Analysis
max time kernel: 91s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:42

Static task: static1
Behavioral task: behavioral1
Sample: ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe
Resource: win10v2004-20241007-en

General
Target: ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe
Size: 315KB
MD5: dee785024b77dc69382a05daf8fbd366
SHA1: cbb852e8d62cf09953977f0210d1f0c1e4681e43
SHA256: ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10
SHA512: fdb225d1cde651deb03ac36c437613acf3c6b1baefb6e9e23b11e124ea0459483202b02101a41f9cb87c4b9b9ebff2df7cf9c478ccd9faf9dcfe4fd4f91c973f
SSDEEP: 3072:r+AX0lLy6GyWamSxiO6GyeKWCuamS+q2iO6GyeKWCuamS+q2iO6GyeKWCua+qf0a:SAXNitqI+stesMmG
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes: pid 10024, pid_target 9536
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
Process tree: each entry is a child of the one before it, and the number is its depth in the tree. The image path is followed by the command line used to start it.

1. C:\Users\Admin\AppData\Local\Temp\ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ae56b67b9c1dda37130137c96a67e9f194bde3659d1543a7474cdcc003c11c10.exe")
- Suspicious use of WriteProcessMemory
- PID:1624
2. C:\Windows\SysWOW64\Lbhocegl.exe (command line: C:\Windows\system32\Lbhocegl.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- PID:1112
3. C:\Windows\SysWOW64\Lefkpq32.exe (command line: C:\Windows\system32\Lefkpq32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:3532
4. C:\Windows\SysWOW64\Lmmcqn32.exe (command line: C:\Windows\system32\Lmmcqn32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:4100
5. C:\Windows\SysWOW64\Llpcljnl.exe (command line: C:\Windows\system32\Llpcljnl.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:2124
6. C:\Windows\SysWOW64\Ldjhcgll.exe (command line: C:\Windows\system32\Ldjhcgll.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:2604
7. C:\Windows\SysWOW64\Lghdockp.exe (command line: C:\Windows\system32\Lghdockp.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:4676
8. C:\Windows\SysWOW64\Lekekp32.exe (command line: C:\Windows\system32\Lekekp32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:5028
9. C:\Windows\SysWOW64\Memapppg.exe (command line: C:\Windows\system32\Memapppg.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:60
10. C:\Windows\SysWOW64\Mpcenhpn.exe (command line: C:\Windows\system32\Mpcenhpn.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:444
11. C:\Windows\SysWOW64\Mgmnjb32.exe (command line: C:\Windows\system32\Mgmnjb32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:2988
12. C:\Windows\SysWOW64\Mikjfn32.exe (command line: C:\Windows\system32\Mikjfn32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:116
13. C:\Windows\SysWOW64\Mljfbiea.exe (command line: C:\Windows\system32\Mljfbiea.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:2720
14. C:\Windows\SysWOW64\Mccooc32.exe (command line: C:\Windows\system32\Mccooc32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:5104
15. C:\Windows\SysWOW64\Mdckifda.exe (command line: C:\Windows\system32\Mdckifda.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:3952
16. C:\Windows\SysWOW64\Mipcambi.exe (command line: C:\Windows\system32\Mipcambi.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:2628
17. C:\Windows\SysWOW64\Mlnpnh32.exe (command line: C:\Windows\system32\Mlnpnh32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:5080
18. C:\Windows\SysWOW64\Megdfnhm.exe (command line: C:\Windows\system32\Megdfnhm.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:2320
19. C:\Windows\SysWOW64\Mnnlgkho.exe (command line: C:\Windows\system32\Mnnlgkho.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:2192
20. C:\Windows\SysWOW64\Mlqlch32.exe (command line: C:\Windows\system32\Mlqlch32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- PID:4116
21. C:\Windows\SysWOW64\Mplhdghc.exe (command line: C:\Windows\system32\Mplhdghc.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- PID:2736
22. C:\Windows\SysWOW64\Ndjajeni.exe (command line: C:\Windows\system32\Ndjajeni.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:4372
23. C:\Windows\SysWOW64\Neknam32.exe (command line: C:\Windows\system32\Neknam32.exe)
- Executes dropped EXE
- PID:4620
24. C:\Windows\SysWOW64\Nnbebk32.exe (command line: C:\Windows\system32\Nnbebk32.exe)
- Executes dropped EXE
- PID:1120
25. C:\Windows\SysWOW64\Ndlnoelf.exe (command line: C:\Windows\system32\Ndlnoelf.exe)
- Executes dropped EXE
- PID:4752
26. C:\Windows\SysWOW64\Nenjgm32.exe (command line: C:\Windows\system32\Nenjgm32.exe)
- Executes dropped EXE
- Modifies registry class
- PID:5004
27. C:\Windows\SysWOW64\Nnebhj32.exe (command line: C:\Windows\system32\Nnebhj32.exe)
- Executes dropped EXE
- PID:3816
28. C:\Windows\SysWOW64\Nlhbdgia.exe (command line: C:\Windows\system32\Nlhbdgia.exe)
- Executes dropped EXE
- PID:2336
29. C:\Windows\SysWOW64\Ndoked32.exe (command line: C:\Windows\system32\Ndoked32.exe)
- Executes dropped EXE
- PID:4800
30. C:\Windows\SysWOW64\Ncakqaqo.exe (command line: C:\Windows\system32\Ncakqaqo.exe)
- Executes dropped EXE
- PID:2372
31. C:\Windows\SysWOW64\Ngmgap32.exe (command line: C:\Windows\system32\Ngmgap32.exe)
- Executes dropped EXE
- PID:1740
32. C:\Windows\SysWOW64\Nfpgmmpb.exe (command line: C:\Windows\system32\Nfpgmmpb.exe)
- Executes dropped EXE
- PID:1040
33. C:\Windows\SysWOW64\Nngonjqd.exe (command line: C:\Windows\system32\Nngonjqd.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- PID:3056
34. C:\Windows\SysWOW64\Nljoig32.exe (command line: C:\Windows\system32\Nljoig32.exe)
- PID:448
35. C:\Windows\SysWOW64\Npekjeph.exe (command line: C:\Windows\system32\Npekjeph.exe)
- Executes dropped EXE
- PID:3812
36. C:\Windows\SysWOW64\Ngpcgp32.exe (command line: C:\Windows\system32\Ngpcgp32.exe)
- Executes dropped EXE
- PID:3972
37. C:\Windows\SysWOW64\Nfbdblnp.exe (command line: C:\Windows\system32\Nfbdblnp.exe)
- Executes dropped EXE
- PID:4592
38. C:\Windows\SysWOW64\Njnpck32.exe (command line: C:\Windows\system32\Njnpck32.exe)
- Executes dropped EXE
- Modifies registry class
- PID:3052
39. C:\Windows\SysWOW64\Nnilcjnb.exe (command line: C:\Windows\system32\Nnilcjnb.exe)
- Executes dropped EXE
- PID:1264
40. C:\Windows\SysWOW64\Ophhpene.exe (command line: C:\Windows\system32\Ophhpene.exe)
- Executes dropped EXE
- PID:4368
41. C:\Windows\SysWOW64\Odcdpd32.exe (command line: C:\Windows\system32\Odcdpd32.exe)
- Executes dropped EXE
- PID:1276
42. C:\Windows\SysWOW64\Ocfdlqmi.exe (command line: C:\Windows\system32\Ocfdlqmi.exe)
- Executes dropped EXE
- PID:5100
43. C:\Windows\SysWOW64\Ogbploeb.exe (command line: C:\Windows\system32\Ogbploeb.exe)
- Executes dropped EXE
- PID:2824
44. C:\Windows\SysWOW64\Ofeqhl32.exe (command line: C:\Windows\system32\Ofeqhl32.exe)
- Executes dropped EXE
- PID:3704
45. C:\Windows\SysWOW64\Onlhii32.exe (command line: C:\Windows\system32\Onlhii32.exe)
- Executes dropped EXE
- PID:3424
46. C:\Windows\SysWOW64\Oloidfcj.exe (command line: C:\Windows\system32\Oloidfcj.exe)
- Executes dropped EXE
- PID:700
47. C:\Windows\SysWOW64\Opjeee32.exe (command line: C:\Windows\system32\Opjeee32.exe)
- Executes dropped EXE
- PID:1792
48. C:\Windows\SysWOW64\Odfqecdl.exe (command line: C:\Windows\system32\Odfqecdl.exe)
- Executes dropped EXE
- PID:4128
49. C:\Windows\SysWOW64\Ogdmaocp.exe (command line: C:\Windows\system32\Ogdmaocp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID:1504
50. C:\Windows\SysWOW64\Ofgmml32.exe (command line: C:\Windows\system32\Ofgmml32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- PID:1620
51. C:\Windows\SysWOW64\Ojbinjbc.exe (command line: C:\Windows\system32\Ojbinjbc.exe)
- Executes dropped EXE
- PID:1292
52. C:\Windows\SysWOW64\Olaejfag.exe (command line: C:\Windows\system32\Olaejfag.exe)
- Executes dropped EXE
- PID:1964
53. C:\Windows\SysWOW64\Opmakd32.exe (command line: C:\Windows\system32\Opmakd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID:3360
54. C:\Windows\SysWOW64\Odhmkcbi.exe (command line: C:\Windows\system32\Odhmkcbi.exe)
- Executes dropped EXE
- PID:3124
55. C:\Windows\SysWOW64\Ogfjgo32.exe (command line: C:\Windows\system32\Ogfjgo32.exe)
- Executes dropped EXE
- PID:2632
56. C:\Windows\SysWOW64\Ofijckhg.exe (command line: C:\Windows\system32\Ofijckhg.exe)
- Executes dropped EXE
- PID:2956
57. C:\Windows\SysWOW64\Ojefcj32.exe (command line: C:\Windows\system32\Ojefcj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- PID:1400
58. C:\Windows\SysWOW64\Olcbpe32.exe (command line: C:\Windows\system32\Olcbpe32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID:4548
59. C:\Windows\SysWOW64\Oqonpdgn.exe (command line: C:\Windows\system32\Oqonpdgn.exe)
- Executes dropped EXE
- Modifies registry class
- PID:4932
60. C:\Windows\SysWOW64\Ocmjlpfa.exe (command line: C:\Windows\system32\Ocmjlpfa.exe)
- Executes dropped EXE
- PID:4764
61. C:\Windows\SysWOW64\Oqakfdek.exe (command line: C:\Windows\system32\Oqakfdek.exe)
- Executes dropped EXE
- PID:3448
62. C:\Windows\SysWOW64\Ogkcbn32.exe (command line: C:\Windows\system32\Ogkcbn32.exe)
- Executes dropped EXE
- PID:976
63. C:\Windows\SysWOW64\Ojjooilk.exe (command line: C:\Windows\system32\Ojjooilk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- PID:872
64. C:\Windows\SysWOW64\Onekoh32.exe (command line: C:\Windows\system32\Onekoh32.exe)
- Executes dropped EXE
- PID:3528
65. C:\Windows\SysWOW64\Pqcgkc32.exe (command line: C:\Windows\system32\Pqcgkc32.exe)
- Executes dropped EXE
- PID:2528
66. C:\Windows\SysWOW64\Pgnphnke.exe (command line: C:\Windows\system32\Pgnphnke.exe)
- Executes dropped EXE
- PID:3492
67. C:\Windows\SysWOW64\Pnghdh32.exe (command line: C:\Windows\system32\Pnghdh32.exe)
- PID:1536
68. C:\Windows\SysWOW64\Pqfdac32.exe (command line: C:\Windows\system32\Pqfdac32.exe)
- PID:2136
69. C:\Windows\SysWOW64\Pgplnmib.exe (command line: C:\Windows\system32\Pgplnmib.exe)
- PID:1872
70. C:\Windows\SysWOW64\Pjnijihf.exe (command line: C:\Windows\system32\Pjnijihf.exe)
- PID:4276
71. C:\Windows\SysWOW64\Pqhafcoc.exe (command line: C:\Windows\system32\Pqhafcoc.exe)
- PID:4692
72. C:\Windows\SysWOW64\Pgbicm32.exe (command line: C:\Windows\system32\Pgbicm32.exe)
- PID:2148
73. C:\Windows\SysWOW64\Pjqeoh32.exe (command line: C:\Windows\system32\Pjqeoh32.exe)
- PID:1912
74. C:\Windows\SysWOW64\Pqknlbmp.exe (command line: C:\Windows\system32\Pqknlbmp.exe)
- PID:1192
75. C:\Windows\SysWOW64\Pcijhnld.exe (command line: C:\Windows\system32\Pcijhnld.exe)
- PID:4900
76. C:\Windows\SysWOW64\Pjcbeh32.exe (command line: C:\Windows\system32\Pjcbeh32.exe)
- PID:4628
77. C:\Windows\SysWOW64\Pqmjab32.exe (command line: C:\Windows\system32\Pqmjab32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID:2196
78. C:\Windows\SysWOW64\Pckfnn32.exe (command line: C:\Windows\system32\Pckfnn32.exe)
- PID:316
79. C:\Windows\SysWOW64\Pnakkf32.exe (command line: C:\Windows\system32\Pnakkf32.exe)
- Drops file in System32 directory
- PID:1688
80. C:\Windows\SysWOW64\Qqoggb32.exe (command line: C:\Windows\system32\Qqoggb32.exe)
- PID:4896
81. C:\Windows\SysWOW64\Qjhlpgpk.exe (command line: C:\Windows\system32\Qjhlpgpk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID:4304
82. C:\Windows\SysWOW64\Qncgqf32.exe (command line: C:\Windows\system32\Qncgqf32.exe)
- PID:4968
83. C:\Windows\SysWOW64\Qdmpmp32.exe (command line: C:\Windows\system32\Qdmpmp32.exe)
- PID:3004
84. C:\Windows\SysWOW64\Qgllil32.exe (command line: C:\Windows\system32\Qgllil32.exe)
- PID:1164
85. C:\Windows\SysWOW64\Amhdab32.exe (command line: C:\Windows\system32\Amhdab32.exe)
- PID:472
86. C:\Windows\SysWOW64\Acbmnmdi.exe (command line: C:\Windows\system32\Acbmnmdi.exe)
- PID:2820
87. C:\Windows\SysWOW64\Afaijhcm.exe (command line: C:\Windows\system32\Afaijhcm.exe)
- PID:4552
88. C:\Windows\SysWOW64\Anhaledo.exe (command line: C:\Windows\system32\Anhaledo.exe)
- PID:4484
89. C:\Windows\SysWOW64\Aebihpkl.exe (command line: C:\Windows\system32\Aebihpkl.exe)
- System Location Discovery: System Language Discovery
- PID:2576
90. C:\Windows\SysWOW64\Agpedkjp.exe (command line: C:\Windows\system32\Agpedkjp.exe)
- PID:1104
91. C:\Windows\SysWOW64\Ajoaqfjc.exe (command line: C:\Windows\system32\Ajoaqfjc.exe)
- PID:4756
92. C:\Windows\SysWOW64\Ammnmbig.exe (command line: C:\Windows\system32\Ammnmbig.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
- PID:1332
93. C:\Windows\SysWOW64\Acgfil32.exe (command line: C:\Windows\system32\Acgfil32.exe)
- PID:1976
94. C:\Windows\SysWOW64\Anmjfe32.exe (command line: C:\Windows\system32\Anmjfe32.exe)
- PID:2164
95. C:\Windows\SysWOW64\Aefbcogf.exe (command line: C:\Windows\system32\Aefbcogf.exe)
- PID:4268
96. C:\Windows\SysWOW64\Anogldng.exe (command line: C:\Windows\system32\Anogldng.exe)
- PID:548
97. C:\Windows\SysWOW64\Aclpdklo.exe (command line: C:\Windows\system32\Aclpdklo.exe)
- PID:648
98. C:\Windows\SysWOW64\Bnadadld.exe (command line: C:\Windows\system32\Bnadadld.exe)
- PID:2600
99. C:\Windows\SysWOW64\Beklnn32.exe (command line: C:\Windows\system32\Beklnn32.exe)
- PID:1272
100. C:\Windows\SysWOW64\Bgjhkjbe.exe (command line: C:\Windows\system32\Bgjhkjbe.exe)
- PID:5132
101. C:\Windows\SysWOW64\Bmfqcqql.exe (command line: C:\Windows\system32\Bmfqcqql.exe)
- PID:5172
102. C:\Windows\SysWOW64\Benidnao.exe (command line: C:\Windows\system32\Benidnao.exe)
- PID:5216
103. C:\Windows\SysWOW64\Bjjalepf.exe (command line: C:\Windows\system32\Bjjalepf.exe)
- PID:5260
104. C:\Windows\SysWOW64\Badiio32.exe (command line: C:\Windows\system32\Badiio32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID:5300
105. C:\Windows\SysWOW64\Bccfej32.exe (command line: C:\Windows\system32\Bccfej32.exe)
- PID:5344
106. C:\Windows\SysWOW64\Bagfooep.exe (command line: C:\Windows\system32\Bagfooep.exe)
- Drops file in System32 directory
- PID:5384
107. C:\Windows\SysWOW64\Bebbom32.exe (command line: C:\Windows\system32\Bebbom32.exe)
- Modifies registry class
- PID:5424
108. C:\Windows\SysWOW64\Bnkfhcdj.exe (command line: C:\Windows\system32\Bnkfhcdj.exe)
- PID:5464
109. C:\Windows\SysWOW64\Beeodm32.exe (command line: C:\Windows\system32\Beeodm32.exe)
- PID:5504
110. C:\Windows\SysWOW64\Bhckqh32.exe (command line: C:\Windows\system32\Bhckqh32.exe)
- PID:5544
111. C:\Windows\SysWOW64\Cakpjn32.exe (command line: C:\Windows\system32\Cakpjn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID:5584
112. C:\Windows\SysWOW64\Cegljmid.exe (command line: C:\Windows\system32\Cegljmid.exe)
- System Location Discovery: System Language Discovery
- PID:5624
113. C:\Windows\SysWOW64\Chehfhhh.exe (command line: C:\Windows\system32\Chehfhhh.exe)
- PID:5664
114. C:\Windows\SysWOW64\Canlon32.exe (command line: C:\Windows\system32\Canlon32.exe)
- PID:5720
115. C:\Windows\SysWOW64\Cdlhki32.exe (command line: C:\Windows\system32\Cdlhki32.exe)
- PID:5760
116. C:\Windows\SysWOW64\Chhdlhfe.exe (command line: C:\Windows\system32\Chhdlhfe.exe)
- PID:5812
117. C:\Windows\SysWOW64\Cnamib32.exe (command line: C:\Windows\system32\Cnamib32.exe)
- PID:5872
118. C:\Windows\SysWOW64\Cmdmdo32.exe (command line: C:\Windows\system32\Cmdmdo32.exe)
- PID:5932
119. C:\Windows\SysWOW64\Celeel32.exe (command line: C:\Windows\system32\Celeel32.exe)
- PID:5972
120. C:\Windows\SysWOW64\Chjaag32.exe (command line: C:\Windows\system32\Chjaag32.exe)
- PID:6016
121. C:\Windows\SysWOW64\Cfmamdkm.exe (command line: C:\Windows\system32\Cfmamdkm.exe)
- PID:6080
122. C:\Windows\SysWOW64\Cjhmnc32.exe (command line: C:\Windows\system32\Cjhmnc32.exe)
- PID:5124