Analysis
-
max time kernel
75s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-10-2024 01:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe
-
Size
96KB
-
MD5
fed8c910ebbdeb293d68f5f98fd58c10
-
SHA1
80116dd08a184cee7be4f29fcf595fbd1329219d
-
SHA256
e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763
-
SHA512
a794cec2cd28a222816ccb451b2948318908c3e030964fca30e46f4ab6691a1bfdb6ca889805fe3116109beff17d35fdf60c4d863d941f7f10e4b0f4b146ce6c
-
SSDEEP
1536:GCAFCwBy1m2jQaHjVQof66sfRa82Lx7RZObZUUWaegPYA:GCAFCwsVQoLsg1xClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Pglojj32.exeNcdpdcfh.exeOomjng32.exeIlkpac32.exeNbqjqehd.exePmfjmake.exePiadma32.exeIjimli32.exeHdhdlbpk.exeGeaofc32.exeIpabfcdm.exeLbjjekhl.exeAaflgb32.exeClilmbhd.exeIgeddb32.exeJegdgj32.exePioamlkk.exeNpkfff32.exePfkkeq32.exeHhogaamj.exeMkggnp32.exePcdldknm.exeAejnfe32.exeFabmmejd.exeGampaipe.exeJmdiahco.exeFbipdi32.exeIhdmld32.exeKmhhae32.exePadccpal.exeIhbdhepp.exeMmndfnpl.exeOkhgod32.exePalbgn32.exeKimjhnnl.exeBlipno32.exeEikimeff.exeHlhfmqge.exeDhiphb32.exeNafiej32.exeEblpke32.exeLehfafgp.exeLfnlcnih.exeOdflmp32.exeGhidcceo.exeIjdppm32.exeAjipkb32.exeDfbbpd32.exeEokgij32.exeHolldk32.exeIgpdnlgd.exeKmfklepl.exeKbcddlnd.exeDnhefh32.exeGefolhja.exeLadgkmlj.exeAlaccj32.exeLpiacp32.exePnnmeh32.exeKepgmh32.exeJneoojeb.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pglojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncdpdcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oomjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilkpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbqjqehd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmfjmake.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piadma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijimli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhdlbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geaofc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipabfcdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjjekhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaflgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clilmbhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igeddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jegdgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pioamlkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npkfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfkkeq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhogaamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkggnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcdldknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejnfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fabmmejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gampaipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmdiahco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbipdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdmld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmhhae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padccpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihbdhepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmndfnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kimjhnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blipno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eikimeff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhfmqge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhogaamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaflgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhiphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdmld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nafiej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblpke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lehfafgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfnlcnih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odflmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghidcceo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdppm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajipkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfbbpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eokgij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Holldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpdnlgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmfklepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbcddlnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnhefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gefolhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ladgkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alaccj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpiacp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kepgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jneoojeb.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0005000000020201-4118.dat family_bruteratel behavioral1/files/0x0003000000020b3f-5707.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Kimjhnnl.exeKpfbegei.exeKlmbjh32.exeLajkbp32.exeLhdcojaa.exeLmalgq32.exeLehdhn32.exeLkelpd32.exeLmcilp32.exeLkgifd32.exeLdpnoj32.exeLgnjke32.exeLlkbcl32.exeLgpfpe32.exeMiocmq32.exeMokkegmm.exeMgbcfdmo.exeMlolnllf.exeMehpga32.exeMkdioh32.exeMclqqeaq.exeMaoalb32.exeMldeik32.exeMobaef32.exeMaanab32.exeMdojnm32.exeMgnfji32.exeNgpcohbm.exeNjnokdaq.exeNphghn32.exeNgbpehpj.exeNlohmonb.exeNcipjieo.exeNcipjieo.exeNqmqcmdh.exeNckmpicl.exeNldahn32.exeNobndj32.exeNbqjqehd.exeOmfnnnhj.exeOcpfkh32.exeOfobgc32.exeOkkkoj32.exeOfaolcmh.exeOgbldk32.exeOnldqejb.exeOqkpmaif.exeOdflmp32.exeOgdhik32.exeOjceef32.exeObjmgd32.exeOehicoom.exeOckinl32.exeOkbapi32.exeOnamle32.exeOqojhp32.exePcnfdl32.exePgibdjln.exePflbpg32.exePncjad32.exePmfjmake.exePpdfimji.exePglojj32.exePimkbbpi.exepid Process 2804 Kimjhnnl.exe 2692 Kpfbegei.exe 2780 Klmbjh32.exe 632 Lajkbp32.exe 324 Lhdcojaa.exe 912 Lmalgq32.exe 2028 Lehdhn32.exe 672 Lkelpd32.exe 2164 Lmcilp32.exe 2864 Lkgifd32.exe 2116 Ldpnoj32.exe 2844 Lgnjke32.exe 1964 Llkbcl32.exe 2180 Lgpfpe32.exe 1772 Miocmq32.exe 1740 Mokkegmm.exe 964 Mgbcfdmo.exe 1248 Mlolnllf.exe 340 Mehpga32.exe 1072 Mkdioh32.exe 2308 Mclqqeaq.exe 1760 Maoalb32.exe 2044 Mldeik32.exe 1972 Mobaef32.exe 2124 Maanab32.exe 1528 Mdojnm32.exe 2876 Mgnfji32.exe 2580 Ngpcohbm.exe 2568 Njnokdaq.exe 2588 Nphghn32.exe 2596 Ngbpehpj.exe 2848 Nlohmonb.exe 440 Ncipjieo.exe 2128 Ncipjieo.exe 1176 Nqmqcmdh.exe 2852 Nckmpicl.exe 2324 Nldahn32.exe 1676 Nobndj32.exe 1684 Nbqjqehd.exe 396 Omfnnnhj.exe 596 Ocpfkh32.exe 2976 Ofobgc32.exe 1992 Okkkoj32.exe 968 Ofaolcmh.exe 1192 Ogbldk32.exe 1032 Onldqejb.exe 372 Oqkpmaif.exe 3056 Odflmp32.exe 1420 Ogdhik32.exe 2688 Ojceef32.exe 2880 Objmgd32.exe 2736 Oehicoom.exe 2708 Ockinl32.exe 2720 Okbapi32.exe 1552 Onamle32.exe 1764 Oqojhp32.exe 2752 Pcnfdl32.exe 2860 Pgibdjln.exe 2636 Pflbpg32.exe 2644 Pncjad32.exe 1300 Pmfjmake.exe 2196 Ppdfimji.exe 568 Pglojj32.exe 1800 Pimkbbpi.exe -
Loads dropped DLL 64 IoCs
Processes:
e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exeKimjhnnl.exeKpfbegei.exeKlmbjh32.exeLajkbp32.exeLhdcojaa.exeLmalgq32.exeLehdhn32.exeLkelpd32.exeLmcilp32.exeLkgifd32.exeLdpnoj32.exeLgnjke32.exeLlkbcl32.exeLgpfpe32.exeMiocmq32.exeMokkegmm.exeMgbcfdmo.exeMlolnllf.exeMehpga32.exeMkdioh32.exeMclqqeaq.exeMaoalb32.exeMldeik32.exeMobaef32.exeMaanab32.exeMdojnm32.exeMgnfji32.exeNgpcohbm.exeNjnokdaq.exeNphghn32.exeNgbpehpj.exepid Process 2092 e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe 2092 e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe 2804 Kimjhnnl.exe 2804 Kimjhnnl.exe 2692 Kpfbegei.exe 2692 Kpfbegei.exe 2780 Klmbjh32.exe 2780 Klmbjh32.exe 632 Lajkbp32.exe 632 Lajkbp32.exe 324 Lhdcojaa.exe 324 Lhdcojaa.exe 912 Lmalgq32.exe 912 Lmalgq32.exe 2028 Lehdhn32.exe 2028 Lehdhn32.exe 672 Lkelpd32.exe 672 Lkelpd32.exe 2164 Lmcilp32.exe 2164 Lmcilp32.exe 2864 Lkgifd32.exe 2864 Lkgifd32.exe 2116 Ldpnoj32.exe 2116 Ldpnoj32.exe 2844 Lgnjke32.exe 2844 Lgnjke32.exe 1964 Llkbcl32.exe 1964 Llkbcl32.exe 2180 Lgpfpe32.exe 2180 Lgpfpe32.exe 1772 Miocmq32.exe 1772 Miocmq32.exe 1740 Mokkegmm.exe 1740 Mokkegmm.exe 964 Mgbcfdmo.exe 964 Mgbcfdmo.exe 1248 Mlolnllf.exe 1248 Mlolnllf.exe 340 Mehpga32.exe 340 Mehpga32.exe 1072 Mkdioh32.exe 1072 Mkdioh32.exe 2308 Mclqqeaq.exe 2308 Mclqqeaq.exe 1760 Maoalb32.exe 1760 Maoalb32.exe 2044 Mldeik32.exe 2044 Mldeik32.exe 1972 Mobaef32.exe 1972 Mobaef32.exe 2124 Maanab32.exe 2124 Maanab32.exe 1528 Mdojnm32.exe 1528 Mdojnm32.exe 2876 Mgnfji32.exe 2876 Mgnfji32.exe 2580 Ngpcohbm.exe 2580 Ngpcohbm.exe 2568 Njnokdaq.exe 2568 Njnokdaq.exe 2588 Nphghn32.exe 2588 Nphghn32.exe 2596 Ngbpehpj.exe 2596 Ngbpehpj.exe -
Drops file in System32 directory 64 IoCs
Processes:
Oqlfhjch.exeDbejjfek.exeHchoop32.exeMmndfnpl.exeJnlepioj.exeNcnlnaim.exeFmddgg32.exeNhqhmj32.exeCpbkhabp.exeEifobe32.exeJmlobg32.exeLbkaoalg.exeMaocekoo.exeBoobki32.exeEclcon32.exeEjfllhao.exeKccgheib.exeAaflgb32.exeBfjkphjd.exeApkbnibq.exeHijjpeha.exeNifgekbm.exeBbchkime.exeAilqfooi.exeBknfeege.exeHogcil32.exePflbpg32.exeEblpke32.exeMlbkmdah.exeNphghn32.exeDkgldm32.exeGdflgo32.exeJgnchplb.exePhgannal.exeBlkmdodf.exeQcmkhi32.exeEfeoedjo.exeLggbmbfc.exeOkhgod32.exeOkkddd32.exeIokhcodo.exeKffqqm32.exeDflmpebj.exeGpafgp32.exeCpiaipmh.exeFnjnkkbk.exeFpmpnmck.exeIhlnhffh.exeIdghhf32.exeKmiolk32.exePchbmigj.exeBpjnmlel.exeBopknhjd.exeCcpqjfnh.exeFbipdi32.exeNpppaejj.exeAdblnnbk.exeApfici32.exeFihalb32.exeNacmpj32.exePjlgle32.exeIlifndlo.exedescription ioc Process File created C:\Windows\SysWOW64\Bimlibmn.dll Oqlfhjch.exe File created C:\Windows\SysWOW64\Peblbj32.dll Dbejjfek.exe File opened for modification C:\Windows\SysWOW64\Hkogpn32.exe Hchoop32.exe File created C:\Windows\SysWOW64\Meemgk32.exe Mmndfnpl.exe File created C:\Windows\SysWOW64\Kqkalenn.exe Jnlepioj.exe File created C:\Windows\SysWOW64\Oemhjlha.exe Ncnlnaim.exe File opened for modification C:\Windows\SysWOW64\Fpbqcb32.exe Fmddgg32.exe File created C:\Windows\SysWOW64\Hennhl32.dll Nhqhmj32.exe File created C:\Windows\SysWOW64\Cdngip32.exe Cpbkhabp.exe File created C:\Windows\SysWOW64\Embkbdce.exe Eifobe32.exe File created C:\Windows\SysWOW64\Nljpjc32.dll Jmlobg32.exe File created C:\Windows\SysWOW64\Lffmpp32.exe Lbkaoalg.exe File created C:\Windows\SysWOW64\Iceojc32.dll Maocekoo.exe File created C:\Windows\SysWOW64\Cnabffeo.exe Boobki32.exe File opened for modification C:\Windows\SysWOW64\Ejfllhao.exe Eclcon32.exe File created C:\Windows\SysWOW64\Epcddopf.exe Ejfllhao.exe File created C:\Windows\SysWOW64\Kfacdqhf.exe Kccgheib.exe File created C:\Windows\SysWOW64\Ndfkbpjk.dll Aaflgb32.exe File created C:\Windows\SysWOW64\Bihgmdih.exe Bfjkphjd.exe File created C:\Windows\SysWOW64\Abinjdad.exe Apkbnibq.exe File opened for modification C:\Windows\SysWOW64\Hlhfmqge.exe Hijjpeha.exe File opened for modification C:\Windows\SysWOW64\Nldcagaq.exe Nifgekbm.exe File created C:\Windows\SysWOW64\Eknjoj32.dll Bbchkime.exe File opened for modification C:\Windows\SysWOW64\Apfici32.exe Ailqfooi.exe File opened for modification C:\Windows\SysWOW64\Bmlbaqfh.exe Bknfeege.exe File created C:\Windows\SysWOW64\Hbboiknb.exe Hogcil32.exe File opened for modification C:\Windows\SysWOW64\Pncjad32.exe Pflbpg32.exe File opened for modification C:\Windows\SysWOW64\Eqopfbfn.exe Eblpke32.exe File opened for modification C:\Windows\SysWOW64\Mpngmb32.exe Mlbkmdah.exe File opened for modification C:\Windows\SysWOW64\Ngbpehpj.exe Nphghn32.exe File created C:\Windows\SysWOW64\Aoqbnfda.dll Dkgldm32.exe File opened for modification C:\Windows\SysWOW64\Ghbhhnhk.exe Gdflgo32.exe File created C:\Windows\SysWOW64\Cpkdfb32.dll Jgnchplb.exe File created C:\Windows\SysWOW64\Pbiffmpn.dll Phgannal.exe File opened for modification C:\Windows\SysWOW64\Bceeqi32.exe Blkmdodf.exe File created C:\Windows\SysWOW64\Ofoebc32.dll Cpbkhabp.exe File created C:\Windows\SysWOW64\Nhjpkq32.dll Qcmkhi32.exe File created C:\Windows\SysWOW64\Edhpaa32.exe Efeoedjo.exe File created C:\Windows\SysWOW64\Cnhgnpbp.dll Lggbmbfc.exe File opened for modification C:\Windows\SysWOW64\Ojkhjabc.exe Okhgod32.exe File created C:\Windows\SysWOW64\Onipqp32.exe Okkddd32.exe File opened for modification C:\Windows\SysWOW64\Icgdcm32.exe Iokhcodo.exe File created C:\Windows\SysWOW64\Cjmoammm.dll Kffqqm32.exe File opened for modification C:\Windows\SysWOW64\Dncdqcbl.exe Dflmpebj.exe File created C:\Windows\SysWOW64\Iialocke.dll Gpafgp32.exe File created C:\Windows\SysWOW64\Ihbldk32.dll Cpiaipmh.exe File created C:\Windows\SysWOW64\Fedfgejh.exe Fnjnkkbk.exe File opened for modification C:\Windows\SysWOW64\Fcilnl32.exe Fpmpnmck.exe File opened for modification C:\Windows\SysWOW64\Ikjjda32.exe Ihlnhffh.exe File created C:\Windows\SysWOW64\Ihbdhepp.exe Idghhf32.exe File opened for modification C:\Windows\SysWOW64\Kepgmh32.exe Kmiolk32.exe File opened for modification C:\Windows\SysWOW64\Pkojoghl.exe Pchbmigj.exe File created C:\Windows\SysWOW64\Bdfjnkne.exe Bpjnmlel.exe File opened for modification C:\Windows\SysWOW64\Cbkgog32.exe Bopknhjd.exe File opened for modification C:\Windows\SysWOW64\Chmibmlo.exe Ccpqjfnh.exe File created C:\Windows\SysWOW64\Ffeldglk.exe Fbipdi32.exe File created C:\Windows\SysWOW64\Ncnlnaim.exe Npppaejj.exe File created C:\Windows\SysWOW64\Ahngomkd.exe Adblnnbk.exe File opened for modification C:\Windows\SysWOW64\Acadchoo.exe Apfici32.exe File opened for modification C:\Windows\SysWOW64\Flfnhnfm.exe Fihalb32.exe File created C:\Windows\SysWOW64\Nhclfogi.dll Nacmpj32.exe File created C:\Windows\SysWOW64\Piohgbng.exe Pjlgle32.exe File created C:\Windows\SysWOW64\Addhcn32.exe Aaflgb32.exe File opened for modification C:\Windows\SysWOW64\Iohbjpkb.exe Ilifndlo.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 7700 7672 WerFault.exe 729 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Meemgk32.exeBphaglgo.exeKmdofebo.exeMobaef32.exeAldfcpjn.exeDgqion32.exeKpoejbhe.exeHdgkicek.exeEqopfbfn.exeFnejdiep.exeLgbibb32.exeFjfhkl32.exeJnbifl32.exeNljhhi32.exeNndgeplo.exeOqkpmaif.exeCffjagko.exeDdbmcb32.exeEddjhb32.exeAankkqfl.exeLpiacp32.exeLadpagin.exeFmddgg32.exeHdeoccgn.exeNegeln32.exeGajlac32.exeOckinl32.exeOqlfhjch.exeNhpabdqd.exeFheoiqgi.exeGbffjmmp.exeJfagemej.exeBahelebm.exeFmbgageq.exeJghqia32.exeKkefoc32.exePkmmigjo.exeHlbpme32.exeCpjklo32.exeIokhcodo.exeJkioho32.exeMaoalb32.exeBlkmdodf.exeHhdqma32.exeLggbmbfc.exeNafiej32.exeMiocmq32.exeBeogaenl.exeJmdiahco.exeOjkhjabc.exeChjmmnnb.exeNmmjjk32.exeOdflmp32.exeBklpjlmc.exeGbcien32.exeHhnnnbaj.exeJegdgj32.exeLffmpp32.exePpkmjlca.exeQaablcej.exeBnofaf32.exeCppobaeb.exeOjdjqp32.exePofldf32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meemgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphaglgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmdofebo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobaef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aldfcpjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgqion32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpoejbhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdgkicek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqopfbfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnejdiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbibb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjfhkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbifl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nljhhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndgeplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqkpmaif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffjagko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbmcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddjhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aankkqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpiacp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladpagin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmddgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdeoccgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Negeln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajlac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockinl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqlfhjch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpabdqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fheoiqgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbffjmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfagemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahelebm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmbgageq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghqia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkefoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkmmigjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbpme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpjklo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokhcodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkioho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maoalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkmdodf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhdqma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggbmbfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nafiej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miocmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beogaenl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdiahco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkhjabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjmmnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmmjjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odflmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklpjlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbcien32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhnnnbaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jegdgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffmpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkmjlca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaablcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnofaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cppobaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdjqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofldf32.exe -
Modifies registry class 64 IoCs
Processes:
Adblnnbk.exeAldfcpjn.exeJqnhmgmk.exeMkdbea32.exeFjnkpf32.exee559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exeNldahn32.exeKmiolk32.exeNipefmkb.exeEkfaij32.exeMaanab32.exeEhfhgogp.exeIaladj32.exeKikokf32.exeBfjkphjd.exeEikimeff.exeNmggllha.exeCelpqbon.exeEcbfmm32.exeHhdqma32.exeMehpga32.exeFjaoplho.exeIfpnaj32.exeMmndfnpl.exeFqffgapf.exePcdldknm.exeAjnqphhe.exeJkcmjpma.exeMlmaad32.exeOfobgc32.exeChjmmnnb.exeGhddnnfi.exeNifgekbm.exeCnabffeo.exeCjoilfek.exeNhhominh.exeIlkpac32.exeJfhmehji.exeAejnfe32.exeJmdiahco.exeKolhdbjh.exePijgbl32.exeLflonn32.exeOgdhik32.exeAbinjdad.exeNcnlnaim.exeIgpdnlgd.exeAiaqle32.exeFedfgejh.exeLigfakaa.exeNnbjpqoa.exePkfghh32.exePpgcol32.exeIcoepohq.exePcmoie32.exeMiaaki32.exePjlgle32.exeAcohnhab.exeLaackgka.exeLkelpd32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegaol32.dll" Adblnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aldfcpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqnhmgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkdbea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjnkpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nldahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmiolk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaimoj32.dll" Nipefmkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekfaij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdffdghm.dll" Maanab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehfhgogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacmfp32.dll" Ialadj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kikokf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccpbd32.dll" Bfjkphjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mofapq32.dll" Eikimeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmggllha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmkgm32.dll" Celpqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljkodkb.dll" Ecbfmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhdqma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjaoplho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifpnaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jagmhnkn.dll" Mmndfnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqffgapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfoacnc.dll" Pcdldknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajnqphhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppknlppm.dll" Jkcmjpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmaad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofobgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chjmmnnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghddnnfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmfmkf32.dll" Nifgekbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dangeigl.dll" Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpcmnaip.dll" Cjoilfek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhhominh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilkpac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfhmehji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aejnfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkcmjpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdiahco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgkfkohg.dll" Kolhdbjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjibmbqj.dll" Pijgbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkimdk.dll" Lflonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnkeqd.dll" Ogdhik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abinjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncnlnaim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eikimeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpclfokl.dll" Igpdnlgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiaqle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djpjjl32.dll" Fedfgejh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miepgfmf.dll" Ligfakaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnbjpqoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkfghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppgcol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkkbcl32.dll" Icoepohq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcmoie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chjmmnnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miaaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbolili.dll" Pjlgle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acohnhab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laackgka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkelpd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exeKimjhnnl.exeKpfbegei.exeKlmbjh32.exeLajkbp32.exeLhdcojaa.exeLmalgq32.exeLehdhn32.exeLkelpd32.exeLmcilp32.exeLkgifd32.exeLdpnoj32.exeLgnjke32.exeLlkbcl32.exeLgpfpe32.exeMiocmq32.exedescription pid Process procid_target PID 2092 wrote to memory of 2804 2092 e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe 30 PID 2092 wrote to memory of 2804 2092 e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe 30 PID 2092 wrote to memory of 2804 2092 e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe 30 PID 2092 wrote to memory of 2804 2092 e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe 30 PID 2804 wrote to memory of 2692 2804 Kimjhnnl.exe 31 PID 2804 wrote to memory of 2692 2804 Kimjhnnl.exe 31 PID 2804 wrote to memory of 2692 2804 Kimjhnnl.exe 31 PID 2804 wrote to memory of 2692 2804 Kimjhnnl.exe 31 PID 2692 wrote to memory of 2780 2692 Kpfbegei.exe 32 PID 2692 wrote to memory of 2780 2692 Kpfbegei.exe 32 PID 2692 wrote to memory of 2780 2692 Kpfbegei.exe 32 PID 2692 wrote to memory of 2780 2692 Kpfbegei.exe 32 PID 2780 wrote to memory of 632 2780 Klmbjh32.exe 33 PID 2780 wrote to memory of 632 2780 Klmbjh32.exe 33 PID 2780 wrote to memory of 632 2780 Klmbjh32.exe 33 PID 2780 wrote to memory of 632 2780 Klmbjh32.exe 33 PID 632 wrote to memory of 324 632 Lajkbp32.exe 34 PID 632 wrote to memory of 324 632 Lajkbp32.exe 34 PID 632 wrote to memory of 324 632 Lajkbp32.exe 34 PID 632 wrote to memory of 324 632 Lajkbp32.exe 34 PID 324 wrote to memory of 912 324 Lhdcojaa.exe 35 PID 324 wrote to memory of 912 324 Lhdcojaa.exe 35 PID 324 wrote to memory of 912 324 Lhdcojaa.exe 35 PID 324 wrote to memory of 912 324 Lhdcojaa.exe 35 PID 912 wrote to memory of 2028 912 Lmalgq32.exe 36 PID 912 wrote to memory of 2028 912 Lmalgq32.exe 36 PID 912 wrote to memory of 2028 912 Lmalgq32.exe 36 PID 912 wrote to memory of 2028 912 Lmalgq32.exe 36 PID 2028 wrote to memory of 672 2028 Lehdhn32.exe 37 PID 2028 wrote to memory of 672 2028 Lehdhn32.exe 37 PID 2028 wrote to memory of 672 2028 Lehdhn32.exe 37 PID 2028 wrote to memory of 672 2028 Lehdhn32.exe 37 PID 672 wrote to memory of 2164 672 Lkelpd32.exe 38 PID 672 wrote to memory of 2164 672 Lkelpd32.exe 38 PID 672 wrote to memory of 2164 672 Lkelpd32.exe 38 PID 672 wrote to memory of 2164 672 Lkelpd32.exe 38 PID 2164 wrote to memory of 2864 2164 Lmcilp32.exe 39 PID 2164 wrote to memory of 2864 2164 Lmcilp32.exe 39 PID 2164 wrote to memory of 2864 2164 Lmcilp32.exe 39 PID 2164 wrote to memory of 2864 2164 Lmcilp32.exe 39 PID 2864 wrote to memory of 2116 2864 Lkgifd32.exe 40 PID 2864 wrote to memory of 2116 2864 Lkgifd32.exe 40 PID 2864 wrote to memory of 2116 2864 Lkgifd32.exe 40 PID 2864 wrote to memory of 2116 2864 Lkgifd32.exe 40 PID 2116 wrote to memory of 2844 2116 Ldpnoj32.exe 41 PID 2116 wrote to memory of 2844 2116 Ldpnoj32.exe 41 PID 2116 wrote to memory of 2844 2116 Ldpnoj32.exe 41 PID 2116 wrote to memory of 2844 2116 Ldpnoj32.exe 41 PID 2844 wrote to memory of 1964 2844 Lgnjke32.exe 42 PID 2844 wrote to memory of 1964 2844 Lgnjke32.exe 42 PID 2844 wrote to memory of 1964 2844 Lgnjke32.exe 42 PID 2844 wrote to memory of 1964 2844 Lgnjke32.exe 42 PID 1964 wrote to memory of 2180 1964 Llkbcl32.exe 43 PID 1964 wrote to memory of 2180 1964 Llkbcl32.exe 43 PID 1964 wrote to memory of 2180 1964 Llkbcl32.exe 43 PID 1964 wrote to memory of 2180 1964 Llkbcl32.exe 43 PID 2180 wrote to memory of 1772 2180 Lgpfpe32.exe 44 PID 2180 wrote to memory of 1772 2180 Lgpfpe32.exe 44 PID 2180 wrote to memory of 1772 2180 Lgpfpe32.exe 44 PID 2180 wrote to memory of 1772 2180 Lgpfpe32.exe 44 PID 1772 wrote to memory of 1740 1772 Miocmq32.exe 45 PID 1772 wrote to memory of 1740 1772 Miocmq32.exe 45 PID 1772 wrote to memory of 1740 1772 Miocmq32.exe 45 PID 1772 wrote to memory of 1740 1772 Miocmq32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe"C:\Users\Admin\AppData\Local\Temp\e559b98db143734dac36b5faca42c90f1f3e4cbb070bb18d33b5518fb2180763N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Kimjhnnl.exeC:\Windows\system32\Kimjhnnl.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Kpfbegei.exeC:\Windows\system32\Kpfbegei.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Lhdcojaa.exeC:\Windows\system32\Lhdcojaa.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Lmalgq32.exeC:\Windows\system32\Lmalgq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Lkelpd32.exeC:\Windows\system32\Lkelpd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Lkgifd32.exeC:\Windows\system32\Lkgifd32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Ldpnoj32.exeC:\Windows\system32\Ldpnoj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Lgnjke32.exeC:\Windows\system32\Lgnjke32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Llkbcl32.exeC:\Windows\system32\Llkbcl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Lgpfpe32.exeC:\Windows\system32\Lgpfpe32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Mlolnllf.exeC:\Windows\system32\Mlolnllf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248 -
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Mkdioh32.exeC:\Windows\system32\Mkdioh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Windows\SysWOW64\Mclqqeaq.exeC:\Windows\system32\Mclqqeaq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Maoalb32.exeC:\Windows\system32\Maoalb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Mobaef32.exeC:\Windows\system32\Mobaef32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Maanab32.exeC:\Windows\system32\Maanab32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Mgnfji32.exeC:\Windows\system32\Mgnfji32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Ngpcohbm.exeC:\Windows\system32\Ngpcohbm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Nphghn32.exeC:\Windows\system32\Nphghn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Nlohmonb.exeC:\Windows\system32\Nlohmonb.exe33⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ncipjieo.exeC:\Windows\system32\Ncipjieo.exe34⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Ncipjieo.exeC:\Windows\system32\Ncipjieo.exe35⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Nqmqcmdh.exeC:\Windows\system32\Nqmqcmdh.exe36⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Nckmpicl.exeC:\Windows\system32\Nckmpicl.exe37⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Nldahn32.exeC:\Windows\system32\Nldahn32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Nobndj32.exeC:\Windows\system32\Nobndj32.exe39⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Nbqjqehd.exeC:\Windows\system32\Nbqjqehd.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Omfnnnhj.exeC:\Windows\system32\Omfnnnhj.exe41⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Ocpfkh32.exeC:\Windows\system32\Ocpfkh32.exe42⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Ofobgc32.exeC:\Windows\system32\Ofobgc32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Okkkoj32.exeC:\Windows\system32\Okkkoj32.exe44⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ofaolcmh.exeC:\Windows\system32\Ofaolcmh.exe45⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Ogbldk32.exeC:\Windows\system32\Ogbldk32.exe46⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Onldqejb.exeC:\Windows\system32\Onldqejb.exe47⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Oqkpmaif.exeC:\Windows\system32\Oqkpmaif.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:372 -
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Ogdhik32.exeC:\Windows\system32\Ogdhik32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe51⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe52⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Oehicoom.exeC:\Windows\system32\Oehicoom.exe53⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Ockinl32.exeC:\Windows\system32\Ockinl32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe55⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Onamle32.exeC:\Windows\system32\Onamle32.exe56⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Oqojhp32.exeC:\Windows\system32\Oqojhp32.exe57⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Pcnfdl32.exeC:\Windows\system32\Pcnfdl32.exe58⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Pgibdjln.exeC:\Windows\system32\Pgibdjln.exe59⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Pflbpg32.exeC:\Windows\system32\Pflbpg32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Pncjad32.exeC:\Windows\system32\Pncjad32.exe61⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Pmfjmake.exeC:\Windows\system32\Pmfjmake.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe63⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Pglojj32.exeC:\Windows\system32\Pglojj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Pimkbbpi.exeC:\Windows\system32\Pimkbbpi.exe65⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1628 -
C:\Windows\SysWOW64\Ppgcol32.exeC:\Windows\system32\Ppgcol32.exe67⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Pjlgle32.exeC:\Windows\system32\Pjlgle32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Piohgbng.exeC:\Windows\system32\Piohgbng.exe69⤵PID:2484
-
C:\Windows\SysWOW64\Ppipdl32.exeC:\Windows\system32\Ppipdl32.exe70⤵PID:1496
-
C:\Windows\SysWOW64\Pcdldknm.exeC:\Windows\system32\Pcdldknm.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe72⤵PID:2592
-
C:\Windows\SysWOW64\Piadma32.exeC:\Windows\system32\Piadma32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Ppkmjlca.exeC:\Windows\system32\Ppkmjlca.exe74⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Pnnmeh32.exeC:\Windows\system32\Pnnmeh32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892 -
C:\Windows\SysWOW64\Pbjifgcd.exeC:\Windows\system32\Pbjifgcd.exe76⤵PID:2960
-
C:\Windows\SysWOW64\Pehebbbh.exeC:\Windows\system32\Pehebbbh.exe77⤵PID:2972
-
C:\Windows\SysWOW64\Phgannal.exeC:\Windows\system32\Phgannal.exe78⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Plbmom32.exeC:\Windows\system32\Plbmom32.exe79⤵PID:2396
-
C:\Windows\SysWOW64\Qnqjkh32.exeC:\Windows\system32\Qnqjkh32.exe80⤵PID:992
-
C:\Windows\SysWOW64\Qaofgc32.exeC:\Windows\system32\Qaofgc32.exe81⤵PID:2240
-
C:\Windows\SysWOW64\Qifnhaho.exeC:\Windows\system32\Qifnhaho.exe82⤵PID:1468
-
C:\Windows\SysWOW64\Qldjdlgb.exeC:\Windows\system32\Qldjdlgb.exe83⤵PID:1872
-
C:\Windows\SysWOW64\Qjgjpi32.exeC:\Windows\system32\Qjgjpi32.exe84⤵PID:2024
-
C:\Windows\SysWOW64\Qbobaf32.exeC:\Windows\system32\Qbobaf32.exe85⤵PID:1036
-
C:\Windows\SysWOW64\Qaablcej.exeC:\Windows\system32\Qaablcej.exe86⤵
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\Qemomb32.exeC:\Windows\system32\Qemomb32.exe87⤵PID:2456
-
C:\Windows\SysWOW64\Qhkkim32.exeC:\Windows\system32\Qhkkim32.exe88⤵PID:2132
-
C:\Windows\SysWOW64\Qlggjlep.exeC:\Windows\system32\Qlggjlep.exe89⤵PID:2612
-
C:\Windows\SysWOW64\Anecfgdc.exeC:\Windows\system32\Anecfgdc.exe90⤵PID:2624
-
C:\Windows\SysWOW64\Amhcad32.exeC:\Windows\system32\Amhcad32.exe91⤵PID:3020
-
C:\Windows\SysWOW64\Aadobccg.exeC:\Windows\system32\Aadobccg.exe92⤵PID:2584
-
C:\Windows\SysWOW64\Adblnnbk.exeC:\Windows\system32\Adblnnbk.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Ahngomkd.exeC:\Windows\system32\Ahngomkd.exe94⤵PID:796
-
C:\Windows\SysWOW64\Aaflgb32.exeC:\Windows\system32\Aaflgb32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Addhcn32.exeC:\Windows\system32\Addhcn32.exe96⤵PID:2412
-
C:\Windows\SysWOW64\Ahpddmia.exeC:\Windows\system32\Ahpddmia.exe97⤵PID:1456
-
C:\Windows\SysWOW64\Ajnqphhe.exeC:\Windows\system32\Ajnqphhe.exe98⤵
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Aiaqle32.exeC:\Windows\system32\Aiaqle32.exe99⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Aahimb32.exeC:\Windows\system32\Aahimb32.exe100⤵PID:2656
-
C:\Windows\SysWOW64\Abjeejep.exeC:\Windows\system32\Abjeejep.exe101⤵PID:2572
-
C:\Windows\SysWOW64\Afeaei32.exeC:\Windows\system32\Afeaei32.exe102⤵PID:2444
-
C:\Windows\SysWOW64\Aicmadmm.exeC:\Windows\system32\Aicmadmm.exe103⤵PID:1240
-
C:\Windows\SysWOW64\Albjnplq.exeC:\Windows\system32\Albjnplq.exe104⤵PID:1824
-
C:\Windows\SysWOW64\Apnfno32.exeC:\Windows\system32\Apnfno32.exe105⤵PID:1704
-
C:\Windows\SysWOW64\Aejnfe32.exeC:\Windows\system32\Aejnfe32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:932 -
C:\Windows\SysWOW64\Amafgc32.exeC:\Windows\system32\Amafgc32.exe107⤵PID:112
-
C:\Windows\SysWOW64\Aldfcpjn.exeC:\Windows\system32\Aldfcpjn.exe108⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Bfjkphjd.exeC:\Windows\system32\Bfjkphjd.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Bihgmdih.exeC:\Windows\system32\Bihgmdih.exe110⤵PID:1660
-
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe111⤵PID:2956
-
C:\Windows\SysWOW64\Boeoek32.exeC:\Windows\system32\Boeoek32.exe112⤵PID:1616
-
C:\Windows\SysWOW64\Beogaenl.exeC:\Windows\system32\Beogaenl.exe113⤵
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Blipno32.exeC:\Windows\system32\Blipno32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2556 -
C:\Windows\SysWOW64\Bklpjlmc.exeC:\Windows\system32\Bklpjlmc.exe115⤵
- System Location Discovery: System Language Discovery
PID:236 -
C:\Windows\SysWOW64\Bbchkime.exeC:\Windows\system32\Bbchkime.exe116⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Bafhff32.exeC:\Windows\system32\Bafhff32.exe117⤵PID:2160
-
C:\Windows\SysWOW64\Bhpqcpkm.exeC:\Windows\system32\Bhpqcpkm.exe118⤵PID:2344
-
C:\Windows\SysWOW64\Blkmdodf.exeC:\Windows\system32\Blkmdodf.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Bceeqi32.exeC:\Windows\system32\Bceeqi32.exe120⤵PID:2188
-
C:\Windows\SysWOW64\Bahelebm.exeC:\Windows\system32\Bahelebm.exe121⤵
- System Location Discovery: System Language Discovery
PID:1788
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-