Analysis

max time kernel: 13s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10/11/2024, 16:02
Static task: static1

Behavioral task: behavioral1
Sample: 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe
Resource: win10v2004-20241007-en
General

Target: 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe
Size: 97KB
MD5: 658ee4fb18eeb89d602fbba50e399a30
SHA1: b24681bce775a76847b64fad6c7d143deefee3cc
SHA256: 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67a
SHA512: 86784eb1fb8d11966ebdc2803762e76a9445e97e8399be478669390fbc6ba16e8951aea5642fa9bfe5591df70c35ea220d26c46f7714f277da12938296b698b9
SSDEEP: 1536:Kbzb4Uf98zN/5uvrFe7BXUwXfzwE57pvJXeYZ6:kb/f98BhT7VPzwm7pJXeK6
Malware Config

Extracted: berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 50 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkhalo32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Meeopdhb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Meeopdhb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcjlap32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhhqfb32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odckfb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfdbcing.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lighjd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oomlfpdi.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Loocanbe.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmcpjfcj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nebnigmp.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhfdqb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhhqfb32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kninog32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Loocanbe.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mbdfni32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmemoe32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhcgkbja.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oaqeogll.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbncof32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbppdfmk.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbdfni32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhfdqb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omgfdhbq.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocdnloph.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oomlfpdi.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olalpdbc.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfdbcing.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkhalo32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olalpdbc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oaqeogll.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ocdnloph.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kngaig32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmemoe32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npffaq32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kngaig32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lighjd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kninog32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcjlap32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmcpjfcj.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbncof32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbppdfmk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhcgkbja.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omgfdhbq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Odckfb32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npffaq32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nebnigmp.exe |
Berbew family
Executes dropped EXE (25 IoCs)

| pid | Process |
|---|---|
| 2700 | Kbncof32.exe |
| 2148 | Kbppdfmk.exe |
| 3060 | Kngaig32.exe |
| 424 | Kninog32.exe |
| 1384 | Lfdbcing.exe |
| 2792 | Loocanbe.exe |
| 2428 | Lighjd32.exe |
| 736 | Lkhalo32.exe |
| 2044 | Mbdfni32.exe |
| 2684 | Meeopdhb.exe |
| 2120 | Mcjlap32.exe |
| 1724 | Mmcpjfcj.exe |
| 2208 | Mmemoe32.exe |
| 2228 | Npffaq32.exe |
| 1672 | Nebnigmp.exe |
| 532 | Nhcgkbja.exe |
| 1736 | Nhfdqb32.exe |
| 2452 | Nhhqfb32.exe |
| 2628 | Oaqeogll.exe |
| 1688 | Omgfdhbq.exe |
| 1016 | Ocdnloph.exe |
| 2668 | Odckfb32.exe |
| 2036 | Oomlfpdi.exe |
| 2244 | Olalpdbc.exe |
| 1896 | Ockdmn32.exe |
Loads dropped DLL (54 IoCs)

| pid | Process |
|---|---|
| 1084 | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe |
| 1084 | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe |
| 2700 | Kbncof32.exe |
| 2700 | Kbncof32.exe |
| 2148 | Kbppdfmk.exe |
| 2148 | Kbppdfmk.exe |
| 3060 | Kngaig32.exe |
| 3060 | Kngaig32.exe |
| 424 | Kninog32.exe |
| 424 | Kninog32.exe |
| 1384 | Lfdbcing.exe |
| 1384 | Lfdbcing.exe |
| 2792 | Loocanbe.exe |
| 2792 | Loocanbe.exe |
| 2428 | Lighjd32.exe |
| 2428 | Lighjd32.exe |
| 736 | Lkhalo32.exe |
| 736 | Lkhalo32.exe |
| 2044 | Mbdfni32.exe |
| 2044 | Mbdfni32.exe |
| 2684 | Meeopdhb.exe |
| 2684 | Meeopdhb.exe |
| 2120 | Mcjlap32.exe |
| 2120 | Mcjlap32.exe |
| 1724 | Mmcpjfcj.exe |
| 1724 | Mmcpjfcj.exe |
| 2208 | Mmemoe32.exe |
| 2208 | Mmemoe32.exe |
| 2228 | Npffaq32.exe |
| 2228 | Npffaq32.exe |
| 1672 | Nebnigmp.exe |
| 1672 | Nebnigmp.exe |
| 532 | Nhcgkbja.exe |
| 532 | Nhcgkbja.exe |
| 1736 | Nhfdqb32.exe |
| 1736 | Nhfdqb32.exe |
| 2452 | Nhhqfb32.exe |
| 2452 | Nhhqfb32.exe |
| 2628 | Oaqeogll.exe |
| 2628 | Oaqeogll.exe |
| 1688 | Omgfdhbq.exe |
| 1688 | Omgfdhbq.exe |
| 1016 | Ocdnloph.exe |
| 1016 | Ocdnloph.exe |
| 2668 | Odckfb32.exe |
| 2668 | Odckfb32.exe |
| 2036 | Oomlfpdi.exe |
| 2036 | Oomlfpdi.exe |
| 2244 | Olalpdbc.exe |
| 2244 | Olalpdbc.exe |
| 872 | WerFault.exe |
| 872 | WerFault.exe |
| 872 | WerFault.exe |
| 872 | WerFault.exe |
Drops file in System32 directory (64 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\Ahpfkg32.dll | Kngaig32.exe |
| File opened for modification | C:\Windows\SysWOW64\Nhhqfb32.exe | Nhfdqb32.exe |
| File created | C:\Windows\SysWOW64\Ockdmn32.exe | Olalpdbc.exe |
| File created | C:\Windows\SysWOW64\Kninog32.exe | Kngaig32.exe |
| File opened for modification | C:\Windows\SysWOW64\Lfdbcing.exe | Kninog32.exe |
| File created | C:\Windows\SysWOW64\Hqebodfa.dll | Loocanbe.exe |
| File created | C:\Windows\SysWOW64\Nlieiq32.dll | Nebnigmp.exe |
| File created | C:\Windows\SysWOW64\Fjfiqjch.dll | Nhfdqb32.exe |
| File created | C:\Windows\SysWOW64\Odckfb32.exe | Ocdnloph.exe |
| File created | C:\Windows\SysWOW64\Kngaig32.exe | Kbppdfmk.exe |
| File created | C:\Windows\SysWOW64\Defadnfb.dll | Lfdbcing.exe |
| File created | C:\Windows\SysWOW64\Mmooam32.dll | Meeopdhb.exe |
| File opened for modification | C:\Windows\SysWOW64\Mmcpjfcj.exe | Mcjlap32.exe |
| File opened for modification | C:\Windows\SysWOW64\Nhfdqb32.exe | Nhcgkbja.exe |
| File created | C:\Windows\SysWOW64\Doeljaja.dll | Omgfdhbq.exe |
| File created | C:\Windows\SysWOW64\Lkdjamga.dll | Oomlfpdi.exe |
| File opened for modification | C:\Windows\SysWOW64\Mbdfni32.exe | Lkhalo32.exe |
| File created | C:\Windows\SysWOW64\Mcjlap32.exe | Meeopdhb.exe |
| File created | C:\Windows\SysWOW64\Dkhdhoei.dll | Mmemoe32.exe |
| File created | C:\Windows\SysWOW64\Loocanbe.exe | Lfdbcing.exe |
| File opened for modification | C:\Windows\SysWOW64\Mmemoe32.exe | Mmcpjfcj.exe |
| File created | C:\Windows\SysWOW64\Oaqeogll.exe | Nhhqfb32.exe |
| File created | C:\Windows\SysWOW64\Oomlfpdi.exe | Odckfb32.exe |
| File created | C:\Windows\SysWOW64\Kbppdfmk.exe | Kbncof32.exe |
| File created | C:\Windows\SysWOW64\Ifadmn32.dll | Kbncof32.exe |
| File opened for modification | C:\Windows\SysWOW64\Kninog32.exe | Kngaig32.exe |
| File created | C:\Windows\SysWOW64\Ahdheo32.dll | Kninog32.exe |
| File created | C:\Windows\SysWOW64\Lkhalo32.exe | Lighjd32.exe |
| File created | C:\Windows\SysWOW64\Bblkmipo.dll | Mmcpjfcj.exe |
| File created | C:\Windows\SysWOW64\Nhcgkbja.exe | Nebnigmp.exe |
| File opened for modification | C:\Windows\SysWOW64\Kbppdfmk.exe | Kbncof32.exe |
| File opened for modification | C:\Windows\SysWOW64\Nebnigmp.exe | Npffaq32.exe |
| File created | C:\Windows\SysWOW64\Mhfoej32.dll | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe |
| File created | C:\Windows\SysWOW64\Lighjd32.exe | Loocanbe.exe |
| File created | C:\Windows\SysWOW64\Glfiinip.dll | Mbdfni32.exe |
| File created | C:\Windows\SysWOW64\Mmcpjfcj.exe | Mcjlap32.exe |
| File opened for modification | C:\Windows\SysWOW64\Nhcgkbja.exe | Nebnigmp.exe |
| File created | C:\Windows\SysWOW64\Ffeejokj.dll | Kbppdfmk.exe |
| File opened for modification | C:\Windows\SysWOW64\Mcjlap32.exe | Meeopdhb.exe |
| File created | C:\Windows\SysWOW64\Mmemoe32.exe | Mmcpjfcj.exe |
| File opened for modification | C:\Windows\SysWOW64\Npffaq32.exe | Mmemoe32.exe |
| File created | C:\Windows\SysWOW64\Ibjenkae.dll | Nhhqfb32.exe |
| File opened for modification | C:\Windows\SysWOW64\Kbncof32.exe | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe |
| File opened for modification | C:\Windows\SysWOW64\Kngaig32.exe | Kbppdfmk.exe |
| File created | C:\Windows\SysWOW64\Mbdfni32.exe | Lkhalo32.exe |
| File created | C:\Windows\SysWOW64\Mmhaikja.dll | Lkhalo32.exe |
| File created | C:\Windows\SysWOW64\Hdqcfdkh.dll | Mcjlap32.exe |
| File created | C:\Windows\SysWOW64\Madikm32.dll | Npffaq32.exe |
| File created | C:\Windows\SysWOW64\Nhfdqb32.exe | Nhcgkbja.exe |
| File opened for modification | C:\Windows\SysWOW64\Omgfdhbq.exe | Oaqeogll.exe |
| File created | C:\Windows\SysWOW64\Eikkoh32.dll | Oaqeogll.exe |
| File created | C:\Windows\SysWOW64\Kbncof32.exe | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe |
| File created | C:\Windows\SysWOW64\Nhhqfb32.exe | Nhfdqb32.exe |
| File created | C:\Windows\SysWOW64\Ocdnloph.exe | Omgfdhbq.exe |
| File opened for modification | C:\Windows\SysWOW64\Oomlfpdi.exe | Odckfb32.exe |
| File created | C:\Windows\SysWOW64\Lfdbcing.exe | Kninog32.exe |
| File created | C:\Windows\SysWOW64\Mmelhc32.dll | Lighjd32.exe |
| File opened for modification | C:\Windows\SysWOW64\Meeopdhb.exe | Mbdfni32.exe |
| File created | C:\Windows\SysWOW64\Nebnigmp.exe | Npffaq32.exe |
| File opened for modification | C:\Windows\SysWOW64\Lighjd32.exe | Loocanbe.exe |
| File created | C:\Windows\SysWOW64\Npffaq32.exe | Mmemoe32.exe |
| File created | C:\Windows\SysWOW64\Mfdfng32.dll | Odckfb32.exe |
| File created | C:\Windows\SysWOW64\Olalpdbc.exe | Oomlfpdi.exe |
| File opened for modification | C:\Windows\SysWOW64\Lkhalo32.exe | Lighjd32.exe |
Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 872 | 1896 | WerFault.exe | 54 |
System Location Discovery: System Language Discovery (1 TTP, 26 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odckfb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ockdmn32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbdfni32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Meeopdhb.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhfdqb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oaqeogll.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omgfdhbq.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbncof32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbppdfmk.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Loocanbe.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhhqfb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Olalpdbc.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kninog32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lighjd32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmcpjfcj.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nebnigmp.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmemoe32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npffaq32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhcgkbja.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ocdnloph.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kngaig32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfdbcing.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lkhalo32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcjlap32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oomlfpdi.exe |
Modifies registry class (64 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmelhc32.dll" | Lighjd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhcgkbja.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Npffaq32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeejokj.dll" | Kbppdfmk.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lfdbcing.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lkhalo32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mbdfni32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbdfni32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkdjamga.dll" | Oomlfpdi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kbppdfmk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Loocanbe.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Meeopdhb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjfiqjch.dll" | Nhfdqb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Odckfb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nebnigmp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nhhqfb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kbncof32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kbppdfmk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqebodfa.dll" | Loocanbe.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mmcpjfcj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblkmipo.dll" | Mmcpjfcj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmcpjfcj.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ocdnloph.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhfdqb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikkoh32.dll" | Oaqeogll.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kngaig32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kninog32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lfdbcing.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Loocanbe.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmooam32.dll" | Meeopdhb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpfkg32.dll" | Kngaig32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nebnigmp.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlieiq32.dll" | Nebnigmp.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oaqeogll.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ocdnloph.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oomlfpdi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Olalpdbc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kngaig32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lighjd32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkhalo32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Npffaq32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibjenkae.dll" | Nhhqfb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madikm32.dll" | Npffaq32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfdfng32.dll" | Odckfb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odckfb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Olalpdbc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmemoe32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhhqfb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doeljaja.dll" | Omgfdhbq.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kbncof32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhaikja.dll" | Lkhalo32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfiinip.dll" | Mbdfni32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Meeopdhb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mcjlap32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Omgfdhbq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Omgfdhbq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oomlfpdi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifadmn32.dll" | Kbncof32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahdheo32.dll" | Kninog32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kninog32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defadnfb.dll" | Lfdbcing.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1084 wrote to memory of 2700 | 1084 | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe | 30 |
| PID 1084 wrote to memory of 2700 | 1084 | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe | 30 |
| PID 1084 wrote to memory of 2700 | 1084 | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe | 30 |
| PID 1084 wrote to memory of 2700 | 1084 | 083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe | 30 |
| PID 2700 wrote to memory of 2148 | 2700 | Kbncof32.exe | 31 |
| PID 2700 wrote to memory of 2148 | 2700 | Kbncof32.exe | 31 |
| PID 2700 wrote to memory of 2148 | 2700 | Kbncof32.exe | 31 |
| PID 2700 wrote to memory of 2148 | 2700 | Kbncof32.exe | 31 |
| PID 2148 wrote to memory of 3060 | 2148 | Kbppdfmk.exe | 32 |
| PID 2148 wrote to memory of 3060 | 2148 | Kbppdfmk.exe | 32 |
| PID 2148 wrote to memory of 3060 | 2148 | Kbppdfmk.exe | 32 |
| PID 2148 wrote to memory of 3060 | 2148 | Kbppdfmk.exe | 32 |
| PID 3060 wrote to memory of 424 | 3060 | Kngaig32.exe | 33 |
| PID 3060 wrote to memory of 424 | 3060 | Kngaig32.exe | 33 |
| PID 3060 wrote to memory of 424 | 3060 | Kngaig32.exe | 33 |
| PID 3060 wrote to memory of 424 | 3060 | Kngaig32.exe | 33 |
| PID 424 wrote to memory of 1384 | 424 | Kninog32.exe | 34 |
| PID 424 wrote to memory of 1384 | 424 | Kninog32.exe | 34 |
| PID 424 wrote to memory of 1384 | 424 | Kninog32.exe | 34 |
| PID 424 wrote to memory of 1384 | 424 | Kninog32.exe | 34 |
| PID 1384 wrote to memory of 2792 | 1384 | Lfdbcing.exe | 35 |
| PID 1384 wrote to memory of 2792 | 1384 | Lfdbcing.exe | 35 |
| PID 1384 wrote to memory of 2792 | 1384 | Lfdbcing.exe | 35 |
| PID 1384 wrote to memory of 2792 | 1384 | Lfdbcing.exe | 35 |
| PID 2792 wrote to memory of 2428 | 2792 | Loocanbe.exe | 36 |
| PID 2792 wrote to memory of 2428 | 2792 | Loocanbe.exe | 36 |
| PID 2792 wrote to memory of 2428 | 2792 | Loocanbe.exe | 36 |
| PID 2792 wrote to memory of 2428 | 2792 | Loocanbe.exe | 36 |
| PID 2428 wrote to memory of 736 | 2428 | Lighjd32.exe | 37 |
| PID 2428 wrote to memory of 736 | 2428 | Lighjd32.exe | 37 |
| PID 2428 wrote to memory of 736 | 2428 | Lighjd32.exe | 37 |
| PID 2428 wrote to memory of 736 | 2428 | Lighjd32.exe | 37 |
| PID 736 wrote to memory of 2044 | 736 | Lkhalo32.exe | 38 |
| PID 736 wrote to memory of 2044 | 736 | Lkhalo32.exe | 38 |
| PID 736 wrote to memory of 2044 | 736 | Lkhalo32.exe | 38 |
| PID 736 wrote to memory of 2044 | 736 | Lkhalo32.exe | 38 |
| PID 2044 wrote to memory of 2684 | 2044 | Mbdfni32.exe | 39 |
| PID 2044 wrote to memory of 2684 | 2044 | Mbdfni32.exe | 39 |
| PID 2044 wrote to memory of 2684 | 2044 | Mbdfni32.exe | 39 |
| PID 2044 wrote to memory of 2684 | 2044 | Mbdfni32.exe | 39 |
| PID 2684 wrote to memory of 2120 | 2684 | Meeopdhb.exe | 40 |
| PID 2684 wrote to memory of 2120 | 2684 | Meeopdhb.exe | 40 |
| PID 2684 wrote to memory of 2120 | 2684 | Meeopdhb.exe | 40 |
| PID 2684 wrote to memory of 2120 | 2684 | Meeopdhb.exe | 40 |
| PID 2120 wrote to memory of 1724 | 2120 | Mcjlap32.exe | 41 |
| PID 2120 wrote to memory of 1724 | 2120 | Mcjlap32.exe | 41 |
| PID 2120 wrote to memory of 1724 | 2120 | Mcjlap32.exe | 41 |
| PID 2120 wrote to memory of 1724 | 2120 | Mcjlap32.exe | 41 |
| PID 1724 wrote to memory of 2208 | 1724 | Mmcpjfcj.exe | 42 |
| PID 1724 wrote to memory of 2208 | 1724 | Mmcpjfcj.exe | 42 |
| PID 1724 wrote to memory of 2208 | 1724 | Mmcpjfcj.exe | 42 |
| PID 1724 wrote to memory of 2208 | 1724 | Mmcpjfcj.exe | 42 |
| PID 2208 wrote to memory of 2228 | 2208 | Mmemoe32.exe | 43 |
| PID 2208 wrote to memory of 2228 | 2208 | Mmemoe32.exe | 43 |
| PID 2208 wrote to memory of 2228 | 2208 | Mmemoe32.exe | 43 |
| PID 2208 wrote to memory of 2228 | 2208 | Mmemoe32.exe | 43 |
| PID 2228 wrote to memory of 1672 | 2228 | Npffaq32.exe | 44 |
| PID 2228 wrote to memory of 1672 | 2228 | Npffaq32.exe | 44 |
| PID 2228 wrote to memory of 1672 | 2228 | Npffaq32.exe | 44 |
| PID 2228 wrote to memory of 1672 | 2228 | Npffaq32.exe | 44 |
| PID 1672 wrote to memory of 532 | 1672 | Nebnigmp.exe | 45 |
| PID 1672 wrote to memory of 532 | 1672 | Nebnigmp.exe | 45 |
| PID 1672 wrote to memory of 532 | 1672 | Nebnigmp.exe | 45 |
| PID 1672 wrote to memory of 532 | 1672 | Nebnigmp.exe | 45 |
Processes
-
C:\Users\Admin\AppData\Local\Temp\083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe"C:\Users\Admin\AppData\Local\Temp\083aa734e64a8838e5babd957c55f8d9efbbac19e5f794a616096e29ecc9f67aN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1084 -
2. C:\Windows\SysWOW64\Kbncof32.exe
Command line: C:\Windows\system32\Kbncof32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
3. C:\Windows\SysWOW64\Kbppdfmk.exe
Command line: C:\Windows\system32\Kbppdfmk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148 -
4. C:\Windows\SysWOW64\Kngaig32.exe
Command line: C:\Windows\system32\Kngaig32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
5. C:\Windows\SysWOW64\Kninog32.exe
Command line: C:\Windows\system32\Kninog32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:424 -
6. C:\Windows\SysWOW64\Lfdbcing.exe
Command line: C:\Windows\system32\Lfdbcing.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1384 -
7. C:\Windows\SysWOW64\Loocanbe.exe
Command line: C:\Windows\system32\Loocanbe.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792 -
8. C:\Windows\SysWOW64\Lighjd32.exe
Command line: C:\Windows\system32\Lighjd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428 -
9. C:\Windows\SysWOW64\Lkhalo32.exe
Command line: C:\Windows\system32\Lkhalo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:736 -
10. C:\Windows\SysWOW64\Mbdfni32.exe
Command line: C:\Windows\system32\Mbdfni32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044 -
11. C:\Windows\SysWOW64\Meeopdhb.exe
Command line: C:\Windows\system32\Meeopdhb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684 -
12. C:\Windows\SysWOW64\Mcjlap32.exe
Command line: C:\Windows\system32\Mcjlap32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120 -
13. C:\Windows\SysWOW64\Mmcpjfcj.exe
Command line: C:\Windows\system32\Mmcpjfcj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724 -
14. C:\Windows\SysWOW64\Mmemoe32.exe
Command line: C:\Windows\system32\Mmemoe32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208 -
15. C:\Windows\SysWOW64\Npffaq32.exe
Command line: C:\Windows\system32\Npffaq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228 -
16. C:\Windows\SysWOW64\Nebnigmp.exe
Command line: C:\Windows\system32\Nebnigmp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672 -
17. C:\Windows\SysWOW64\Nhcgkbja.exe
Command line: C:\Windows\system32\Nhcgkbja.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:532 -
18. C:\Windows\SysWOW64\Nhfdqb32.exe
Command line: C:\Windows\system32\Nhfdqb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1736 -
19. C:\Windows\SysWOW64\Nhhqfb32.exe
Command line: C:\Windows\system32\Nhhqfb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2452 -
20. C:\Windows\SysWOW64\Oaqeogll.exe
Command line: C:\Windows\system32\Oaqeogll.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2628 -
21. C:\Windows\SysWOW64\Omgfdhbq.exe
Command line: C:\Windows\system32\Omgfdhbq.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1688 -
22. C:\Windows\SysWOW64\Ocdnloph.exe
Command line: C:\Windows\system32\Ocdnloph.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1016 -
23. C:\Windows\SysWOW64\Odckfb32.exe
Command line: C:\Windows\system32\Odckfb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2668 -
24. C:\Windows\SysWOW64\Oomlfpdi.exe
Command line: C:\Windows\system32\Oomlfpdi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2036 -
25. C:\Windows\SysWOW64\Olalpdbc.exe
Command line: C:\Windows\system32\Olalpdbc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2244 -
26. C:\Windows\SysWOW64\Ockdmn32.exe
Command line: C:\Windows\system32\Ockdmn32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896 -
27. C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1402
- Loads dropped DLL
- Program crash
PID:872
Network
MITRE ATT&CK Enterprise v15
Downloads