Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 18:49
Static task
static1
Behavioral task
behavioral1
Sample
2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe
Resource
win10v2004-20241007-en
General
-
Target
2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe
-
Size
108KB
-
MD5
cb06afca7b65e4a599bab3f9f1ffc400
-
SHA1
54caff593402574c734e70ddf5d7e6087f87beb2
-
SHA256
2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239
-
SHA512
939ef76b7b25f2f40d35f85f91286d5a91882874fd57231c02118f34582d79da7ba5fdf398f9eb5511b04393a3fd1198337d99b40356d71ac88edb34703a6691
-
SSDEEP
1536:sBwjMg4BWZSs6U9MwB+rjm8NiIqhn3HQ8BawTj2wQ3K:4un6UVUjmOiBn3w8BdTj2h3K
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Iakino32.exeApgagg32.exeDanpemej.exeInbnhihl.exeKcginj32.exeObjjnkie.exePfbfhm32.exeGcedad32.exeAgpeaa32.exeGamnhq32.exeGoqnae32.exeBkhhhd32.exeCnmfdb32.exeFchkbg32.exeJndjmifj.exePopgboae.exeElgfkhpi.exeHgqlafap.exeLocjhqpa.exeFmnopp32.exeKhadpa32.exeLaqojfli.exeMneohj32.exeNnnbni32.exePebpkk32.exeDbaice32.exeHegpjaac.exeJenbjc32.exeCkeqga32.exeKkjpggkn.exeEpeekmjk.exeHqgddm32.exeNlcibc32.exeFodebh32.exeDfhdnn32.exeIkqnlh32.exeKgcnahoo.exePcljmdmj.exeFhljkm32.exeKpfplo32.exeAphjjf32.exeDhpgfeao.exeGojhafnb.exeIeibdnnp.exeCgfkmgnj.exeOimmjffj.exeKhnapkjg.exe2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exeAomnhd32.exeJhjbqo32.exeBqolji32.exeQgjccb32.exeQiioon32.exeKilgoe32.exeFmfocnjg.exeKnfndjdp.exeNfahomfd.exeCmfmojcb.exeHcjilgdb.exeKlecfkff.exeMbhlek32.exeBbbpenco.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakino32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inbnhihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcginj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objjnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfbfhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcedad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agpeaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gamnhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkhhhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmfdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fchkbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jndjmifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Popgboae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elgfkhpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgqlafap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Locjhqpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmnopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laqojfli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mneohj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnnbni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pebpkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbaice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hegpjaac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenbjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckeqga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjpggkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epeekmjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqgddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fodebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikqnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcnahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhljkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpfplo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpgfeao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojhafnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieibdnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oimmjffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khnapkjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aomnhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhjbqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqolji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikqnlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiioon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilgoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfocnjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmfmojcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjilgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klecfkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbbpenco.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Knfndjdp.exeKdpfadlm.exeKhkbbc32.exeKnhjjj32.exeKadfkhkf.exeKnkgpi32.exeKpicle32.exeKjahej32.exeKlpdaf32.exeLgehno32.exeLhfefgkg.exeLlbqfe32.exeLfkeokjp.exeLocjhqpa.exeLbafdlod.exeLoefnpnn.exeLdbofgme.exeLddlkg32.exeLhpglecl.exeMjaddn32.exeMbhlek32.exeMjcaimgg.exeMmbmeifk.exeMfjann32.exeMjfnomde.exeMobfgdcl.exeMjhjdm32.exeMbcoio32.exeMfokinhf.exeMpgobc32.exeNbflno32.exeNfahomfd.exeNpjlhcmd.exeNefdpjkl.exeNgealejo.exeNplimbka.exeNbjeinje.exeNlcibc32.exeNjfjnpgp.exeNcnngfna.exeNjhfcp32.exeNabopjmj.exeNenkqi32.exeOadkej32.exeOpglafab.exeOfadnq32.exeOjmpooah.exeOmklkkpl.exeOpihgfop.exeObhdcanc.exeOibmpl32.exeOmnipjni.exeOplelf32.exeOdgamdef.exeObjaha32.exeOidiekdn.exeOpnbbe32.exeOoabmbbe.exeObmnna32.exeOekjjl32.exeOhiffh32.exeOlebgfao.exeObokcqhk.exeOemgplgo.exepid Process 1804 Knfndjdp.exe 2084 Kdpfadlm.exe 2244 Khkbbc32.exe 2204 Knhjjj32.exe 2896 Kadfkhkf.exe 2652 Knkgpi32.exe 2640 Kpicle32.exe 2396 Kjahej32.exe 1476 Klpdaf32.exe 2960 Lgehno32.exe 2956 Lhfefgkg.exe 860 Llbqfe32.exe 1756 Lfkeokjp.exe 1624 Locjhqpa.exe 2388 Lbafdlod.exe 1952 Loefnpnn.exe 2188 Ldbofgme.exe 1924 Lddlkg32.exe 1824 Lhpglecl.exe 1768 Mjaddn32.exe 276 Mbhlek32.exe 1104 Mjcaimgg.exe 2540 Mmbmeifk.exe 1412 Mfjann32.exe 740 Mjfnomde.exe 2472 Mobfgdcl.exe 1612 Mjhjdm32.exe 2884 Mbcoio32.exe 2864 Mfokinhf.exe 2972 Mpgobc32.exe 2620 Nbflno32.exe 2700 Nfahomfd.exe 352 Npjlhcmd.exe 2380 Nefdpjkl.exe 2944 Ngealejo.exe 2008 Nplimbka.exe 1068 Nbjeinje.exe 1180 Nlcibc32.exe 2356 Njfjnpgp.exe 2428 Ncnngfna.exe 2432 Njhfcp32.exe 2516 Nabopjmj.exe 2436 Nenkqi32.exe 2264 Oadkej32.exe 2280 Opglafab.exe 1308 Ofadnq32.exe 2364 Ojmpooah.exe 2772 Omklkkpl.exe 1608 Opihgfop.exe 2880 Obhdcanc.exe 2200 Oibmpl32.exe 2676 Omnipjni.exe 2668 Oplelf32.exe 2916 Odgamdef.exe 2816 Objaha32.exe 1424 Oidiekdn.exe 2040 Opnbbe32.exe 3060 Ooabmbbe.exe 2120 Obmnna32.exe 2572 Oekjjl32.exe 1076 Ohiffh32.exe 1764 Olebgfao.exe 544 Obokcqhk.exe 2424 Oemgplgo.exe -
Loads dropped DLL 64 IoCs
Processes:
2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exeKnfndjdp.exeKdpfadlm.exeKhkbbc32.exeKnhjjj32.exeKadfkhkf.exeKnkgpi32.exeKpicle32.exeKjahej32.exeKlpdaf32.exeLgehno32.exeLhfefgkg.exeLlbqfe32.exeLfkeokjp.exeLocjhqpa.exeLbafdlod.exeLoefnpnn.exeLdbofgme.exeLddlkg32.exeLhpglecl.exeMjaddn32.exeMbhlek32.exeMjcaimgg.exeMmbmeifk.exeMfjann32.exeMjfnomde.exeMobfgdcl.exeMjhjdm32.exeMbcoio32.exeMfokinhf.exeMpgobc32.exeNbflno32.exepid Process 2124 2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe 2124 2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe 1804 Knfndjdp.exe 1804 Knfndjdp.exe 2084 Kdpfadlm.exe 2084 Kdpfadlm.exe 2244 Khkbbc32.exe 2244 Khkbbc32.exe 2204 Knhjjj32.exe 2204 Knhjjj32.exe 2896 Kadfkhkf.exe 2896 Kadfkhkf.exe 2652 Knkgpi32.exe 2652 Knkgpi32.exe 2640 Kpicle32.exe 2640 Kpicle32.exe 2396 Kjahej32.exe 2396 Kjahej32.exe 1476 Klpdaf32.exe 1476 Klpdaf32.exe 2960 Lgehno32.exe 2960 Lgehno32.exe 2956 Lhfefgkg.exe 2956 Lhfefgkg.exe 860 Llbqfe32.exe 860 Llbqfe32.exe 1756 Lfkeokjp.exe 1756 Lfkeokjp.exe 1624 Locjhqpa.exe 1624 Locjhqpa.exe 2388 Lbafdlod.exe 2388 Lbafdlod.exe 1952 Loefnpnn.exe 1952 Loefnpnn.exe 2188 Ldbofgme.exe 2188 Ldbofgme.exe 1924 Lddlkg32.exe 1924 Lddlkg32.exe 1824 Lhpglecl.exe 1824 Lhpglecl.exe 1768 Mjaddn32.exe 1768 Mjaddn32.exe 276 Mbhlek32.exe 276 Mbhlek32.exe 1104 Mjcaimgg.exe 1104 Mjcaimgg.exe 2540 Mmbmeifk.exe 2540 Mmbmeifk.exe 1412 Mfjann32.exe 1412 Mfjann32.exe 740 Mjfnomde.exe 740 Mjfnomde.exe 2472 Mobfgdcl.exe 2472 Mobfgdcl.exe 1612 Mjhjdm32.exe 1612 Mjhjdm32.exe 2884 Mbcoio32.exe 2884 Mbcoio32.exe 2864 Mfokinhf.exe 2864 Mfokinhf.exe 2972 Mpgobc32.exe 2972 Mpgobc32.exe 2620 Nbflno32.exe 2620 Nbflno32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Fgfdie32.exeFlclam32.exeIgmbgk32.exeIcfpbl32.exeBknjfb32.exeDahkok32.exeKbjbge32.exeQiioon32.exeIcdcllpc.exeNbeedh32.exeFkefbcmf.exeLmmfnb32.exeBjkhdacm.exeBceibfgj.exeEkfpmf32.exeJoidhh32.exeBkpglbaj.exeMmbmeifk.exeBkknac32.exeBoljgg32.exeElacliin.exeLdheebad.exeOdkgec32.exeFbegbacp.exeMbcoio32.exeKilgoe32.exePhklaacg.exeBnlgbnbp.exeDjjjga32.exeAaimopli.exeBchfhfeh.exeKdnkdmec.exeKnhjjj32.exeCchbgi32.exeMfgnnhkc.exeJipaip32.exeKnfndjdp.exeObeacl32.exeDnpciaef.exeAddfkeid.exeCjogcm32.exeEdidqf32.exeEbnabb32.exeHcjilgdb.exeHgeelf32.exeHegpjaac.exeCehhdkjf.exeCbgobp32.exeAjehnk32.exeFdkmeiei.exeKkjpggkn.exeCgoelh32.exeLnjldf32.exeNnleiipc.exeIinhdmma.exePhcilf32.exeOniebmda.exeEafkhn32.exeAbpcooea.exeDnjoco32.exeHqkmplen.exeLanbdf32.exeBdcifi32.exedescription ioc Process File created C:\Windows\SysWOW64\Feiddbbj.exe Fgfdie32.exe File opened for modification C:\Windows\SysWOW64\Foahmh32.exe Flclam32.exe File created C:\Windows\SysWOW64\Nncojg32.dll Igmbgk32.exe File created C:\Windows\SysWOW64\Ofnigm32.dll Icfpbl32.exe File created C:\Windows\SysWOW64\Dhbccb32.dll Bknjfb32.exe File created C:\Windows\SysWOW64\Caefkh32.dll Dahkok32.exe File created C:\Windows\SysWOW64\Blbjlj32.dll Kbjbge32.exe File created C:\Windows\SysWOW64\Pfqgfg32.dll Qiioon32.exe File opened for modification C:\Windows\SysWOW64\Igoomk32.exe Icdcllpc.exe File created C:\Windows\SysWOW64\Bpmacdgo.dll Nbeedh32.exe File created C:\Windows\SysWOW64\Fihfnp32.exe Fkefbcmf.exe File created C:\Windows\SysWOW64\Llpfjomf.exe Lmmfnb32.exe File created C:\Windows\SysWOW64\Jcojqm32.dll Bjkhdacm.exe File opened for modification C:\Windows\SysWOW64\Bfdenafn.exe Bceibfgj.exe File opened for modification C:\Windows\SysWOW64\Emdmjamj.exe Ekfpmf32.exe File created C:\Windows\SysWOW64\Dcibhnqq.dll Joidhh32.exe File created C:\Windows\SysWOW64\Anhdpd32.dll Bkpglbaj.exe File created C:\Windows\SysWOW64\Mfjann32.exe Mmbmeifk.exe File opened for modification C:\Windows\SysWOW64\Bogjaamh.exe Bkknac32.exe File created C:\Windows\SysWOW64\Bchfhfeh.exe Boljgg32.exe File created C:\Windows\SysWOW64\Jclpkjad.dll Elacliin.exe File created C:\Windows\SysWOW64\Pacmhh32.dll Ldheebad.exe File opened for modification C:\Windows\SysWOW64\Olbogqoe.exe Odkgec32.exe File opened for modification C:\Windows\SysWOW64\Fahhnn32.exe Fbegbacp.exe File opened for modification C:\Windows\SysWOW64\Mfokinhf.exe Mbcoio32.exe File created C:\Windows\SysWOW64\Aohndnll.dll Kilgoe32.exe File opened for modification C:\Windows\SysWOW64\Pjihmmbk.exe Phklaacg.exe File created C:\Windows\SysWOW64\Aamhcmdo.dll Bnlgbnbp.exe File opened for modification C:\Windows\SysWOW64\Dbabho32.exe Djjjga32.exe File opened for modification C:\Windows\SysWOW64\Ajpepm32.exe Aaimopli.exe File created C:\Windows\SysWOW64\Bgcbhd32.exe Bchfhfeh.exe File opened for modification C:\Windows\SysWOW64\Klecfkff.exe Kdnkdmec.exe File opened for modification C:\Windows\SysWOW64\Kadfkhkf.exe Knhjjj32.exe File created C:\Windows\SysWOW64\Efeckm32.dll Cchbgi32.exe File created C:\Windows\SysWOW64\Mhfjjdjf.exe Mfgnnhkc.exe File created C:\Windows\SysWOW64\Mnpkephg.dll Jipaip32.exe File created C:\Windows\SysWOW64\Oncobd32.dll Knfndjdp.exe File created C:\Windows\SysWOW64\Ipjkcehe.dll Obeacl32.exe File opened for modification C:\Windows\SysWOW64\Danpemej.exe Dnpciaef.exe File created C:\Windows\SysWOW64\Mieibq32.dll Addfkeid.exe File created C:\Windows\SysWOW64\Cmmcpi32.exe Cjogcm32.exe File opened for modification C:\Windows\SysWOW64\Eblelb32.exe Edidqf32.exe File created C:\Windows\SysWOW64\Eemnnn32.exe Ebnabb32.exe File created C:\Windows\SysWOW64\Hgeelf32.exe Hcjilgdb.exe File created C:\Windows\SysWOW64\Hjcaha32.exe Hgeelf32.exe File opened for modification C:\Windows\SysWOW64\Hiclkp32.exe Hegpjaac.exe File opened for modification C:\Windows\SysWOW64\Cmppehkh.exe Cehhdkjf.exe File created C:\Windows\SysWOW64\Cjogcm32.exe Cbgobp32.exe File opened for modification C:\Windows\SysWOW64\Alddjg32.exe Ajehnk32.exe File created C:\Windows\SysWOW64\Cmppehkh.exe Cehhdkjf.exe File opened for modification C:\Windows\SysWOW64\Fkefbcmf.exe Fdkmeiei.exe File created C:\Windows\SysWOW64\Bodilc32.dll Kkjpggkn.exe File created C:\Windows\SysWOW64\Pobghn32.dll Cgoelh32.exe File created C:\Windows\SysWOW64\Mphiqbon.exe Lnjldf32.exe File opened for modification C:\Windows\SysWOW64\Nqjaeeog.exe Nnleiipc.exe File created C:\Windows\SysWOW64\Igqhpj32.exe Iinhdmma.exe File created C:\Windows\SysWOW64\Pgfjhcge.exe Phcilf32.exe File opened for modification C:\Windows\SysWOW64\Obeacl32.exe Oniebmda.exe File created C:\Windows\SysWOW64\Qbkalpla.dll Eafkhn32.exe File opened for modification C:\Windows\SysWOW64\Bhjlli32.exe Abpcooea.exe File created C:\Windows\SysWOW64\Dahkok32.exe Dnjoco32.exe File created C:\Windows\SysWOW64\Lkjcap32.dll Hqkmplen.exe File opened for modification C:\Windows\SysWOW64\Ldmopa32.exe Lanbdf32.exe File created C:\Windows\SysWOW64\Bceibfgj.exe Bdcifi32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 8152 8100 WerFault.exe 772 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Bfdenafn.exeNppofado.exeJbfilffm.exeMjcaimgg.exeNabopjmj.exeQemldifo.exeApppkekc.exeFamaimfe.exeIkjhki32.exeKpieengb.exePhcilf32.exeGodaakic.exeHgciff32.exeMhhgpc32.exeNqjaeeog.exeAomnhd32.exeDjiqdb32.exeEeiheo32.exeKkpqlm32.exeLnqjnhge.exeMbchni32.exeKnkgpi32.exePiicpk32.exeFpbnjjkm.exeJggoqimd.exeDcohghbk.exeNpbklabl.exeCjljnn32.exeEpbbkf32.exeHnkdnqhm.exeJbhebfck.exePhqmgg32.exeAhpifj32.exeKdphjm32.exeHkahgk32.exeMqjefamk.exePlmbkd32.exeGcedad32.exeGamnhq32.exeHklhae32.exeImjkpb32.exeNnleiipc.exePjihmmbk.exeLbjofi32.exeBqijljfd.exeIgoomk32.exeNnnbni32.exeQbnphngk.exeCjogcm32.exeDjdgic32.exeFoolgh32.exeCchbgi32.exeHbdjcffd.exeImgnjb32.exeLkggmldl.exeMdmkoepk.exeApkgpf32.exeLhpglecl.exeAcfmcc32.exeJfdhmk32.exeNflchkii.exePeefcjlg.exeCglalbbi.exeCcgklc32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfdenafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nppofado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfilffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcaimgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabopjmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemldifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apppkekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famaimfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjhki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpieengb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Godaakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgciff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqjaeeog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomnhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djiqdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeiheo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpqlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnqjnhge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbchni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkgpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbnjjkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggoqimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcohghbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbklabl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbbkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhebfck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phqmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdphjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkahgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjefamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmbkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcedad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamnhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklhae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imjkpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnleiipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjihmmbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqijljfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igoomk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnbni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbnphngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjogcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foolgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cchbgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdjcffd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgnjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkggmldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmkoepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkgpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpglecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdhmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflchkii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peefcjlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglalbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgklc32.exe -
Modifies registry class 64 IoCs
Processes:
Bkegah32.exeCgaaah32.exeEmdmjamj.exeFkkfgi32.exeCbjlhpkb.exeGdnfjl32.exeAkcomepg.exeJfohgepi.exeFlocfmnl.exeFkefbcmf.exeEegkpo32.exeApgagg32.exeMbnocipg.exeNpdhaq32.exePfebnmcj.exeOidiekdn.exeMgbaml32.exePiicpk32.exeEibgpnjk.exeEinjdb32.exeIkfbbjdj.exeAddfkeid.exeBgdkkc32.exeHkjkle32.exeDpeiligo.exeMkipao32.exeKekkiq32.exeEhjqgjmp.exeBhjlli32.exeIphgln32.exeLnqjnhge.exeOioipf32.exeJedehaea.exe2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exeDjiqdb32.exeNkkmgncb.exeAgglbp32.exeBqmpdioa.exeBdkhjgeh.exeDeondj32.exeCnmfdb32.exeBjkhdacm.exeInjqmdki.exeMjhjdm32.exeMqjefamk.exeEfhqmadd.exeHddmjk32.exeEpeekmjk.exeKpdcfoph.exeLopfhk32.exeQiflohqk.exeIogpag32.exeOpnbbe32.exeCqaiph32.exeEpeoaffo.exeGoqnae32.exeEcfnmh32.exePmmeon32.exeHbdjcffd.exeNjnmbk32.exeOdkgec32.exeOjglhm32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgaaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emdmjamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkkfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbjlhpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdaaomdi.dll" Gdnfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll" Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfohgepi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flocfmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapefloq.dll" Fkefbcmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eegkpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfenf32.dll" Mbnocipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdhoc32.dll" Npdhaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfebnmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafqii32.dll" Oidiekdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgbaml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geldbhjk.dll" Einjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikfbbjdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Addfkeid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdofg32.dll" Hkjkle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpeiligo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqdhpbib.dll" Mkipao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhjlli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iphgln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnqjnhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbobli32.dll" Oioipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll" Jedehaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplncj32.dll" 2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjqf32.dll" Mgbaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkkmgncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agglbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdkhjgeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deondj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" Cnmfdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjkhdacm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Injqmdki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnnpb32.dll" Flocfmnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bieepc32.dll" Efhqmadd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hddmjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epeekmjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpdcfoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjikp32.dll" Lopfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qiflohqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iogpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgghnmp.dll" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cqaiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epeoaffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeebbaa.dll" Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecfnmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll" Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndlaqocp.dll" Hbdjcffd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odkgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Henmilod.dll" Ojglhm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exeKnfndjdp.exeKdpfadlm.exeKhkbbc32.exeKnhjjj32.exeKadfkhkf.exeKnkgpi32.exeKpicle32.exeKjahej32.exeKlpdaf32.exeLgehno32.exeLhfefgkg.exeLlbqfe32.exeLfkeokjp.exeLocjhqpa.exeLbafdlod.exedescription pid Process procid_target PID 2124 wrote to memory of 1804 2124 2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe 30 PID 2124 wrote to memory of 1804 2124 2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe 30 PID 2124 wrote to memory of 1804 2124 2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe 30 PID 2124 wrote to memory of 1804 2124 2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe 30 PID 1804 wrote to memory of 2084 1804 Knfndjdp.exe 31 PID 1804 wrote to memory of 2084 1804 Knfndjdp.exe 31 PID 1804 wrote to memory of 2084 1804 Knfndjdp.exe 31 PID 1804 wrote to memory of 2084 1804 Knfndjdp.exe 31 PID 2084 wrote to memory of 2244 2084 Kdpfadlm.exe 32 PID 2084 wrote to memory of 2244 2084 Kdpfadlm.exe 32 PID 2084 wrote to memory of 2244 2084 Kdpfadlm.exe 32 PID 2084 wrote to memory of 2244 2084 Kdpfadlm.exe 32 PID 2244 wrote to memory of 2204 2244 Khkbbc32.exe 33 PID 2244 wrote to memory of 2204 2244 Khkbbc32.exe 33 PID 2244 wrote to memory of 2204 2244 Khkbbc32.exe 33 PID 2244 wrote to memory of 2204 2244 Khkbbc32.exe 33 PID 2204 wrote to memory of 2896 2204 Knhjjj32.exe 34 PID 2204 wrote to memory of 2896 2204 Knhjjj32.exe 34 PID 2204 wrote to memory of 2896 2204 Knhjjj32.exe 34 PID 2204 wrote to memory of 2896 2204 Knhjjj32.exe 34 PID 2896 wrote to memory of 2652 2896 Kadfkhkf.exe 35 PID 2896 wrote to memory of 2652 2896 Kadfkhkf.exe 35 PID 2896 wrote to memory of 2652 2896 Kadfkhkf.exe 35 PID 2896 wrote to memory of 2652 2896 Kadfkhkf.exe 35 PID 2652 wrote to memory of 2640 2652 Knkgpi32.exe 36 PID 2652 wrote to memory of 2640 2652 Knkgpi32.exe 36 PID 2652 wrote to memory of 2640 2652 Knkgpi32.exe 36 PID 2652 wrote to memory of 2640 2652 Knkgpi32.exe 36 PID 2640 wrote to memory of 2396 2640 Kpicle32.exe 37 PID 2640 wrote to memory of 2396 2640 Kpicle32.exe 37 PID 2640 wrote to memory of 2396 2640 Kpicle32.exe 37 PID 2640 wrote to memory of 2396 2640 Kpicle32.exe 37 PID 2396 wrote to memory of 1476 2396 Kjahej32.exe 38 PID 2396 wrote to memory of 1476 2396 Kjahej32.exe 38 PID 2396 wrote to memory of 1476 2396 Kjahej32.exe 38 PID 2396 wrote to memory of 1476 2396 Kjahej32.exe 38 PID 1476 wrote to memory of 2960 1476 Klpdaf32.exe 39 PID 1476 wrote to memory of 2960 1476 Klpdaf32.exe 39 PID 1476 wrote to memory of 2960 1476 Klpdaf32.exe 39 PID 1476 wrote to memory of 2960 1476 Klpdaf32.exe 39 PID 2960 wrote to memory of 2956 2960 Lgehno32.exe 40 PID 2960 wrote to memory of 2956 2960 Lgehno32.exe 40 PID 2960 wrote to memory of 2956 2960 Lgehno32.exe 40 PID 2960 wrote to memory of 2956 2960 Lgehno32.exe 40 PID 2956 wrote to memory of 860 2956 Lhfefgkg.exe 41 PID 2956 wrote to memory of 860 2956 Lhfefgkg.exe 41 PID 2956 wrote to memory of 860 2956 Lhfefgkg.exe 41 PID 2956 wrote to memory of 860 2956 Lhfefgkg.exe 41 PID 860 wrote to memory of 1756 860 Llbqfe32.exe 42 PID 860 wrote to memory of 1756 860 Llbqfe32.exe 42 PID 860 wrote to memory of 1756 860 Llbqfe32.exe 42 PID 860 wrote to memory of 1756 860 Llbqfe32.exe 42 PID 1756 wrote to memory of 1624 1756 Lfkeokjp.exe 43 PID 1756 wrote to memory of 1624 1756 Lfkeokjp.exe 43 PID 1756 wrote to memory of 1624 1756 Lfkeokjp.exe 43 PID 1756 wrote to memory of 1624 1756 Lfkeokjp.exe 43 PID 1624 wrote to memory of 2388 1624 Locjhqpa.exe 44 PID 1624 wrote to memory of 2388 1624 Locjhqpa.exe 44 PID 1624 wrote to memory of 2388 1624 Locjhqpa.exe 44 PID 1624 wrote to memory of 2388 1624 Locjhqpa.exe 44 PID 2388 wrote to memory of 1952 2388 Lbafdlod.exe 45 PID 2388 wrote to memory of 1952 2388 Lbafdlod.exe 45 PID 2388 wrote to memory of 1952 2388 Lbafdlod.exe 45 PID 2388 wrote to memory of 1952 2388 Lbafdlod.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe"C:\Users\Admin\AppData\Local\Temp\2352aa0e16ed1d6745b0a2984b0c64f35cd77da20f47dddbc947ad18207c2239N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Loefnpnn.exeC:\Windows\system32\Loefnpnn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Mbhlek32.exeC:\Windows\system32\Mbhlek32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1104 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1412 -
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:740 -
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe34⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe35⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe36⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe37⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe38⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe40⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe41⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe42⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe44⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe45⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe46⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe47⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe48⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe49⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe50⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe51⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Oibmpl32.exeC:\Windows\system32\Oibmpl32.exe52⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Omnipjni.exeC:\Windows\system32\Omnipjni.exe53⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe54⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe55⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe56⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Oidiekdn.exeC:\Windows\system32\Oidiekdn.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe59⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe60⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe61⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe62⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe63⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe64⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe65⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe67⤵PID:1712
-
C:\Windows\SysWOW64\Pofkha32.exeC:\Windows\system32\Pofkha32.exe68⤵PID:1272
-
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe69⤵PID:2736
-
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe70⤵PID:2876
-
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe71⤵PID:2932
-
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe72⤵PID:3016
-
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe73⤵PID:2032
-
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe74⤵PID:1596
-
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe75⤵PID:2160
-
C:\Windows\SysWOW64\Pebpkk32.exeC:\Windows\system32\Pebpkk32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1088 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe77⤵
- System Location Discovery: System Language Discovery
PID:644 -
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe78⤵PID:1960
-
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe79⤵PID:904
-
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe80⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Pplaki32.exeC:\Windows\system32\Pplaki32.exe81⤵PID:2756
-
C:\Windows\SysWOW64\Phcilf32.exeC:\Windows\system32\Phcilf32.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Pgfjhcge.exeC:\Windows\system32\Pgfjhcge.exe83⤵PID:988
-
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe84⤵PID:2760
-
C:\Windows\SysWOW64\Pmpbdm32.exeC:\Windows\system32\Pmpbdm32.exe85⤵PID:2660
-
C:\Windows\SysWOW64\Ppnnai32.exeC:\Windows\system32\Ppnnai32.exe86⤵PID:1868
-
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe87⤵PID:2940
-
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe89⤵PID:1512
-
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe90⤵PID:2268
-
C:\Windows\SysWOW64\Pleofj32.exeC:\Windows\system32\Pleofj32.exe91⤵PID:1516
-
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe92⤵PID:952
-
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe93⤵PID:1500
-
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1632 -
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe96⤵PID:2888
-
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe97⤵PID:2796
-
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe98⤵PID:1752
-
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe99⤵PID:1044
-
C:\Windows\SysWOW64\Qjklenpa.exeC:\Windows\system32\Qjklenpa.exe100⤵PID:1892
-
C:\Windows\SysWOW64\Qnghel32.exeC:\Windows\system32\Qnghel32.exe101⤵PID:2484
-
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe102⤵PID:3056
-
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe103⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe105⤵
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe106⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe107⤵PID:2448
-
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe108⤵PID:2680
-
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe110⤵PID:2764
-
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe111⤵PID:1028
-
C:\Windows\SysWOW64\Adifpk32.exeC:\Windows\system32\Adifpk32.exe112⤵PID:2176
-
C:\Windows\SysWOW64\Ahebaiac.exeC:\Windows\system32\Ahebaiac.exe113⤵PID:1684
-
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe114⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe115⤵PID:1208
-
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe116⤵PID:2464
-
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe117⤵PID:2752
-
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe118⤵PID:2692
-
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe119⤵PID:3032
-
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe120⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe121⤵
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Bkhhhd32.exeC:\Windows\system32\Bkhhhd32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-