Analysis
max time kernel: 71s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2024 10:46
Behavioral task: behavioral1
Sample: d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe
Resource: win7-20241010-en
General
Target: d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe
Size: 93KB
MD5: f1cdeaf162d9d80d0c59cc7b5f024ab0
SHA1: d963b2a2135a224803552951c92df29cfa4fafc0
SHA256: d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33
SHA512: 5b1d3e1eedd247e1978b68c77fd64cc67980fb8da43a9bb88197f08ffca339f0d965da94cf0bf65ab9462cb188e04c9719e6d8aac8d3a21f900003dc925998be
SSDEEP: 1536:rd/hOm2jgBXrRSZ9vHNGGviPsFeb/Fqq/G1DaYfMZRWuLsV+1Z:r/qgBXrRSnHMPZ/GgYfc0DV+1Z
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Njrat family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncjbba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmikpngk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lojjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlelkn32.dll" Ihjcko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbkgig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lepclldc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqilppic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbkgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeoedmpg.dll" Npcika32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgnpjkhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipqicdim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdklmlof.dll" Ioefdpne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlffnae.dll" Jndflk32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgfpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdqfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkokjpai.dll" Lijepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Codeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agngpn32.dll" Cihedpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbiijb32.exe -
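Every row in the table above registers the same COM class: the InProcServer32 key under one fixed CLSID is created, its ThreadingModel is set to "Apartment", and its default value is pointed at a freshly dropped, randomly named DLL in C:\Windows\SysWow64. InProcServer32 is where COM looks up the DLL that implements a class, so whichever component later instantiates this CLSID loads the attacker's DLL. The parser below is an added example, not part of the report or of any sandbox tooling; it reads rows in the flattened shape the report prints (description, registry path, optional quoted data, writing process) and turns them into hunt-ready indicators. The sample rows are copied from the table above; the function names are my own. It also converts the kernel-style \REGISTRY\MACHINE path into the HKLM form that reg.exe and PowerShell accept and derives the path a 32-bit tool must use, since this 32-bit sample's writes land under Wow6432Node and a 32-bit tool is redirected there automatically.

```python
"""Turn flattened 'Modifies registry class' rows into hunt-ready indicators.

Added example; not part of the sandbox report. Row format and sample rows are
taken from the report's table; function names are my own."""
import re

# Sample rows copied from this report's registry table. The sandbox prints each
# row as: <description> <registry path> [= "<data>"] <writing process>.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkdioh32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cblaaajo.dll" Kglfcd32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acohnhab.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfmmd32.dll" Abldccka.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\\S+) (\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"


def parse_row(row):
    """Parse one row; returns a dict, or None if the row has an unknown shape."""
    m = SET_RE.match(row)
    if m:
        kind, path, data, proc = m.groups()
        key, _, value_name = path.rpartition("\\")
        return {
            "op": "set_value",
            "type": kind,
            "key": key,
            # A path ending in a backslash names the key's (Default) value.
            "value": value_name or "(Default)",
            # The sandbox doubles backslashes inside quoted data; undo that.
            "data": data.replace("\\\\", "\\"),
            "process": proc,
        }
    m = KEY_RE.match(row)
    if m:
        key, proc = m.groups()
        return {"op": "key_created", "key": key, "process": proc}
    return None


def to_hklm(path):
    """Rewrite the kernel-style \\REGISTRY\\MACHINE prefix to HKLM for reg.exe/PowerShell."""
    if path.startswith(MACHINE_PREFIX):
        return "HKLM\\" + path[len(MACHINE_PREFIX):]
    return path


def as_seen_by_32bit(path):
    """Path a 32-bit tool must use for the same key.

    The sample is 32-bit (its DLLs land in SysWow64), so its writes are
    redirected to Wow6432Node. A 64-bit hunt tool must include that component;
    a 32-bit tool is redirected automatically and must leave it out, or it
    will query a key that does not exist."""
    return path.replace("\\Wow6432Node", "", 1)


def summarize(rows):
    """Collect what a hunt needs: CLSID(s), InProcServer32 DLLs, writing processes."""
    parsed = [p for p in map(parse_row, rows) if p]
    clsids = set()
    for p in parsed:
        m = CLSID_RE.search(p["key"])
        if m:
            clsids.add(m.group(0).upper())
    dlls = [p["data"] for p in parsed
            if p["op"] == "set_value" and p["value"] == "(Default)"
            and p["key"].endswith("\\InProcServer32")]
    keys = sorted({to_hklm(p["key"]) for p in parsed})
    return {
        "clsids": sorted(clsids),
        "inproc_dlls": dlls,
        "processes": sorted({p["process"] for p in parsed}),
        "hunt_keys_64bit": keys,
        "hunt_keys_32bit": [as_seen_by_32bit(k) for k in keys],
        "unparsed": len(rows) - len(parsed),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_ROWS).items():
        print(f"{name}: {value}")
```

Run against the full table, the summary yields one CLSID, 22 distinct DLL paths under C:\Windows\SysWow64, and the list of writers to check against the process tree. A row the parser does not recognise is counted under "unparsed" rather than silently dropped, so a change in the sandbox's output format shows up as a non-zero count instead of a shorter indicator list.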
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | Process | procid_target
PID 2448 wrote to memory of 2832 | 2448 | d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe | 30
PID 2448 wrote to memory of 2832 | 2448 | d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe | 30
PID 2448 wrote to memory of 2832 | 2448 | d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe | 30
PID 2448 wrote to memory of 2832 | 2448 | d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe | 30
PID 2832 wrote to memory of 2884 | 2832 | Lmeebpkd.exe | 31
PID 2832 wrote to memory of 2884 | 2832 | Lmeebpkd.exe | 31
PID 2832 wrote to memory of 2884 | 2832 | Lmeebpkd.exe | 31
PID 2832 wrote to memory of 2884 | 2832 | Lmeebpkd.exe | 31
PID 2884 wrote to memory of 2916 | 2884 | Lbbnjgik.exe | 32
PID 2884 wrote to memory of 2916 | 2884 | Lbbnjgik.exe | 32
PID 2884 wrote to memory of 2916 | 2884 | Lbbnjgik.exe | 32
PID 2884 wrote to memory of 2916 | 2884 | Lbbnjgik.exe | 32
PID 2916 wrote to memory of 2676 | 2916 | Miocmq32.exe | 33
PID 2916 wrote to memory of 2676 | 2916 | Miocmq32.exe | 33
PID 2916 wrote to memory of 2676 | 2916 | Miocmq32.exe | 33
PID 2916 wrote to memory of 2676 | 2916 | Miocmq32.exe | 33
PID 2676 wrote to memory of 688 | 2676 | Monhjgkj.exe | 34
PID 2676 wrote to memory of 688 | 2676 | Monhjgkj.exe | 34
PID 2676 wrote to memory of 688 | 2676 | Monhjgkj.exe | 34
PID 2676 wrote to memory of 688 | 2676 | Monhjgkj.exe | 34
PID 688 wrote to memory of 1380 | 688 | Mkdioh32.exe | 35
PID 688 wrote to memory of 1380 | 688 | Mkdioh32.exe | 35
PID 688 wrote to memory of 1380 | 688 | Mkdioh32.exe | 35
PID 688 wrote to memory of 1380 | 688 | Mkdioh32.exe | 35
PID 1380 wrote to memory of 1672 | 1380 | Mdmmhn32.exe | 36
PID 1380 wrote to memory of 1672 | 1380 | Mdmmhn32.exe | 36
PID 1380 wrote to memory of 1672 | 1380 | Mdmmhn32.exe | 36
PID 1380 wrote to memory of 1672 | 1380 | Mdmmhn32.exe | 36
PID 1672 wrote to memory of 2300 | 1672 | Mdojnm32.exe | 37
PID 1672 wrote to memory of 2300 | 1672 | Mdojnm32.exe | 37
PID 1672 wrote to memory of 2300 | 1672 | Mdojnm32.exe | 37
PID 1672 wrote to memory of 2300 | 1672 | Mdojnm32.exe | 37
PID 2300 wrote to memory of 2608 | 2300 | Macjgadf.exe | 38
PID 2300 wrote to memory of 2608 | 2300 | Macjgadf.exe | 38
PID 2300 wrote to memory of 2608 | 2300 | Macjgadf.exe | 38
PID 2300 wrote to memory of 2608 | 2300 | Macjgadf.exe | 38
PID 2608 wrote to memory of 2972 | 2608 | Njalacon.exe | 39
PID 2608 wrote to memory of 2972 | 2608 | Njalacon.exe | 39
PID 2608 wrote to memory of 2972 | 2608 | Njalacon.exe | 39
PID 2608 wrote to memory of 2972 | 2608 | Njalacon.exe | 39
PID 2972 wrote to memory of 572 | 2972 | Nqmqcmdh.exe | 40
PID 2972 wrote to memory of 572 | 2972 | Nqmqcmdh.exe | 40
PID 2972 wrote to memory of 572 | 2972 | Nqmqcmdh.exe | 40
PID 2972 wrote to memory of 572 | 2972 | Nqmqcmdh.exe | 40
PID 572 wrote to memory of 1572 | 572 | Nbqjqehd.exe | 41
PID 572 wrote to memory of 1572 | 572 | Nbqjqehd.exe | 41
PID 572 wrote to memory of 1572 | 572 | Nbqjqehd.exe | 41
PID 572 wrote to memory of 1572 | 572 | Nbqjqehd.exe | 41
PID 1572 wrote to memory of 2428 | 1572 | Ofobgc32.exe | 42
PID 1572 wrote to memory of 2428 | 1572 | Ofobgc32.exe | 42
PID 1572 wrote to memory of 2428 | 1572 | Ofobgc32.exe | 42
PID 1572 wrote to memory of 2428 | 1572 | Ofobgc32.exe | 42
PID 2428 wrote to memory of 2128 | 2428 | Oiokholk.exe | 43
PID 2428 wrote to memory of 2128 | 2428 | Oiokholk.exe | 43
PID 2428 wrote to memory of 2128 | 2428 | Oiokholk.exe | 43
PID 2428 wrote to memory of 2128 | 2428 | Oiokholk.exe | 43
PID 2128 wrote to memory of 2396 | 2128 | Onoqfehp.exe | 44
PID 2128 wrote to memory of 2396 | 2128 | Onoqfehp.exe | 44
PID 2128 wrote to memory of 2396 | 2128 | Onoqfehp.exe | 44
PID 2128 wrote to memory of 2396 | 2128 | Onoqfehp.exe | 44
PID 2396 wrote to memory of 1384 | 2396 | Ojeakfnd.exe | 45
PID 2396 wrote to memory of 1384 | 2396 | Ojeakfnd.exe | 45
PID 2396 wrote to memory of 1384 | 2396 | Ojeakfnd.exe | 45
PID 2396 wrote to memory of 1384 | 2396 | Ojeakfnd.exe | 45
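The table above records each WriteProcessMemory call as its own row, four per parent/child pair, so the relationship it describes is easier to see once the rows are de-duplicated and followed from writer to target. The script below is an added example, not part of the report; it parses rows in the shape printed above (the first three links of this chain are copied in as the sample, the function names are my own), counts the calls per edge, and walks the edges from the one process nobody wrote into. It refuses to produce a chain when a writer has more than one target or the edges loop, since that shape needs a tree rendering rather than a straight line.

```python
"""Rebuild the execution chain from a sandbox's WriteProcessMemory rows.

Added example; not part of the sandbox report. The row format and the sample
rows are taken from the report's table; function names are my own."""
import re
from collections import Counter

# The first three links of this report's chain, copied from the table above.
# The sandbox emits one row per WriteProcessMemory call, so each edge repeats.
SAMPLE_ROWS = """
PID 2448 wrote to memory of 2832 2448 d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe 30
PID 2448 wrote to memory of 2832 2448 d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe 30
PID 2448 wrote to memory of 2832 2448 d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe 30
PID 2448 wrote to memory of 2832 2448 d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe 30
PID 2832 wrote to memory of 2884 2832 Lmeebpkd.exe 31
PID 2832 wrote to memory of 2884 2832 Lmeebpkd.exe 31
PID 2832 wrote to memory of 2884 2832 Lmeebpkd.exe 31
PID 2832 wrote to memory of 2884 2832 Lmeebpkd.exe 31
PID 2884 wrote to memory of 2916 2884 Lbbnjgik.exe 32
PID 2884 wrote to memory of 2916 2884 Lbbnjgik.exe 32
PID 2884 wrote to memory of 2916 2884 Lbbnjgik.exe 32
PID 2884 wrote to memory of 2916 2884 Lbbnjgik.exe 32
"""

# Columns as printed: description | pid | Process | procid_target
# (procid_target is the sandbox's own index of the target process).
ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$')


def parse_rows(text):
    """Return {(writer_pid, target_pid, writer_image): call_count}.

    Rows that do not match, or whose description and pid column disagree,
    are dropped rather than guessed at."""
    counts = Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        writer, target, pid, image, _target_idx = m.groups()
        if writer != pid:
            continue
        counts[(int(writer), int(target), image)] += 1
    return counts


def linear_chain(counts):
    """Order the edges root-first: [(writer_pid, writer_image, target_pid, calls), ...].

    The root is the writer nobody wrote into. Raises ValueError if a writer
    has more than one target, there is not exactly one root, or the edges
    loop, because then the data is a tree, not a chain."""
    edges = {}
    targets = set()
    for (writer, target, image), n in counts.items():
        if writer in edges:
            raise ValueError(f"PID {writer} writes into more than one process")
        edges[writer] = (image, target, n)
        targets.add(target)
    roots = [w for w in edges if w not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {sorted(roots)}")
    chain, pid, seen = [], roots[0], set()
    while pid in edges:
        if pid in seen:
            raise ValueError(f"cycle at PID {pid}")
        seen.add(pid)
        image, target, n = edges[pid]
        chain.append((pid, image, target, n))
        pid = target
    return chain


def pids_in_order(chain):
    """PIDs from the root to the last process written into, for comparison with the process tree."""
    return [e[0] for e in chain] + [chain[-1][2]] if chain else []


if __name__ == "__main__":
    for writer, image, target, n in linear_chain(parse_rows(SAMPLE_ROWS)):
        print(f"{writer:>5} {image} -> {target} ({n} WriteProcessMemory calls)")
```

On the full table this yields a 16-link chain from PID 2448 down to PID 1384, and the PID order matches the first seventeen entries of the process tree below; the last target, 1384, is Pcnfdl32.exe, which is also the first process in the tree without a "Suspicious use of WriteProcessMemory" entry.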
Processes
-
Each entry is the child of the entry above it (the sandbox tree is a single chain); the number is the process's depth in that chain.

1. C:\Users\Admin\AppData\Local\Temp\d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d2b7a060d4c29572b56002ed997e06270c4389882449c70a6c9a7f458acd1d33N.exe"
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2448

2. C:\Windows\SysWOW64\Lmeebpkd.exe
   Command line: C:\Windows\system32\Lmeebpkd.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2832

3. C:\Windows\SysWOW64\Lbbnjgik.exe
   Command line: C:\Windows\system32\Lbbnjgik.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2884

4. C:\Windows\SysWOW64\Miocmq32.exe
   Command line: C:\Windows\system32\Miocmq32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2916

5. C:\Windows\SysWOW64\Monhjgkj.exe
   Command line: C:\Windows\system32\Monhjgkj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 2676

6. C:\Windows\SysWOW64\Mkdioh32.exe
   Command line: C:\Windows\system32\Mkdioh32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 688

7. C:\Windows\SysWOW64\Mdmmhn32.exe
   Command line: C:\Windows\system32\Mdmmhn32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1380

8. C:\Windows\SysWOW64\Mdojnm32.exe
   Command line: C:\Windows\system32\Mdojnm32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1672

9. C:\Windows\SysWOW64\Macjgadf.exe
   Command line: C:\Windows\system32\Macjgadf.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 2300

10. C:\Windows\SysWOW64\Njalacon.exe
    Command line: C:\Windows\system32\Njalacon.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2608

11. C:\Windows\SysWOW64\Nqmqcmdh.exe
    Command line: C:\Windows\system32\Nqmqcmdh.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2972

12. C:\Windows\SysWOW64\Nbqjqehd.exe
    Command line: C:\Windows\system32\Nbqjqehd.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 572

13. C:\Windows\SysWOW64\Ofobgc32.exe
    Command line: C:\Windows\system32\Ofobgc32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1572

14. C:\Windows\SysWOW64\Oiokholk.exe
    Command line: C:\Windows\system32\Oiokholk.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2428

15. C:\Windows\SysWOW64\Onoqfehp.exe
    Command line: C:\Windows\system32\Onoqfehp.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2128

16. C:\Windows\SysWOW64\Ojeakfnd.exe
    Command line: C:\Windows\system32\Ojeakfnd.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2396

17. C:\Windows\SysWOW64\Pcnfdl32.exe
    Command line: C:\Windows\system32\Pcnfdl32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1384

18. C:\Windows\SysWOW64\Pimkbbpi.exe
    Command line: C:\Windows\system32\Pimkbbpi.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 316

19. C:\Windows\SysWOW64\Pjlgle32.exe
    Command line: C:\Windows\system32\Pjlgle32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 600

20. C:\Windows\SysWOW64\Pfchqf32.exe
    Command line: C:\Windows\system32\Pfchqf32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1772

21. C:\Windows\SysWOW64\Pidaba32.exe
    Command line: C:\Windows\system32\Pidaba32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1688

22. C:\Windows\SysWOW64\Qblfkgqb.exe
    Command line: C:\Windows\system32\Qblfkgqb.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 2132

23. C:\Windows\SysWOW64\Qbobaf32.exe
    Command line: C:\Windows\system32\Qbobaf32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 112

24. C:\Windows\SysWOW64\Qhkkim32.exe
    Command line: C:\Windows\system32\Qhkkim32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2536

25. C:\Windows\SysWOW64\Aadobccg.exe
    Command line: C:\Windows\system32\Aadobccg.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1004

26. C:\Windows\SysWOW64\Afcdpi32.exe
    Command line: C:\Windows\system32\Afcdpi32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2420

27. C:\Windows\SysWOW64\Aahimb32.exe
    Command line: C:\Windows\system32\Aahimb32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 1940

28. C:\Windows\SysWOW64\Aicmadmm.exe
    Command line: C:\Windows\system32\Aicmadmm.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 2752

29. C:\Windows\SysWOW64\Aejnfe32.exe
    Command line: C:\Windows\system32\Aejnfe32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID: 2776

30. C:\Windows\SysWOW64\Abnopj32.exe
    Command line: C:\Windows\system32\Abnopj32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2812

31. C:\Windows\SysWOW64\Beogaenl.exe
    Command line: C:\Windows\system32\Beogaenl.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1784

32. C:\Windows\SysWOW64\Bceeqi32.exe
    Command line: C:\Windows\system32\Bceeqi32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID: 2684

33. C:\Windows\SysWOW64\Bkqiek32.exe
    Command line: C:\Windows\system32\Bkqiek32.exe
    - Executes dropped EXE
    PID: 2668

34. C:\Windows\SysWOW64\Bakaaepk.exe
    Command line: C:\Windows\system32\Bakaaepk.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2660

35. C:\Windows\SysWOW64\Camnge32.exe
    Command line: C:\Windows\system32\Camnge32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 516

36. C:\Windows\SysWOW64\Cglcek32.exe
    Command line: C:\Windows\system32\Cglcek32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 2148

37. C:\Windows\SysWOW64\Cgnpjkhj.exe
    Command line: C:\Windows\system32\Cgnpjkhj.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 2936

38. C:\Windows\SysWOW64\Dglpdomh.exe
    Command line: C:\Windows\system32\Dglpdomh.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 1968

39. C:\Windows\SysWOW64\Dqfabdaf.exe
    Command line: C:\Windows\system32\Dqfabdaf.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 1632

40. C:\Windows\SysWOW64\Dklepmal.exe
    Command line: C:\Windows\system32\Dklepmal.exe
    - Executes dropped EXE
    PID: 1608

41. C:\Windows\SysWOW64\Empomd32.exe
    Command line: C:\Windows\system32\Empomd32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1780

42. C:\Windows\SysWOW64\Egebjmdn.exe
    Command line: C:\Windows\system32\Egebjmdn.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2364

43. C:\Windows\SysWOW64\Efjpkj32.exe
    Command line: C:\Windows\system32\Efjpkj32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2452

44. C:\Windows\SysWOW64\Epcddopf.exe
    Command line: C:\Windows\system32\Epcddopf.exe
    - Executes dropped EXE
    PID: 1844

45. C:\Windows\SysWOW64\Eebibf32.exe
    Command line: C:\Windows\system32\Eebibf32.exe
    - Executes dropped EXE
    PID: 972

46. C:\Windows\SysWOW64\Fakglf32.exe
    Command line: C:\Windows\system32\Fakglf32.exe
    - Executes dropped EXE
    PID: 2460

47. C:\Windows\SysWOW64\Fjckelfm.exe
    Command line: C:\Windows\system32\Fjckelfm.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 1984

48. C:\Windows\SysWOW64\Fhglop32.exe
    Command line: C:\Windows\system32\Fhglop32.exe
    - Executes dropped EXE
    PID: 1788

49. C:\Windows\SysWOW64\Fpbqcb32.exe
    Command line: C:\Windows\system32\Fpbqcb32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2584

50. C:\Windows\SysWOW64\Fabmmejd.exe
    Command line: C:\Windows\system32\Fabmmejd.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 3000

51. C:\Windows\SysWOW64\Gjjafkpe.exe
    Command line: C:\Windows\system32\Gjjafkpe.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID: 2248

52. C:\Windows\SysWOW64\Gdcfoq32.exe
    Command line: C:\Windows\system32\Gdcfoq32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2824

53. C:\Windows\SysWOW64\Gmkjgfmf.exe
    Command line: C:\Windows\system32\Gmkjgfmf.exe
    - Executes dropped EXE
    PID: 2628

54. C:\Windows\SysWOW64\Gibkmgcj.exe
    Command line: C:\Windows\system32\Gibkmgcj.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2644

55. C:\Windows\SysWOW64\Gbjpem32.exe
    Command line: C:\Windows\system32\Gbjpem32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2696

56. C:\Windows\SysWOW64\Glbdnbpk.exe
    Command line: C:\Windows\system32\Glbdnbpk.exe
    - Executes dropped EXE
    PID: 428

57. C:\Windows\SysWOW64\Gdnibdmf.exe
    Command line: C:\Windows\system32\Gdnibdmf.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 2124

58. C:\Windows\SysWOW64\Gkhaooec.exe
    Command line: C:\Windows\system32\Gkhaooec.exe
    - Executes dropped EXE
    PID: 2004

59. C:\Windows\SysWOW64\Habili32.exe
    Command line: C:\Windows\system32\Habili32.exe
    - Executes dropped EXE
    PID: 2964

60. C:\Windows\SysWOW64\Hmijajbd.exe
    Command line: C:\Windows\system32\Hmijajbd.exe
    - Executes dropped EXE
    PID: 2576

61. C:\Windows\SysWOW64\Hhnnnbaj.exe
    Command line: C:\Windows\system32\Hhnnnbaj.exe
    - Executes dropped EXE
    PID: 1956

62. C:\Windows\SysWOW64\Hafbghhj.exe
    Command line: C:\Windows\system32\Hafbghhj.exe
    - Executes dropped EXE
    PID: 2368

63. C:\Windows\SysWOW64\Hkogpn32.exe
    Command line: C:\Windows\system32\Hkogpn32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2284

64. C:\Windows\SysWOW64\Hplphd32.exe
    Command line: C:\Windows\system32\Hplphd32.exe
    - Executes dropped EXE
    PID: 1676

65. C:\Windows\SysWOW64\Hehhqk32.exe
    Command line: C:\Windows\system32\Hehhqk32.exe
    - Executes dropped EXE
    PID: 2012

66. C:\Windows\SysWOW64\Hoalia32.exe
    Command line: C:\Windows\system32\Hoalia32.exe
    PID: 2308

67. C:\Windows\SysWOW64\Ipqicdim.exe
    Command line: C:\Windows\system32\Ipqicdim.exe
    - Drops file in System32 directory
    - Modifies registry class
    PID: 1972

68. C:\Windows\SysWOW64\Iemalkgd.exe
    Command line: C:\Windows\system32\Iemalkgd.exe
    PID: 1108

69. C:\Windows\SysWOW64\Ioefdpne.exe
    Command line: C:\Windows\system32\Ioefdpne.exe
    - Modifies registry class
    PID: 1320

70. C:\Windows\SysWOW64\Ihnjmf32.exe
    Command line: C:\Windows\system32\Ihnjmf32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 1724

71. C:\Windows\SysWOW64\Iohbjpkb.exe
    Command line: C:\Windows\system32\Iohbjpkb.exe
    - Modifies registry class
    PID: 2820

72. C:\Windows\SysWOW64\Ihpgce32.exe
    Command line: C:\Windows\system32\Ihpgce32.exe
    - System Location Discovery: System Language Discovery
    PID: 1544

73. C:\Windows\SysWOW64\Iqllghon.exe
    Command line: C:\Windows\system32\Iqllghon.exe
    PID: 2900

74. C:\Windows\SysWOW64\Igeddb32.exe
    Command line: C:\Windows\system32\Igeddb32.exe
    - Drops file in System32 directory
    - Modifies registry class
    PID: 2372

75. C:\Windows\SysWOW64\Jdidmf32.exe
    Command line: C:\Windows\system32\Jdidmf32.exe
    PID: 1820

76. C:\Windows\SysWOW64\Jdlacfca.exe
    Command line: C:\Windows\system32\Jdlacfca.exe
    - Drops file in System32 directory
    - Modifies registry class
    PID: 2304

77. C:\Windows\SysWOW64\Jndflk32.exe
    Command line: C:\Windows\system32\Jndflk32.exe
    - Modifies registry class
    PID: 2188

78. C:\Windows\SysWOW64\Jgmjdaqb.exe
    Command line: C:\Windows\system32\Jgmjdaqb.exe
    PID: 1868

79. C:\Windows\SysWOW64\Johoic32.exe
    Command line: C:\Windows\system32\Johoic32.exe
    PID: 940

80. C:\Windows\SysWOW64\Jjmcfl32.exe
    Command line: C:\Windows\system32\Jjmcfl32.exe
    PID: 2160

81. C:\Windows\SysWOW64\Jbhhkn32.exe
    Command line: C:\Windows\system32\Jbhhkn32.exe
    - System Location Discovery: System Language Discovery
    PID: 2260

82. C:\Windows\SysWOW64\Kmnlhg32.exe
    Command line: C:\Windows\system32\Kmnlhg32.exe
    PID: 2504

83. C:\Windows\SysWOW64\Kiemmh32.exe
    Command line: C:\Windows\system32\Kiemmh32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 1332

84. C:\Windows\SysWOW64\Kbmafngi.exe
    Command line: C:\Windows\system32\Kbmafngi.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - System Location Discovery: System Language Discovery
    PID: 360

85. C:\Windows\SysWOW64\Kabngjla.exe
    Command line: C:\Windows\system32\Kabngjla.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 1316

86. C:\Windows\SysWOW64\Kglfcd32.exe
    Command line: C:\Windows\system32\Kglfcd32.exe
    - Drops file in System32 directory
    - Modifies registry class
    PID: 1040

87. C:\Windows\SysWOW64\Kmiolk32.exe
    Command line: C:\Windows\system32\Kmiolk32.exe
    PID: 2908

88. C:\Windows\SysWOW64\Kgocid32.exe
    Command line: C:\Windows\system32\Kgocid32.exe
    - Drops file in System32 directory
    PID: 2656

89. C:\Windows\SysWOW64\Kmklak32.exe
    Command line: C:\Windows\system32\Kmklak32.exe
    PID: 2652

90. C:\Windows\SysWOW64\Lcedne32.exe
    Command line: C:\Windows\system32\Lcedne32.exe
    - Modifies registry class
    PID: 2600

91. C:\Windows\SysWOW64\Liblfl32.exe
    Command line: C:\Windows\system32\Liblfl32.exe
    PID: 3024

92. C:\Windows\SysWOW64\Lchqcd32.exe
    Command line: C:\Windows\system32\Lchqcd32.exe
    PID: 1052

93. C:\Windows\SysWOW64\Lmpeljkm.exe
    Command line: C:\Windows\system32\Lmpeljkm.exe
    PID: 2796

94. C:\Windows\SysWOW64\Lbmnea32.exe
    Command line: C:\Windows\system32\Lbmnea32.exe
    - System Location Discovery: System Language Discovery
    PID: 580

95. C:\Windows\SysWOW64\Lbojjq32.exe
    Command line: C:\Windows\system32\Lbojjq32.exe
    PID: 2144

96. C:\Windows\SysWOW64\Lhlbbg32.exe
    Command line: C:\Windows\system32\Lhlbbg32.exe
    - Drops file in System32 directory
    - Modifies registry class
    PID: 768

97. C:\Windows\SysWOW64\Lepclldc.exe
    Command line: C:\Windows\system32\Lepclldc.exe
    - Modifies registry class
    PID: 1980

98. C:\Windows\SysWOW64\Mgkbjb32.exe
    Command line: C:\Windows\system32\Mgkbjb32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - System Location Discovery: System Language Discovery
    PID: 3056

99. C:\Windows\SysWOW64\Mcacochk.exe
    Command line: C:\Windows\system32\Mcacochk.exe
    PID: 1044

100. C:\Windows\SysWOW64\Nikkkn32.exe
     Command line: C:\Windows\system32\Nikkkn32.exe
     PID: 2768

101. C:\Windows\SysWOW64\Naimepkp.exe
     Command line: C:\Windows\system32\Naimepkp.exe
     PID: 772

102. C:\Windows\SysWOW64\Nloachkf.exe
     Command line: C:\Windows\system32\Nloachkf.exe
     - Drops file in System32 directory
     - Modifies registry class
     PID: 2732

103. C:\Windows\SysWOW64\Negeln32.exe
     Command line: C:\Windows\system32\Negeln32.exe
     PID: 2616

104. C:\Windows\SysWOW64\Nlanhh32.exe
     Command line: C:\Windows\system32\Nlanhh32.exe
     - Drops file in System32 directory
     - Modifies registry class
     PID: 2276

105. C:\Windows\SysWOW64\Neibanod.exe
     Command line: C:\Windows\system32\Neibanod.exe
     PID: 2000

106. C:\Windows\SysWOW64\Nkfkidmk.exe
     Command line: C:\Windows\system32\Nkfkidmk.exe
     PID: 2948

107. C:\Windows\SysWOW64\Ohjkcile.exe
     Command line: C:\Windows\system32\Ohjkcile.exe
     PID: 1744

108. C:\Windows\SysWOW64\Oabplobe.exe
     Command line: C:\Windows\system32\Oabplobe.exe
     - Modifies registry class
     PID: 2244

109. C:\Windows\SysWOW64\Occlcg32.exe
     Command line: C:\Windows\system32\Occlcg32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     PID: 2580

110. C:\Windows\SysWOW64\Oqgmmk32.exe
     Command line: C:\Windows\system32\Oqgmmk32.exe
     PID: 1288

111. C:\Windows\SysWOW64\Ofdeeb32.exe
     Command line: C:\Windows\system32\Ofdeeb32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     PID: 1588

112. C:\Windows\SysWOW64\Omnmal32.exe
     Command line: C:\Windows\system32\Omnmal32.exe
     PID: 2220

113. C:\Windows\SysWOW64\Ochenfdn.exe
     Command line: C:\Windows\system32\Ochenfdn.exe
     PID: 2724

114. C:\Windows\SysWOW64\Omqjgl32.exe
     Command line: C:\Windows\system32\Omqjgl32.exe
     - System Location Discovery: System Language Discovery
     - Modifies registry class
     PID: 2864

115. C:\Windows\SysWOW64\Ockbdebl.exe
     Command line: C:\Windows\system32\Ockbdebl.exe
     - Drops file in System32 directory
     - System Location Discovery: System Language Discovery
     PID: 964

116. C:\Windows\SysWOW64\Pigklmqc.exe
     Command line: C:\Windows\system32\Pigklmqc.exe
     PID: 2320

117. C:\Windows\SysWOW64\Pfkkeq32.exe
     Command line: C:\Windows\system32\Pfkkeq32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     PID: 2904

118. C:\Windows\SysWOW64\Podpoffm.exe
     Command line: C:\Windows\system32\Podpoffm.exe
     PID: 2480

119. C:\Windows\SysWOW64\Peqhgmdd.exe
     Command line: C:\Windows\system32\Peqhgmdd.exe
     - System Location Discovery: System Language Discovery
     PID: 1616

120. C:\Windows\SysWOW64\Pnimpcke.exe
     Command line: C:\Windows\system32\Pnimpcke.exe
     - System Location Discovery: System Language Discovery
     PID: 1680

121. C:\Windows\SysWOW64\Pioamlkk.exe
     Command line: C:\Windows\system32\Pioamlkk.exe
     PID: 556

122. C:\Windows\SysWOW64\Pjpmdd32.exe
     Command line: C:\Windows\system32\Pjpmdd32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     PID: 2228