Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 01:01
Static task
static1
Behavioral task
behavioral1
Sample
eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exe
Resource
win10v2004-20241007-en
General
-
Target
eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exe
-
Size
64KB
-
MD5
8675f5ca225de204608bdb9e7231e130
-
SHA1
4f68e6213fce0b4e765c1bf5eda2e82aa5af4864
-
SHA256
eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deed
-
SHA512
695a764b01239adfba280998126c900df8345f5e1415d76b5e0533a99f72613eb9e3971c8da3883a1105d38de9666aca183fd84801346eb5a753120ac7420935
-
SSDEEP
768:8aa++UI4vp3QmNYZVcfCHtlH1rLMsVAD4C0qpDoTO3yQi4+2p/1H5IXdnh0Usb0x:9arAuV9l9LMsplqpFo4+2L4rDWBi
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Pincfpoo.exeFamope32.exeOfcqcp32.exeBmpkqklh.exeOmmfga32.exeFgcejm32.exeDahifbpk.exeFqdiga32.exeElqaca32.exeKkmand32.exeKaompi32.exeKgqocoin.exeLfmbek32.exeBchfhfeh.exeNaopaa32.exeFkecij32.exeNnoiio32.exePdeqfhjd.exePkoicb32.exeBgllgedi.exeCljodo32.exeMclebc32.exeLmjnak32.exeLocjhqpa.exeGoiehm32.exePhpjnnki.exeBnnaoe32.exeKkgahoel.exeHeikgh32.exeNmejllia.exeJliaac32.exePjfpafmb.exeEkhkjm32.exeNhgnaehm.exeGdmdacnn.exeCfcijf32.exeFcphnm32.exeDogpdg32.exeLhiakf32.exeOlbfagca.exeOoclji32.exeDllhhaep.exeImnbbi32.exeFncpef32.exeGkglnm32.exeKncaojfb.exeKkjnnn32.exeOjomdoof.exeBffpki32.exeEgokonjc.exeFkbgckgd.exeJkchmo32.exeBmnnkl32.exePkljdj32.exeMpopnejo.exeLjddjj32.exeLlbqfe32.exeMobfgdcl.exeEpgphcqd.exeHnbopmnm.exeOeckfndj.exeIllbhp32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pincfpoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmpkqklh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgcejm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahifbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqdiga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elqaca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmand32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaompi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgqocoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmbek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchfhfeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naopaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkecij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdeqfhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgllgedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljodo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclebc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmjnak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Locjhqpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goiehm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phpjnnki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgahoel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heikgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmejllia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jliaac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjfpafmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekhkjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhgnaehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdmdacnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcijf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcphnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogpdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olbfagca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooclji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dllhhaep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imnbbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkglnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kncaojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjnnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojomdoof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffpki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egokonjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkbgckgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkchmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmnnkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkljdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpopnejo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mobfgdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epgphcqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbopmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeckfndj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illbhp32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Lnlnlc32.exeMakjho32.exeMjcoqdoc.exeMamgmofp.exeMeicnm32.exeMhgoji32.exeMnaggcej.exeMhilph32.exeMfllkece.exeMdpldi32.exeMjjdacik.exeMlkail32.exeMbeiefff.exeNmkncofl.exeNpijoj32.exeNfcbldmm.exeNianhplq.exeNoogpfjh.exeNamclbil.exeNhgkil32.exeNkegeg32.exeNaopaa32.exeNdnlnm32.exeNhiholof.exeNkhdkgnj.exeNmfqgbmm.exeNdpicm32.exeNoemqe32.exeNmhmlbkk.exeOhnaik32.exeOgqaehak.exeOmkjbb32.exeOdebolpe.exeOgcnkgoh.exeOiakgcnl.exeOmmfga32.exeOpkccm32.exeOdgodl32.exeOcjophem.exeOidglb32.exeOlbchn32.exeOpnpimdf.exeOoqpdj32.exeOghhfg32.exeOekhacbn.exeOhidmoaa.exeOpplolac.exeOoclji32.exeOcohkh32.exeOaaifdhb.exeOhkaco32.exePkjmoj32.exePcaepg32.exePadeldeo.exePeoalc32.exePhnnho32.exePkljdj32.exePohfehdi.exePafbadcm.exePeanbblf.exePhpjnnki.exePkofjijm.exePojbkh32.exePahogc32.exepid process 2528 Lnlnlc32.exe 2296 Makjho32.exe 2904 Mjcoqdoc.exe 2932 Mamgmofp.exe 2964 Meicnm32.exe 2616 Mhgoji32.exe 1784 Mnaggcej.exe 1648 Mhilph32.exe 2832 Mfllkece.exe 1280 Mdpldi32.exe 2680 Mjjdacik.exe 2016 Mlkail32.exe 2220 Mbeiefff.exe 3000 Nmkncofl.exe 1944 Npijoj32.exe 2332 Nfcbldmm.exe 1492 Nianhplq.exe 1520 Noogpfjh.exe 1596 Namclbil.exe 336 Nhgkil32.exe 2416 Nkegeg32.exe 2144 Naopaa32.exe 2312 Ndnlnm32.exe 2360 Nhiholof.exe 2104 Nkhdkgnj.exe 2912 Nmfqgbmm.exe 2648 Ndpicm32.exe 2652 Noemqe32.exe 2624 Nmhmlbkk.exe 3068 Ohnaik32.exe 2148 Ogqaehak.exe 564 Omkjbb32.exe 1608 Odebolpe.exe 2512 Ogcnkgoh.exe 2712 Oiakgcnl.exe 1800 Ommfga32.exe 2428 Opkccm32.exe 844 Odgodl32.exe 760 Ocjophem.exe 2120 Oidglb32.exe 1104 Olbchn32.exe 1372 Opnpimdf.exe 1292 Ooqpdj32.exe 1672 Oghhfg32.exe 2988 Oekhacbn.exe 2168 Ohidmoaa.exe 888 Opplolac.exe 2392 Ooclji32.exe 1556 Ocohkh32.exe 2920 Oaaifdhb.exe 2176 Ohkaco32.exe 2748 Pkjmoj32.exe 2688 Pcaepg32.exe 1248 Padeldeo.exe 1788 Peoalc32.exe 2132 Phnnho32.exe 1976 Pkljdj32.exe 2420 Pohfehdi.exe 1432 Pafbadcm.exe 996 Peanbblf.exe 264 Phpjnnki.exe 816 Pkofjijm.exe 440 Pojbkh32.exe 2800 Pahogc32.exe -
Loads dropped DLL 64 IoCs
Processes:
eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exeLnlnlc32.exeMakjho32.exeMjcoqdoc.exeMamgmofp.exeMeicnm32.exeMhgoji32.exeMnaggcej.exeMhilph32.exeMfllkece.exeMdpldi32.exeMjjdacik.exeMlkail32.exeMbeiefff.exeNmkncofl.exeNpijoj32.exeNfcbldmm.exeNianhplq.exeNoogpfjh.exeNamclbil.exeNhgkil32.exeNkegeg32.exeNaopaa32.exeNdnlnm32.exeNhiholof.exeNkhdkgnj.exeNmfqgbmm.exeNdpicm32.exeNoemqe32.exeNmhmlbkk.exeOhnaik32.exeOgqaehak.exepid process 1724 eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exe 1724 eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exe 2528 Lnlnlc32.exe 2528 Lnlnlc32.exe 2296 Makjho32.exe 2296 Makjho32.exe 2904 Mjcoqdoc.exe 2904 Mjcoqdoc.exe 2932 Mamgmofp.exe 2932 Mamgmofp.exe 2964 Meicnm32.exe 2964 Meicnm32.exe 2616 Mhgoji32.exe 2616 Mhgoji32.exe 1784 Mnaggcej.exe 1784 Mnaggcej.exe 1648 Mhilph32.exe 1648 Mhilph32.exe 2832 Mfllkece.exe 2832 Mfllkece.exe 1280 Mdpldi32.exe 1280 Mdpldi32.exe 2680 Mjjdacik.exe 2680 Mjjdacik.exe 2016 Mlkail32.exe 2016 Mlkail32.exe 2220 Mbeiefff.exe 2220 Mbeiefff.exe 3000 Nmkncofl.exe 3000 Nmkncofl.exe 1944 Npijoj32.exe 1944 Npijoj32.exe 2332 Nfcbldmm.exe 2332 Nfcbldmm.exe 1492 Nianhplq.exe 1492 Nianhplq.exe 1520 Noogpfjh.exe 1520 Noogpfjh.exe 1596 Namclbil.exe 1596 Namclbil.exe 336 Nhgkil32.exe 336 Nhgkil32.exe 2416 Nkegeg32.exe 2416 Nkegeg32.exe 2144 Naopaa32.exe 2144 Naopaa32.exe 2312 Ndnlnm32.exe 2312 Ndnlnm32.exe 2360 Nhiholof.exe 2360 Nhiholof.exe 2104 Nkhdkgnj.exe 2104 Nkhdkgnj.exe 2912 Nmfqgbmm.exe 2912 Nmfqgbmm.exe 2648 Ndpicm32.exe 2648 Ndpicm32.exe 2652 Noemqe32.exe 2652 Noemqe32.exe 2624 Nmhmlbkk.exe 2624 Nmhmlbkk.exe 3068 Ohnaik32.exe 3068 Ohnaik32.exe 2148 Ogqaehak.exe 2148 Ogqaehak.exe -
Drops file in System32 directory 64 IoCs
Processes:
Iinmfk32.exeHebnlb32.exeKhghgchk.exeBchfhfeh.exeQndigd32.exeMpamde32.exeMeabakda.exeIeajkfmd.exeAlnalh32.exeAdlcfjgh.exePiicpk32.exeMfllkece.exeEpecbd32.exeAjnpecbj.exeDphmloih.exeIbejdjln.exeIlnomp32.exeDdfebnoo.exeKkgahoel.exeNjfjnpgp.exeOjomdoof.exeOpplolac.exeDdiibc32.exeHidcef32.exeQpbglhjq.exeLbcbjlmb.exeAjmijmnn.exeCbdgqimc.exeHpjeialg.exeHlccdboi.exeIoooiack.exeMiehak32.exeMpopnejo.exeCmpdgf32.exeIiecgjba.exeOdjdmjgo.exeIjehdl32.exeNkhdkgnj.exeClgbno32.exeIahkpg32.exeJioopgef.exeNlqmmd32.exeQgjccb32.exeKcdjoaee.exeMbnljqic.exeCmfkfa32.exeHmoofdea.exeJlphbbbg.exeLdpbpgoh.exeIigpli32.exeBnldjekl.exeHpphhp32.exeHmdhad32.exeJgabdlfb.exeOmmfga32.exeCdjmcpnl.exeGcmoda32.exeJmhnkfpa.exeJbefcm32.exeJhdlad32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Iaeegh32.exe Iinmfk32.exe File created C:\Windows\SysWOW64\Hcdnhoac.exe Hebnlb32.exe File created C:\Windows\SysWOW64\Dldlhdpl.dll Khghgchk.exe File created C:\Windows\SysWOW64\Dfefmpeo.dll Bchfhfeh.exe File created C:\Windows\SysWOW64\Qmgibqjc.exe Qndigd32.exe File created C:\Windows\SysWOW64\Nplbqgdb.dll Mpamde32.exe File opened for modification C:\Windows\SysWOW64\Mhonngce.exe Meabakda.exe File created C:\Windows\SysWOW64\Iimfld32.exe Ieajkfmd.exe File opened for modification C:\Windows\SysWOW64\Aomnhd32.exe Alnalh32.exe File opened for modification C:\Windows\SysWOW64\Agjobffl.exe Adlcfjgh.exe File created C:\Windows\SysWOW64\Obecdjcn.dll Piicpk32.exe File opened for modification C:\Windows\SysWOW64\Mdpldi32.exe Mfllkece.exe File opened for modification C:\Windows\SysWOW64\Eccpoo32.exe Epecbd32.exe File created C:\Windows\SysWOW64\Aqhhanig.exe Ajnpecbj.exe File created C:\Windows\SysWOW64\Dphmloih.exe Dphmloih.exe File created C:\Windows\SysWOW64\Mlionk32.dll Ibejdjln.exe File opened for modification C:\Windows\SysWOW64\Ijqoilii.exe Ilnomp32.exe File opened for modification C:\Windows\SysWOW64\Dgeaoinb.exe Ddfebnoo.exe File opened for modification C:\Windows\SysWOW64\Knfndjdp.exe Kkgahoel.exe File created C:\Windows\SysWOW64\Moohhbcf.dll Njfjnpgp.exe File created C:\Windows\SysWOW64\Omnipjni.exe Ojomdoof.exe File opened for modification C:\Windows\SysWOW64\Ooclji32.exe Opplolac.exe File created C:\Windows\SysWOW64\Onejdijo.dll Ddiibc32.exe File created C:\Windows\SysWOW64\Dmhgjdli.dll Hidcef32.exe File created C:\Windows\SysWOW64\Dfqnol32.dll Qpbglhjq.exe File created C:\Windows\SysWOW64\Agjobffl.exe Adlcfjgh.exe File created C:\Windows\SysWOW64\Ldbofgme.exe Lbcbjlmb.exe File created C:\Windows\SysWOW64\Nmlfpfpl.dll Ajmijmnn.exe File opened for modification C:\Windows\SysWOW64\Cafgle32.exe Cbdgqimc.exe File created C:\Windows\SysWOW64\Lgbgkabo.dll Hpjeialg.exe File created C:\Windows\SysWOW64\Ibebjn32.dll Hlccdboi.exe File created C:\Windows\SysWOW64\Ibkkjp32.exe Ioooiack.exe File opened for modification C:\Windows\SysWOW64\Mmadbjkk.exe Miehak32.exe File opened for modification C:\Windows\SysWOW64\Mbnljqic.exe Mpopnejo.exe File opened for modification C:\Windows\SysWOW64\Cpnaca32.exe Cmpdgf32.exe File opened for modification C:\Windows\SysWOW64\Ilcoce32.exe Iiecgjba.exe File opened for modification C:\Windows\SysWOW64\Ohfqmi32.exe Odjdmjgo.exe File created C:\Windows\SysWOW64\Fnddef32.dll Ijehdl32.exe File created C:\Windows\SysWOW64\Omakjj32.dll File created C:\Windows\SysWOW64\Nmfqgbmm.exe Nkhdkgnj.exe File created C:\Windows\SysWOW64\Cpcnonob.exe Clgbno32.exe File created C:\Windows\SysWOW64\Apgahbgk.dll Iahkpg32.exe File opened for modification C:\Windows\SysWOW64\Jhbold32.exe Jioopgef.exe File created C:\Windows\SysWOW64\Nmlkfoig.dll Ojomdoof.exe File created C:\Windows\SysWOW64\Ippbdn32.dll Nlqmmd32.exe File opened for modification C:\Windows\SysWOW64\Qkfocaki.exe Qgjccb32.exe File created C:\Windows\SysWOW64\Kbgjkn32.exe Kcdjoaee.exe File created C:\Windows\SysWOW64\Anjcbljh.dll Mbnljqic.exe File created C:\Windows\SysWOW64\Caaggpdh.exe Cmfkfa32.exe File opened for modification C:\Windows\SysWOW64\Hakkgc32.exe Hmoofdea.exe File created C:\Windows\SysWOW64\Jkchmo32.exe Jlphbbbg.exe File opened for modification C:\Windows\SysWOW64\Llgjaeoj.exe Ldpbpgoh.exe File opened for modification C:\Windows\SysWOW64\Jlelhe32.exe Iigpli32.exe File created C:\Windows\SysWOW64\Dmdgpc32.dll Bnldjekl.exe File created C:\Windows\SysWOW64\Hboddk32.exe Hpphhp32.exe File created C:\Windows\SysWOW64\Hlgimqhf.exe Hmdhad32.exe File created C:\Windows\SysWOW64\Jioopgef.exe Jgabdlfb.exe File created C:\Windows\SysWOW64\Opkccm32.exe Ommfga32.exe File opened for modification C:\Windows\SysWOW64\Cfhiplmp.exe Cdjmcpnl.exe File opened for modification C:\Windows\SysWOW64\Gfkkpmko.exe Gcmoda32.exe File created C:\Windows\SysWOW64\Gchfle32.dll Jmhnkfpa.exe File created C:\Windows\SysWOW64\Jgabdlfb.exe Jbefcm32.exe File opened for modification C:\Windows\SysWOW64\ÿs.e¢e File created C:\Windows\SysWOW64\Gdhclbka.dll Jhdlad32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 9588 8280 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Pojecajj.exeOidglb32.exeJhdlad32.exeFgldnkkf.exeIhdpbq32.exeAfdiondb.exeBigkel32.exeChnbcpmn.exeIdadnd32.exeLbcbjlmb.exeQiioon32.exeAjpepm32.exeMgjebg32.exePilfpqaa.exeIbejdjln.exeJlhhndno.exeKcmcoblm.exeMnomjl32.exeDlndnacm.exeMeoell32.exeCbgmigeq.exeIakgefqe.exeAkncimmh.exeEapfagno.exeHblgnkdh.exeEgmojnlf.exeMkaghg32.exeIpeaco32.exeKncaojfb.exePdgkco32.exeEamilh32.exeImnbbi32.exeMqpflg32.exeLqipkhbj.exePofkha32.exeOdebolpe.exeGjjmijme.exeDmdnbecj.exeLdbofgme.exeIllbhp32.exeJdpjba32.exeJlkngc32.exeQkfocaki.exeOkgjodmi.exeHjcppidk.exeFcphnm32.exeMmgfqh32.exePgfjhcge.exePhbgcnig.exeEnkpahon.exeFqdiga32.exeLclicpkm.exeNedhjj32.exeOcohkh32.exeAckmih32.exeGceailog.exeJpgjgboe.exeKadfkhkf.exePggdejno.exeElkmmodo.exeFkecij32.exeOghhfg32.exeCfcijf32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojecajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhdlad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgldnkkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdpbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdiondb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigkel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbcpmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idadnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcbjlmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgjebg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilfpqaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibejdjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlhhndno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmcoblm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnomjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlndnacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meoell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgmigeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakgefqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akncimmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eapfagno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblgnkdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmojnlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkaghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kncaojfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgkco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eamilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imnbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqpflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqipkhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofkha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odebolpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjmijme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdnbecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbofgme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpjba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkngc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgjodmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcppidk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcphnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmgfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfjhcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phbgcnig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkpahon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqdiga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclicpkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackmih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgjgboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pggdejno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkmmodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkecij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghhfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcijf32.exe -
Modifies registry class 64 IoCs
Processes:
Chcloo32.exeCbgmigeq.exeAababceh.exeCllkin32.exeIoakoq32.exeLjnnko32.exeNmejllia.exeNlqmmd32.exeOhncbdbd.exeAidphq32.exeBcjqdmla.exeNajpll32.exeCjlheehe.exeAfdiondb.exeBkegah32.exeJlhhndno.exeKfpifm32.exeQkffng32.exeDahifbpk.exeIdkpganf.exeOidiekdn.exeFhikme32.exeFkhgip32.exeJaeafklf.exeLngnfnji.exeFlhmfbim.exeGgnmbn32.exeAlihaioe.exeDedlag32.exeGnkmqkbi.exeAdfqgl32.exeDgeaoinb.exeGjjmijme.exePbagipfi.exePdeqfhjd.exePafbadcm.exeAipfmane.exeFbdlkj32.exeMchoid32.exePalepb32.exeDklddhka.exeKhcomhbi.exeHpbdmo32.exeJioopgef.exeHhjcic32.exeNmqpam32.exeElkmmodo.exeJbqmhnbo.exeJgabdlfb.exeAjmijmnn.exeAggpdnpj.exeNmkplgnq.exeGcjbna32.exePcghof32.exeJhbold32.exeLcofio32.exeNcnngfna.exeJjbbpmgo.exeNfkapb32.exeOkpcoe32.exeOhcdhi32.exeFkecij32.exeKnfndjdp.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chcloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgdgodno.dll" Cbgmigeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aababceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cllkin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioakoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljnnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmejllia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlqmmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aidphq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcjqdmla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Najpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkegah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlhhndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Homdlljo.dll" Kfpifm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkffng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idppjg32.dll" Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihifg32.dll" Idkpganf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oidiekdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhikme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkhgip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnclf32.dll" Jaeafklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lngnfnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flhmfbim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggnmbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alihaioe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dedlag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnkmqkbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adfqgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgeaoinb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjjmijme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkhnd32.dll" Pdeqfhjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pafbadcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aipfmane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbdlkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mchoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foehfmaf.dll" Palepb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dklddhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khcomhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpbdmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhjcic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfefh32.dll" Nmqpam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elkmmodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgabdlfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aggpdnpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmkplgnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcjbna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkibpkho.dll" Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majdmi32.dll" Jhbold32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcofio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmgmam.dll" Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjbbpmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfkapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okpcoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohcdhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkecij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knfndjdp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exeLnlnlc32.exeMakjho32.exeMjcoqdoc.exeMamgmofp.exeMeicnm32.exeMhgoji32.exeMnaggcej.exeMhilph32.exeMfllkece.exeMdpldi32.exeMjjdacik.exeMlkail32.exeMbeiefff.exeNmkncofl.exeNpijoj32.exedescription pid process target process PID 1724 wrote to memory of 2528 1724 eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exe Lnlnlc32.exe PID 1724 wrote to memory of 2528 1724 eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exe Lnlnlc32.exe PID 1724 wrote to memory of 2528 1724 eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exe Lnlnlc32.exe PID 1724 wrote to memory of 2528 1724 eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exe Lnlnlc32.exe PID 2528 wrote to memory of 2296 2528 Lnlnlc32.exe Makjho32.exe PID 2528 wrote to memory of 2296 2528 Lnlnlc32.exe Makjho32.exe PID 2528 wrote to memory of 2296 2528 Lnlnlc32.exe Makjho32.exe PID 2528 wrote to memory of 2296 2528 Lnlnlc32.exe Makjho32.exe PID 2296 wrote to memory of 2904 2296 Makjho32.exe Mjcoqdoc.exe PID 2296 wrote to memory of 2904 2296 Makjho32.exe Mjcoqdoc.exe PID 2296 wrote to memory of 2904 2296 Makjho32.exe Mjcoqdoc.exe PID 2296 wrote to memory of 2904 2296 Makjho32.exe Mjcoqdoc.exe PID 2904 wrote to memory of 2932 2904 Mjcoqdoc.exe Mamgmofp.exe PID 2904 wrote to memory of 2932 2904 Mjcoqdoc.exe Mamgmofp.exe PID 2904 wrote to memory of 2932 2904 Mjcoqdoc.exe Mamgmofp.exe PID 2904 wrote to memory of 2932 2904 Mjcoqdoc.exe Mamgmofp.exe PID 2932 wrote to memory of 2964 2932 Mamgmofp.exe Meicnm32.exe PID 2932 wrote to memory of 2964 2932 Mamgmofp.exe Meicnm32.exe PID 2932 wrote to memory of 2964 2932 Mamgmofp.exe Meicnm32.exe PID 2932 wrote to memory of 2964 2932 Mamgmofp.exe Meicnm32.exe PID 2964 wrote to memory of 2616 2964 Meicnm32.exe Mhgoji32.exe PID 2964 wrote to memory of 2616 2964 Meicnm32.exe Mhgoji32.exe PID 2964 wrote to memory of 2616 2964 Meicnm32.exe Mhgoji32.exe PID 2964 wrote to memory of 2616 2964 Meicnm32.exe Mhgoji32.exe PID 2616 wrote to memory of 1784 2616 Mhgoji32.exe Mnaggcej.exe PID 2616 wrote to memory of 1784 2616 Mhgoji32.exe Mnaggcej.exe PID 2616 wrote to memory of 1784 2616 Mhgoji32.exe Mnaggcej.exe PID 2616 wrote to memory of 1784 2616 Mhgoji32.exe Mnaggcej.exe PID 1784 wrote to memory of 1648 1784 Mnaggcej.exe Mhilph32.exe PID 1784 wrote to memory of 1648 1784 Mnaggcej.exe Mhilph32.exe PID 1784 wrote to memory of 1648 1784 Mnaggcej.exe Mhilph32.exe PID 1784 wrote to memory of 1648 1784 Mnaggcej.exe Mhilph32.exe PID 1648 wrote to memory of 2832 1648 Mhilph32.exe Mfllkece.exe PID 1648 wrote to memory of 2832 1648 Mhilph32.exe Mfllkece.exe PID 1648 wrote to memory of 2832 1648 Mhilph32.exe Mfllkece.exe PID 1648 wrote to memory of 2832 1648 Mhilph32.exe Mfllkece.exe PID 2832 wrote to memory of 1280 2832 Mfllkece.exe Mdpldi32.exe PID 2832 wrote to memory of 1280 2832 Mfllkece.exe Mdpldi32.exe PID 2832 wrote to memory of 1280 2832 Mfllkece.exe Mdpldi32.exe PID 2832 wrote to memory of 1280 2832 Mfllkece.exe Mdpldi32.exe PID 1280 wrote to memory of 2680 1280 Mdpldi32.exe Mjjdacik.exe PID 1280 wrote to memory of 2680 1280 Mdpldi32.exe Mjjdacik.exe PID 1280 wrote to memory of 2680 1280 Mdpldi32.exe Mjjdacik.exe PID 1280 wrote to memory of 2680 1280 Mdpldi32.exe Mjjdacik.exe PID 2680 wrote to memory of 2016 2680 Mjjdacik.exe Mlkail32.exe PID 2680 wrote to memory of 2016 2680 Mjjdacik.exe Mlkail32.exe PID 2680 wrote to memory of 2016 2680 Mjjdacik.exe Mlkail32.exe PID 2680 wrote to memory of 2016 2680 Mjjdacik.exe Mlkail32.exe PID 2016 wrote to memory of 2220 2016 Mlkail32.exe Mbeiefff.exe PID 2016 wrote to memory of 2220 2016 Mlkail32.exe Mbeiefff.exe PID 2016 wrote to memory of 2220 2016 Mlkail32.exe Mbeiefff.exe PID 2016 wrote to memory of 2220 2016 Mlkail32.exe Mbeiefff.exe PID 2220 wrote to memory of 3000 2220 Mbeiefff.exe Nmkncofl.exe PID 2220 wrote to memory of 3000 2220 Mbeiefff.exe Nmkncofl.exe PID 2220 wrote to memory of 3000 2220 Mbeiefff.exe Nmkncofl.exe PID 2220 wrote to memory of 3000 2220 Mbeiefff.exe Nmkncofl.exe PID 3000 wrote to memory of 1944 3000 Nmkncofl.exe Npijoj32.exe PID 3000 wrote to memory of 1944 3000 Nmkncofl.exe Npijoj32.exe PID 3000 wrote to memory of 1944 3000 Nmkncofl.exe Npijoj32.exe PID 3000 wrote to memory of 1944 3000 Nmkncofl.exe Npijoj32.exe PID 1944 wrote to memory of 2332 1944 Npijoj32.exe Nfcbldmm.exe PID 1944 wrote to memory of 2332 1944 Npijoj32.exe Nfcbldmm.exe PID 1944 wrote to memory of 2332 1944 Npijoj32.exe Nfcbldmm.exe PID 1944 wrote to memory of 2332 1944 Npijoj32.exe Nfcbldmm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exe"C:\Users\Admin\AppData\Local\Temp\eb98c9f9ca3a9b00bb8f88f194adb8a7700b385df16324eaf7f963769d49deedN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe33⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe35⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe36⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe38⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe39⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe40⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe42⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe43⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe44⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe46⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe47⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe51⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe52⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe53⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe54⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe55⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Peoalc32.exeC:\Windows\system32\Peoalc32.exe56⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe57⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe59⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe61⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe63⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe64⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe65⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe66⤵
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe67⤵
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe68⤵PID:2444
-
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe69⤵PID:1616
-
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe70⤵PID:2140
-
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe71⤵PID:1584
-
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe72⤵PID:2984
-
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe73⤵
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe74⤵PID:3056
-
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1844 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe76⤵PID:1812
-
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe77⤵PID:2008
-
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe78⤵PID:660
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe79⤵PID:1972
-
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe80⤵PID:2000
-
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe81⤵PID:3036
-
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe82⤵
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe83⤵PID:1240
-
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe84⤵PID:608
-
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe85⤵PID:1656
-
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe86⤵PID:920
-
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe87⤵PID:2380
-
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe88⤵PID:876
-
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe89⤵PID:804
-
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe90⤵PID:2924
-
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe91⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe92⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe93⤵PID:1256
-
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe94⤵PID:1524
-
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe95⤵PID:1720
-
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe96⤵PID:2852
-
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe97⤵PID:2460
-
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe98⤵PID:1676
-
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe99⤵PID:2340
-
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe100⤵PID:1660
-
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe101⤵PID:2152
-
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe102⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe103⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe104⤵PID:2328
-
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe105⤵PID:2780
-
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe106⤵PID:2448
-
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe107⤵PID:2860
-
C:\Windows\SysWOW64\Aigmnqgm.exeC:\Windows\system32\Aigmnqgm.exe108⤵PID:1952
-
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe109⤵PID:2212
-
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe110⤵PID:2240
-
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe111⤵PID:2108
-
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe112⤵PID:396
-
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe113⤵
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe114⤵PID:1736
-
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe115⤵PID:1856
-
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe116⤵PID:2728
-
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe117⤵PID:2732
-
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe118⤵PID:2004
-
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe119⤵PID:1048
-
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe120⤵PID:592
-
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe121⤵PID:2352
-
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe122⤵PID:2560
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-