Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-10-2024 02:57
Static task: static1
Behavioral task: behavioral1
  Sample: e506cf188b0a3e8ce90bf2dc96f41c7334fe002e6c9b0f24666a595f99fa4e71N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e506cf188b0a3e8ce90bf2dc96f41c7334fe002e6c9b0f24666a595f99fa4e71N.exe
  Resource: win10v2004-20241007-en
General
Target: e506cf188b0a3e8ce90bf2dc96f41c7334fe002e6c9b0f24666a595f99fa4e71N.exe
Size: 96KB
MD5: 5530ebd4d66b1cd5a011bc390c9c0c60
SHA1: 711d6b3791e10ba33027e4b92a493e3078368c6e
SHA256: e506cf188b0a3e8ce90bf2dc96f41c7334fe002e6c9b0f24666a595f99fa4e71
SHA512: 4514537c12ce4ed0f13706cb60315820077d521df2fe155cc10fff90c3ac4d879e6c96d833e11a37401dc7b8e4f81d5fd55529343087cad7621a50dffdb1e457
SSDEEP: 1536:vhQsQjjaNORfF7kfxffIIIf9vTM2LrN7RZObZUUWaegPYA:vhQsTORlZ9vJrNClUUWae
Malware Config
Extracted: berbew
URLs (31 entries, 26 distinct hosts):
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
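The URL list above is the extracted C2 configuration; what a responder usually wants from it is a host list to hunt for in DNS or proxy telemetry. The following Python script is an added example and not part of the sandbox report or of the sample: it copies the 31 URLs, reduces them to 26 unique hostnames (the leading "www." on www.redline.ru is dropped so that redline.ru and any of its subdomains match, an assumption of this example), and scans a few constructed DNS query records (the log format, client addresses and timestamps are invented here) for queries to those hosts or their subdomains. Matching is done on whole labels, so a parent zone such as nm.ru, or an unrelated name that merely ends in the same characters, is not reported.

```python
from urllib.parse import urlsplit

# C2 URLs exactly as extracted in the report's Malware Config section.
C2_URLS = [
    "http://crutop.nu/index.php", "http://crutop.ru/index.php",
    "http://mazafaka.ru/index.php", "http://color-bank.ru/index.php",
    "http://asechka.ru/index.php", "http://trojan.ru/index.php",
    "http://fuck.ru/index.php", "http://goldensand.ru/index.php",
    "http://filesearch.ru/index.php", "http://devx.nm.ru/index.php",
    "http://ros-neftbank.ru/index.php", "http://lovingod.host.sk/index.php",
    "http://www.redline.ru/index.php", "http://cvv.ru/index.php",
    "http://hackers.lv/index.php", "http://fethard.biz/index.php",
    "http://ldark.nm.ru/index.htm", "http://gaz-prom.ru/index.htm",
    "http://promo.ru/index.htm", "http://potleaf.chat.ru/index.htm",
    "http://kadet.ru/index.htm", "http://cvv.ru/index.htm",
    "http://crutop.nu/index.htm", "http://crutop.ru/index.htm",
    "http://mazafaka.ru/index.htm", "http://xware.cjb.net/index.htm",
    "http://konfiskat.org/index.htm", "http://parex-bank.ru/index.htm",
    "http://kidos-bank.ru/index.htm", "http://kavkaz.ru/index.htm",
    "http://fethard.biz/index.htm",
]


def c2_hosts(urls):
    """Reduce the URL list to lower-case hostnames; a leading 'www.' is stripped."""
    hosts = set()
    for url in urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.add(host)
    return hosts


C2_HOSTS = c2_hosts(C2_URLS)


def matching_indicator(qname, hosts=C2_HOSTS):
    """Return the indicator that qname equals or is a subdomain of, else None.

    Candidates are built from whole labels, so 'nm.ru' does not match the
    'devx.nm.ru' indicator and 'notcrutop.ru' does not match 'crutop.ru'.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


# Constructed DNS query records for the example (not taken from the report):
# fields are date, time, client address, query type, query name.
SAMPLE_DNS_LOG = """
2024-10-23 02:58:01 10.0.0.5 A www.crutop.ru
2024-10-23 02:58:02 10.0.0.5 A update.microsoft.com
2024-10-23 02:58:03 10.0.0.7 A devx.nm.ru.
2024-10-23 02:58:04 10.0.0.7 A nm.ru
2024-10-23 02:58:05 10.0.0.9 A notcrutop.ru
2024-10-23 02:58:06 10.0.0.9 A FETHARD.BIZ
""".strip().splitlines()


def scan_dns_log(lines, hosts=C2_HOSTS):
    """Return (line number, client, query name, indicator) for each query to a C2 host."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue                          # malformed record: skip, do not guess
        client, qname = fields[2], fields[4]
        indicator = matching_indicator(qname, hosts)
        if indicator is not None:
            hits.append((n, client, qname, indicator))
    return hits


if __name__ == "__main__":
    print(f"{len(C2_HOSTS)} unique C2 hosts from {len(C2_URLS)} URLs")
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("line %d: %s queried %s (indicator %s)" % hit)
```

Lines 1, 3 and 6 of the constructed log are reported (www.crutop.ru via its parent crutop.ru, devx.nm.ru with its trailing dot normalised away, FETHARD.BIZ after case folding); nm.ru and notcrutop.ru are not, which is the behaviour a suffix-string match would get wrong.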
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Kkciic32.exe, Ammmlcgi.exe, Kbmome32.exe, Emjhmipi.exe, Iciopdca.exe, Ocpfkh32.exe, Ejaphpnp.exe, Hjddaj32.exe, Jpepkk32.exe, Flcojeak.exe, Mejmmqpd.exe, Kabngjla.exe, Blfapfpg.exe, Mhflcm32.exe, Pcdldknm.exe, Cpgecq32.exe, Egpena32.exe, Gfabkl32.exe, Mmdkfmjc.exe, Emdeok32.exe, Lgnjke32.exe, Adblnnbk.exe, Gimaah32.exe, Gdfiofhn.exe, Fmfocnjg.exe, Koflgf32.exe, Eimcjl32.exe, Ecmjid32.exe, Maanab32.exe, Ngpcohbm.exe, Qifnhaho.exe, Habili32.exe, Mhcfjnhm.exe, Gojhafnb.exe, Magdam32.exe, Iogpag32.exe, Plndcmmj.exe, Dbabho32.exe, Jbhebfck.exe, Mpphdpcf.exe, Odacbpee.exe, Elibpg32.exe, Mokkegmm.exe, Amafgc32.exe, Cglcek32.exe, Lhapocoi.exe, Mmndfnpl.exe, Goiafp32.exe, Lghgmg32.exe
In the table below, <SSODL> stands for \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the report writes SOFTWARE in the "Set value" rows and Software in the "Key created" rows; registry paths are case-insensitive). The Process column is blank where the report leaves it empty.
description | ioc | Process
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkciic32.exe
Key created | <SSODL> | Ammmlcgi.exe
Key created | <SSODL> | Kbmome32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emjhmipi.exe
Key created | <SSODL> | Iciopdca.exe
Key created | <SSODL> | Ocpfkh32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejaphpnp.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjddaj32.exe
Key created | <SSODL> |
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpepkk32.exe
Key created | <SSODL> | Flcojeak.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mejmmqpd.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kabngjla.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | <SSODL> | Blfapfpg.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhflcm32.exe
Key created | <SSODL> | Pcdldknm.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpgecq32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egpena32.exe
Key created | <SSODL> | Gfabkl32.exe
Key created | <SSODL> | Mmdkfmjc.exe
Key created | <SSODL> |
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emdeok32.exe
Key created | <SSODL> |
Key created | <SSODL> | Lgnjke32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adblnnbk.exe
Key created | <SSODL> | Gimaah32.exe
Key created | <SSODL> |
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | <SSODL> | Gdfiofhn.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | <SSODL> | Fmfocnjg.exe
Key created | <SSODL> | Koflgf32.exe
Key created | <SSODL> |
Key created | <SSODL> | Eimcjl32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ecmjid32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Maanab32.exe
Key created | <SSODL> | Ngpcohbm.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qifnhaho.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Habili32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhcfjnhm.exe
Key created | <SSODL> | Gojhafnb.exe
Key created | <SSODL> | Ejaphpnp.exe
Key created | <SSODL> |
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | <SSODL> | Magdam32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iogpag32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plndcmmj.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dbabho32.exe
Key created | <SSODL> | Jbhebfck.exe
Key created | <SSODL> | Mpphdpcf.exe
Key created | <SSODL> | Odacbpee.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Elibpg32.exe
Key created | <SSODL> | Mokkegmm.exe
Key created | <SSODL> | Adblnnbk.exe
Key created | <SSODL> | Amafgc32.exe
Key created | <SSODL> | Cglcek32.exe
Key created | <SSODL> | Lhapocoi.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmndfnpl.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Goiafp32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lghgmg32.exe
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
Detect BruteRatel badger (8 IoCs)
resource | yara_rule
behavioral1/files/0x000500000001c888-864.dat | family_bruteratel
behavioral1/files/0x000500000001c895-884.dat | family_bruteratel
behavioral1/files/0x000400000001d1a6-1685.dat | family_bruteratel
behavioral1/files/0x000400000002063f-4664.dat | family_bruteratel
behavioral1/files/0x000300000002085a-5007.dat | family_bruteratel
behavioral1/files/0x0003000000020890-5080.dat | family_bruteratel
behavioral1/files/0x000300000002171d-11433.dat | family_bruteratel
behavioral1/files/0x00030000000217f2-11941.dat | family_bruteratel
Executes dropped EXE (64 IoCs)
pid | Process
2768 | Ldheebad.exe
2780 | Lkbmbl32.exe
2872 | Lonibk32.exe
2540 | Lgingm32.exe
3004 | Lncfcgeb.exe
1440 | Lgkkmm32.exe
2876 | Ljigih32.exe
2188 | Laqojfli.exe
1028 | Lpcoeb32.exe
1404 | Lcblan32.exe
1336 | Lkicbk32.exe
1668 | Lngpog32.exe
1860 | Lpflkb32.exe
3064 | Lgpdglhn.exe
2964 | Lfbdci32.exe
1060 | Lnjldf32.exe
1284 | Llmmpcfe.exe
1568 | Mokilo32.exe
944 | Mfeaiime.exe
876 | Mhcmedli.exe
1588 | Mloiec32.exe
1268 | Mqjefamk.exe
2460 | Mciabmlo.exe
2444 | Mblbnj32.exe
1156 | Mjcjog32.exe
2356 | Mhfjjdjf.exe
2708 | Mopbgn32.exe
2592 | Mbnocipg.exe
2604 | Mfjkdh32.exe
2660 | Mhhgpc32.exe
2728 | Mkfclo32.exe
1732 | Mneohj32.exe
1392 | Mflgih32.exe
1628 | Mgmdapml.exe
1288 | Modlbmmn.exe
2600 | Mnglnj32.exe
2528 | Mbchni32.exe
2436 | Mimpkcdn.exe
2152 | Ngpqfp32.exe
1888 | Ndcapd32.exe
608 | Ngbmlo32.exe
2932 | Njpihk32.exe
1684 | Nmofdf32.exe
1360 | Ndfnecgp.exe
2440 | Ncinap32.exe
1660 | Nfgjml32.exe
2364 | Njbfnjeg.exe
2692 | Nnnbni32.exe
1876 | Nppofado.exe
2612 | Nggggoda.exe
2644 | Nfigck32.exe
2732 | Nihcog32.exe
1644 | Nmcopebh.exe
2020 | Nqokpd32.exe
2104 | Npbklabl.exe
2208 | Ncmglp32.exe
1532 | Nmflee32.exe
2408 | Nlilqbgp.exe
848 | Npdhaq32.exe
1252 | Ncpdbohb.exe
2012 | Ofnpnkgf.exe
2368 | Oeaqig32.exe
788 | Oimmjffj.exe
2792 | Olkifaen.exe
Loads dropped DLL (64 IoCs)
pid | Process (each of the 32 processes below appears twice in the report's 64 entries)
2248 | e506cf188b0a3e8ce90bf2dc96f41c7334fe002e6c9b0f24666a595f99fa4e71N.exe
2768 | Ldheebad.exe
2780 | Lkbmbl32.exe
2872 | Lonibk32.exe
2540 | Lgingm32.exe
3004 | Lncfcgeb.exe
1440 | Lgkkmm32.exe
2876 | Ljigih32.exe
2188 | Laqojfli.exe
1028 | Lpcoeb32.exe
1404 | Lcblan32.exe
1336 | Lkicbk32.exe
1668 | Lngpog32.exe
1860 | Lpflkb32.exe
3064 | Lgpdglhn.exe
2964 | Lfbdci32.exe
1060 | Lnjldf32.exe
1284 | Llmmpcfe.exe
1568 | Mokilo32.exe
944 | Mfeaiime.exe
876 | Mhcmedli.exe
1588 | Mloiec32.exe
1268 | Mqjefamk.exe
2460 | Mciabmlo.exe
2444 | Mblbnj32.exe
1156 | Mjcjog32.exe
2356 | Mhfjjdjf.exe
2708 | Mopbgn32.exe
2592 | Mbnocipg.exe
2604 | Mfjkdh32.exe
2660 | Mhhgpc32.exe
2728 | Mkfclo32.exe
Drops file in System32 directory (64 IoCs)
Processes: Eebibf32.exe, Gpjfcali.exe, Opaqpn32.exe, Gpacogjm.exe, Fglfgd32.exe, Mflgih32.exe, Ppmgfb32.exe, Cfehhn32.exe, Oejcpf32.exe, Dlifadkk.exe, Mokilo32.exe, Qmhahkdj.exe, Faonom32.exe, Dihmpinj.exe, Eogolc32.exe, Bjngbihn.exe, Obecld32.exe, Mkfclo32.exe, Ejcmmp32.exe, Fpdkpiik.exe, Mpphdpcf.exe, Camnge32.exe, Gqdgom32.exe, Pfhhflmg.exe, Alaqjaaa.exe, Dboeco32.exe, Hpgfmeag.exe, Dfcgbb32.exe, Ebappk32.exe, Jcandb32.exe, Blqmid32.exe, Cdnncfoe.exe, Fbimkpmm.exe, Mdmmhn32.exe, Qlfdac32.exe, Kmfpmc32.exe, Khnapkjg.exe, Hkogpn32.exe, Jbcelp32.exe, Bemkle32.exe, Cjhckg32.exe, Llmmpcfe.exe, Hgiked32.exe, Fdlpnamm.exe, Aaejojjq.exe, Eemnnn32.exe, Jeaahk32.exe, Jjkfqlpf.exe, Ncmglp32.exe, Cccdjl32.exe
description | ioc | Process (blank where the report leaves it empty)
File created | C:\Windows\SysWOW64\Cldcdi32.dll |
File created | C:\Windows\SysWOW64\Pggcij32.dll | Eebibf32.exe
File created | C:\Windows\SysWOW64\Gfcopl32.exe | Gpjfcali.exe
File opened for modification | C:\Windows\SysWOW64\Hfnkji32.exe |
File created | C:\Windows\SysWOW64\Pndalkgf.exe | Opaqpn32.exe
File opened for modification | C:\Windows\SysWOW64\Goddjc32.exe | Gpacogjm.exe
File created | C:\Windows\SysWOW64\Ecoihm32.exe |
File opened for modification | C:\Windows\SysWOW64\Fkhbgbkc.exe | Fglfgd32.exe
File created | C:\Windows\SysWOW64\Mkpdghaq.dll | Mflgih32.exe
File created | C:\Windows\SysWOW64\Pblcbn32.exe | Ppmgfb32.exe
File opened for modification | C:\Windows\SysWOW64\Cehhdkjf.exe | Cfehhn32.exe
File created | C:\Windows\SysWOW64\Ohipla32.exe | Oejcpf32.exe
File opened for modification | C:\Windows\SysWOW64\Dnhbmpkn.exe | Dlifadkk.exe
File created | C:\Windows\SysWOW64\Mfeaiime.exe | Mokilo32.exe
File opened for modification | C:\Windows\SysWOW64\Aeoijidl.exe | Qmhahkdj.exe
File opened for modification | C:\Windows\SysWOW64\Fpbnjjkm.exe | Faonom32.exe
File created | C:\Windows\SysWOW64\Egmpofck.dll | Dihmpinj.exe
File created | C:\Windows\SysWOW64\Flefhg32.dll |
File created | C:\Windows\SysWOW64\Ahemgiea.dll | Eogolc32.exe
File created | C:\Windows\SysWOW64\Llolnffe.dll | Bjngbihn.exe
File opened for modification | C:\Windows\SysWOW64\Oddphp32.exe | Obecld32.exe
File created | C:\Windows\SysWOW64\Mneohj32.exe | Mkfclo32.exe
File created | C:\Windows\SysWOW64\Eifmimch.exe | Ejcmmp32.exe
File created | C:\Windows\SysWOW64\Fdpgph32.exe | Fpdkpiik.exe
File created | C:\Windows\SysWOW64\Mgjpaj32.exe | Mpphdpcf.exe
File opened for modification | C:\Windows\SysWOW64\Cdkkcp32.exe | Camnge32.exe
File opened for modification | C:\Windows\SysWOW64\Pgaahh32.exe |
File created | C:\Windows\SysWOW64\Opjqff32.dll | Gqdgom32.exe
File created | C:\Windows\SysWOW64\Qmbqcf32.exe | Pfhhflmg.exe
File created | C:\Windows\SysWOW64\Aoomflpd.exe | Alaqjaaa.exe
File opened for modification | C:\Windows\SysWOW64\Daaenlng.exe | Dboeco32.exe
File created | C:\Windows\SysWOW64\Jjejnabb.dll | Hpgfmeag.exe
File created | C:\Windows\SysWOW64\Fijnabef.exe |
File created | C:\Windows\SysWOW64\Hlkcbp32.exe |
File created | C:\Windows\SysWOW64\Lodpeepd.dll |
File opened for modification | C:\Windows\SysWOW64\Ellqil32.dll | Dfcgbb32.exe
File opened for modification | C:\Windows\SysWOW64\Eepmlf32.exe | Ebappk32.exe
File created | C:\Windows\SysWOW64\Jjkfqlpf.exe | Jcandb32.exe
File opened for modification | C:\Windows\SysWOW64\Bckefnki.exe | Blqmid32.exe
File created | C:\Windows\SysWOW64\Peblbj32.dll |
File opened for modification | C:\Windows\SysWOW64\Fiedfb32.exe |
File created | C:\Windows\SysWOW64\Eehhiell.dll | Cdnncfoe.exe
File created | C:\Windows\SysWOW64\Ficehj32.exe | Fbimkpmm.exe
File created | C:\Windows\SysWOW64\Kqnablhp.dll | Mdmmhn32.exe
File created | C:\Windows\SysWOW64\Mehoblpm.dll | Qlfdac32.exe
File created | C:\Windows\SysWOW64\Kdphjm32.exe | Kmfpmc32.exe
File created | C:\Windows\SysWOW64\Canhhi32.dll | Khnapkjg.exe
File created | C:\Windows\SysWOW64\Hnmcli32.exe | Hkogpn32.exe
File created | C:\Windows\SysWOW64\Nipefmkb.exe |
File created | C:\Windows\SysWOW64\Mmfmkf32.dll |
File created | C:\Windows\SysWOW64\Jeaahk32.exe | Jbcelp32.exe
File opened for modification | C:\Windows\SysWOW64\Bhkghqpb.exe | Bemkle32.exe
File opened for modification | C:\Windows\SysWOW64\Caokmd32.exe | Cjhckg32.exe
File created | C:\Windows\SysWOW64\Ddpidhgj.dll |
File opened for modification | C:\Windows\SysWOW64\Maocekoo.exe |
File opened for modification | C:\Windows\SysWOW64\Mokilo32.exe | Llmmpcfe.exe
File created | C:\Windows\SysWOW64\Iqapnjli.exe | Hgiked32.exe
File opened for modification | C:\Windows\SysWOW64\Fhglop32.exe | Fdlpnamm.exe
File created | C:\Windows\SysWOW64\Aphjjf32.exe | Aaejojjq.exe
File created | C:\Windows\SysWOW64\Eihjolae.exe | Eemnnn32.exe
File opened for modification | C:\Windows\SysWOW64\Jjnjqb32.exe | Jeaahk32.exe
File opened for modification | C:\Windows\SysWOW64\Jmibmhoj.exe | Jjkfqlpf.exe
File created | C:\Windows\SysWOW64\Nokhie32.dll | Ncmglp32.exe
File created | C:\Windows\SysWOW64\Cjmmffgn.exe | Cccdjl32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4444 | 4100 | (not recorded) | 1394
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Alddjg32.exe, Dboeco32.exe, Apilcoho.exe, Ckpckece.exe, Kmfpmc32.exe, Mjkibehc.exe, Kngekdnf.exe, Lgpdglhn.exe, Piliii32.exe, Ckeqga32.exe, Cjjnhnbl.exe, Kolhdbjh.exe, Eifmimch.exe, Fkhbgbkc.exe, Jpepkk32.exe, Ncamen32.exe, Pmjaohol.exe, Bfcodkcb.exe, Omhkcnfg.exe, Ppfafcpb.exe, Gbmlkl32.exe, Mmdkfmjc.exe, Glnhjjml.exe, Bckefnki.exe, Ejfllhao.exe, Kapaaj32.exe, Johoic32.exe, Mdoccg32.exe, Ageompfe.exe, Felcbk32.exe, Qifnhaho.exe, Ijfqfj32.exe, Nhbciaki.exe, Jdlacfca.exe, Jgjmoace.exe, Mbnocipg.exe, Eppefg32.exe, Jmdiahco.exe, Gojhafnb.exe, Afgnkilf.exe, Migbpocm.exe, Lpckce32.exe, Ifmocb32.exe, Ladebd32.exe, Nldahn32.exe, Keiqlihp.exe, Odflmp32.exe, Pnchhllf.exe
description: Key opened (all 64 entries)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (all 64 entries)
Process, in report order ("(blank)" where the report leaves the column empty):
1 Alddjg32.exe, 2 Dboeco32.exe, 3 Apilcoho.exe, 4 (blank), 5 Ckpckece.exe, 6 Kmfpmc32.exe, 7 Mjkibehc.exe, 8 Kngekdnf.exe, 9 Lgpdglhn.exe, 10 Piliii32.exe, 11 Ckeqga32.exe, 12 Cjjnhnbl.exe, 13 Kolhdbjh.exe, 14 (blank), 15 Eifmimch.exe, 16 Fkhbgbkc.exe, 17 Jpepkk32.exe, 18 Ncamen32.exe, 19 Pmjaohol.exe, 20 (blank), 21 (blank), 22 (blank), 23 Bfcodkcb.exe, 24 Omhkcnfg.exe, 25 (blank), 26 Ppfafcpb.exe, 27 Gbmlkl32.exe, 28 Mmdkfmjc.exe, 29 (blank), 30 Glnhjjml.exe, 31 Bckefnki.exe, 32 Ejfllhao.exe, 33 Kapaaj32.exe, 34 Johoic32.exe, 35 Mdoccg32.exe, 36 Ageompfe.exe, 37 Felcbk32.exe, 38 Qifnhaho.exe, 39 Ijfqfj32.exe, 40 (blank), 41 (blank), 42 Nhbciaki.exe, 43 Jdlacfca.exe, 44 Jgjmoace.exe, 45 (blank), 46 Mbnocipg.exe, 47 Eppefg32.exe, 48 Jmdiahco.exe, 49 (blank), 50 (blank), 51 Gojhafnb.exe, 52 Afgnkilf.exe, 53 Migbpocm.exe, 54 (blank), 55 Lpckce32.exe, 56 (blank), 57 (blank), 58 Ifmocb32.exe, 59 Ladebd32.exe, 60 Nldahn32.exe, 61 Keiqlihp.exe, 62 Odflmp32.exe, 63 (blank), 64 Pnchhllf.exe
Modifies registry class (64 IoCs)
Processes: Ejcmmp32.exe, Jbcelp32.exe, Mhdpnm32.exe, Ihbdhepp.exe, Mjcjog32.exe, Bjngbihn.exe, Oeaqig32.exe, Qdompf32.exe, Hcjilgdb.exe, Jnofgg32.exe, Bhbmip32.exe, Mainndaq.exe, Odflmp32.exe, Lchqcd32.exe, Pbgjgomc.exe, Emoldlmc.exe, Edcqjc32.exe, Nfigck32.exe, Nbpqmfmd.exe, Objjnkie.exe, Bnochnpm.exe, Laaabo32.exe, Hffibceh.exe, Lgpfpe32.exe, Ebockkal.exe, Onlahm32.exe, Pfpibn32.exe, Ehnfpifm.exe, Cdpdnpif.exe, Ejfllhao.exe, Fakdcnhh.exe, Gmqkml32.exe, Odacbpee.exe, Bbchkime.exe, Qmhahkdj.exe, Ogabql32.exe, Jcfoihhp.exe, Goapjnoo.exe, Nmcopebh.exe, Dgknkf32.exe, Gekhgh32.exe, Qdpohodn.exe, Dgnjqe32.exe, Mlgkbi32.exe, Apkihofl.exe, Amoibc32.exe, Ddppmclb.exe, Felcbk32.exe, Lehdhn32.exe
In the table below, <InProcServer32> stands for \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the same CLSID that the ShellServiceObjectDelayLoad value "Web Event Logger" points at. The "(Default)" rows register the DLL that Explorer.exe will load for that CLSID; the DLL data is reproduced with the doubled backslashes the report prints. The Process column is blank where the report leaves it empty. The report's list is cut off after 61 of the 64 entries.
description | ioc | Process
Key created | <InProcServer32> | Ejcmmp32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" |
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Adlqbf32.dll" |
Key created | <InProcServer32> | Jbcelp32.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Ebdqhg32.dll" | Mhdpnm32.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Oqncib32.dll" | Ihbdhepp.exe
Key created | <InProcServer32> | Mjcjog32.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Llolnffe.dll" | Bjngbihn.exe
Key created | <InProcServer32> | Oeaqig32.exe
Key created | <InProcServer32> | Qdompf32.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Oqfopomn.dll" | Hcjilgdb.exe
Key created | <InProcServer32> | Jnofgg32.exe
Key created | <InProcServer32> | Bhbmip32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" |
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Mainndaq.exe
Key created | <InProcServer32> | Odflmp32.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Jgnapb32.dll" | Lchqcd32.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Pihmcioe.dll" | Pbgjgomc.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Emoldlmc.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Edcqjc32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Nfigck32.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Deankpkm.dll" | Nbpqmfmd.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Objjnkie.exe
Key created | <InProcServer32> | Bnochnpm.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Ofeceb32.dll" | Laaabo32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" |
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Hffibceh.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Lgpfpe32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Ebockkal.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Djndfdbb.dll" |
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" |
Key created | <InProcServer32> |
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Dbkngi32.dll" | Onlahm32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Pfpibn32.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Ajokhp32.dll" | Ehnfpifm.exe
Key created | <InProcServer32> | Cdpdnpif.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Almpdj32.dll" | Ejfllhao.exe
Key created | <InProcServer32> | Fakdcnhh.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Gmqkml32.exe
Key created | <InProcServer32> | Odacbpee.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Bbchkime.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Qmhahkdj.exe
Key created | <InProcServer32> | Ogabql32.exe
Key created | <InProcServer32> | Jcfoihhp.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Goapjnoo.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" |
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Nmcopebh.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Lqahpi32.dll" | Dgknkf32.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Pobiicng.dll" | Gekhgh32.exe
Key created | <InProcServer32> |
Key created | <InProcServer32> |
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Qdpohodn.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Dgnjqe32.exe
Key created | <InProcServer32> | Mlgkbi32.exe
Key created | <InProcServer32> |
Key created | <InProcServer32> | Apkihofl.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Amoibc32.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Kabgha32.dll" | Ddppmclb.exe
Set value (str) | <InProcServer32>\ = "C:\\Windows\\SysWow64\\Phohmbjf.dll" |
Key created | <InProcServer32> |
Set value (str) | (entry cut off in the source) |
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onlahm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Felcbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lehdhn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e506cf188b0a3e8ce90bf2dc96f41c7334fe002e6c9b0f24666a595f99fa4e71N.exe, Ldheebad.exe, Lkbmbl32.exe, Lonibk32.exe, Lgingm32.exe, Lncfcgeb.exe, Lgkkmm32.exe, Ljigih32.exe, Laqojfli.exe, Lpcoeb32.exe, Lcblan32.exe, Lkicbk32.exe, Lngpog32.exe, Lpflkb32.exe, Lgpdglhn.exe, Lfbdci32.exe
description  pid  Process  procid_target
PID 2248 wrote to memory of 2768  2248  e506cf188b0a3e8ce90bf2dc96f41c7334fe002e6c9b0f24666a595f99fa4e71N.exe  30
PID 2248 wrote to memory of 2768  2248  e506cf188b0a3e8ce90bf2dc96f41c7334fe002e6c9b0f24666a595f99fa4e71N.exe  30
PID 2248 wrote to memory of 2768  2248  e506cf188b0a3e8ce90bf2dc96f41c7334fe002e6c9b0f24666a595f99fa4e71N.exe  30
PID 2248 wrote to memory of 2768  2248  e506cf188b0a3e8ce90bf2dc96f41c7334fe002e6c9b0f24666a595f99fa4e71N.exe  30
PID 2768 wrote to memory of 2780  2768  Ldheebad.exe  31
PID 2768 wrote to memory of 2780  2768  Ldheebad.exe  31
PID 2768 wrote to memory of 2780  2768  Ldheebad.exe  31
PID 2768 wrote to memory of 2780  2768  Ldheebad.exe  31
PID 2780 wrote to memory of 2872  2780  Lkbmbl32.exe  32
PID 2780 wrote to memory of 2872  2780  Lkbmbl32.exe  32
PID 2780 wrote to memory of 2872  2780  Lkbmbl32.exe  32
PID 2780 wrote to memory of 2872  2780  Lkbmbl32.exe  32
PID 2872 wrote to memory of 2540  2872  Lonibk32.exe  33
PID 2872 wrote to memory of 2540  2872  Lonibk32.exe  33
PID 2872 wrote to memory of 2540  2872  Lonibk32.exe  33
PID 2872 wrote to memory of 2540  2872  Lonibk32.exe  33
PID 2540 wrote to memory of 3004  2540  Lgingm32.exe  34
PID 2540 wrote to memory of 3004  2540  Lgingm32.exe  34
PID 2540 wrote to memory of 3004  2540  Lgingm32.exe  34
PID 2540 wrote to memory of 3004  2540  Lgingm32.exe  34
PID 3004 wrote to memory of 1440  3004  Lncfcgeb.exe  35
PID 3004 wrote to memory of 1440  3004  Lncfcgeb.exe  35
PID 3004 wrote to memory of 1440  3004  Lncfcgeb.exe  35
PID 3004 wrote to memory of 1440  3004  Lncfcgeb.exe  35
PID 1440 wrote to memory of 2876  1440  Lgkkmm32.exe  36
PID 1440 wrote to memory of 2876  1440  Lgkkmm32.exe  36
PID 1440 wrote to memory of 2876  1440  Lgkkmm32.exe  36
PID 1440 wrote to memory of 2876  1440  Lgkkmm32.exe  36
PID 2876 wrote to memory of 2188  2876  Ljigih32.exe  37
PID 2876 wrote to memory of 2188  2876  Ljigih32.exe  37
PID 2876 wrote to memory of 2188  2876  Ljigih32.exe  37
PID 2876 wrote to memory of 2188  2876  Ljigih32.exe  37
PID 2188 wrote to memory of 1028  2188  Laqojfli.exe  38
PID 2188 wrote to memory of 1028  2188  Laqojfli.exe  38
PID 2188 wrote to memory of 1028  2188  Laqojfli.exe  38
PID 2188 wrote to memory of 1028  2188  Laqojfli.exe  38
PID 1028 wrote to memory of 1404  1028  Lpcoeb32.exe  39
PID 1028 wrote to memory of 1404  1028  Lpcoeb32.exe  39
PID 1028 wrote to memory of 1404  1028  Lpcoeb32.exe  39
PID 1028 wrote to memory of 1404  1028  Lpcoeb32.exe  39
PID 1404 wrote to memory of 1336  1404  Lcblan32.exe  40
PID 1404 wrote to memory of 1336  1404  Lcblan32.exe  40
PID 1404 wrote to memory of 1336  1404  Lcblan32.exe  40
PID 1404 wrote to memory of 1336  1404  Lcblan32.exe  40
PID 1336 wrote to memory of 1668  1336  Lkicbk32.exe  41
PID 1336 wrote to memory of 1668  1336  Lkicbk32.exe  41
PID 1336 wrote to memory of 1668  1336  Lkicbk32.exe  41
PID 1336 wrote to memory of 1668  1336  Lkicbk32.exe  41
PID 1668 wrote to memory of 1860  1668  Lngpog32.exe  42
PID 1668 wrote to memory of 1860  1668  Lngpog32.exe  42
PID 1668 wrote to memory of 1860  1668  Lngpog32.exe  42
PID 1668 wrote to memory of 1860  1668  Lngpog32.exe  42
PID 1860 wrote to memory of 3064  1860  Lpflkb32.exe  43
PID 1860 wrote to memory of 3064  1860  Lpflkb32.exe  43
PID 1860 wrote to memory of 3064  1860  Lpflkb32.exe  43
PID 1860 wrote to memory of 3064  1860  Lpflkb32.exe  43
PID 3064 wrote to memory of 2964  3064  Lgpdglhn.exe  44
PID 3064 wrote to memory of 2964  3064  Lgpdglhn.exe  44
PID 3064 wrote to memory of 2964  3064  Lgpdglhn.exe  44
PID 3064 wrote to memory of 2964  3064  Lgpdglhn.exe  44
PID 2964 wrote to memory of 1060  2964  Lfbdci32.exe  45
PID 2964 wrote to memory of 1060  2964  Lfbdci32.exe  45
PID 2964 wrote to memory of 1060  2964  Lfbdci32.exe  45
PID 2964 wrote to memory of 1060  2964  Lfbdci32.exe  45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e506cf188b0a3e8ce90bf2dc96f41c7334fe002e6c9b0f24666a595f99fa4e71N.exe"C:\Users\Admin\AppData\Local\Temp\e506cf188b0a3e8ce90bf2dc96f41c7334fe002e6c9b0f24666a595f99fa4e71N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Lkbmbl32.exeC:\Windows\system32\Lkbmbl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Lpcoeb32.exeC:\Windows\system32\Lpcoeb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Lcblan32.exeC:\Windows\system32\Lcblan32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Lkicbk32.exeC:\Windows\system32\Lkicbk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Lngpog32.exeC:\Windows\system32\Lngpog32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Lpflkb32.exeC:\Windows\system32\Lpflkb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Lfbdci32.exeC:\Windows\system32\Lfbdci32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Lnjldf32.exeC:\Windows\system32\Lnjldf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Mokilo32.exeC:\Windows\system32\Mokilo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Mfeaiime.exeC:\Windows\system32\Mfeaiime.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Mloiec32.exeC:\Windows\system32\Mloiec32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Mciabmlo.exeC:\Windows\system32\Mciabmlo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Mjcjog32.exeC:\Windows\system32\Mjcjog32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Mopbgn32.exeC:\Windows\system32\Mopbgn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Mbnocipg.exeC:\Windows\system32\Mbnocipg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Mfjkdh32.exeC:\Windows\system32\Mfjkdh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Mhhgpc32.exeC:\Windows\system32\Mhhgpc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Mkfclo32.exeC:\Windows\system32\Mkfclo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Mneohj32.exeC:\Windows\system32\Mneohj32.exe33⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Mflgih32.exeC:\Windows\system32\Mflgih32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1392 -
C:\Windows\SysWOW64\Mgmdapml.exeC:\Windows\system32\Mgmdapml.exe35⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe36⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Mnglnj32.exeC:\Windows\system32\Mnglnj32.exe37⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Mbchni32.exeC:\Windows\system32\Mbchni32.exe38⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Mimpkcdn.exeC:\Windows\system32\Mimpkcdn.exe39⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe40⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Ndcapd32.exeC:\Windows\system32\Ndcapd32.exe41⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Ngbmlo32.exeC:\Windows\system32\Ngbmlo32.exe42⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe43⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Nmofdf32.exeC:\Windows\system32\Nmofdf32.exe44⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Ndfnecgp.exeC:\Windows\system32\Ndfnecgp.exe45⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe46⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe47⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Njbfnjeg.exeC:\Windows\system32\Njbfnjeg.exe48⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Nnnbni32.exeC:\Windows\system32\Nnnbni32.exe49⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe50⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Nggggoda.exeC:\Windows\system32\Nggggoda.exe51⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Nihcog32.exeC:\Windows\system32\Nihcog32.exe53⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe55⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Npbklabl.exeC:\Windows\system32\Npbklabl.exe56⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Ncmglp32.exeC:\Windows\system32\Ncmglp32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Nmflee32.exeC:\Windows\system32\Nmflee32.exe58⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe59⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Npdhaq32.exeC:\Windows\system32\Npdhaq32.exe60⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Ncpdbohb.exeC:\Windows\system32\Ncpdbohb.exe61⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Ofnpnkgf.exeC:\Windows\system32\Ofnpnkgf.exe62⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Oeaqig32.exeC:\Windows\system32\Oeaqig32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Oimmjffj.exeC:\Windows\system32\Oimmjffj.exe64⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe65⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe66⤵PID:2204
-
C:\Windows\SysWOW64\Obeacl32.exeC:\Windows\system32\Obeacl32.exe67⤵PID:1692
-
C:\Windows\SysWOW64\Ofqmcj32.exeC:\Windows\system32\Ofqmcj32.exe68⤵PID:2636
-
C:\Windows\SysWOW64\Oecmogln.exeC:\Windows\system32\Oecmogln.exe69⤵PID:2852
-
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe70⤵PID:1640
-
C:\Windows\SysWOW64\Ohbikbkb.exeC:\Windows\system32\Ohbikbkb.exe71⤵PID:2548
-
C:\Windows\SysWOW64\Opialpld.exeC:\Windows\system32\Opialpld.exe72⤵PID:1968
-
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe73⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Oajndh32.exeC:\Windows\system32\Oajndh32.exe74⤵PID:2880
-
C:\Windows\SysWOW64\Oefjdgjk.exeC:\Windows\system32\Oefjdgjk.exe75⤵PID:2676
-
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe76⤵PID:2120
-
C:\Windows\SysWOW64\Olpbaa32.exeC:\Windows\system32\Olpbaa32.exe77⤵PID:1260
-
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe78⤵PID:1932
-
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe79⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Oalkih32.exeC:\Windows\system32\Oalkih32.exe80⤵PID:2040
-
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe81⤵PID:1624
-
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe82⤵PID:3008
-
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe83⤵PID:2428
-
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe84⤵PID:1492
-
C:\Windows\SysWOW64\Oaogognm.exeC:\Windows\system32\Oaogognm.exe85⤵PID:1064
-
C:\Windows\SysWOW64\Oejcpf32.exeC:\Windows\system32\Oejcpf32.exe86⤵
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe87⤵PID:2180
-
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe88⤵PID:1084
-
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe89⤵PID:1780
-
C:\Windows\SysWOW64\Pnchhllf.exeC:\Windows\system32\Pnchhllf.exe90⤵
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Paaddgkj.exeC:\Windows\system32\Paaddgkj.exe91⤵PID:1728
-
C:\Windows\SysWOW64\Ppddpd32.exeC:\Windows\system32\Ppddpd32.exe92⤵PID:844
-
C:\Windows\SysWOW64\Phklaacg.exeC:\Windows\system32\Phklaacg.exe93⤵PID:1292
-
C:\Windows\SysWOW64\Pfnmmn32.exeC:\Windows\system32\Pfnmmn32.exe94⤵PID:2624
-
C:\Windows\SysWOW64\Pjihmmbk.exeC:\Windows\system32\Pjihmmbk.exe95⤵PID:2572
-
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe96⤵
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe97⤵PID:284
-
C:\Windows\SysWOW64\Ppfafcpb.exeC:\Windows\system32\Ppfafcpb.exe98⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe99⤵PID:2280
-
C:\Windows\SysWOW64\Pfpibn32.exeC:\Windows\system32\Pfpibn32.exe100⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Pjleclph.exeC:\Windows\system32\Pjleclph.exe101⤵PID:3016
-
C:\Windows\SysWOW64\Pioeoi32.exeC:\Windows\system32\Pioeoi32.exe102⤵PID:2108
-
C:\Windows\SysWOW64\Pmjaohol.exeC:\Windows\system32\Pmjaohol.exe103⤵
- System Location Discovery: System Language Discovery
PID:352 -
C:\Windows\SysWOW64\Ppinkcnp.exeC:\Windows\system32\Ppinkcnp.exe104⤵PID:1952
-
C:\Windows\SysWOW64\Pddjlb32.exeC:\Windows\system32\Pddjlb32.exe105⤵PID:692
-
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe106⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Peefcjlg.exeC:\Windows\system32\Peefcjlg.exe107⤵PID:2212
-
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe108⤵PID:320
-
C:\Windows\SysWOW64\Pmmneg32.exeC:\Windows\system32\Pmmneg32.exe109⤵PID:272
-
C:\Windows\SysWOW64\Ppkjac32.exeC:\Windows\system32\Ppkjac32.exe110⤵PID:1476
-
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe111⤵PID:2224
-
C:\Windows\SysWOW64\Pfebnmcj.exeC:\Windows\system32\Pfebnmcj.exe112⤵PID:2400
-
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe113⤵PID:972
-
C:\Windows\SysWOW64\Phfoee32.exeC:\Windows\system32\Phfoee32.exe114⤵PID:2028
-
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe115⤵PID:1512
-
C:\Windows\SysWOW64\Ppmgfb32.exeC:\Windows\system32\Ppmgfb32.exe116⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Pblcbn32.exeC:\Windows\system32\Pblcbn32.exe117⤵PID:580
-
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe118⤵PID:1960
-
C:\Windows\SysWOW64\Qiflohqk.exeC:\Windows\system32\Qiflohqk.exe119⤵PID:756
-
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe120⤵PID:2240
-
C:\Windows\SysWOW64\Qldhkc32.exeC:\Windows\system32\Qldhkc32.exe121⤵PID:2376
-
C:\Windows\SysWOW64\Qkghgpfi.exeC:\Windows\system32\Qkghgpfi.exe122⤵PID:1152