Analysis
max time kernel: 69s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 18:46
Static task: static1
Behavioral task: behavioral1
  Sample: 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe
  Resource: win10v2004-20241007-en
General
Target: 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe
Size: 88KB
MD5: fe6c8ceab2e7c4d7a94ae1bba3fe0acd
SHA1: d657462aa98f08b8147c0fdde2c64fae5e37642f
SHA256: 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078
SHA512: ddf439a2424a69450317768b768df274b71160abd969497f08b522396778853a695d318e3cb26cc215805a7bc75c5ec5f919da27ad734e3c017a708d6aa6449c
SSDEEP: 1536:ILzBeklfOfPT85PjgvYD5aCZHwFL8QOVXtE1ukVd71rFZO7+90vJ:AzBekMf785PjJ5ZILi9EIIJ15ZO7Vx
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes: Pdbmfb32.exe, Ieofkp32.exe, Lopfhk32.exe, Dadbdkld.exe, Lgingm32.exe, Nmflee32.exe, Oecmogln.exe, Hjfnnajl.exe, Lpcoeb32.exe, Bnochnpm.exe, Ehpcehcj.exe, Pfbfhm32.exe, Ciokijfd.exe, Hdbpekam.exe, Icdcllpc.exe, Injqmdki.exe, Aobpfb32.exe, Ichmgl32.exe, Odmckcmq.exe, Fkhbgbkc.exe, Honnki32.exe, Imbjcpnn.exe, Bolcma32.exe, Eknpadcn.exe, Jfcabd32.exe, Pmjaohol.exe, Ebqngb32.exe, Afliclij.exe, Bnlgbnbp.exe, Dfcgbb32.exe, Kpfplo32.exe, Mgmdapml.exe, Edidqf32.exe, Ioeclg32.exe, Ppinkcnp.exe, Aphjjf32.exe, Kbbobkol.exe, Jnagmc32.exe, Jcqlkjae.exe, Gamnhq32.exe, Lhcafa32.exe, Cmfmojcb.exe, Ohdfqbio.exe, Lgngbmjp.exe, Oimmjffj.exe, Objjnkie.exe, Kbhbai32.exe, Adaiee32.exe, Cehhdkjf.exe, Ccnifd32.exe, Kjeglh32.exe, Kjhcag32.exe, Nflchkii.exe, Bjjaikoa.exe, Bqolji32.exe, Gncnmane.exe, Epnhpglg.exe, Ldokfakl.exe, Ncinap32.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdbmfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ieofkp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lopfhk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dadbdkld.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgingm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmflee32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oecmogln.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjfnnajl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpcoeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnochnpm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehpcehcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgingm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfbfhm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ciokijfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdbpekam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icdcllpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Injqmdki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aobpfb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ichmgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Odmckcmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkhbgbkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Honnki32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imbjcpnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ichmgl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bolcma32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eknpadcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfcabd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmjaohol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebqngb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afliclij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnlgbnbp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfcgbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpfplo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgmdapml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Edidqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ioeclg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppinkcnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aphjjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ciokijfd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbbobkol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnagmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcqlkjae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dadbdkld.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gamnhq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhcafa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmfmojcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohdfqbio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgngbmjp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oimmjffj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Objjnkie.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbhbai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adaiee32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cehhdkjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ccnifd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehpcehcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjeglh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjhcag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nflchkii.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjjaikoa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bqolji32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gncnmane.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epnhpglg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldokfakl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncinap32.exe
Berbew family
Executes dropped EXE 64 IoCs
Processes: Gfnjne32.exe, Gjifodii.exe, Hofngkga.exe, Hfpfdeon.exe, Hinbppna.exe, Hbggif32.exe, Hfbcidmk.exe, Hiqoeplo.exe, Hnnhngjf.exe, Hbidne32.exe, Hkahgk32.exe, Hejmpqop.exe, Hnbaif32.exe, Hnbaif32.exe, Hgkfal32.exe, Ikfbbjdj.exe, Ieofkp32.exe, Ijkocg32.exe, Ingkdeak.exe, Icdcllpc.exe, Iiqldc32.exe, Imlhebfc.exe, Icfpbl32.exe, Iichjc32.exe, Iladfn32.exe, Ichmgl32.exe, Ilcalnii.exe, Jigbebhb.exe, Jhjbqo32.exe, Jbpfnh32.exe, Jijokbfp.exe, Jlhkgm32.exe, Jaecod32.exe, Jjnhhjjk.exe, Joidhh32.exe, Jdflqo32.exe, Jokqnhpa.exe, Jmnqje32.exe, Jkbaci32.exe, Jieaofmp.exe, Kalipcmb.exe, Kmcjedcg.exe, Klfjpa32.exe, Kenoifpb.exe, Kmegjdad.exe, Klhgfq32.exe, Kofcbl32.exe, Kbbobkol.exe, Kilgoe32.exe, Khohkamc.exe, Kljdkpfl.exe, Kpfplo32.exe, Kcdlhj32.exe, Kechdf32.exe, Khadpa32.exe, Klmqapci.exe, Kcginj32.exe, Kajiigba.exe, Lhcafa32.exe, Lhcafa32.exe, Llomfpag.exe, Lkbmbl32.exe, Laleof32.exe, Legaoehg.exe
pid | Process
2168 | Gfnjne32.exe
2712 | Gjifodii.exe
2716 | Hofngkga.exe
2760 | Hfpfdeon.exe
2604 | Hinbppna.exe
2148 | Hbggif32.exe
624 | Hfbcidmk.exe
1124 | Hiqoeplo.exe
1484 | Hnnhngjf.exe
688 | Hbidne32.exe
2888 | Hkahgk32.exe
2436 | Hejmpqop.exe
3000 | Hnbaif32.exe
3004 | Hnbaif32.exe
2144 | Hgkfal32.exe
2104 | Ikfbbjdj.exe
1144 | Ieofkp32.exe
1620 | Ijkocg32.exe
680 | Ingkdeak.exe
2252 | Icdcllpc.exe
1544 | Iiqldc32.exe
2500 | Imlhebfc.exe
1040 | Icfpbl32.exe
2460 | Iichjc32.exe
2484 | Iladfn32.exe
2708 | Ichmgl32.exe
2828 | Ilcalnii.exe
2980 | Jigbebhb.exe
2572 | Jhjbqo32.exe
1976 | Jbpfnh32.exe
1744 | Jijokbfp.exe
2652 | Jlhkgm32.exe
2876 | Jaecod32.exe
2884 | Jjnhhjjk.exe
1092 | Joidhh32.exe
1276 | Jdflqo32.exe
772 | Jokqnhpa.exe
2920 | Jmnqje32.exe
1252 | Jkbaci32.exe
2384 | Jieaofmp.exe
448 | Kalipcmb.exe
1672 | Kmcjedcg.exe
2440 | Klfjpa32.exe
1552 | Kenoifpb.exe
1728 | Kmegjdad.exe
2308 | Klhgfq32.exe
792 | Kofcbl32.exe
2432 | Kbbobkol.exe
1608 | Kilgoe32.exe
2164 | Khohkamc.exe
1528 | Kljdkpfl.exe
2608 | Kpfplo32.exe
2644 | Kcdlhj32.exe
1696 | Kechdf32.exe
2900 | Khadpa32.exe
2320 | Klmqapci.exe
2952 | Kcginj32.exe
1104 | Kajiigba.exe
1432 | Lhcafa32.exe
1848 | Lhcafa32.exe
2748 | Llomfpag.exe
2976 | Lkbmbl32.exe
1712 | Laleof32.exe
1704 | Legaoehg.exe
Loads dropped DLL 64 IoCs
Processes: 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe, Gfnjne32.exe, Gjifodii.exe, Hofngkga.exe, Hfpfdeon.exe, Hinbppna.exe, Hbggif32.exe, Hfbcidmk.exe, Hiqoeplo.exe, Hnnhngjf.exe, Hbidne32.exe, Hkahgk32.exe, Hejmpqop.exe, Hnbaif32.exe, Hnbaif32.exe, Hgkfal32.exe, Ikfbbjdj.exe, Ieofkp32.exe, Ijkocg32.exe, Ingkdeak.exe, Icdcllpc.exe, Iiqldc32.exe, Imlhebfc.exe, Icfpbl32.exe, Iichjc32.exe, Iladfn32.exe, Ichmgl32.exe, Ilcalnii.exe, Jigbebhb.exe, Jhjbqo32.exe, Jbpfnh32.exe, Jijokbfp.exe
pid | Process
2224 | 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe
2224 | 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe
2168 | Gfnjne32.exe
2168 | Gfnjne32.exe
2712 | Gjifodii.exe
2712 | Gjifodii.exe
2716 | Hofngkga.exe
2716 | Hofngkga.exe
2760 | Hfpfdeon.exe
2760 | Hfpfdeon.exe
2604 | Hinbppna.exe
2604 | Hinbppna.exe
2148 | Hbggif32.exe
2148 | Hbggif32.exe
624 | Hfbcidmk.exe
624 | Hfbcidmk.exe
1124 | Hiqoeplo.exe
1124 | Hiqoeplo.exe
1484 | Hnnhngjf.exe
1484 | Hnnhngjf.exe
688 | Hbidne32.exe
688 | Hbidne32.exe
2888 | Hkahgk32.exe
2888 | Hkahgk32.exe
2436 | Hejmpqop.exe
2436 | Hejmpqop.exe
3000 | Hnbaif32.exe
3000 | Hnbaif32.exe
3004 | Hnbaif32.exe
3004 | Hnbaif32.exe
2144 | Hgkfal32.exe
2144 | Hgkfal32.exe
2104 | Ikfbbjdj.exe
2104 | Ikfbbjdj.exe
1144 | Ieofkp32.exe
1144 | Ieofkp32.exe
1620 | Ijkocg32.exe
1620 | Ijkocg32.exe
680 | Ingkdeak.exe
680 | Ingkdeak.exe
2252 | Icdcllpc.exe
2252 | Icdcllpc.exe
1544 | Iiqldc32.exe
1544 | Iiqldc32.exe
2500 | Imlhebfc.exe
2500 | Imlhebfc.exe
1040 | Icfpbl32.exe
1040 | Icfpbl32.exe
2460 | Iichjc32.exe
2460 | Iichjc32.exe
2484 | Iladfn32.exe
2484 | Iladfn32.exe
2708 | Ichmgl32.exe
2708 | Ichmgl32.exe
2828 | Ilcalnii.exe
2828 | Ilcalnii.exe
2980 | Jigbebhb.exe
2980 | Jigbebhb.exe
2572 | Jhjbqo32.exe
2572 | Jhjbqo32.exe
1976 | Jbpfnh32.exe
1976 | Jbpfnh32.exe
1744 | Jijokbfp.exe
1744 | Jijokbfp.exe
Drops file in System32 directory 64 IoCs
Processes: Ojeobm32.exe, Djocbqpb.exe, Kpgionie.exe, Ngpqfp32.exe, Lkbmbl32.exe, Mdogedmh.exe, Ncpdbohb.exe, Paocnkph.exe, Efjmbaba.exe, Klecfkff.exe, Kcginj32.exe, Lgingm32.exe, Obeacl32.exe, Pddjlb32.exe, Fooembgb.exe, Hinbppna.exe, Ibfmmb32.exe, Goldfelp.exe, Nijpdfhm.exe, Bjjaikoa.exe, Blinefnd.exe, Cfoaho32.exe, Ljigih32.exe, Nqmnjd32.exe, Bfcodkcb.exe, Fcqjfeja.exe, Nbeedh32.exe, Nmcopebh.exe, Jfjolf32.exe, Hejmpqop.exe, Jjhgbd32.exe, Khldkllj.exe, Adipfd32.exe, Pjleclph.exe, Gqdgom32.exe, Ikldqile.exe, Ieibdnnp.exe, Lhcafa32.exe, Cgnnab32.exe, Giolnomh.exe, Icfpbl32.exe, Epnhpglg.exe, Fmfocnjg.exe, Ioeclg32.exe, Nflchkii.exe, Lgingm32.exe, Cjhabndo.exe, Gockgdeh.exe, Hhkopj32.exe, Iocgfhhc.exe, Hnbaif32.exe, Hclfag32.exe, Koflgf32.exe, Bcpimq32.exe, Mqehjecl.exe, Agbbgqhh.exe, Hnbaif32.exe, Khadpa32.exe, Ncinap32.exe, Dgnjqe32.exe, Ijaaae32.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\Omckoi32.exe | Ojeobm32.exe
File opened for modification | C:\Windows\SysWOW64\Dnjoco32.exe | Djocbqpb.exe
File opened for modification | C:\Windows\SysWOW64\Khnapkjg.exe | Kpgionie.exe
File created | C:\Windows\SysWOW64\Dcjjhc32.dll | Ngpqfp32.exe
File created | C:\Windows\SysWOW64\Ahdkab32.dll | Lkbmbl32.exe
File created | C:\Windows\SysWOW64\Mkpdghaq.dll | Mdogedmh.exe
File created | C:\Windows\SysWOW64\Ofnpnkgf.exe | Ncpdbohb.exe
File opened for modification | C:\Windows\SysWOW64\Qiflohqk.exe | Paocnkph.exe
File opened for modification | C:\Windows\SysWOW64\Eihjolae.exe | Efjmbaba.exe
File created | C:\Windows\SysWOW64\Kjhcag32.exe | Klecfkff.exe
File opened for modification | C:\Windows\SysWOW64\Kajiigba.exe | Kcginj32.exe
File created | C:\Windows\SysWOW64\Lgingm32.exe | Lgingm32.exe
File opened for modification | C:\Windows\SysWOW64\Oecmogln.exe | Obeacl32.exe
File created | C:\Windows\SysWOW64\Jlhdnf32.dll | Pddjlb32.exe
File created | C:\Windows\SysWOW64\Famaimfe.exe | Fooembgb.exe
File created | C:\Windows\SysWOW64\Nkmggbfb.dll | Hinbppna.exe
File created | C:\Windows\SysWOW64\Iipejmko.exe | Ibfmmb32.exe
File created | C:\Windows\SysWOW64\Ojacgdmh.dll | Goldfelp.exe
File created | C:\Windows\SysWOW64\Nmflee32.exe | Nijpdfhm.exe
File created | C:\Windows\SysWOW64\Ginaep32.dll | Bjjaikoa.exe
File opened for modification | C:\Windows\SysWOW64\Bogjaamh.exe | Blinefnd.exe
File created | C:\Windows\SysWOW64\Cnejim32.exe | Cfoaho32.exe
File created | C:\Windows\SysWOW64\Dokmejcg.dll | Ljigih32.exe
File created | C:\Windows\SysWOW64\Nppofado.exe | Nqmnjd32.exe
File created | C:\Windows\SysWOW64\Nklcci32.dll | Bfcodkcb.exe
File created | C:\Windows\SysWOW64\Fganph32.dll | Fcqjfeja.exe
File created | C:\Windows\SysWOW64\Nqhepeai.exe | Nbeedh32.exe
File created | C:\Windows\SysWOW64\Nqokpd32.exe | Nmcopebh.exe
File opened for modification | C:\Windows\SysWOW64\Cnejim32.exe | Cfoaho32.exe
File created | C:\Windows\SysWOW64\Jnagmc32.exe | Jfjolf32.exe
File created | C:\Windows\SysWOW64\Ekhnnojb.dll | Jfjolf32.exe
File opened for modification | C:\Windows\SysWOW64\Hnbaif32.exe | Hejmpqop.exe
File opened for modification | C:\Windows\SysWOW64\Jikhnaao.exe | Jjhgbd32.exe
File created | C:\Windows\SysWOW64\Kcjeje32.dll | Khldkllj.exe
File opened for modification | C:\Windows\SysWOW64\Agglbp32.exe | Adipfd32.exe
File created | C:\Windows\SysWOW64\Bbjjjgna.dll | Pjleclph.exe
File created | C:\Windows\SysWOW64\Eioigi32.dll | Gqdgom32.exe
File created | C:\Windows\SysWOW64\Mgqbajfj.dll | Ikldqile.exe
File created | C:\Windows\SysWOW64\Mjcccnbp.dll | Ibfmmb32.exe
File created | C:\Windows\SysWOW64\Kobgmfjh.dll | Ieibdnnp.exe
File created | C:\Windows\SysWOW64\Lhcafa32.exe | Lhcafa32.exe
File opened for modification | C:\Windows\SysWOW64\Cjljnn32.exe | Cgnnab32.exe
File created | C:\Windows\SysWOW64\Glnhjjml.exe | Giolnomh.exe
File created | C:\Windows\SysWOW64\Jlnaae32.dll | Icfpbl32.exe
File opened for modification | C:\Windows\SysWOW64\Edidqf32.exe | Epnhpglg.exe
File created | C:\Windows\SysWOW64\Hjleia32.dll | Fmfocnjg.exe
File opened for modification | C:\Windows\SysWOW64\Inhdgdmk.exe | Ioeclg32.exe
File opened for modification | C:\Windows\SysWOW64\Nijpdfhm.exe | Nflchkii.exe
File created | C:\Windows\SysWOW64\Lopfhk32.exe | Lgingm32.exe
File created | C:\Windows\SysWOW64\Cmfmojcb.exe | Cjhabndo.exe
File created | C:\Windows\SysWOW64\Gaagcpdl.exe | Gockgdeh.exe
File created | C:\Windows\SysWOW64\Hgnokgcc.exe | Hhkopj32.exe
File created | C:\Windows\SysWOW64\Lpfhdddb.dll | Iocgfhhc.exe
File created | C:\Windows\SysWOW64\Hgkfal32.exe | Hnbaif32.exe
File opened for modification | C:\Windows\SysWOW64\Hbofmcij.exe | Hclfag32.exe
File created | C:\Windows\SysWOW64\Hhhamf32.dll | Koflgf32.exe
File opened for modification | C:\Windows\SysWOW64\Bacihmoo.exe | Bcpimq32.exe
File created | C:\Windows\SysWOW64\Ngpqfp32.exe | Mqehjecl.exe
File created | C:\Windows\SysWOW64\Mieibq32.dll | Agbbgqhh.exe
File created | C:\Windows\SysWOW64\Hnbaif32.exe | Hnbaif32.exe
File created | C:\Windows\SysWOW64\Klmqapci.exe | Khadpa32.exe
File created | C:\Windows\SysWOW64\Ngdjaofc.exe | Ncinap32.exe
File opened for modification | C:\Windows\SysWOW64\Djlfma32.exe | Dgnjqe32.exe
File created | C:\Windows\SysWOW64\Ibhicbao.exe | Ijaaae32.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | Process | procid_target
6012 | 5988 | WerFault.exe | 478
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Fdnjkh32.exe, Gmhkin32.exe, Khldkllj.exe, Bbhccm32.exe, Cidddj32.exe, Fdiqpigl.exe, Ilcalnii.exe, Fgocmc32.exe, Ikqnlh32.exe, Lpcoeb32.exe, Pjihmmbk.exe, Emdeok32.exe, Fhgifgnb.exe, Jgjkfi32.exe, Hnbaif32.exe, Nqjaeeog.exe, Bacihmoo.exe, Afliclij.exe, Ckbpqe32.exe, Dhbdleol.exe, Bjjaikoa.exe, Hofngkga.exe, Iichjc32.exe, Kofcbl32.exe, Nppofado.exe, Ohipla32.exe, Glnhjjml.exe, Kechdf32.exe, Mcknhm32.exe, Ngbmlo32.exe, Fhbpkh32.exe, Hfpfdeon.exe, Ppfafcpb.exe, Cjogcm32.exe, Icfpbl32.exe, Bfabnl32.exe, Eihjolae.exe, Kmfpmc32.exe, Mokilo32.exe, Ajckilei.exe, Jjhgbd32.exe, Jieaofmp.exe, Qkghgpfi.exe, Omckoi32.exe, Bbllnlfd.exe, Fkhbgbkc.exe, Gecpnp32.exe, Gqdgom32.exe, Ijaaae32.exe, Jijokbfp.exe, Ojeobm32.exe, Pjleclph.exe, Khadpa32.exe, Ahmefdcp.exe, Ibhicbao.exe, Bqolji32.exe, Ccnifd32.exe, Jigbebhb.exe, Kcdlhj32.exe, Mneohj32.exe, Qobdgo32.exe, Dgnjqe32.exe, Hjmlhbbg.exe, Hcjilgdb.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdnjkh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmhkin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khldkllj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbhccm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cidddj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdiqpigl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilcalnii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgocmc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikqnlh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpcoeb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjihmmbk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emdeok32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhgifgnb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgjkfi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnbaif32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nqjaeeog.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bacihmoo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afliclij.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckbpqe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhbdleol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjjaikoa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hofngkga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iichjc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kofcbl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nppofado.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohipla32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glnhjjml.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kechdf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcknhm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngbmlo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhbpkh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfpfdeon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ppfafcpb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjogcm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icfpbl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfabnl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eihjolae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmfpmc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mokilo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajckilei.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjhgbd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jieaofmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qkghgpfi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omckoi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbllnlfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkhbgbkc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gecpnp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqdgom32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijaaae32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jijokbfp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojeobm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjleclph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khadpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahmefdcp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibhicbao.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqolji32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccnifd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jigbebhb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcdlhj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mneohj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qobdgo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgnjqe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjmlhbbg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hcjilgdb.exe
Modifies registry class 64 IoCs
Processes: Ncpdbohb.exe, Icfpbl32.exe, Jaecod32.exe, Gcedad32.exe, Cjogcm32.exe, Dihmpinj.exe, Bolcma32.exe, Jjjdhc32.exe, Llpfjomf.exe, Jhjbqo32.exe, Bhkeohhn.exe, Jpbcek32.exe, 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe, Pfbfhm32.exe, Bhonjg32.exe, Klecfkff.exe, Joidhh32.exe, Aacmij32.exe, Pdbmfb32.exe, Khldkllj.exe, Lhhkapeh.exe, Mqehjecl.exe, Ajckilei.exe, Djjjga32.exe, Eppefg32.exe, Efjmbaba.exe, Gncnmane.exe, Ikldqile.exe, Nflchkii.exe, Nijpdfhm.exe, Kenhopmf.exe, Ncfalqpm.exe, Feachqgb.exe, Kkmmlgik.exe, Hbidne32.exe, Kpfplo32.exe, Mbqkiind.exe, Nggggoda.exe, Efedga32.exe, Eicpcm32.exe, Feddombd.exe, Jdflqo32.exe, Ldahkaij.exe, Goldfelp.exe, Pmjaohol.exe, Qoeamo32.exe, Eknpadcn.exe, Gamnhq32.exe, Icifjk32.exe, Lgingm32.exe, Opfegp32.exe, Nnnbni32.exe, Anljck32.exe, Ajehnk32.exe, Hbggif32.exe, Jjnhhjjk.exe, Omckoi32.exe, Djlfma32.exe, Hbofmcij.exe, Ciagojda.exe, Epnhpglg.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncpdbohb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnaae32.dll" | Icfpbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmaebf32.dll" | Jaecod32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gcedad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjogcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmokcbh.dll" | Dihmpinj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhdpd32.dll" | Bolcma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknbhi32.dll" | Jjjdhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llpfjomf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbbhfld.dll" | Jhjbqo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bolcma32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhkeohhn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jpbcek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnlcm32.dll" | 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfbfhm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhonjg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Klecfkff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Joidhh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aacmij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkiehdc.dll" | Pdbmfb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Khldkllj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lhhkapeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mqehjecl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajckilei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Djjjga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eppefg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efjmbaba.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gncnmane.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ikldqile.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nflchkii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokhie32.dll" | Nijpdfhm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kenhopmf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncfalqpm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Feachqgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll" | Kkmmlgik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conobqhi.dll" | Hbidne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kpfplo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchdgl32.dll" | Mbqkiind.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nggggoda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gocbagqd.dll" | Efedga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eicpcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdck32.dll" | Feddombd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gcedad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jdflqo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ldahkaij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Goldfelp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jjjdhc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pmjaohol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgefgpha.dll" | Qoeamo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebepdj32.dll" | Eknpadcn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gamnhq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Icifjk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lgingm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Opfegp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdapnj32.dll" | Nnnbni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Anljck32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajehnk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hbggif32.exe
Set value (str) |
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjnhhjjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omckoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djlfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbofmcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhgoifc.dll" Ciagojda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcnllk32.dll" Epnhpglg.exe -
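The registry writes above are a two-part persistence: a value under ShellServiceObjectDelayLoad (SSODL) names a CLSID, and that CLSID's InProcServer32 key points at a dropped DLL in SysWow64, so Explorer.exe loads the DLL at every logon. The script below is an added hunting check, not code from the sample or from the sandbox report. It reuses the CLSID and the "Web Event Logger" value name logged here, resolves every SSODL entry to its server DLL in both registry views, and flags dangling entries, missing or unsigned DLLs, and DLL names shaped like the ones this sample drops. The naming heuristic and the choice to report rather than remediate are my assumptions; run it in an elevated PowerShell 5.1 or later session.

```powershell
# Added example: hunt for ShellServiceObjectDelayLoad (SSODL) persistence of the kind
# logged in this report. Explorer.exe instantiates every CLSID listed under SSODL at
# logon and loads the DLL named in that CLSID's InProcServer32 key. Not the sample's
# code and not part of the sandbox report; run in an elevated PowerShell session.

# Values taken from the registry writes above. A rebuilt sample may use others, so the
# signature and name checks below do not depend on them.
$KnownBadClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'
$KnownBadName  = 'Web Event Logger'

# Both registry views. A 32-bit process on x64 Windows is redirected into Wow6432Node,
# which is why every write in the report lands there; a 64-bit dropper would hit the
# native key instead.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

function Get-InProcServer32 {
    param([string]$Clsid)
    # Resolve the CLSID to its in-process server DLL, checking the HKLM native view,
    # the Wow6432Node view and HKCU (per-user COM hijacks live there).
    $candidates = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InProcServer32",
        "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid\InProcServer32",
        "HKCU:\SOFTWARE\Classes\CLSID\$Clsid\InProcServer32"
    )
    foreach ($key in $candidates) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $dll = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ($dll) {
            return [PSCustomObject]@{
                Key = $key
                Dll = [Environment]::ExpandEnvironmentVariables([string]$dll).Trim('"')
            }
        }
    }
    return $null
}

$findings = foreach ($ssodl in $SsodlKeys) {
    if (-not (Test-Path -LiteralPath $ssodl)) { continue }
    $key = Get-Item -LiteralPath $ssodl
    foreach ($valueName in $key.GetValueNames()) {
        $clsid   = [string]$key.GetValue($valueName)
        $server  = Get-InProcServer32 -Clsid $clsid
        $reasons = @()

        if ($clsid -ieq $KnownBadClsid -or $valueName -ieq $KnownBadName) {
            $reasons += 'CLSID or value name matches this report'
        }
        if (-not $server) {
            $reasons += 'CLSID has no InProcServer32 (dangling SSODL entry)'
        } elseif (-not (Test-Path -LiteralPath $server.Dll)) {
            $reasons += 'server DLL missing on disk'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $server.Dll
            if ($sig.Status -ne 'Valid') {
                $reasons += "server DLL signature status $($sig.Status)"
            }
            # Name shape used by every DLL this sample registers (e.g. Pknbhi32.dll,
            # Olbbhfld.dll): eight letters, or six letters followed by "32". Weak on its
            # own (regsvr32.dll-style system names match too), so it is only reported
            # alongside the checks above.
            if ((Split-Path -Path $server.Dll -Leaf) -match '^[A-Za-z]{6}(?:32|[A-Za-z]{2})\.dll$') {
                $reasons += 'DLL name matches the dropper naming pattern'
            }
        }

        [PSCustomObject]@{
            SsodlKey   = $ssodl
            ValueName  = $valueName
            Clsid      = $clsid
            ServerKey  = if ($server) { $server.Key } else { $null }
            Dll        = if ($server) { $server.Dll } else { $null }
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Treat the output as a triage list rather than a verdict: legitimate SSODL entries exist on a clean Windows install, and a system DLL that is catalog-signed rather than carrying an embedded Authenticode signature can show a status other than Valid on older Windows builds. An entry whose CLSID resolves to an unsigned DLL in SysWow64 with a throwaway name, as every DLL in the list above is, is the combination worth pulling for analysis.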
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe, Gfnjne32.exe, Gjifodii.exe, Hofngkga.exe, Hfpfdeon.exe, Hinbppna.exe, Hbggif32.exe, Hfbcidmk.exe, Hiqoeplo.exe, Hnnhngjf.exe, Hbidne32.exe, Hkahgk32.exe, Hejmpqop.exe, Hnbaif32.exe, Hnbaif32.exe, Hgkfal32.exe
description (each of the 16 parent/child pairs is logged four times, 64 IoCs in total) | pid | Process | procid_target
PID 2224 wrote to memory of 2168 | 2224 | 075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe | 30
PID 2168 wrote to memory of 2712 | 2168 | Gfnjne32.exe | 31
PID 2712 wrote to memory of 2716 | 2712 | Gjifodii.exe | 32
PID 2716 wrote to memory of 2760 | 2716 | Hofngkga.exe | 33
PID 2760 wrote to memory of 2604 | 2760 | Hfpfdeon.exe | 34
PID 2604 wrote to memory of 2148 | 2604 | Hinbppna.exe | 35
PID 2148 wrote to memory of 624 | 2148 | Hbggif32.exe | 36
PID 624 wrote to memory of 1124 | 624 | Hfbcidmk.exe | 37
PID 1124 wrote to memory of 1484 | 1124 | Hiqoeplo.exe | 38
PID 1484 wrote to memory of 688 | 1484 | Hnnhngjf.exe | 39
PID 688 wrote to memory of 2888 | 688 | Hbidne32.exe | 40
PID 2888 wrote to memory of 2436 | 2888 | Hkahgk32.exe | 41
PID 2436 wrote to memory of 3000 | 2436 | Hejmpqop.exe | 42
PID 3000 wrote to memory of 3004 | 3000 | Hnbaif32.exe | 43
PID 3004 wrote to memory of 2144 | 3004 | Hnbaif32.exe | 44
PID 2144 wrote to memory of 2104 | 2144 | Hgkfal32.exe | 45
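Every "wrote to memory" row above is a parent writing into the child it has just created: each process in the chain drops a copy of itself into SysWOW64 under a new eight-letter name, starts it, and exits the loop to the next link. The four identical rows per pair are consistent with the writes CreateProcess makes into a new child during start-up (the process parameters block) rather than with injection into an unrelated process, so the durable signal on a host is the chain itself: a long parent-to-child run of unsigned, look-alike images. The script below is an added detection example, not code from the report or the sample. It walks the live process table with Win32_Process, counts consecutive look-alike ancestors for every process, and reports chains of three or more. The minimum chain length, the name regex and the use of SysWOW64 as the image directory (the command lines above say system32, but WoW64 file-system redirection places the 32-bit image in SysWOW64) are my assumptions drawn from this tree.

```powershell
# Added example: flag the chained-spawn pattern recorded above on a live host. The
# sample copies itself to C:\Windows\SysWOW64\<8 letters>.exe, starts the copy, and
# that copy repeats the step, so the signal is a long parent->child run of such images.
# Not the sample's code and not part of the report; run elevated so ExecutablePath is
# populated for every process.

$MinChainLength = 3   # assumption: three linked look-alike processes is already abnormal

$script:procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
$script:byPid = @{}
foreach ($p in $script:procs) { $script:byPid[[int]$p.ProcessId] = $p }
$script:sigCache = @{}   # signature status per image path, so each file is checked once

function Test-LookAlikeImage {
    param($Proc)
    # Matches the images in the tree above: located in SysWOW64, named with eight
    # letters or six letters plus "32", and carrying no valid Authenticode signature.
    if (-not $Proc.ExecutablePath) { return $false }
    $inSysWow = $Proc.ExecutablePath -ilike "$env:SystemRoot\SysWOW64\*"
    $nameOk   = $Proc.Name -match '^[A-Za-z]{6}(?:32|[A-Za-z]{2})\.exe$'
    if (-not ($inSysWow -and $nameOk)) { return $false }
    $path = $Proc.ExecutablePath
    if (-not $script:sigCache.ContainsKey($path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $script:sigCache[$path] = if ($sig) { [string]$sig.Status } else { 'Unknown' }
    }
    return $script:sigCache[$path] -ne 'Valid'
}

function Get-ChainLength {
    param([int]$ProcessId)
    # Count the process plus every consecutive look-alike ancestor. PIDs are reused,
    # so stop on a cycle as well as on the first parent that does not match.
    $length = 0
    $seen   = @{}
    $cur    = $script:byPid[$ProcessId]
    while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId) -and (Test-LookAlikeImage -Proc $cur)) {
        $seen[[int]$cur.ProcessId] = $true
        $length++
        $cur = $script:byPid[[int]$cur.ParentProcessId]
    }
    return $length
}

$hits = foreach ($p in $script:procs) {
    $len = Get-ChainLength -ProcessId ([int]$p.ProcessId)
    if ($len -ge $MinChainLength) {
        [PSCustomObject]@{
            PID         = $p.ProcessId
            PPID        = $p.ParentProcessId
            Image       = $p.ExecutablePath
            CommandLine = $p.CommandLine
            ChainLength = $len
        }
    }
}

$hits | Sort-Object -Property ChainLength -Descending | Format-Table -AutoSize -Wrap
```

Because each link in this chain exits after starting the next one, a snapshot of the process table may only catch the last few members; the ChainLength column therefore understates the true depth, and the same logic is better applied to process-creation telemetry (Sysmon event 1 or Security event 4688) where the full parent history is retained. The name regex also matches a few genuine system binaries such as rundll32.exe and regsvr32.exe, which is why the signature check, not the name, decides membership.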
Processes
-
One line per process: depth in the tree (each process is the child of the one at the previous depth, so depths 1 to 122 form a single chain), image path, command line as recorded, PID, and the signatures attributed to that process.
1  C:\Users\Admin\AppData\Local\Temp\075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe  cmdline "C:\Users\Admin\AppData\Local\Temp\075e350a3c6d4655a92a9beb66adf51306e170496f65356ebc410a070da0b078.exe"  PID 2224  [Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory]
2  C:\Windows\SysWOW64\Gfnjne32.exe  cmdline C:\Windows\system32\Gfnjne32.exe  PID 2168  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
3  C:\Windows\SysWOW64\Gjifodii.exe  cmdline C:\Windows\system32\Gjifodii.exe  PID 2712  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
4  C:\Windows\SysWOW64\Hofngkga.exe  cmdline C:\Windows\system32\Hofngkga.exe  PID 2716  [Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
5  C:\Windows\SysWOW64\Hfpfdeon.exe  cmdline C:\Windows\system32\Hfpfdeon.exe  PID 2760  [Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
6  C:\Windows\SysWOW64\Hinbppna.exe  cmdline C:\Windows\system32\Hinbppna.exe  PID 2604  [Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory]
7  C:\Windows\SysWOW64\Hbggif32.exe  cmdline C:\Windows\system32\Hbggif32.exe  PID 2148  [Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory]
8  C:\Windows\SysWOW64\Hfbcidmk.exe  cmdline C:\Windows\system32\Hfbcidmk.exe  PID 624  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
9  C:\Windows\SysWOW64\Hiqoeplo.exe  cmdline C:\Windows\system32\Hiqoeplo.exe  PID 1124  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
10  C:\Windows\SysWOW64\Hnnhngjf.exe  cmdline C:\Windows\system32\Hnnhngjf.exe  PID 1484  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
11  C:\Windows\SysWOW64\Hbidne32.exe  cmdline C:\Windows\system32\Hbidne32.exe  PID 688  [Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory]
12  C:\Windows\SysWOW64\Hkahgk32.exe  cmdline C:\Windows\system32\Hkahgk32.exe  PID 2888  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
13  C:\Windows\SysWOW64\Hejmpqop.exe  cmdline C:\Windows\system32\Hejmpqop.exe  PID 2436  [Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory]
14  C:\Windows\SysWOW64\Hnbaif32.exe  cmdline C:\Windows\system32\Hnbaif32.exe  PID 3000  [Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory]
15  C:\Windows\SysWOW64\Hnbaif32.exe  cmdline C:\Windows\system32\Hnbaif32.exe  PID 3004  [Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
16  C:\Windows\SysWOW64\Hgkfal32.exe  cmdline C:\Windows\system32\Hgkfal32.exe  PID 2144  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
17  C:\Windows\SysWOW64\Ikfbbjdj.exe  cmdline C:\Windows\system32\Ikfbbjdj.exe  PID 2104  [Executes dropped EXE; Loads dropped DLL]
18  C:\Windows\SysWOW64\Ieofkp32.exe  cmdline C:\Windows\system32\Ieofkp32.exe  PID 1144  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL]
19  C:\Windows\SysWOW64\Ijkocg32.exe  cmdline C:\Windows\system32\Ijkocg32.exe  PID 1620  [Executes dropped EXE; Loads dropped DLL]
20  C:\Windows\SysWOW64\Ingkdeak.exe  cmdline C:\Windows\system32\Ingkdeak.exe  PID 680  [Executes dropped EXE; Loads dropped DLL]
21  C:\Windows\SysWOW64\Icdcllpc.exe  cmdline C:\Windows\system32\Icdcllpc.exe  PID 2252  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL]
22  C:\Windows\SysWOW64\Iiqldc32.exe  cmdline C:\Windows\system32\Iiqldc32.exe  PID 1544  [Executes dropped EXE; Loads dropped DLL]
23  C:\Windows\SysWOW64\Imlhebfc.exe  cmdline C:\Windows\system32\Imlhebfc.exe  PID 2500  [Executes dropped EXE; Loads dropped DLL]
24  C:\Windows\SysWOW64\Icfpbl32.exe  cmdline C:\Windows\system32\Icfpbl32.exe  PID 1040  [Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class]
25  C:\Windows\SysWOW64\Iichjc32.exe  cmdline C:\Windows\system32\Iichjc32.exe  PID 2460  [Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery]
26  C:\Windows\SysWOW64\Iladfn32.exe  cmdline C:\Windows\system32\Iladfn32.exe  PID 2484  [Executes dropped EXE; Loads dropped DLL]
27  C:\Windows\SysWOW64\Ichmgl32.exe  cmdline C:\Windows\system32\Ichmgl32.exe  PID 2708  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL]
28  C:\Windows\SysWOW64\Ilcalnii.exe  cmdline C:\Windows\system32\Ilcalnii.exe  PID 2828  [Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery]
29  C:\Windows\SysWOW64\Jigbebhb.exe  cmdline C:\Windows\system32\Jigbebhb.exe  PID 2980  [Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery]
30  C:\Windows\SysWOW64\Jhjbqo32.exe  cmdline C:\Windows\system32\Jhjbqo32.exe  PID 2572  [Executes dropped EXE; Loads dropped DLL; Modifies registry class]
31  C:\Windows\SysWOW64\Jbpfnh32.exe  cmdline C:\Windows\system32\Jbpfnh32.exe  PID 1976  [Executes dropped EXE; Loads dropped DLL]
32  C:\Windows\SysWOW64\Jijokbfp.exe  cmdline C:\Windows\system32\Jijokbfp.exe  PID 1744  [Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery]
33  C:\Windows\SysWOW64\Jlhkgm32.exe  cmdline C:\Windows\system32\Jlhkgm32.exe  PID 2652  [Executes dropped EXE]
34  C:\Windows\SysWOW64\Jaecod32.exe  cmdline C:\Windows\system32\Jaecod32.exe  PID 2876  [Executes dropped EXE; Modifies registry class]
35  C:\Windows\SysWOW64\Jjnhhjjk.exe  cmdline C:\Windows\system32\Jjnhhjjk.exe  PID 2884  [Executes dropped EXE; Modifies registry class]
36  C:\Windows\SysWOW64\Joidhh32.exe  cmdline C:\Windows\system32\Joidhh32.exe  PID 1092  [Executes dropped EXE; Modifies registry class]
37  C:\Windows\SysWOW64\Jdflqo32.exe  cmdline C:\Windows\system32\Jdflqo32.exe  PID 1276  [Executes dropped EXE; Modifies registry class]
38  C:\Windows\SysWOW64\Jokqnhpa.exe  cmdline C:\Windows\system32\Jokqnhpa.exe  PID 772  [Executes dropped EXE]
39  C:\Windows\SysWOW64\Jmnqje32.exe  cmdline C:\Windows\system32\Jmnqje32.exe  PID 2920  [Executes dropped EXE]
40  C:\Windows\SysWOW64\Jkbaci32.exe  cmdline C:\Windows\system32\Jkbaci32.exe  PID 1252  [Executes dropped EXE]
41  C:\Windows\SysWOW64\Jieaofmp.exe  cmdline C:\Windows\system32\Jieaofmp.exe  PID 2384  [Executes dropped EXE; System Location Discovery: System Language Discovery]
42  C:\Windows\SysWOW64\Kalipcmb.exe  cmdline C:\Windows\system32\Kalipcmb.exe  PID 448  [Executes dropped EXE]
43  C:\Windows\SysWOW64\Kmcjedcg.exe  cmdline C:\Windows\system32\Kmcjedcg.exe  PID 1672  [Executes dropped EXE]
44  C:\Windows\SysWOW64\Klfjpa32.exe  cmdline C:\Windows\system32\Klfjpa32.exe  PID 2440  [Executes dropped EXE]
45  C:\Windows\SysWOW64\Kenoifpb.exe  cmdline C:\Windows\system32\Kenoifpb.exe  PID 1552  [Executes dropped EXE]
46  C:\Windows\SysWOW64\Kmegjdad.exe  cmdline C:\Windows\system32\Kmegjdad.exe  PID 1728  [Executes dropped EXE]
47  C:\Windows\SysWOW64\Klhgfq32.exe  cmdline C:\Windows\system32\Klhgfq32.exe  PID 2308  [Executes dropped EXE]
48  C:\Windows\SysWOW64\Kofcbl32.exe  cmdline C:\Windows\system32\Kofcbl32.exe  PID 792  [Executes dropped EXE; System Location Discovery: System Language Discovery]
49  C:\Windows\SysWOW64\Kbbobkol.exe  cmdline C:\Windows\system32\Kbbobkol.exe  PID 2432  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE]
50  C:\Windows\SysWOW64\Kilgoe32.exe  cmdline C:\Windows\system32\Kilgoe32.exe  PID 1608  [Executes dropped EXE]
51  C:\Windows\SysWOW64\Khohkamc.exe  cmdline C:\Windows\system32\Khohkamc.exe  PID 2164  [Executes dropped EXE]
52  C:\Windows\SysWOW64\Kljdkpfl.exe  cmdline C:\Windows\system32\Kljdkpfl.exe  PID 1528  [Executes dropped EXE]
53  C:\Windows\SysWOW64\Kpfplo32.exe  cmdline C:\Windows\system32\Kpfplo32.exe  PID 2608  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class]
54  C:\Windows\SysWOW64\Kcdlhj32.exe  cmdline C:\Windows\system32\Kcdlhj32.exe  PID 2644  [Executes dropped EXE; System Location Discovery: System Language Discovery]
55  C:\Windows\SysWOW64\Kechdf32.exe  cmdline C:\Windows\system32\Kechdf32.exe  PID 1696  [Executes dropped EXE; System Location Discovery: System Language Discovery]
56  C:\Windows\SysWOW64\Khadpa32.exe  cmdline C:\Windows\system32\Khadpa32.exe  PID 2900  [Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery]
57  C:\Windows\SysWOW64\Klmqapci.exe  cmdline C:\Windows\system32\Klmqapci.exe  PID 2320  [Executes dropped EXE]
58  C:\Windows\SysWOW64\Kcginj32.exe  cmdline C:\Windows\system32\Kcginj32.exe  PID 2952  [Executes dropped EXE; Drops file in System32 directory]
59  C:\Windows\SysWOW64\Kajiigba.exe  cmdline C:\Windows\system32\Kajiigba.exe  PID 1104  [Executes dropped EXE]
60  C:\Windows\SysWOW64\Lhcafa32.exe  cmdline C:\Windows\system32\Lhcafa32.exe  PID 1432  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory]
61  C:\Windows\SysWOW64\Lhcafa32.exe  cmdline C:\Windows\system32\Lhcafa32.exe  PID 1848  [Executes dropped EXE]
62  C:\Windows\SysWOW64\Llomfpag.exe  cmdline C:\Windows\system32\Llomfpag.exe  PID 2748  [Executes dropped EXE]
63  C:\Windows\SysWOW64\Lkbmbl32.exe  cmdline C:\Windows\system32\Lkbmbl32.exe  PID 2976  [Executes dropped EXE; Drops file in System32 directory]
64  C:\Windows\SysWOW64\Laleof32.exe  cmdline C:\Windows\system32\Laleof32.exe  PID 1712  [Executes dropped EXE]
65  C:\Windows\SysWOW64\Legaoehg.exe  cmdline C:\Windows\system32\Legaoehg.exe  PID 1704  [Executes dropped EXE]
66  C:\Windows\SysWOW64\Lgingm32.exe  cmdline C:\Windows\system32\Lgingm32.exe  PID 2340  [Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory]
67  C:\Windows\SysWOW64\Lgingm32.exe  cmdline C:\Windows\system32\Lgingm32.exe  PID 2520  [Drops file in System32 directory; Modifies registry class]
68  C:\Windows\SysWOW64\Lopfhk32.exe  cmdline C:\Windows\system32\Lopfhk32.exe  PID 1716
69  C:\Windows\SysWOW64\Lopfhk32.exe  cmdline C:\Windows\system32\Lopfhk32.exe  PID 2996  [Adds autorun key to be loaded by Explorer.exe on startup]
70  C:\Windows\SysWOW64\Lncfcgeb.exe  cmdline C:\Windows\system32\Lncfcgeb.exe  PID 2680
71  C:\Windows\SysWOW64\Lhhkapeh.exe  cmdline C:\Windows\system32\Lhhkapeh.exe  PID 2584  [Modifies registry class]
72  C:\Windows\SysWOW64\Ljigih32.exe  cmdline C:\Windows\system32\Ljigih32.exe  PID 2824  [Drops file in System32 directory]
73  C:\Windows\SysWOW64\Laqojfli.exe  cmdline C:\Windows\system32\Laqojfli.exe  PID 2620
74  C:\Windows\SysWOW64\Lpcoeb32.exe  cmdline C:\Windows\system32\Lpcoeb32.exe  PID 2244  [Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery]
75  C:\Windows\SysWOW64\Ldokfakl.exe  cmdline C:\Windows\system32\Ldokfakl.exe  PID 2612  [Adds autorun key to be loaded by Explorer.exe on startup]
76  C:\Windows\SysWOW64\Lgngbmjp.exe  cmdline C:\Windows\system32\Lgngbmjp.exe  PID 1656  [Adds autorun key to be loaded by Explorer.exe on startup]
77  C:\Windows\SysWOW64\Lkicbk32.exe  cmdline C:\Windows\system32\Lkicbk32.exe  PID 332
78  C:\Windows\SysWOW64\Lljpjchg.exe  cmdline C:\Windows\system32\Lljpjchg.exe  PID 2412
79  C:\Windows\SysWOW64\Ldahkaij.exe  cmdline C:\Windows\system32\Ldahkaij.exe  PID 2408  [Modifies registry class]
80  C:\Windows\SysWOW64\Lnjldf32.exe  cmdline C:\Windows\system32\Lnjldf32.exe  PID 2988
81  C:\Windows\SysWOW64\Llmmpcfe.exe  cmdline C:\Windows\system32\Llmmpcfe.exe  PID 1292
82  C:\Windows\SysWOW64\Mokilo32.exe  cmdline C:\Windows\system32\Mokilo32.exe  PID 872  [System Location Discovery: System Language Discovery]
83  C:\Windows\SysWOW64\Mcfemmna.exe  cmdline C:\Windows\system32\Mcfemmna.exe  PID 1268
84  C:\Windows\SysWOW64\Mfeaiime.exe  cmdline C:\Windows\system32\Mfeaiime.exe  PID 2636
85  C:\Windows\SysWOW64\Mhcmedli.exe  cmdline C:\Windows\system32\Mhcmedli.exe  PID 3020
86  C:\Windows\SysWOW64\Momfan32.exe  cmdline C:\Windows\system32\Momfan32.exe  PID 2688
87  C:\Windows\SysWOW64\Mciabmlo.exe  cmdline C:\Windows\system32\Mciabmlo.exe  PID 2692
88  C:\Windows\SysWOW64\Mfgnnhkc.exe  cmdline C:\Windows\system32\Mfgnnhkc.exe  PID 2624
89  C:\Windows\SysWOW64\Mjcjog32.exe  cmdline C:\Windows\system32\Mjcjog32.exe  PID 2284
90  C:\Windows\SysWOW64\Mkdffoij.exe  cmdline C:\Windows\system32\Mkdffoij.exe  PID 564
91  C:\Windows\SysWOW64\Mopbgn32.exe  cmdline C:\Windows\system32\Mopbgn32.exe  PID 532
92  C:\Windows\SysWOW64\Mcknhm32.exe  cmdline C:\Windows\system32\Mcknhm32.exe  PID 2912  [System Location Discovery: System Language Discovery]
93  C:\Windows\SysWOW64\Mbnocipg.exe  cmdline C:\Windows\system32\Mbnocipg.exe  PID 2424
94  C:\Windows\SysWOW64\Mdmkoepk.exe  cmdline C:\Windows\system32\Mdmkoepk.exe  PID 1380
95  C:\Windows\SysWOW64\Mhhgpc32.exe  cmdline C:\Windows\system32\Mhhgpc32.exe  PID 812
96  C:\Windows\SysWOW64\Mkfclo32.exe  cmdline C:\Windows\system32\Mkfclo32.exe  PID 2060
97  C:\Windows\SysWOW64\Mneohj32.exe  cmdline C:\Windows\system32\Mneohj32.exe  PID 988  [System Location Discovery: System Language Discovery]
98  C:\Windows\SysWOW64\Mbqkiind.exe  cmdline C:\Windows\system32\Mbqkiind.exe  PID 2784  [Modifies registry class]
99  C:\Windows\SysWOW64\Mdogedmh.exe  cmdline C:\Windows\system32\Mdogedmh.exe  PID 2108  [Drops file in System32 directory]
100  C:\Windows\SysWOW64\Mgmdapml.exe  cmdline C:\Windows\system32\Mgmdapml.exe  PID 1984  [Adds autorun key to be loaded by Explorer.exe on startup]
101  C:\Windows\SysWOW64\Mkipao32.exe  cmdline C:\Windows\system32\Mkipao32.exe  PID 2188
102  C:\Windows\SysWOW64\Mbchni32.exe  cmdline C:\Windows\system32\Mbchni32.exe  PID 2936
103  C:\Windows\SysWOW64\Mqehjecl.exe  cmdline C:\Windows\system32\Mqehjecl.exe  PID 784  [Drops file in System32 directory; Modifies registry class]
104  C:\Windows\SysWOW64\Ngpqfp32.exe  cmdline C:\Windows\system32\Ngpqfp32.exe  PID 2532  [Drops file in System32 directory]
105  C:\Windows\SysWOW64\Nkkmgncb.exe  cmdline C:\Windows\system32\Nkkmgncb.exe  PID 2368
106  C:\Windows\SysWOW64\Nbeedh32.exe  cmdline C:\Windows\system32\Nbeedh32.exe  PID 2016  [Drops file in System32 directory]
107  C:\Windows\SysWOW64\Nqhepeai.exe  cmdline C:\Windows\system32\Nqhepeai.exe  PID 1776
108  C:\Windows\SysWOW64\Ncfalqpm.exe  cmdline C:\Windows\system32\Ncfalqpm.exe  PID 2300  [Modifies registry class]
109  C:\Windows\SysWOW64\Ngbmlo32.exe  cmdline C:\Windows\system32\Ngbmlo32.exe  PID 1612  [System Location Discovery: System Language Discovery]
110  C:\Windows\SysWOW64\Nmofdf32.exe  cmdline C:\Windows\system32\Nmofdf32.exe  PID 2560
111  C:\Windows\SysWOW64\Nqjaeeog.exe  cmdline C:\Windows\system32\Nqjaeeog.exe  PID 2548  [System Location Discovery: System Language Discovery]
112  C:\Windows\SysWOW64\Ncinap32.exe  cmdline C:\Windows\system32\Ncinap32.exe  PID 2112  [Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory]
113  C:\Windows\SysWOW64\Ngdjaofc.exe  cmdline C:\Windows\system32\Ngdjaofc.exe  PID 776
114  C:\Windows\SysWOW64\Njbfnjeg.exe  cmdline C:\Windows\system32\Njbfnjeg.exe  PID 1752
115  C:\Windows\SysWOW64\Nnnbni32.exe  cmdline C:\Windows\system32\Nnnbni32.exe  PID 2276  [Modifies registry class]
116  C:\Windows\SysWOW64\Nqmnjd32.exe  cmdline C:\Windows\system32\Nqmnjd32.exe  PID 1592  [Drops file in System32 directory]
117  C:\Windows\SysWOW64\Nppofado.exe  cmdline C:\Windows\system32\Nppofado.exe  PID 2036  [System Location Discovery: System Language Discovery]
118  C:\Windows\SysWOW64\Nggggoda.exe  cmdline C:\Windows\system32\Nggggoda.exe  PID 2068  [Modifies registry class]
119  C:\Windows\SysWOW64\Njeccjcd.exe  cmdline C:\Windows\system32\Njeccjcd.exe  PID 1576
120  C:\Windows\SysWOW64\Nmcopebh.exe  cmdline C:\Windows\system32\Nmcopebh.exe  PID 2580  [Drops file in System32 directory]
121  C:\Windows\SysWOW64\Nqokpd32.exe  cmdline C:\Windows\system32\Nqokpd32.exe  PID 2124
122  C:\Windows\SysWOW64\Npbklabl.exe  cmdline C:\Windows\system32\Npbklabl.exe  PID 2868