Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 04:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exe
-
Size
96KB
-
MD5
c4d6b986a82484021aad910d13e03c5a
-
SHA1
de902ecb345f8b275577d37e041363269e910749
-
SHA256
e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6
-
SHA512
1806f1120d0b25e11d574dce8469a316e951fd26ccbb34f0484d941a0120bd2297fa03f780621642f820df27c4a629570ca4492661f310fc0380c2f786169e2a
-
SSDEEP
1536:qwEQ9GyGof01fLMSNvTTiX2PrAPgnDNBrcN4i6tBYuR3PlNPMAr:+TyGo6hvTTi4rAPgxed6BYudlNPMAr
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Aqbdkk32.exeFeggob32.exeFennoa32.exeKhohkamc.exeHidcef32.exeHpphhp32.exeOffmipej.exeQiioon32.exeLhfnkqgk.exeBqijljfd.exeKgclio32.exeObokcqhk.exeImokehhl.exeLnjcomcf.exePohhna32.exeBkhhhd32.exePejmfqan.exeNlcibc32.exeHjlbdc32.exeLgingm32.exeQobdgo32.exeLqejbiim.exeMbnljqic.exeBgdibkam.exeJacfidem.exeKbigpn32.exeOpqoge32.exeFdqnkoep.exeJfdhmk32.exeGifclb32.exeGbadjg32.exeIdkpganf.exeOalkih32.exeDilapopb.exeOfnpnkgf.exeEiekpd32.exeHmkeke32.exePkoicb32.exeBbbpenco.exePhnpagdp.exeQlgkki32.exePnjofo32.exeKddomchg.exeFlapkmlj.exeNqokpd32.exeLcomce32.exeEnlidg32.exeEkhmcelc.exeEipgjaoi.exeMhfjjdjf.exeMcknhm32.exeFjegog32.exeLdbofgme.exeAbmgjo32.exeCenljmgq.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqbdkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feggob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fennoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khohkamc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidcef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpphhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offmipej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhfnkqgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqijljfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgclio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obokcqhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjcomcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pohhna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pejmfqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlbdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqejbiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbnljqic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdibkam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jacfidem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbigpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdqnkoep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdhmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifclb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idkpganf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dilapopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofnpnkgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiekpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkoicb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbpenco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlgkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjofo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kddomchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flapkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqokpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcomce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enlidg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhmcelc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipgjaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhfjjdjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcknhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjegog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbofgme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenljmgq.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Kbdmeoob.exeKfpifm32.exeKljabgnh.exeKohnoc32.exeKhabghdl.exeKkoncdcp.exeKbigpn32.exeKdhcli32.exeLkakicam.exeLomgjb32.exeLblcfnhj.exeLdjpbign.exeLghlndfa.exeLnbdko32.exeLqqpgj32.exeLcomce32.exeLkfddc32.exeLmgalkcf.exeLqcmmjko.exeLgmeid32.exeLngnfnji.exeLqejbiim.exeLcdfnehp.exeLjnnko32.exeLiqoflfh.exeLokgcf32.exeLbicoamh.exeMkaghg32.exeMfglep32.exeMbnljqic.exeMfihkoal.exeMihdgkpp.exeMacilmnk.exeMeoell32.exeMlhnifmq.exeMaefamlh.exeMeabakda.exeMccbmh32.exeMnifja32.exeNmlgfnal.exeNecogkbo.exeNnkcpq32.exeNpmphinm.exeNdhlhg32.exeNmqpam32.exeNallalep.exeNpolmh32.exeNbniid32.exeNigafnck.exeNmcmgm32.exeNpaich32.exeNdmecgba.exeNbpeoc32.exeNmejllia.exeNpdfhhhe.exeNoffdd32.exeNfnneb32.exeOiljam32.exeOlkfmi32.exeOoicid32.exeOagoep32.exeOhagbj32.exeOkpcoe32.exeOokpodkj.exepid Process 2360 Kbdmeoob.exe 2916 Kfpifm32.exe 2172 Kljabgnh.exe 2976 Kohnoc32.exe 2744 Khabghdl.exe 2756 Kkoncdcp.exe 2604 Kbigpn32.exe 2416 Kdhcli32.exe 2324 Lkakicam.exe 1676 Lomgjb32.exe 1280 Lblcfnhj.exe 1980 Ldjpbign.exe 1380 Lghlndfa.exe 2800 Lnbdko32.exe 2496 Lqqpgj32.exe 2828 Lcomce32.exe 2988 Lkfddc32.exe 1332 Lmgalkcf.exe 1624 Lqcmmjko.exe 2132 Lgmeid32.exe 872 Lngnfnji.exe 700 Lqejbiim.exe 3060 Lcdfnehp.exe 3012 Ljnnko32.exe 2280 Liqoflfh.exe 2336 Lokgcf32.exe 2740 Lbicoamh.exe 2792 Mkaghg32.exe 2864 Mfglep32.exe 2932 Mbnljqic.exe 2888 Mfihkoal.exe 1596 Mihdgkpp.exe 1524 Macilmnk.exe 1936 Meoell32.exe 1940 Mlhnifmq.exe 1420 Maefamlh.exe 2816 Meabakda.exe 2796 Mccbmh32.exe 1720 Mnifja32.exe 2020 Nmlgfnal.exe 560 Necogkbo.exe 2468 Nnkcpq32.exe 1516 Npmphinm.exe 1364 Ndhlhg32.exe 1656 Nmqpam32.exe 1268 Nallalep.exe 1748 Npolmh32.exe 2404 Nbniid32.exe 1592 Nigafnck.exe 2860 Nmcmgm32.exe 2928 Npaich32.exe 1704 Ndmecgba.exe 2636 Nbpeoc32.exe 1912 Nmejllia.exe 1488 Npdfhhhe.exe 1360 Noffdd32.exe 2684 Nfnneb32.exe 2652 Oiljam32.exe 2680 Olkfmi32.exe 1928 Ooicid32.exe 1852 Oagoep32.exe 2276 Ohagbj32.exe 2560 Okpcoe32.exe 1036 Ookpodkj.exe -
Loads dropped DLL 64 IoCs
Processes:
e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exeKbdmeoob.exeKfpifm32.exeKljabgnh.exeKohnoc32.exeKhabghdl.exeKkoncdcp.exeKbigpn32.exeKdhcli32.exeLkakicam.exeLomgjb32.exeLblcfnhj.exeLdjpbign.exeLghlndfa.exeLnbdko32.exeLqqpgj32.exeLcomce32.exeLkfddc32.exeLmgalkcf.exeLqcmmjko.exeLgmeid32.exeLngnfnji.exeLqejbiim.exeLcdfnehp.exeLjnnko32.exeLiqoflfh.exeLokgcf32.exeLbicoamh.exeMkaghg32.exeMfglep32.exeMbnljqic.exeMfihkoal.exepid Process 1788 e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exe 1788 e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exe 2360 Kbdmeoob.exe 2360 Kbdmeoob.exe 2916 Kfpifm32.exe 2916 Kfpifm32.exe 2172 Kljabgnh.exe 2172 Kljabgnh.exe 2976 Kohnoc32.exe 2976 Kohnoc32.exe 2744 Khabghdl.exe 2744 Khabghdl.exe 2756 Kkoncdcp.exe 2756 Kkoncdcp.exe 2604 Kbigpn32.exe 2604 Kbigpn32.exe 2416 Kdhcli32.exe 2416 Kdhcli32.exe 2324 Lkakicam.exe 2324 Lkakicam.exe 1676 Lomgjb32.exe 1676 Lomgjb32.exe 1280 Lblcfnhj.exe 1280 Lblcfnhj.exe 1980 Ldjpbign.exe 1980 Ldjpbign.exe 1380 Lghlndfa.exe 1380 Lghlndfa.exe 2800 Lnbdko32.exe 2800 Lnbdko32.exe 2496 Lqqpgj32.exe 2496 Lqqpgj32.exe 2828 Lcomce32.exe 2828 Lcomce32.exe 2988 Lkfddc32.exe 2988 Lkfddc32.exe 1332 Lmgalkcf.exe 1332 Lmgalkcf.exe 1624 Lqcmmjko.exe 1624 Lqcmmjko.exe 2132 Lgmeid32.exe 2132 Lgmeid32.exe 872 Lngnfnji.exe 872 Lngnfnji.exe 700 Lqejbiim.exe 700 Lqejbiim.exe 3060 Lcdfnehp.exe 3060 Lcdfnehp.exe 3012 Ljnnko32.exe 3012 Ljnnko32.exe 2280 Liqoflfh.exe 2280 Liqoflfh.exe 2336 Lokgcf32.exe 2336 Lokgcf32.exe 2740 Lbicoamh.exe 2740 Lbicoamh.exe 2792 Mkaghg32.exe 2792 Mkaghg32.exe 2864 Mfglep32.exe 2864 Mfglep32.exe 2932 Mbnljqic.exe 2932 Mbnljqic.exe 2888 Mfihkoal.exe 2888 Mfihkoal.exe -
Drops file in System32 directory 64 IoCs
Processes:
Laleof32.exeLboiol32.exeKofcbl32.exeObhdcanc.exeJpgjgboe.exeKaajei32.exePpcbgkka.exeBqlfaj32.exeGifclb32.exeGkalhgfd.exeJaecod32.exeCjhabndo.exeEabepp32.exeKbmfgk32.exeFlhflleb.exeJhoklnkg.exeAccqnc32.exeFqfemqod.exeLlbqfe32.exeBgghac32.exeKdhcli32.exeAnogijnb.exePmjaohol.exeDaplkmbg.exeNfigck32.exeOhbikbkb.exeAfdiondb.exeJijokbfp.exeInhanl32.exePkcbnanl.exeAddfkeid.exeCfeepelg.exeGkoobhhg.exeHdecea32.exeMobfgdcl.exeJeclebja.exeKfpifm32.exeBqolji32.exeLjfapjbi.exeBccmmf32.exeIfbphh32.exeNkkmgncb.exePonklpcg.exePpmgfb32.exeCkeqga32.exeFncpef32.exeAbpjjeim.exeHcgjmo32.exeHakkgc32.exeBcjcme32.exePlmpblnb.exeKcecbq32.exePcljmdmj.exeDmgmpnhl.exeFiepea32.exePjleclph.exedescription ioc Process File created C:\Windows\SysWOW64\Pdlkggmp.dll Laleof32.exe File created C:\Windows\SysWOW64\Goejbpjh.dll Lboiol32.exe File created C:\Windows\SysWOW64\Bokblhqh.dll Kofcbl32.exe File created C:\Windows\SysWOW64\Ofcqcp32.exe Obhdcanc.exe File created C:\Windows\SysWOW64\Jojkco32.exe Jpgjgboe.exe File opened for modification C:\Windows\SysWOW64\Kdpfadlm.exe Kaajei32.exe File opened for modification C:\Windows\SysWOW64\Gekfnoog.exe File created C:\Windows\SysWOW64\Pkifdd32.exe Ppcbgkka.exe File created C:\Windows\SysWOW64\Bcjcme32.exe Bqlfaj32.exe File opened for modification C:\Windows\SysWOW64\Ggicgopd.exe Gifclb32.exe File opened for modification C:\Windows\SysWOW64\Gjdldd32.exe Gkalhgfd.exe File created C:\Windows\SysWOW64\Kajpmc32.dll Jaecod32.exe File opened for modification C:\Windows\SysWOW64\Cmfmojcb.exe Cjhabndo.exe File created C:\Windows\SysWOW64\Edaalk32.exe Eabepp32.exe File created C:\Windows\SysWOW64\Feachqgb.exe File created C:\Windows\SysWOW64\Iglhhc32.dll Kbmfgk32.exe File created C:\Windows\SysWOW64\Fkkfgi32.exe Flhflleb.exe File created C:\Windows\SysWOW64\Jjnhhjjk.exe Jhoklnkg.exe File opened for modification C:\Windows\SysWOW64\Hqnjek32.exe File created C:\Windows\SysWOW64\Ekndacia.dll Accqnc32.exe File created C:\Windows\SysWOW64\Hedbmpnc.dll Fqfemqod.exe File created C:\Windows\SysWOW64\Boadnkpf.dll Llbqfe32.exe File opened for modification C:\Windows\SysWOW64\Bjedmo32.exe Bgghac32.exe File created C:\Windows\SysWOW64\Epphbb32.dll Kdhcli32.exe File created C:\Windows\SysWOW64\Kjigmkld.dll Anogijnb.exe File created C:\Windows\SysWOW64\Hgciff32.exe File created C:\Windows\SysWOW64\Plmbkd32.exe Pmjaohol.exe File created C:\Windows\SysWOW64\Dcohghbk.exe Daplkmbg.exe File created C:\Windows\SysWOW64\Njeccjcd.exe Nfigck32.exe File created C:\Windows\SysWOW64\Klcjnl32.dll Ohbikbkb.exe File created C:\Windows\SysWOW64\Gbejnl32.dll File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe Afdiondb.exe File created C:\Windows\SysWOW64\Jlhkgm32.exe Jijokbfp.exe File opened for modification C:\Windows\SysWOW64\Jabponba.exe File opened for modification C:\Windows\SysWOW64\Ibcnojnp.exe Inhanl32.exe File created C:\Windows\SysWOW64\Pnbojmmp.exe Pkcbnanl.exe File opened for modification C:\Windows\SysWOW64\Ahpbkd32.exe Addfkeid.exe File created C:\Windows\SysWOW64\Cicalakk.exe Cfeepelg.exe File created C:\Windows\SysWOW64\Gnnlocgk.exe Gkoobhhg.exe File created C:\Windows\SysWOW64\Klncqmjg.dll Hdecea32.exe File created C:\Windows\SysWOW64\Mcnbhb32.exe Mobfgdcl.exe File created C:\Windows\SysWOW64\Jhahanie.exe Jeclebja.exe File opened for modification C:\Windows\SysWOW64\Kljabgnh.exe Kfpifm32.exe File opened for modification C:\Windows\SysWOW64\Ccnifd32.exe Bqolji32.exe File created C:\Windows\SysWOW64\Pehbqi32.dll File created C:\Windows\SysWOW64\Kccllg32.dll Ljfapjbi.exe File opened for modification C:\Windows\SysWOW64\Bgoime32.exe Bccmmf32.exe File created C:\Windows\SysWOW64\Ofoabofe.dll Ifbphh32.exe File opened for modification C:\Windows\SysWOW64\Njnmbk32.exe Nkkmgncb.exe File opened for modification C:\Windows\SysWOW64\Pfebnmcj.exe Ponklpcg.exe File opened for modification C:\Windows\SysWOW64\Pblcbn32.exe Ppmgfb32.exe File opened for modification C:\Windows\SysWOW64\Cjhabndo.exe Ckeqga32.exe File created C:\Windows\SysWOW64\Fdmhbplb.exe Fncpef32.exe File created C:\Windows\SysWOW64\Nmlnjo32.dll Abpjjeim.exe File created C:\Windows\SysWOW64\Hfegij32.exe Hcgjmo32.exe File created C:\Windows\SysWOW64\Hgccgk32.dll Hakkgc32.exe File opened for modification C:\Windows\SysWOW64\Bfioia32.exe Bcjcme32.exe File created C:\Windows\SysWOW64\Jmaebf32.dll Jhoklnkg.exe File created C:\Windows\SysWOW64\Pphkbj32.exe Plmpblnb.exe File opened for modification C:\Windows\SysWOW64\Kklkcn32.exe Kcecbq32.exe File created C:\Windows\SysWOW64\Leblqb32.dll Pcljmdmj.exe File opened for modification C:\Windows\SysWOW64\Dpeiligo.exe Dmgmpnhl.exe File created C:\Windows\SysWOW64\Fhaflo32.dll Fiepea32.exe File opened for modification C:\Windows\SysWOW64\Pmjaohol.exe Pjleclph.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 11780 11736 1268 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Gmpcgace.exePkcbnanl.exeKfibhjlj.exeLlmmpcfe.exeDicnkdnf.exeNjeccjcd.exeOimmjffj.exeQlgkki32.exeNnleiipc.exeKjahej32.exePlolgk32.exeOiffkkbk.exeNlilqbgp.exeQlfdac32.exeNbpeoc32.exeOadkej32.exeFkpjnkig.exeHfpfdeon.exeGkoobhhg.exeOfnpnkgf.exeQiioon32.exeBfdenafn.exeIjkocg32.exeGdmdacnn.exeBnihdemo.exeBammlq32.exeAobpfb32.exeOlkfmi32.exeDobgihgp.exeDeollamj.exeJehlkhig.exeEcfnmh32.exeDldkmlhl.exeElajgpmj.exeGnphdceh.exeMciabmlo.exeAfgmodel.exeLldmleam.exeDlljaj32.exeKmcjedcg.exeAmaelomh.exeIpjdameg.exeLkicbk32.exeAgeompfe.exeKcecbq32.exeOdkgec32.exePfebnmcj.exeAnadojlo.exeOabkom32.exeIfgicg32.exeIejiodbl.exeNnoiio32.exeLdmopa32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpcgace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcbnanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfibhjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmmpcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicnkdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeccjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oimmjffj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnleiipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjahej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plolgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiffkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlilqbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlfdac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbpeoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpjnkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfpfdeon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkoobhhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnpnkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfdenafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijkocg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmdacnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnihdemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bammlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobpfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkfmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobgihgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deollamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehlkhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecfnmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dldkmlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elajgpmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnphdceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mciabmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgmodel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldmleam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlljaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmcjedcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amaelomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjdameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkicbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageompfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcecbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkgec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfebnmcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadojlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabkom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgicg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iejiodbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoiio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldmopa32.exe -
Modifies registry class 64 IoCs
Processes:
Gnphdceh.exeJeqopcld.exePacajg32.exePpcbgkka.exeCiaefa32.exeHdecea32.exeBbjpil32.exeDiaaeepi.exeEppcmncq.exeAakjdo32.exeNjgpij32.exeOdkgec32.exeHaqnea32.exeMeoell32.exeLhfnkqgk.exeHgpjhn32.exeMfjann32.exeEegkpo32.exeEgmabg32.exeDlljaj32.exePiqpkpml.exeBcpgdhpp.exeGconbj32.exeNbpghl32.exePmjaohol.exeNpmphinm.exeOkdmjdol.exeHfjpdjjo.exeGnbejb32.exeJlhkgm32.exeMbnocipg.exePkdihhag.exeQfljkp32.exeHcgjmo32.exeIbcnojnp.exeAcfmcc32.exeHbidne32.exeMjkgjl32.exeNjjcip32.exePohhna32.exeMneohj32.exeNknimnap.exeOoicid32.exeHmdhad32.exeNcnngfna.exeOhdfqbio.exeHblgnkdh.exeNeiaeiii.exePkmlmbcd.exeLcjlnpmo.exeBoljgg32.exeBcjcme32.exeCagienkb.exeObgnhkkh.exeAkfkbd32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelnlcjj.dll" Gnphdceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeqopcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pacajg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppcbgkka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciaefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdecea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdpmo32.dll" Bbjpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdfddadf.dll" Eppcmncq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aakjdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njgpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odkgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpopbabj.dll" Haqnea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdnbdld.dll" Meoell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjnpn32.dll" Lhfnkqgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgpjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eegkpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcflap32.dll" Dlljaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piqpkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcpgdhpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gconbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nidjhoea.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbpghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmjaohol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npmphinm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllmhajo.dll" Okdmjdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongkdd32.dll" Hfjpdjjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnbejb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlhkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbnocipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeefjhh.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkdihhag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkjkkdg.dll" Qfljkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcgjmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fejcohho.dll" Hbidne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njjcip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poibnekg.dll" Mneohj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapefloq.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooicid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmdhad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncnngfna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohdfqbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dijdkh32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpdidmdg.dll" Neiaeiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll" Pkmlmbcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll" Boljgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkngi32.dll" Obgnhkkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akfkbd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exeKbdmeoob.exeKfpifm32.exeKljabgnh.exeKohnoc32.exeKhabghdl.exeKkoncdcp.exeKbigpn32.exeKdhcli32.exeLkakicam.exeLomgjb32.exeLblcfnhj.exeLdjpbign.exeLghlndfa.exeLnbdko32.exeLqqpgj32.exedescription pid Process procid_target PID 1788 wrote to memory of 2360 1788 e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exe 30 PID 1788 wrote to memory of 2360 1788 e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exe 30 PID 1788 wrote to memory of 2360 1788 e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exe 30 PID 1788 wrote to memory of 2360 1788 e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exe 30 PID 2360 wrote to memory of 2916 2360 Kbdmeoob.exe 31 PID 2360 wrote to memory of 2916 2360 Kbdmeoob.exe 31 PID 2360 wrote to memory of 2916 2360 Kbdmeoob.exe 31 PID 2360 wrote to memory of 2916 2360 Kbdmeoob.exe 31 PID 2916 wrote to memory of 2172 2916 Kfpifm32.exe 32 PID 2916 wrote to memory of 2172 2916 Kfpifm32.exe 32 PID 2916 wrote to memory of 2172 2916 Kfpifm32.exe 32 PID 2916 wrote to memory of 2172 2916 Kfpifm32.exe 32 PID 2172 wrote to memory of 2976 2172 Kljabgnh.exe 33 PID 2172 wrote to memory of 2976 2172 Kljabgnh.exe 33 PID 2172 wrote to memory of 2976 2172 Kljabgnh.exe 33 PID 2172 wrote to memory of 2976 2172 Kljabgnh.exe 33 PID 2976 wrote to memory of 2744 2976 Kohnoc32.exe 34 PID 2976 wrote to memory of 2744 2976 Kohnoc32.exe 34 PID 2976 wrote to memory of 2744 2976 Kohnoc32.exe 34 PID 2976 wrote to memory of 2744 2976 Kohnoc32.exe 34 PID 2744 wrote to memory of 2756 2744 Khabghdl.exe 35 PID 2744 wrote to memory of 2756 2744 Khabghdl.exe 35 PID 2744 wrote to memory of 2756 2744 Khabghdl.exe 35 PID 2744 wrote to memory of 2756 2744 Khabghdl.exe 35 PID 2756 wrote to memory of 2604 2756 Kkoncdcp.exe 36 PID 2756 wrote to memory of 2604 2756 Kkoncdcp.exe 36 PID 2756 wrote to memory of 2604 2756 Kkoncdcp.exe 36 PID 2756 wrote to memory of 2604 2756 Kkoncdcp.exe 36 PID 2604 wrote to memory of 2416 2604 Kbigpn32.exe 37 PID 2604 wrote to memory of 2416 2604 Kbigpn32.exe 37 PID 2604 wrote to memory of 2416 2604 Kbigpn32.exe 37 PID 2604 wrote to memory of 2416 2604 Kbigpn32.exe 37 PID 2416 wrote to memory of 2324 2416 Kdhcli32.exe 38 PID 2416 wrote to memory of 2324 2416 Kdhcli32.exe 38 PID 2416 wrote to memory of 2324 2416 Kdhcli32.exe 38 PID 2416 wrote to memory of 2324 2416 Kdhcli32.exe 38 PID 2324 wrote to memory of 1676 2324 Lkakicam.exe 39 PID 2324 wrote to memory of 1676 2324 Lkakicam.exe 39 PID 2324 wrote to memory of 1676 2324 Lkakicam.exe 39 PID 2324 wrote to memory of 1676 2324 Lkakicam.exe 39 PID 1676 wrote to memory of 1280 1676 Lomgjb32.exe 40 PID 1676 wrote to memory of 1280 1676 Lomgjb32.exe 40 PID 1676 wrote to memory of 1280 1676 Lomgjb32.exe 40 PID 1676 wrote to memory of 1280 1676 Lomgjb32.exe 40 PID 1280 wrote to memory of 1980 1280 Lblcfnhj.exe 41 PID 1280 wrote to memory of 1980 1280 Lblcfnhj.exe 41 PID 1280 wrote to memory of 1980 1280 Lblcfnhj.exe 41 PID 1280 wrote to memory of 1980 1280 Lblcfnhj.exe 41 PID 1980 wrote to memory of 1380 1980 Ldjpbign.exe 42 PID 1980 wrote to memory of 1380 1980 Ldjpbign.exe 42 PID 1980 wrote to memory of 1380 1980 Ldjpbign.exe 42 PID 1980 wrote to memory of 1380 1980 Ldjpbign.exe 42 PID 1380 wrote to memory of 2800 1380 Lghlndfa.exe 43 PID 1380 wrote to memory of 2800 1380 Lghlndfa.exe 43 PID 1380 wrote to memory of 2800 1380 Lghlndfa.exe 43 PID 1380 wrote to memory of 2800 1380 Lghlndfa.exe 43 PID 2800 wrote to memory of 2496 2800 Lnbdko32.exe 44 PID 2800 wrote to memory of 2496 2800 Lnbdko32.exe 44 PID 2800 wrote to memory of 2496 2800 Lnbdko32.exe 44 PID 2800 wrote to memory of 2496 2800 Lnbdko32.exe 44 PID 2496 wrote to memory of 2828 2496 Lqqpgj32.exe 45 PID 2496 wrote to memory of 2828 2496 Lqqpgj32.exe 45 PID 2496 wrote to memory of 2828 2496 Lqqpgj32.exe 45 PID 2496 wrote to memory of 2828 2496 Lqqpgj32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exe"C:\Users\Admin\AppData\Local\Temp\e1e4105eb59ccab4cf949e9493cb7ef412c7a82b594e63fbbc23f3b5c8f461c6.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe33⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe34⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe36⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe37⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe38⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe39⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe40⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe41⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe42⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe43⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe45⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe46⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe47⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe48⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe49⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe50⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe51⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe52⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe53⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe55⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe56⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe57⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe58⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe59⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe62⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe63⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe64⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe65⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe66⤵PID:2472
-
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe67⤵PID:2688
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe68⤵PID:2884
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe69⤵PID:2580
-
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe70⤵PID:2648
-
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe71⤵PID:2204
-
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe72⤵
- Modifies registry class
PID:284 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe73⤵PID:760
-
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe74⤵PID:580
-
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe75⤵PID:2804
-
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe76⤵PID:916
-
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe77⤵PID:1708
-
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe78⤵PID:676
-
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe80⤵PID:2012
-
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe81⤵PID:316
-
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe82⤵PID:1736
-
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe83⤵PID:3032
-
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe84⤵PID:2844
-
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2608 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe86⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe87⤵PID:800
-
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe88⤵PID:3044
-
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe89⤵PID:2412
-
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe90⤵PID:1756
-
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe91⤵
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe93⤵PID:2224
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe94⤵PID:3068
-
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe95⤵PID:2108
-
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe96⤵PID:2052
-
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe97⤵PID:812
-
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe98⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe99⤵PID:2620
-
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe100⤵PID:2572
-
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe102⤵PID:408
-
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe103⤵PID:1520
-
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe104⤵PID:1084
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe105⤵PID:976
-
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe106⤵PID:2456
-
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe107⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe108⤵PID:3020
-
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe109⤵PID:2904
-
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe110⤵PID:2704
-
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe111⤵PID:2000
-
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe112⤵PID:1632
-
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe113⤵PID:2004
-
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe114⤵PID:2220
-
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe115⤵PID:1744
-
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe116⤵PID:2088
-
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe117⤵PID:1476
-
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe118⤵PID:2392
-
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe119⤵PID:2592
-
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe120⤵PID:632
-
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe121⤵PID:3052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-