Analysis
-
max time kernel
75s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27-10-2024 12:24
Behavioral task
behavioral1
Sample
e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exe
-
Size
320KB
-
MD5
6b3cc65c127099c03c4ef7389bbd47d0
-
SHA1
ed81facf202999bd763794708a310efda923ac0d
-
SHA256
e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaff
-
SHA512
ce745becc238a1146bfb095f6640bd17c25c9d18ca4a77155e4efc17d4de34d51935da449a550902eb95137a5fc685df3edd11f45b8e909831d7e45fa5fd5f33
-
SSDEEP
3072:BKrUHcodARb8k8gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4YfK:Bb8omRAk81+fIyG5jZkCwi8s
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Pbemboof.exeAjehnk32.exeEjcmmp32.exeKkdnhi32.exePbigmn32.exeMqehjecl.exeIeofkp32.exeApmcefmf.exeGnkoid32.exeOlbogqoe.exeAklabp32.exeCgnnab32.exeEfedga32.exeEbnabb32.exeOecmogln.exeKigndekn.exeLonibk32.exeAdfbpega.exeDkdmfe32.exeDlifadkk.exeDmepkn32.exeEgmabg32.exeJkbaci32.exeMphiqbon.exeNflchkii.exee23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exeNfigck32.exeCkbpqe32.exeFmdbnnlj.exeKipmhc32.exeDcbnpgkh.exeIaimipjl.exeGkmbmh32.exeAhmefdcp.exeFccglehn.exeGcmamj32.exeJbfilffm.exeKoaclfgl.exeDboeco32.exeNbeedh32.exeEafkhn32.exeGlpepj32.exeHdbpekam.exeHgflflqg.exeElibpg32.exeElkofg32.exeGefmcp32.exeDeondj32.exeGghmmilh.exeHmlkfo32.exeJfdhmk32.exeKalipcmb.exeMkfclo32.exeAahfdihn.exeDjlfma32.exeEemnnn32.exeLibjncnc.exeFkkfgi32.exeDpklkgoj.exeFeggob32.exeIcncgf32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbemboof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajehnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejcmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkdnhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbigmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqehjecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieofkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apmcefmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkoid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbogqoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aklabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgnnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efedga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebnabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oecmogln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kigndekn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lonibk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfbpega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkdmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlifadkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmepkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkbaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mphiqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nflchkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfigck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckbpqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmdbnnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipmhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmepkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcbnpgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaimipjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkmbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahmefdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fccglehn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmamj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koaclfgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboeco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbeedh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eafkhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glpepj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdbpekam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgflflqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elkofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gefmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deondj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gghmmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlkfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdhmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kalipcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkfclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aahfdihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djlfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkmbmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eemnnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libjncnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkkfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpklkgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feggob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icncgf32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
Cpfmmf32.exeCagienkb.exeCbffoabe.exeCchbgi32.exeCegoqlof.exeDjdgic32.exeDmbcen32.exeDmepkn32.exeDpcmgi32.exeDpeiligo.exeDbdehdfc.exeDlljaj32.exeDokfme32.exeDpjbgh32.exeEegkpo32.exeEopphehb.exeEdlhqlfi.exeEeldkonl.exeEdoefl32.exeEgmabg32.exeEodicd32.exeEpeekmjk.exeEdaalk32.exeEkkjheja.exeEmifeqid.exeEaebeoan.exeEcfnmh32.exeEkmfne32.exeFmlbjq32.exeFdekgjno.exeFeggob32.exeFoolgh32.exeFckhhgcf.exeFgfdie32.exeFoahmh32.exeFcmdnfad.exeFhjmfnok.exeFodebh32.exeFcpacf32.exeFkkfgi32.exeFkkfgi32.exeFadndbci.exeGdcjpncm.exeGkmbmh32.exeGnkoid32.exeGpjkeoha.exeGgdcbi32.exeGjbpne32.exeGaihob32.exeGdhdkn32.exeGckdgjeb.exeGgfpgi32.exeGjdldd32.exeGnphdceh.exeGqodqodl.exeGcmamj32.exeGghmmilh.exeGnbejb32.exeGmeeepjp.exeGgkibhjf.exeGfnjne32.exeGhlfjq32.exeHcajhi32.exeHjlbdc32.exepid Process 2132 Cpfmmf32.exe 3056 Cagienkb.exe 2776 Cbffoabe.exe 2852 Cchbgi32.exe 2632 Cegoqlof.exe 2540 Djdgic32.exe 2972 Dmbcen32.exe 1684 Dmepkn32.exe 1656 Dpcmgi32.exe 1344 Dpeiligo.exe 1524 Dbdehdfc.exe 976 Dlljaj32.exe 1768 Dokfme32.exe 952 Dpjbgh32.exe 1808 Eegkpo32.exe 1312 Eopphehb.exe 1664 Edlhqlfi.exe 684 Eeldkonl.exe 3032 Edoefl32.exe 1552 Egmabg32.exe 2216 Eodicd32.exe 2080 Epeekmjk.exe 2960 Edaalk32.exe 1496 Ekkjheja.exe 2312 Emifeqid.exe 1940 Eaebeoan.exe 2828 Ecfnmh32.exe 2824 Ekmfne32.exe 2648 Fmlbjq32.exe 2700 Fdekgjno.exe 2832 Feggob32.exe 2808 Foolgh32.exe 2936 Fckhhgcf.exe 1216 Fgfdie32.exe 1816 Foahmh32.exe 2016 Fcmdnfad.exe 2528 Fhjmfnok.exe 324 Fodebh32.exe 376 Fcpacf32.exe 2144 Fkkfgi32.exe 2192 Fkkfgi32.exe 1520 Fadndbci.exe 2420 Gdcjpncm.exe 1820 Gkmbmh32.exe 1724 Gnkoid32.exe 888 Gpjkeoha.exe 3048 Ggdcbi32.exe 1876 Gjbpne32.exe 2268 Gaihob32.exe 876 Gdhdkn32.exe 1880 Gckdgjeb.exe 2128 Ggfpgi32.exe 2744 Gjdldd32.exe 1424 Gnphdceh.exe 2796 Gqodqodl.exe 2556 Gcmamj32.exe 2620 Gghmmilh.exe 2616 Gnbejb32.exe 1156 Gmeeepjp.exe 1164 Ggkibhjf.exe 1956 Gfnjne32.exe 3064 Ghlfjq32.exe 1080 Hcajhi32.exe 1032 Hjlbdc32.exe -
Loads dropped DLL 64 IoCs
Processes:
e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exeCpfmmf32.exeCagienkb.exeCbffoabe.exeCchbgi32.exeCegoqlof.exeDjdgic32.exeDmbcen32.exeDmepkn32.exeDpcmgi32.exeDpeiligo.exeDbdehdfc.exeDlljaj32.exeDokfme32.exeDpjbgh32.exeEegkpo32.exeEopphehb.exeEdlhqlfi.exeEeldkonl.exeEdoefl32.exeEgmabg32.exeEodicd32.exeEpeekmjk.exeEdaalk32.exeEkkjheja.exeEmifeqid.exeEaebeoan.exeEcfnmh32.exeEkmfne32.exeFmlbjq32.exeFdekgjno.exeFeggob32.exepid Process 2072 e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exe 2072 e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exe 2132 Cpfmmf32.exe 2132 Cpfmmf32.exe 3056 Cagienkb.exe 3056 Cagienkb.exe 2776 Cbffoabe.exe 2776 Cbffoabe.exe 2852 Cchbgi32.exe 2852 Cchbgi32.exe 2632 Cegoqlof.exe 2632 Cegoqlof.exe 2540 Djdgic32.exe 2540 Djdgic32.exe 2972 Dmbcen32.exe 2972 Dmbcen32.exe 1684 Dmepkn32.exe 1684 Dmepkn32.exe 1656 Dpcmgi32.exe 1656 Dpcmgi32.exe 1344 Dpeiligo.exe 1344 Dpeiligo.exe 1524 Dbdehdfc.exe 1524 Dbdehdfc.exe 976 Dlljaj32.exe 976 Dlljaj32.exe 1768 Dokfme32.exe 1768 Dokfme32.exe 952 Dpjbgh32.exe 952 Dpjbgh32.exe 1808 Eegkpo32.exe 1808 Eegkpo32.exe 1312 Eopphehb.exe 1312 Eopphehb.exe 1664 Edlhqlfi.exe 1664 Edlhqlfi.exe 684 Eeldkonl.exe 684 Eeldkonl.exe 3032 Edoefl32.exe 3032 Edoefl32.exe 1552 Egmabg32.exe 1552 Egmabg32.exe 2216 Eodicd32.exe 2216 Eodicd32.exe 2080 Epeekmjk.exe 2080 Epeekmjk.exe 2960 Edaalk32.exe 2960 Edaalk32.exe 1496 Ekkjheja.exe 1496 Ekkjheja.exe 2312 Emifeqid.exe 2312 Emifeqid.exe 1940 Eaebeoan.exe 1940 Eaebeoan.exe 2828 Ecfnmh32.exe 2828 Ecfnmh32.exe 2824 Ekmfne32.exe 2824 Ekmfne32.exe 2648 Fmlbjq32.exe 2648 Fmlbjq32.exe 2700 Fdekgjno.exe 2700 Fdekgjno.exe 2832 Feggob32.exe 2832 Feggob32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Qhkipdeb.exeBnochnpm.exeElgfkhpi.exeJcnoejch.exeJbfilffm.exeGpjkeoha.exeHjlbdc32.exeHokhbj32.exeKkdnhi32.exeNjnmbk32.exeDboeco32.exeDjjjga32.exeGoqnae32.exeHqkmplen.exeJllqplnp.exeGgdcbi32.exePpddpd32.exeAdfbpega.exeIkgkei32.exeJapciodd.exeLhfnkqgk.exePbemboof.exePddjlb32.exeAnogijnb.exeEldiehbk.exeCpfmmf32.exeEcfnmh32.exeHkdemk32.exeMdmkoepk.exeFdgdji32.exeGcgqgd32.exeGlpepj32.exeJlnmel32.exeKipmhc32.exeGnkoid32.exeKdmban32.exeNmcopebh.exeOjglhm32.exeFeddombd.exeGehiioaj.exePfnmmn32.exeCglalbbi.exeEmifeqid.exeEaebeoan.exeHcdgmimg.exeKlfjpa32.exeLkbmbl32.exeEjcmmp32.exeEbnabb32.exeGkebafoa.exeGekfnoog.exeDokfme32.exeIchmgl32.exeLanbdf32.exeNfigck32.exeQobdgo32.exeFdnjkh32.exeHkjkle32.exeHgkfal32.exeMblbnj32.exeNjpihk32.exeElkofg32.exeFimoiopk.exedescription ioc Process File created C:\Windows\SysWOW64\Mehoblpm.dll Qhkipdeb.exe File opened for modification C:\Windows\SysWOW64\Bqmpdioa.exe Bnochnpm.exe File created C:\Windows\SysWOW64\Elibpg32.exe Elgfkhpi.exe File opened for modification C:\Windows\SysWOW64\Jgjkfi32.exe Jcnoejch.exe File opened for modification C:\Windows\SysWOW64\Jfaeme32.exe Jbfilffm.exe File opened for modification C:\Windows\SysWOW64\Ggdcbi32.exe Gpjkeoha.exe File created C:\Windows\SysWOW64\Hmjoqo32.exe Hjlbdc32.exe File created C:\Windows\SysWOW64\Hnnhngjf.exe Hokhbj32.exe File opened for modification C:\Windows\SysWOW64\Kigndekn.exe Kkdnhi32.exe File created C:\Windows\SysWOW64\Nbeedh32.exe Njnmbk32.exe File created C:\Windows\SysWOW64\Hjpqkajf.dll Dboeco32.exe File created C:\Windows\SysWOW64\Dbabho32.exe Djjjga32.exe File opened for modification C:\Windows\SysWOW64\Gncnmane.exe Goqnae32.exe File opened for modification C:\Windows\SysWOW64\Honnki32.exe Hqkmplen.exe File created C:\Windows\SysWOW64\Khljoh32.dll Jllqplnp.exe File created C:\Windows\SysWOW64\Gjbpne32.exe Ggdcbi32.exe File opened for modification C:\Windows\SysWOW64\Phklaacg.exe Ppddpd32.exe File created C:\Windows\SysWOW64\Jalcdhla.dll Adfbpega.exe File opened for modification C:\Windows\SysWOW64\Iocgfhhc.exe Ikgkei32.exe File created C:\Windows\SysWOW64\Cgngaoal.dll Japciodd.exe File opened for modification C:\Windows\SysWOW64\Lopfhk32.exe Lhfnkqgk.exe File created C:\Windows\SysWOW64\Pjleclph.exe Pbemboof.exe File opened for modification C:\Windows\SysWOW64\Pmmneg32.exe Pddjlb32.exe File created C:\Windows\SysWOW64\Apmcefmf.exe Anogijnb.exe File opened for modification C:\Windows\SysWOW64\Edlafebn.exe Eldiehbk.exe File created C:\Windows\SysWOW64\Cagienkb.exe Cpfmmf32.exe File created C:\Windows\SysWOW64\Jmhjff32.dll Ecfnmh32.exe File created C:\Windows\SysWOW64\Gmemln32.dll Hkdemk32.exe File created C:\Windows\SysWOW64\Mhhgpc32.exe Mdmkoepk.exe File created C:\Windows\SysWOW64\Flnlkgjq.exe Fdgdji32.exe File created C:\Windows\SysWOW64\Hnbbcale.dll Gcgqgd32.exe File created C:\Windows\SysWOW64\Gkcekfad.exe Glpepj32.exe File created C:\Windows\SysWOW64\Eplpdepa.dll Jlnmel32.exe File created C:\Windows\SysWOW64\Canhhi32.dll Kipmhc32.exe File opened for modification C:\Windows\SysWOW64\Gpjkeoha.exe Gnkoid32.exe File created C:\Windows\SysWOW64\Jbfghckb.dll Kdmban32.exe File opened for modification C:\Windows\SysWOW64\Ncmglp32.exe Nmcopebh.exe File created C:\Windows\SysWOW64\Bilfjg32.dll Ojglhm32.exe File opened for modification C:\Windows\SysWOW64\Fdgdji32.exe Feddombd.exe File created C:\Windows\SysWOW64\Glbaei32.exe Gehiioaj.exe File opened for modification C:\Windows\SysWOW64\Pmhejhao.exe Pfnmmn32.exe File created C:\Windows\SysWOW64\Cnejim32.exe Cglalbbi.exe File created C:\Windows\SysWOW64\Eaebeoan.exe Emifeqid.exe File opened for modification C:\Windows\SysWOW64\Ecfnmh32.exe Eaebeoan.exe File created C:\Windows\SysWOW64\Nkmggbfb.dll Hcdgmimg.exe File opened for modification C:\Windows\SysWOW64\Kdmban32.exe Klfjpa32.exe File opened for modification C:\Windows\SysWOW64\Lonibk32.exe Lkbmbl32.exe File created C:\Windows\SysWOW64\Eldiehbk.exe Ejcmmp32.exe File created C:\Windows\SysWOW64\Eemnnn32.exe Ebnabb32.exe File created C:\Windows\SysWOW64\Goqnae32.exe Gkebafoa.exe File created C:\Windows\SysWOW64\Gdnfjl32.exe Gekfnoog.exe File opened for modification C:\Windows\SysWOW64\Dpjbgh32.exe Dokfme32.exe File created C:\Windows\SysWOW64\Ibkmchbh.exe Ichmgl32.exe File opened for modification C:\Windows\SysWOW64\Lpabpcdf.exe Lanbdf32.exe File created C:\Windows\SysWOW64\Gfbliabl.dll Nfigck32.exe File opened for modification C:\Windows\SysWOW64\Qaapcj32.exe Qobdgo32.exe File opened for modification C:\Windows\SysWOW64\Fglfgd32.exe Fdnjkh32.exe File opened for modification C:\Windows\SysWOW64\Hjmlhbbg.exe Hkjkle32.exe File created C:\Windows\SysWOW64\Kmkbjj32.dll Hgkfal32.exe File opened for modification C:\Windows\SysWOW64\Kgkonj32.exe Kdmban32.exe File created C:\Windows\SysWOW64\Mhfjjdjf.exe Mblbnj32.exe File opened for modification C:\Windows\SysWOW64\Nnleiipc.exe Njpihk32.exe File created C:\Windows\SysWOW64\Eojlbb32.exe Elkofg32.exe File created C:\Windows\SysWOW64\Gpggei32.exe Fimoiopk.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 5952 5912 WerFault.exe 526 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Kilgoe32.exeAgglbp32.exeIocgfhhc.exeJnagmc32.exeCbffoabe.exeGpggei32.exeKekkiq32.exeGghmmilh.exeLjigih32.exeMhhgpc32.exeOjglhm32.exeDjjjga32.exeDafoikjb.exeKpojkp32.exeGoqnae32.exeAjehnk32.exeFijbco32.exeIbacbcgg.exeLkbmbl32.exeQkielpdf.exeAcicla32.exeGockgdeh.exeIegeonpc.exeJgjkfi32.exeJbclgf32.exeJagpdd32.exeBjjaikoa.exeCiagojda.exeGehiioaj.exeHcepqh32.exeFeggob32.exeIcfpbl32.exeKlmqapci.exeDgiaefgg.exeIbhicbao.exeJllqplnp.exeKljdkpfl.exeFdnjkh32.exeHjlbdc32.exeLaqojfli.exeMqehjecl.exeBfabnl32.exeCjhabndo.exeIogpag32.exeKfodfh32.exeEaebeoan.exeHkdemk32.exeObjjnkie.exeAahfdihn.exeKmkihbho.exeHeliepmn.exeIahceq32.exeIchmgl32.exeNmcopebh.exeDnjoco32.exeHjmlhbbg.exeDbdehdfc.exeKbmfgk32.exeCnejim32.exeFpdkpiik.exeIinhdmma.exeMbnocipg.exeOefjdgjk.exeQoeamo32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilgoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iocgfhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnagmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbffoabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpggei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekkiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghmmilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljigih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojglhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafoikjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpojkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goqnae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajehnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijbco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibacbcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkbmbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkielpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acicla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gockgdeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegeonpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbclgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jagpdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjaikoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciagojda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehiioaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcepqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feggob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmqapci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgiaefgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhicbao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllqplnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kljdkpfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlbdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laqojfli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqehjecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhabndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfodfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaebeoan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdemk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objjnkie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahfdihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkihbho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heliepmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahceq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ichmgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcopebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmlhbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdehdfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmfgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnejim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdkpiik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinhdmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnocipg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oefjdgjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoeamo32.exe -
Modifies registry class 64 IoCs
Processes:
Momfan32.exeNmcopebh.exeOmckoi32.exeQhilkege.exeQkielpdf.exeGjbpne32.exeJenbjc32.exeJlkglm32.exeGpggei32.exeCcnifd32.exeCjogcm32.exeFggmldfp.exeJhjbqo32.exeCkeqga32.exeJnagmc32.exeLjigih32.exeBnochnpm.exeHfhfhbce.exeJggoqimd.exeImjkpb32.exeKbmfgk32.exeJpepkk32.exeKjeglh32.exeLdgnklmi.exeIeofkp32.exeIchmgl32.exeOlmela32.exeBknjfb32.exeCceogcfj.exeCpfmmf32.exeGdcjpncm.exeIndnnfdn.exeIocgfhhc.exeKmimcbja.exeBoifga32.exeIahceq32.exeKalipcmb.exeAacmij32.exeIegeonpc.exeJibnop32.exeCbffoabe.exeFkkfgi32.exeFmfocnjg.exeIinhdmma.exeIeibdnnp.exeEkkjheja.exeMhcmedli.exeFdgdji32.exeKgkonj32.exeLaleof32.exeDnjoco32.exeKfodfh32.exeGpjkeoha.exeJhahanie.exeJkbaci32.exeKbhbai32.exeKekkiq32.exeDjdgic32.exePmehdh32.exeBfabnl32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Momfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchopn32.dll" Nmcopebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omckoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdekc32.dll" Qhilkege.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkielpdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjbpne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Looghene.dll" Jenbjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlkglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpggei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccnifd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjogcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fggmldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbhmhk32.dll" Jhjbqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckeqga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnagmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokmejcg.dll" Ljigih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnochnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefndikl.dll" Ckeqga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcmae32.dll" Hfhfhbce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jggoqimd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imjkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjblg32.dll" Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpepkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjeglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieofkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ichmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olmela32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bknjfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cceogcfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpfmmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdcjpncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Indnnfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iocgfhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamhcmdo.dll" Boifga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckeqga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iahceq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kalipcmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoebflm.dll" Iegeonpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biklma32.dll" Jibnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll" Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkkfgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmfocnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinhdmma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieibdnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geldbhjk.dll" Ekkjheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioljnm32.dll" Mhcmedli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdgdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgkonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjejkao.dll" Laleof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpjoahj.dll" Cceogcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongcaafk.dll" Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fameoj32.dll" Gpjkeoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhahanie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdhdfgep.dll" Jkbaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbhbai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kekkiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djdgic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfabnl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exeCpfmmf32.exeCagienkb.exeCbffoabe.exeCchbgi32.exeCegoqlof.exeDjdgic32.exeDmbcen32.exeDmepkn32.exeDpcmgi32.exeDpeiligo.exeDbdehdfc.exeDlljaj32.exeDokfme32.exeDpjbgh32.exeEegkpo32.exedescription pid Process procid_target PID 2072 wrote to memory of 2132 2072 e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exe 31 PID 2072 wrote to memory of 2132 2072 e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exe 31 PID 2072 wrote to memory of 2132 2072 e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exe 31 PID 2072 wrote to memory of 2132 2072 e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exe 31 PID 2132 wrote to memory of 3056 2132 Cpfmmf32.exe 32 PID 2132 wrote to memory of 3056 2132 Cpfmmf32.exe 32 PID 2132 wrote to memory of 3056 2132 Cpfmmf32.exe 32 PID 2132 wrote to memory of 3056 2132 Cpfmmf32.exe 32 PID 3056 wrote to memory of 2776 3056 Cagienkb.exe 33 PID 3056 wrote to memory of 2776 3056 Cagienkb.exe 33 PID 3056 wrote to memory of 2776 3056 Cagienkb.exe 33 PID 3056 wrote to memory of 2776 3056 Cagienkb.exe 33 PID 2776 wrote to memory of 2852 2776 Cbffoabe.exe 34 PID 2776 wrote to memory of 2852 2776 Cbffoabe.exe 34 PID 2776 wrote to memory of 2852 2776 Cbffoabe.exe 34 PID 2776 wrote to memory of 2852 2776 Cbffoabe.exe 34 PID 2852 wrote to memory of 2632 2852 Cchbgi32.exe 35 PID 2852 wrote to memory of 2632 2852 Cchbgi32.exe 35 PID 2852 wrote to memory of 2632 2852 Cchbgi32.exe 35 PID 2852 wrote to memory of 2632 2852 Cchbgi32.exe 35 PID 2632 wrote to memory of 2540 2632 Cegoqlof.exe 36 PID 2632 wrote to memory of 2540 2632 Cegoqlof.exe 36 PID 2632 wrote to memory of 2540 2632 Cegoqlof.exe 36 PID 2632 wrote to memory of 2540 2632 Cegoqlof.exe 36 PID 2540 wrote to memory of 2972 2540 Djdgic32.exe 37 PID 2540 wrote to memory of 2972 2540 Djdgic32.exe 37 PID 2540 wrote to memory of 2972 2540 Djdgic32.exe 37 PID 2540 wrote to memory of 2972 2540 Djdgic32.exe 37 PID 2972 wrote to memory of 1684 2972 Dmbcen32.exe 38 PID 2972 wrote to memory of 1684 2972 Dmbcen32.exe 38 PID 2972 wrote to memory of 1684 2972 Dmbcen32.exe 38 PID 2972 wrote to memory of 1684 2972 Dmbcen32.exe 38 PID 1684 wrote to memory of 1656 1684 Dmepkn32.exe 39 PID 1684 wrote to memory of 1656 1684 Dmepkn32.exe 39 PID 1684 wrote to memory of 1656 1684 Dmepkn32.exe 39 PID 1684 wrote to memory of 1656 1684 Dmepkn32.exe 39 PID 1656 wrote to memory of 1344 1656 Dpcmgi32.exe 40 PID 1656 wrote to memory of 1344 1656 Dpcmgi32.exe 40 PID 1656 wrote to memory of 1344 1656 Dpcmgi32.exe 40 PID 1656 wrote to memory of 1344 1656 Dpcmgi32.exe 40 PID 1344 wrote to memory of 1524 1344 Dpeiligo.exe 41 PID 1344 wrote to memory of 1524 1344 Dpeiligo.exe 41 PID 1344 wrote to memory of 1524 1344 Dpeiligo.exe 41 PID 1344 wrote to memory of 1524 1344 Dpeiligo.exe 41 PID 1524 wrote to memory of 976 1524 Dbdehdfc.exe 42 PID 1524 wrote to memory of 976 1524 Dbdehdfc.exe 42 PID 1524 wrote to memory of 976 1524 Dbdehdfc.exe 42 PID 1524 wrote to memory of 976 1524 Dbdehdfc.exe 42 PID 976 wrote to memory of 1768 976 Dlljaj32.exe 43 PID 976 wrote to memory of 1768 976 Dlljaj32.exe 43 PID 976 wrote to memory of 1768 976 Dlljaj32.exe 43 PID 976 wrote to memory of 1768 976 Dlljaj32.exe 43 PID 1768 wrote to memory of 952 1768 Dokfme32.exe 44 PID 1768 wrote to memory of 952 1768 Dokfme32.exe 44 PID 1768 wrote to memory of 952 1768 Dokfme32.exe 44 PID 1768 wrote to memory of 952 1768 Dokfme32.exe 44 PID 952 wrote to memory of 1808 952 Dpjbgh32.exe 45 PID 952 wrote to memory of 1808 952 Dpjbgh32.exe 45 PID 952 wrote to memory of 1808 952 Dpjbgh32.exe 45 PID 952 wrote to memory of 1808 952 Dpjbgh32.exe 45 PID 1808 wrote to memory of 1312 1808 Eegkpo32.exe 46 PID 1808 wrote to memory of 1312 1808 Eegkpo32.exe 46 PID 1808 wrote to memory of 1312 1808 Eegkpo32.exe 46 PID 1808 wrote to memory of 1312 1808 Eegkpo32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exe"C:\Users\Admin\AppData\Local\Temp\e23f3ab456d259b3c922c4ce032201787828f9673590abd108fc8d5454ccaaffN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Cchbgi32.exeC:\Windows\system32\Cchbgi32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Djdgic32.exeC:\Windows\system32\Djdgic32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Dmbcen32.exeC:\Windows\system32\Dmbcen32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Dpcmgi32.exeC:\Windows\system32\Dpcmgi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Eegkpo32.exeC:\Windows\system32\Eegkpo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe33⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe34⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe35⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe36⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe37⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe38⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe39⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe40⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe43⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe50⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe51⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe52⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe53⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe54⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe55⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe56⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe59⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe60⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe61⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe62⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe63⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe64⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe66⤵PID:1688
-
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe67⤵
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe68⤵PID:1512
-
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe69⤵PID:1884
-
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe71⤵
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe72⤵PID:2164
-
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe73⤵PID:2748
-
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe74⤵PID:2812
-
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2228 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe76⤵PID:2928
-
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe77⤵PID:2656
-
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe78⤵PID:2060
-
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe79⤵PID:2028
-
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe81⤵PID:476
-
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe82⤵PID:2120
-
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe83⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe84⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe85⤵PID:1160
-
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe86⤵
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe87⤵PID:2104
-
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe89⤵PID:1600
-
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe90⤵PID:2996
-
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe91⤵PID:2436
-
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe92⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe93⤵PID:2484
-
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe94⤵PID:2940
-
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe95⤵PID:2280
-
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe96⤵PID:2004
-
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe98⤵
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe99⤵PID:1036
-
C:\Windows\SysWOW64\Iichjc32.exeC:\Windows\system32\Iichjc32.exe100⤵PID:1752
-
C:\Windows\SysWOW64\Ipmqgmcd.exeC:\Windows\system32\Ipmqgmcd.exe101⤵PID:1232
-
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe103⤵PID:2772
-
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe104⤵PID:2708
-
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe105⤵PID:2324
-
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe106⤵PID:580
-
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe107⤵PID:1680
-
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe108⤵PID:2348
-
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe109⤵PID:2272
-
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe110⤵
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe111⤵PID:2220
-
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe112⤵PID:932
-
C:\Windows\SysWOW64\Jenbjc32.exeC:\Windows\system32\Jenbjc32.exe113⤵
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe114⤵PID:2168
-
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe115⤵PID:2676
-
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe116⤵PID:2588
-
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe117⤵PID:2664
-
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe118⤵PID:2552
-
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe119⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe120⤵PID:380
-
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe121⤵
- System Location Discovery: System Language Discovery
PID:972
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-