Analysis
max time kernel: 46s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 06:52

Static task: static1

Behavioral task: behavioral1
  Sample: 1fabefc18a350c03016c5f8fc5242a09e8506d3d3c2b08517a11352862d2e8fcN.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 1fabefc18a350c03016c5f8fc5242a09e8506d3d3c2b08517a11352862d2e8fcN.exe
  Resource: win10v2004-20241007-en

The signature tables on this page come from the windows7_x64 run (behavioral1); the platform and resource fields above match that task.
General
Target: 1fabefc18a350c03016c5f8fc5242a09e8506d3d3c2b08517a11352862d2e8fcN.exe
Size: 96KB
MD5: 618926edc25974cbec6b4d07c76602e0
SHA1: e0ce45e308de4a1d4aa0a0783b85a3402118d22d
SHA256: 1fabefc18a350c03016c5f8fc5242a09e8506d3d3c2b08517a11352862d2e8fc
SHA512: 2eda4c75ff5c37716091aabfe38a3859e6d1df2cece460891e77e8623a6391f02916485298386e1e7a7cbd75614e9584ddec2a7f6d1b9b1a2d2119eceb28d942
SSDEEP: 1536:OYK/nnggQMKKGQN1rgLpwHmob2LGG7RZObZUUWaegPYAm:M/ggQMZVgLyGo4DClUUWaet
Malware Config
Extracted: berbew
URLs extracted from the sample's configuration (several hosts appear twice, once with /index.php and once with /index.htm):
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 rows touch one key, HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (SSODL). Explorer.exe instantiates every CLSID listed under SSODL when it starts, so the value "Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}" makes Explorer load whatever DLL that CLSID's InProcServer32 entry names (the matching CLSID writes are in "Modifies registry class" below). The value name is cosmetic; the GUID is what Explorer resolves. Two caveats for an x64 host: the sample is 32-bit, so WOW64 registry redirection put these writes under Wow6432Node, the 32-bit view, whereas the native 64-bit Explorer.exe reads the 64-bit view of SSODL; and nothing in this report shows Explorer actually loading one of the dropped DLLs. Treat the entry as an attempted autostart unless a longer run or a 32-bit host confirms it.

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by: Fbmfkkbm.exe, Lklgbadb.exe, Lgingm32.exe, Pqkobqhd.exe, Pilfpqaa.exe, Ppfomk32.exe, Dokfme32.exe, Pebpkk32.exe, Laqojfli.exe, Llbqfe32.exe, Plmbkd32.exe, Mijamjnm.exe, Omqlpp32.exe, Gpcoib32.exe, Kcmcoblm.exe, Fnacpffh.exe, Ekkjheja.exe, Gaojnq32.exe, Bbjdjjdn.exe, Bkpeci32.exe, Baojapfj.exe, Omnipjni.exe, Lopfhk32.exe, Qhmcmk32.exe, Hohkmj32.exe, Dedlag32.exe, Oejcpf32.exe, Qhkipdeb.exe, Heealhla.exe (29 rows)

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  by: Ffaaoh32.exe, Cfmhdpnc.exe, Fckhhgcf.exe, Fjhcegll.exe, Mfgnnhkc.exe, Mbchni32.exe, Oidglb32.exe, Ckmnbg32.exe, Eddeladm.exe, Iedfqeka.exe, Iiqldc32.exe, Bplhnoej.exe, Epgphcqd.exe, Bpjkiogm.exe, Poklngnf.exe, Pmhejhao.exe, Ipokcdjn.exe, Lgpdglhn.exe, Goldfelp.exe, Depbfhpe.exe, Klbdgb32.exe, Mqbbagjo.exe, Hfpfdeon.exe, Mpbdnk32.exe, Dhkkbmnp.exe, Fhomkcoa.exe, Lhiakf32.exe, Lnjcomcf.exe, Klehgh32.exe, Biaign32.exe, Elkmmodo.exe, Cbepdhgc.exe, Jlnklcej.exe, plus two rows with no process recorded (35 rows)
Berbew family

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.

Bruteratel family

Detect BruteRatel badger (1 IoC)
resource: behavioral1/files/0x00030000000212ff-9658.dat
yara_rule: family_bruteratel

This is a single YARA match on one file dropped during the run. Nothing else on this page (no second family in the extracted config, no Brute Ratel specific behaviour in the signature tables) corroborates a badger payload, so verify the matched file before treating this Berbew sample as also carrying Brute Ratel.
Executes dropped EXE (64 IoCs)
pid  Process
492  Mpbdnk32.exe
1748  Mmfdhojb.exe
2364  Mpdqdkie.exe
284  Mjjdacik.exe
1612  Mlkail32.exe
1320  Mpgmijgc.exe
2684  Medeaaej.exe
2804  Noljjglk.exe
2692  Nfcbldmm.exe
2548  Noogpfjh.exe
2892  Nidkmojn.exe
1924  Nhgkil32.exe
2420  Nblpfepo.exe
1976  Ndnlnm32.exe
2392  Naalga32.exe
1756  Nkjapglg.exe
2524  Nadimacd.exe
2128  Oklnff32.exe
796  Omkjbb32.exe
1596  Odebolpe.exe
1720  Oiakgcnl.exe
3004  Opkccm32.exe
2276  Ocjophem.exe
2964  Oehklddp.exe
2252  Oidglb32.exe
1732  Ocllehcj.exe
392  Oghhfg32.exe
2904  Ooclji32.exe
1728  Ocohkh32.exe
2160  Pcaepg32.exe
1752  Padeldeo.exe
2772  Phnnho32.exe
3048  Pohfehdi.exe
2732  Pnmcfeia.exe
2672  Pqkobqhd.exe
2508  Phbgcnig.exe
2504  Pqnlhpfb.exe
2888  Pjfpafmb.exe
572  Pmdmmalf.exe
1908  Qndigd32.exe
1940  Qqbecp32.exe
752  Qfonkfqd.exe
1984  Qinjgbpg.exe
1676  Qmifhq32.exe
2872  Qogbdl32.exe
2236  Amkbnp32.exe
1740  Akncimmh.exe
1516  Acekjjmk.exe
672  Afdgfelo.exe
2120  Aeggbbci.exe
2584  Aibcba32.exe
1980  Aollokco.exe
2900  Affdle32.exe
2336  Aeidgbaf.exe
2072  Aggpdnpj.exe
2168  Akcldl32.exe
2112  Abmdafpp.exe
2984  Aapemc32.exe
2700  Agjmim32.exe
2620  Ajhiei32.exe
2560  Aababceh.exe
836  Aennba32.exe
1064  Akhfoldn.exe
1776  Bnfblgca.exe
Loads dropped DLL (64 IoCs)
Each process below appears twice among the report's 64 rows; pid 2856 is the submitted sample itself.
pid  Process
2856  1fabefc18a350c03016c5f8fc5242a09e8506d3d3c2b08517a11352862d2e8fcN.exe
492  Mpbdnk32.exe
1748  Mmfdhojb.exe
2364  Mpdqdkie.exe
284  Mjjdacik.exe
1612  Mlkail32.exe
1320  Mpgmijgc.exe
2684  Medeaaej.exe
2804  Noljjglk.exe
2692  Nfcbldmm.exe
2548  Noogpfjh.exe
2892  Nidkmojn.exe
1924  Nhgkil32.exe
2420  Nblpfepo.exe
1976  Ndnlnm32.exe
2392  Naalga32.exe
1756  Nkjapglg.exe
2524  Nadimacd.exe
2128  Oklnff32.exe
796  Omkjbb32.exe
1596  Odebolpe.exe
1720  Oiakgcnl.exe
3004  Opkccm32.exe
2276  Ocjophem.exe
2964  Oehklddp.exe
2252  Oidglb32.exe
1732  Ocllehcj.exe
392  Oghhfg32.exe
2904  Ooclji32.exe
1728  Ocohkh32.exe
2160  Pcaepg32.exe
1752  Padeldeo.exe
Drops file in System32 directory (64 IoCs)
Every write goes to C:\Windows\SysWOW64, the 32-bit system directory on this x64 guest. Each dropped copy writes a further randomly named EXE and/or DLL, which is how the chain in "Executes dropped EXE" is produced (for example Mjjdacik.exe creates Mlkail32.exe, and Ncmglp32.exe, itself created by Nmcopebh.exe, creates Nflchkii.exe). One row, Ckmnbg32.exe creating Ckmnbg32.exe, is a copy overwriting its own name. Rows are description, path, writing process:

File opened for modification  C:\Windows\SysWOW64\Eaebeoan.exe  Einjdb32.exe
File opened for modification  C:\Windows\SysWOW64\Jepmgj32.exe  Jniefm32.exe
File created  C:\Windows\SysWOW64\Hbaaik32.exe  Hpbdmo32.exe
File created  C:\Windows\SysWOW64\Dcfmdh32.dll  Popeif32.exe
File created  C:\Windows\SysWOW64\Obahbj32.dll  Bqeqqk32.exe
File created  C:\Windows\SysWOW64\Aoaqogml.dll  Dbdehdfc.exe
File created  C:\Windows\SysWOW64\Modlbmmn.exe  Mgmdapml.exe
File opened for modification  C:\Windows\SysWOW64\Klehgh32.exe  Kcmcoblm.exe
File opened for modification  C:\Windows\SysWOW64\Khabghdl.exe  Kdefgj32.exe
File created  C:\Windows\SysWOW64\Fiqhbk32.dll  Anbkipok.exe
File opened for modification  C:\Windows\SysWOW64\Apkgpf32.exe  Anljck32.exe
File created  C:\Windows\SysWOW64\Pcbncfjd.exe  Ppcbgkka.exe
File opened for modification  C:\Windows\SysWOW64\Bgblmk32.exe  Becpap32.exe
File created  C:\Windows\SysWOW64\Gbdnfd32.dll  Ifpcchai.exe
File created  C:\Windows\SysWOW64\Ncinap32.exe  Nqjaeeog.exe
File created  C:\Windows\SysWOW64\Apoahgqd.dll  Plmbkd32.exe
File created  C:\Windows\SysWOW64\Hfglml32.dll  Bnapnm32.exe
File created  C:\Windows\SysWOW64\Dedlag32.exe  Dpgcip32.exe
File created  C:\Windows\SysWOW64\Ffaaoh32.exe  Fogibnha.exe
File created  C:\Windows\SysWOW64\Ckmnbg32.exe  Ckmnbg32.exe
File created  C:\Windows\SysWOW64\Fodebh32.exe  Fleifl32.exe
File opened for modification  C:\Windows\SysWOW64\Kgkonj32.exe  Kdmban32.exe
File created  C:\Windows\SysWOW64\Bhimbk32.dll  Ncinap32.exe
File created  C:\Windows\SysWOW64\Eihjolae.exe  Efjmbaba.exe
File created  C:\Windows\SysWOW64\Hjqmnofi.dll  Njpgpbpf.exe
File opened for modification  C:\Windows\SysWOW64\Mfmndn32.exe  Mcnbhb32.exe
File created  C:\Windows\SysWOW64\Aqgkdo32.dll  Jbpdeogo.exe
File opened for modification  C:\Windows\SysWOW64\Gbadjg32.exe  Gjjmijme.exe
File created  C:\Windows\SysWOW64\Dmbcen32.exe  Djdgic32.exe
File created  C:\Windows\SysWOW64\Gdnibjgk.dll  Djfdob32.exe
File opened for modification  C:\Windows\SysWOW64\Jlkglm32.exe  Jeqopcld.exe
File created  C:\Windows\SysWOW64\Nflchkii.exe  Ncmglp32.exe
File created  C:\Windows\SysWOW64\Mlkail32.exe  Mjjdacik.exe
File created  C:\Windows\SysWOW64\Biliep32.dll  Cmbalfem.exe
File opened for modification  C:\Windows\SysWOW64\Laleof32.exe  Lonibk32.exe
File created  C:\Windows\SysWOW64\Ncmglp32.exe  Nmcopebh.exe
File created  C:\Windows\SysWOW64\Pnmjop32.dll  Cidddj32.exe
File opened for modification  C:\Windows\SysWOW64\Epnhpglg.exe  Emoldlmc.exe
File created  C:\Windows\SysWOW64\Fgilkf32.dll  Pqnlhpfb.exe
File created  C:\Windows\SysWOW64\Lnjcomcf.exe  Lklgbadb.exe
File created  C:\Windows\SysWOW64\Ahbakd32.dll  Npolmh32.exe
File created  C:\Windows\SysWOW64\Eeohkeoe.exe  Eoepnk32.exe
File created  C:\Windows\SysWOW64\Dejdjfjb.dll  Hbaaik32.exe
File opened for modification  C:\Windows\SysWOW64\Lcjlnpmo.exe  Lonpma32.exe
File created  C:\Windows\SysWOW64\Cdlfik32.dll  Paaddgkj.exe
File opened for modification  C:\Windows\SysWOW64\Edlfhc32.exe  Enbnkigh.exe
File created  C:\Windows\SysWOW64\Ekhkjm32.exe  Ehjona32.exe
File opened for modification  C:\Windows\SysWOW64\Dmgmpnhl.exe  Dfmeccao.exe
File created  C:\Windows\SysWOW64\Meoaif32.dll  Ohbikbkb.exe
File created  C:\Windows\SysWOW64\Bfabnl32.exe  Bogjaamh.exe
File created  C:\Windows\SysWOW64\Fgadda32.exe  Fdbhge32.exe
File created  C:\Windows\SysWOW64\Ckmqbj32.dll  Npaich32.exe
File created  C:\Windows\SysWOW64\Cbkipjbh.dll  Ibcnojnp.exe
File created  C:\Windows\SysWOW64\Gjifodii.exe  Gconbj32.exe
File created  C:\Windows\SysWOW64\Iahghfmb.dll  Hinbppna.exe
File opened for modification  C:\Windows\SysWOW64\Jeqopcld.exe  Joggci32.exe
File opened for modification  C:\Windows\SysWOW64\Kbbobkol.exe  Klhgfq32.exe
File created  C:\Windows\SysWOW64\Nfnealjn.dll  Mdmkoepk.exe
File created  C:\Windows\SysWOW64\Ankojf32.dll  Oioggmmc.exe
File created  C:\Windows\SysWOW64\Dbifnj32.exe  Dahifbpk.exe
File opened for modification  C:\Windows\SysWOW64\Bhmaeg32.exe  Bfoeil32.exe
File created  C:\Windows\SysWOW64\Damocb32.dll  Panaeb32.exe
File opened for modification  C:\Windows\SysWOW64\Gceailog.exe  Goiehm32.exe
File created  C:\Windows\SysWOW64\Elacliin.exe  Eakooqih.exe
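The drop rows above and the "Executes dropped EXE" list together describe a chain in which each copy writes the next and the sandbox then runs it. The following added example (written for this page, not tooling from the sandbox vendor) parses rows in the report's own "description ioc Process" wording, builds the writer-to-file graph, walks a chain from a chosen root, and reports which created executables later appeared as running processes. The sample rows are a constructed subset copied from the tables on this page; the chain-walking rule (follow only .exe children, take the alphabetically first if a writer created several, stop on the first repeat) is a simplification chosen here, not something the report states.

```python
"""Rebuild the Berbew drop-and-run chain from the report's IoC rows."""
import re
from collections import defaultdict

# Rows in the report's "description ioc Process" wording. Paths here contain
# no spaces, so a whitespace split is enough; the process name ends in .exe.
ROW_RE = re.compile(r"^(File created|File opened for modification)\s+(\S+)\s+(\S+\.exe)$")

# Constructed sample: a subset of the "Drops file in System32 directory" rows above.
FILE_ROWS = r"""
File created C:\Windows\SysWOW64\Mlkail32.exe Mjjdacik.exe
File created C:\Windows\SysWOW64\Ncmglp32.exe Nmcopebh.exe
File created C:\Windows\SysWOW64\Nflchkii.exe Ncmglp32.exe
File created C:\Windows\SysWOW64\Hbaaik32.exe Hpbdmo32.exe
File created C:\Windows\SysWOW64\Dejdjfjb.dll Hbaaik32.exe
File created C:\Windows\SysWOW64\Ckmnbg32.exe Ckmnbg32.exe
File created C:\Windows\SysWOW64\Dedlag32.exe Dpgcip32.exe
File opened for modification C:\Windows\SysWOW64\Klehgh32.exe Kcmcoblm.exe
"""

# Constructed sample: a subset of the "Executes dropped EXE" rows (pid, image).
EXEC_ROWS = """
284 Mjjdacik.exe
1612 Mlkail32.exe
2252 Oidglb32.exe
"""


def parse_file_rows(text):
    """Return (action, path, process) tuples; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def parse_exec_rows(text):
    """Return {image name: pid} from 'pid name' lines."""
    execs = {}
    for line in text.splitlines():
        pid, _, name = line.strip().partition(" ")
        if pid.isdigit() and name:
            execs[name] = int(pid)
    return execs


def basename(path):
    return path.rsplit("\\", 1)[-1]


def drop_graph(rows):
    """Map writer image name -> set of basenames it created. Only 'File created'
    rows count; 'File opened for modification' may be a rewrite of an existing file."""
    graph = defaultdict(set)
    for action, path, proc in rows:
        if action == "File created":
            graph[proc].add(basename(path))
    return graph


def drop_chain(graph, start):
    """Follow 'created' edges from `start` through .exe files only. Stops at the
    first repeat: Ckmnbg32.exe above writes a file with its own name, which would
    otherwise loop forever. If a writer created several executables the
    alphabetically first is followed (a simplification for this example)."""
    chain, seen, cur = [start], {start}, start
    while True:
        nxt = sorted(n for n in graph.get(cur, ()) if n.lower().endswith(".exe"))
        if not nxt or nxt[0] in seen:
            return chain
        cur = nxt[0]
        seen.add(cur)
        chain.append(cur)


def dropped_then_executed(rows, execs):
    """{dropped basename: pid} for created executables that the sandbox later ran."""
    created = {basename(p) for a, p, _ in rows if a == "File created"}
    return {n: execs[n] for n in sorted(created) if n in execs}


if __name__ == "__main__":
    rows = parse_file_rows(FILE_ROWS)
    graph = drop_graph(rows)
    for root in ("Nmcopebh.exe", "Hpbdmo32.exe", "Ckmnbg32.exe"):
        print(" -> ".join(drop_chain(graph, root)))
    print(dropped_then_executed(rows, parse_exec_rows(EXEC_ROWS)))
```

Fed the full 64-row table, the same functions give the longest reconstructable lineage for each root and the set of dropped binaries that never ran, which is usually where a capped sandbox table stopped rather than where the malware did.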
Program crash (1 IoC)
pid 2156, pid_target 8876, procid_target 1078 (the Process column is empty in the report)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is also common in benign software (locale look-ups go through it), so on its own it is a weak indicator; here it is the same read repeated by each dropped copy.

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by: Dbifnj32.exe, Kaompi32.exe, Nplimbka.exe, Edlhqlfi.exe, Ncmglp32.exe, Onlahm32.exe, Nidkmojn.exe, Nblpfepo.exe, Aeidgbaf.exe, Qhkipdeb.exe, Dmmpolof.exe, Epnhpglg.exe, Comdkipe.exe, Mijamjnm.exe, Ackmih32.exe, Igoomk32.exe, Nppofado.exe, Eifmimch.exe, Npolmh32.exe, Ejcmmp32.exe, Fkkfgi32.exe, Onqkclni.exe, Glbaei32.exe, Oghhfg32.exe, Abmdafpp.exe, Gceailog.exe, Kglehp32.exe, Bpnddn32.exe, Ifampo32.exe, Phfmllbd.exe, Ppmgfb32.exe, Cmfmojcb.exe, Kdefgj32.exe, Nlnpgd32.exe, Nlqmmd32.exe, Dbafjlaa.exe, Jbpdeogo.exe, Dhpemm32.exe, Ocllehcj.exe, Akcldl32.exe, Dfmeccao.exe, Bibpad32.exe, Ieajkfmd.exe, Lanbdf32.exe, Aaejojjq.exe, Hegnahjo.exe, Kbdmeoob.exe, Apgagg32.exe, Joggci32.exe, Mmccqbpm.exe, Bncaekhp.exe, Hldlga32.exe, Nedhjj32.exe, Klhgfq32.exe, Efedga32.exe, Lqejbiim.exe, Nfidjbdg.exe, Bnqned32.exe, Gkmbmh32.exe, Cafgle32.exe, Jniefm32.exe, Micklk32.exe, plus two rows with no process recorded
Modifies registry class (64 IoCs; the page is cut off partway through this table)
These rows are the other half of the SSODL persistence in "Adds autorun key" above: the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} named by the "Web Event Logger" value is registered under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID with an InProcServer32 default value pointing at a dropped DLL in C:\Windows\SysWow64 and ThreadingModel = "Apartment". Each dropped copy re-points the same CLSID at its own DLL, which is why eighteen different DLL names appear below. The DLL paths are kept as the report renders them, with escaped backslashes.

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
  by: Akcldl32.exe, Jgfcja32.exe, Cakqgeoi.exe, Kgnbnpkp.exe, Faonom32.exe, Mnomjl32.exe, Gcmamj32.exe, Fbbofjnh.exe, Blkjkflb.exe, plus one row with no process recorded

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
  by: Hjaeba32.exe, Enfgfh32.exe, Hlafnbal.exe, Kdbbgdjj.exe, Mobomnoq.exe, Ccpeld32.exe, Injqmdki.exe, Epeekmjk.exe, Gqiimfam.exe, Afjjed32.exe, Bofgii32.exe, Hfjpdjjo.exe, Ihpfgalh.exe, Cjhabndo.exe, Eihjolae.exe, Lhcafa32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = <DLL path> (the key's default value), one row per DLL:
  "C:\\Windows\\SysWow64\\Mkkeeecj.dll"  Fnflke32.exe
  "C:\\Windows\\SysWow64\\Ocgcbd32.dll"  Bagkmb32.exe
  "C:\\Windows\\SysWow64\\Eickphoo.dll"  Gamnhq32.exe
  "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"  Cfmhdpnc.exe
  "C:\\Windows\\SysWow64\\Egmmgd32.dll"  Mjjdacik.exe
  "C:\\Windows\\SysWow64\\Afbioogg.dll"  Mfjann32.exe
  "C:\\Windows\\SysWow64\\Hngpchih.dll"  Cakqgeoi.exe
  "C:\\Windows\\SysWow64\\Njifbl32.dll"  Cheido32.exe
  "C:\\Windows\\SysWow64\\Fgglcg32.dll"  Pjihmmbk.exe
  "C:\\Windows\\SysWow64\\Jmegnj32.dll"  (no process recorded)
  "C:\\Windows\\SysWow64\\Cejmcm32.dll"  Bcpgdhpp.exe
  "C:\\Windows\\SysWow64\\Idgnjl32.dll"  Dogpdg32.exe
  "C:\\Windows\\SysWow64\\Hjnmkplj.dll"  Gqaafn32.exe
  "C:\\Windows\\SysWow64\\Bgefgpha.dll"  Qoeamo32.exe
  "C:\\Windows\\SysWow64\\Ekhnnojb.dll"  Jfjolf32.exe
  "C:\\Windows\\SysWow64\\Knfddo32.dll"  Jmkmjoec.exe
  "C:\\Windows\\SysWow64\\Ifmnalja.dll"  Oiakgcnl.exe
  "C:\\Windows\\SysWow64\\Mdcagkgd.dll"  Hbiaemkk.exe

Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anpmdf32.dll" Hegnahjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidobe32.dll" Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pocdjfob.dll" Dkdmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pilfpqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbaaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbccnjjb.dll" Gckdgjeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfpfdeon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbbobkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Objjnkie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oehgjfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajehnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amkbnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 
Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqahqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anbkipok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlkggmp.dll" Laleof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmmpolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljdpbj32.dll" Fhbpkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijcngenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npaich32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2856 wrote to memory of 492 | 2856 | 1fabefc18a350c03016c5f8fc5242a09e8506d3d3c2b08517a11352862d2e8fcN.exe | 28
PID 2856 wrote to memory of 492 | 2856 | 1fabefc18a350c03016c5f8fc5242a09e8506d3d3c2b08517a11352862d2e8fcN.exe | 28
PID 2856 wrote to memory of 492 | 2856 | 1fabefc18a350c03016c5f8fc5242a09e8506d3d3c2b08517a11352862d2e8fcN.exe | 28
PID 2856 wrote to memory of 492 | 2856 | 1fabefc18a350c03016c5f8fc5242a09e8506d3d3c2b08517a11352862d2e8fcN.exe | 28
PID 492 wrote to memory of 1748 | 492 | Mpbdnk32.exe | 29
PID 492 wrote to memory of 1748 | 492 | Mpbdnk32.exe | 29
PID 492 wrote to memory of 1748 | 492 | Mpbdnk32.exe | 29
PID 492 wrote to memory of 1748 | 492 | Mpbdnk32.exe | 29
PID 1748 wrote to memory of 2364 | 1748 | Mmfdhojb.exe | 30
PID 1748 wrote to memory of 2364 | 1748 | Mmfdhojb.exe | 30
PID 1748 wrote to memory of 2364 | 1748 | Mmfdhojb.exe | 30
PID 1748 wrote to memory of 2364 | 1748 | Mmfdhojb.exe | 30
PID 2364 wrote to memory of 284 | 2364 | Mpdqdkie.exe | 31
PID 2364 wrote to memory of 284 | 2364 | Mpdqdkie.exe | 31
PID 2364 wrote to memory of 284 | 2364 | Mpdqdkie.exe | 31
PID 2364 wrote to memory of 284 | 2364 | Mpdqdkie.exe | 31
PID 284 wrote to memory of 1612 | 284 | Mjjdacik.exe | 32
PID 284 wrote to memory of 1612 | 284 | Mjjdacik.exe | 32
PID 284 wrote to memory of 1612 | 284 | Mjjdacik.exe | 32
PID 284 wrote to memory of 1612 | 284 | Mjjdacik.exe | 32
PID 1612 wrote to memory of 1320 | 1612 | Mlkail32.exe | 33
PID 1612 wrote to memory of 1320 | 1612 | Mlkail32.exe | 33
PID 1612 wrote to memory of 1320 | 1612 | Mlkail32.exe | 33
PID 1612 wrote to memory of 1320 | 1612 | Mlkail32.exe | 33
PID 1320 wrote to memory of 2684 | 1320 | Mpgmijgc.exe | 34
PID 1320 wrote to memory of 2684 | 1320 | Mpgmijgc.exe | 34
PID 1320 wrote to memory of 2684 | 1320 | Mpgmijgc.exe | 34
PID 1320 wrote to memory of 2684 | 1320 | Mpgmijgc.exe | 34
PID 2684 wrote to memory of 2804 | 2684 | Medeaaej.exe | 35
PID 2684 wrote to memory of 2804 | 2684 | Medeaaej.exe | 35
PID 2684 wrote to memory of 2804 | 2684 | Medeaaej.exe | 35
PID 2684 wrote to memory of 2804 | 2684 | Medeaaej.exe | 35
PID 2804 wrote to memory of 2692 | 2804 | Noljjglk.exe | 36
PID 2804 wrote to memory of 2692 | 2804 | Noljjglk.exe | 36
PID 2804 wrote to memory of 2692 | 2804 | Noljjglk.exe | 36
PID 2804 wrote to memory of 2692 | 2804 | Noljjglk.exe | 36
PID 2692 wrote to memory of 2548 | 2692 | Nfcbldmm.exe | 37
PID 2692 wrote to memory of 2548 | 2692 | Nfcbldmm.exe | 37
PID 2692 wrote to memory of 2548 | 2692 | Nfcbldmm.exe | 37
PID 2692 wrote to memory of 2548 | 2692 | Nfcbldmm.exe | 37
PID 2548 wrote to memory of 2892 | 2548 | Noogpfjh.exe | 38
PID 2548 wrote to memory of 2892 | 2548 | Noogpfjh.exe | 38
PID 2548 wrote to memory of 2892 | 2548 | Noogpfjh.exe | 38
PID 2548 wrote to memory of 2892 | 2548 | Noogpfjh.exe | 38
PID 2892 wrote to memory of 1924 | 2892 | Nidkmojn.exe | 39
PID 2892 wrote to memory of 1924 | 2892 | Nidkmojn.exe | 39
PID 2892 wrote to memory of 1924 | 2892 | Nidkmojn.exe | 39
PID 2892 wrote to memory of 1924 | 2892 | Nidkmojn.exe | 39
PID 1924 wrote to memory of 2420 | 1924 | Nhgkil32.exe | 40
PID 1924 wrote to memory of 2420 | 1924 | Nhgkil32.exe | 40
PID 1924 wrote to memory of 2420 | 1924 | Nhgkil32.exe | 40
PID 1924 wrote to memory of 2420 | 1924 | Nhgkil32.exe | 40
PID 2420 wrote to memory of 1976 | 2420 | Nblpfepo.exe | 41
PID 2420 wrote to memory of 1976 | 2420 | Nblpfepo.exe | 41
PID 2420 wrote to memory of 1976 | 2420 | Nblpfepo.exe | 41
PID 2420 wrote to memory of 1976 | 2420 | Nblpfepo.exe | 41
PID 1976 wrote to memory of 2392 | 1976 | Ndnlnm32.exe | 42
PID 1976 wrote to memory of 2392 | 1976 | Ndnlnm32.exe | 42
PID 1976 wrote to memory of 2392 | 1976 | Ndnlnm32.exe | 42
PID 1976 wrote to memory of 2392 | 1976 | Ndnlnm32.exe | 42
PID 2392 wrote to memory of 1756 | 2392 | Naalga32.exe | 43
PID 2392 wrote to memory of 1756 | 2392 | Naalga32.exe | 43
PID 2392 wrote to memory of 1756 | 2392 | Naalga32.exe | 43
PID 2392 wrote to memory of 1756 | 2392 | Naalga32.exe | 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fabefc18a350c03016c5f8fc5242a09e8506d3d3c2b08517a11352862d2e8fcN.exe"C:\Users\Admin\AppData\Local\Temp\1fabefc18a350c03016c5f8fc5242a09e8506d3d3c2b08517a11352862d2e8fcN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:284 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:796 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:392 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe33⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe34⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe35⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe37⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe39⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe40⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe41⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe42⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe43⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe44⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe45⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe46⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe48⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe49⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe50⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe51⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe52⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe53⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe54⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe56⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe59⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe60⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe61⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe62⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe63⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe64⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe65⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe66⤵PID:1704
-
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe67⤵PID:616
-
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe68⤵PID:2716
-
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe69⤵PID:2944
-
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe70⤵
- Modifies registry class
PID:680 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1148 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe72⤵PID:236
-
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe73⤵PID:1688
-
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe75⤵PID:2300
-
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe78⤵PID:2704
-
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe79⤵PID:2720
-
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe80⤵PID:2596
-
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe81⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe82⤵PID:1916
-
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe83⤵PID:1928
-
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe84⤵PID:1936
-
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe85⤵
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe86⤵PID:2184
-
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe87⤵PID:2304
-
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe88⤵PID:1764
-
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe89⤵PID:1528
-
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe90⤵PID:2924
-
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe91⤵PID:868
-
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe93⤵PID:1648
-
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe94⤵PID:2084
-
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe95⤵PID:2952
-
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe96⤵
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe97⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe98⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe99⤵PID:1700
-
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe100⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe101⤵PID:1640
-
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe102⤵PID:1348
-
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe103⤵PID:1800
-
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe104⤵PID:744
-
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe105⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe107⤵PID:304
-
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe108⤵PID:2292
-
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe109⤵PID:2632
-
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe110⤵PID:2644
-
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe111⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1836 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe113⤵PID:1904
-
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe114⤵PID:2416
-
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe115⤵PID:1052
-
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe116⤵PID:1896
-
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe117⤵
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe118⤵PID:1628
-
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe119⤵PID:1552
-
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe120⤵PID:2272
-
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe121⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe122⤵PID:1608