe35571dc8a562b9593daf1d74180c9e84.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Kbokda32.exeC:\Windows\system32\Kbokda32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Lkoidcaj.exeC:\Windows\system32\Lkoidcaj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Lgejidgn.exeC:\Windows\system32\Lgejidgn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Lpbhmiji.exeC:\Windows\system32\Lpbhmiji.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Mqgahh32.exeC:\Windows\system32\Mqgahh32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Mkconepp.exeC:\Windows\system32\Mkconepp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Mgjpcf32.exeC:\Windows\system32\Mgjpcf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Njobpa32.exeC:\Windows\system32\Njobpa32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Ojdlkp32.exeC:\Windows\system32\Ojdlkp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Obamebfc.exeC:\Windows\system32\Obamebfc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Onkjocjd.exeC:\Windows\system32\Onkjocjd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Pjchjcmf.exeC:\Windows\system32\Pjchjcmf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Pmdalo32.exeC:\Windows\system32\Pmdalo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Phckglbq.exeC:\Windows\system32\Phckglbq.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Qhehmkqn.exeC:\Windows\system32\Qhehmkqn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Agonig32.exeC:\Windows\system32\Agonig32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Acfonhgd.exeC:\Windows\system32\Acfonhgd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Blcmbmip.exeC:\Windows\system32\Blcmbmip.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Bfkakbpp.exeC:\Windows\system32\Bfkakbpp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:680 -
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Cdgdlnop.exeC:\Windows\system32\Cdgdlnop.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Cqqbgoba.exeC:\Windows\system32\Cqqbgoba.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Cofohkgi.exeC:\Windows\system32\Cofohkgi.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Deedfacn.exeC:\Windows\system32\Deedfacn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:332 -
C:\Windows\SysWOW64\Dbidof32.exeC:\Windows\system32\Dbidof32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Dlcfnk32.exeC:\Windows\system32\Dlcfnk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Dlfbck32.exeC:\Windows\system32\Dlfbck32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Djkodg32.exeC:\Windows\system32\Djkodg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Eagdgaoe.exeC:\Windows\system32\Eagdgaoe.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Elaego32.exeC:\Windows\system32\Elaego32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Elcbmn32.exeC:\Windows\system32\Elcbmn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Eigbfb32.exeC:\Windows\system32\Eigbfb32.exe33⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Fillabde.exeC:\Windows\system32\Fillabde.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Febmfcjj.exeC:\Windows\system32\Febmfcjj.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Fgffck32.exeC:\Windows\system32\Fgffck32.exe36⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Fhfbmn32.exeC:\Windows\system32\Fhfbmn32.exe37⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Gcocnk32.exeC:\Windows\system32\Gcocnk32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\Gohqhl32.exeC:\Windows\system32\Gohqhl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Gllabp32.exeC:\Windows\system32\Gllabp32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Glongpao.exeC:\Windows\system32\Glongpao.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Gheola32.exeC:\Windows\system32\Gheola32.exe42⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Hnbgdh32.exeC:\Windows\system32\Hnbgdh32.exe43⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Hgkknm32.exeC:\Windows\system32\Hgkknm32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:952 -
C:\Windows\SysWOW64\Hjkdoh32.exeC:\Windows\system32\Hjkdoh32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Hgpeimhf.exeC:\Windows\system32\Hgpeimhf.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Hjpnjheg.exeC:\Windows\system32\Hjpnjheg.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Ijbjpg32.exeC:\Windows\system32\Ijbjpg32.exe48⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Icmlnmgb.exeC:\Windows\system32\Icmlnmgb.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Iijdfc32.exeC:\Windows\system32\Iijdfc32.exe51⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Ifndph32.exeC:\Windows\system32\Ifndph32.exe52⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Iniidj32.exeC:\Windows\system32\Iniidj32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Ijpjik32.exeC:\Windows\system32\Ijpjik32.exe54⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Jeenfd32.exeC:\Windows\system32\Jeenfd32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Jmqckf32.exeC:\Windows\system32\Jmqckf32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Jnppei32.exeC:\Windows\system32\Jnppei32.exe57⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Jjgpjjak.exeC:\Windows\system32\Jjgpjjak.exe58⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Jilmkffb.exeC:\Windows\system32\Jilmkffb.exe59⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Jcaahofh.exeC:\Windows\system32\Jcaahofh.exe60⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Kmjfae32.exeC:\Windows\system32\Kmjfae32.exe61⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Knkbimbg.exeC:\Windows\system32\Knkbimbg.exe62⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Keekeg32.exeC:\Windows\system32\Keekeg32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Kpkocpjj.exeC:\Windows\system32\Kpkocpjj.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Kopldl32.exeC:\Windows\system32\Kopldl32.exe65⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Lpfagd32.exeC:\Windows\system32\Lpfagd32.exe66⤵
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Lgbfin32.exeC:\Windows\system32\Lgbfin32.exe67⤵PID:1820
-
C:\Windows\SysWOW64\Ldfgbb32.exeC:\Windows\system32\Ldfgbb32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Llalgdbj.exeC:\Windows\system32\Llalgdbj.exe69⤵PID:1632
-
C:\Windows\SysWOW64\Lielphqc.exeC:\Windows\system32\Lielphqc.exe70⤵PID:1940
-
C:\Windows\SysWOW64\Lelmei32.exeC:\Windows\system32\Lelmei32.exe71⤵PID:2448
-
C:\Windows\SysWOW64\Modano32.exeC:\Windows\system32\Modano32.exe72⤵PID:2288
-
C:\Windows\SysWOW64\Meafpibb.exeC:\Windows\system32\Meafpibb.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:660 -
C:\Windows\SysWOW64\Mknohpqj.exeC:\Windows\system32\Mknohpqj.exe74⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Mnnhjk32.exeC:\Windows\system32\Mnnhjk32.exe75⤵PID:2536
-
C:\Windows\SysWOW64\Mckpba32.exeC:\Windows\system32\Mckpba32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Ncnmhajo.exeC:\Windows\system32\Ncnmhajo.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Nlfaag32.exeC:\Windows\system32\Nlfaag32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Nhmbfhfd.exeC:\Windows\system32\Nhmbfhfd.exe79⤵
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Nfqbol32.exeC:\Windows\system32\Nfqbol32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2272 -
C:\Windows\SysWOW64\Ncdciq32.exeC:\Windows\system32\Ncdciq32.exe81⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Nokdnail.exeC:\Windows\system32\Nokdnail.exe82⤵PID:1552
-
C:\Windows\SysWOW64\Ndhlfh32.exeC:\Windows\system32\Ndhlfh32.exe83⤵PID:972
-
C:\Windows\SysWOW64\Oblmom32.exeC:\Windows\system32\Oblmom32.exe84⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Ogkbmcba.exeC:\Windows\system32\Ogkbmcba.exe85⤵
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Windows\SysWOW64\Omhjejai.exeC:\Windows\system32\Omhjejai.exe86⤵PID:2280
-
C:\Windows\SysWOW64\Ojlkonpb.exeC:\Windows\system32\Ojlkonpb.exe87⤵PID:2276
-
C:\Windows\SysWOW64\Oiahpkdj.exeC:\Windows\system32\Oiahpkdj.exe88⤵PID:2804
-
C:\Windows\SysWOW64\Opkpme32.exeC:\Windows\system32\Opkpme32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Pciiccbm.exeC:\Windows\system32\Pciiccbm.exe90⤵PID:2744
-
C:\Windows\SysWOW64\Pnbjca32.exeC:\Windows\system32\Pnbjca32.exe91⤵PID:2600
-
C:\Windows\SysWOW64\Pnefiq32.exeC:\Windows\system32\Pnefiq32.exe92⤵
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Pjlgna32.exeC:\Windows\system32\Pjlgna32.exe93⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Phphgf32.exeC:\Windows\system32\Phphgf32.exe94⤵PID:2248
-
C:\Windows\SysWOW64\Pmmppm32.exeC:\Windows\system32\Pmmppm32.exe95⤵
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Qolmip32.exeC:\Windows\system32\Qolmip32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Qajiek32.exeC:\Windows\system32\Qajiek32.exe97⤵PID:1408
-
C:\Windows\SysWOW64\Aamekk32.exeC:\Windows\system32\Aamekk32.exe98⤵
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Abnbccia.exeC:\Windows\system32\Abnbccia.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Apbblg32.exeC:\Windows\system32\Apbblg32.exe100⤵PID:2268
-
C:\Windows\SysWOW64\Apdobg32.exeC:\Windows\system32\Apdobg32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Aimckl32.exeC:\Windows\system32\Aimckl32.exe102⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Ahbqliap.exeC:\Windows\system32\Ahbqliap.exe103⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Bdiaqj32.exeC:\Windows\system32\Bdiaqj32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Bdknfiea.exeC:\Windows\system32\Bdknfiea.exe105⤵PID:2508
-
C:\Windows\SysWOW64\Bncboo32.exeC:\Windows\system32\Bncboo32.exe106⤵PID:2960
-
C:\Windows\SysWOW64\Bhiglh32.exeC:\Windows\system32\Bhiglh32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Bdpgai32.exeC:\Windows\system32\Bdpgai32.exe108⤵PID:2240
-
C:\Windows\SysWOW64\Bjlpjp32.exeC:\Windows\system32\Bjlpjp32.exe109⤵PID:1996
-
C:\Windows\SysWOW64\Bgqqcd32.exeC:\Windows\system32\Bgqqcd32.exe110⤵PID:1220
-
C:\Windows\SysWOW64\Bpieli32.exeC:\Windows\system32\Bpieli32.exe111⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Cpkaai32.exeC:\Windows\system32\Cpkaai32.exe112⤵PID:288
-
C:\Windows\SysWOW64\Cblniaii.exeC:\Windows\system32\Cblniaii.exe113⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Clbbfj32.exeC:\Windows\system32\Clbbfj32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Cobkhe32.exeC:\Windows\system32\Cobkhe32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Chkpakla.exeC:\Windows\system32\Chkpakla.exe116⤵PID:3016
-
C:\Windows\SysWOW64\Cbcdjpba.exeC:\Windows\system32\Cbcdjpba.exe117⤵PID:2696
-
C:\Windows\SysWOW64\Djoinbpm.exeC:\Windows\system32\Djoinbpm.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Dddmkkpb.exeC:\Windows\system32\Dddmkkpb.exe119⤵PID:3060
-
C:\Windows\SysWOW64\Efolib32.exeC:\Windows\system32\Efolib32.exe120⤵PID:436
-
C:\Windows\SysWOW64\Epgabhdg.exeC:\Windows\system32\Epgabhdg.exe121⤵PID:2672
-
C:\Windows\SysWOW64\Eipekmjg.exeC:\Windows\system32\Eipekmjg.exe122⤵PID:848