Analysis
- max time kernel: 16s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 27-11-2024 11:57
Behavioral task: behavioral1
- Sample: 9fe3edfc64cdad4d27a526b2da1846e64c5dc5f39e3139c76539503e288cfc49.exe
- Resource: win7-20240729-en
General
- Target: 9fe3edfc64cdad4d27a526b2da1846e64c5dc5f39e3139c76539503e288cfc49.exe
- Size: 93KB
- MD5: be9b38e04bc1929c0a44edbfaa25b22b
- SHA1: c422816f7086a311050dccda2ef91ee35eb11c7f
- SHA256: 9fe3edfc64cdad4d27a526b2da1846e64c5dc5f39e3139c76539503e288cfc49
- SHA512: a0254de30e8905bfc6c21dd6c3e110d649c7c847828916bc1fc694115a03b77c251e67b95bc594405001b3a42145bcd7f91a8c5320252b93c2d1fdcf75aca618
- SSDEEP: 1536:Wf60i/oIBYaJghNqQfs6j3X2OZdBFpt59hlJNeCGq7E1DaYfMZRWuLsV+1j:Wf6dhpSfVhEgYfc0DV+1j
Malware Config
- Extracted: berbew
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Berbew family
- Njrat family
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  Process: WerFault.exe, pid 5016, pid_target 4944, procid_target 428
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
- Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pegnglnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckiiiine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnlnpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqhdfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmndfnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpakm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbgefa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfkgdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfgjcq32.dll" Aalofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbglqg32.dll" Pioamlkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagocg32.dll" Emjjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iecdji32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jngkdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnkbdan.dll" Jnjhjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mddibb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heknhioh.dll" Ngencpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmlbaqfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbnenk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fe3edfc64cdad4d27a526b2da1846e64c5dc5f39e3139c76539503e288cfc49.exe"C:\Users\Admin\AppData\Local\Temp\9fe3edfc64cdad4d27a526b2da1846e64c5dc5f39e3139c76539503e288cfc49.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Kepgmh32.exeC:\Windows\system32\Kepgmh32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Kccgheib.exeC:\Windows\system32\Kccgheib.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Kmklak32.exeC:\Windows\system32\Kmklak32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Lfdpjp32.exeC:\Windows\system32\Lfdpjp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Liblfl32.exeC:\Windows\system32\Liblfl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Lffmpp32.exeC:\Windows\system32\Lffmpp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Lidilk32.exeC:\Windows\system32\Lidilk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Ldjmidcj.exeC:\Windows\system32\Ldjmidcj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Lfhiepbn.exeC:\Windows\system32\Lfhiepbn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Lfkfkopk.exeC:\Windows\system32\Lfkfkopk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Lbagpp32.exeC:\Windows\system32\Lbagpp32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Lepclldc.exeC:\Windows\system32\Lepclldc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Lhoohgdg.exeC:\Windows\system32\Lhoohgdg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Mbdcepcm.exeC:\Windows\system32\Mbdcepcm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Mdepmh32.exeC:\Windows\system32\Mdepmh32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Mkohjbah.exeC:\Windows\system32\Mkohjbah.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1400 -
C:\Windows\SysWOW64\Mmndfnpl.exeC:\Windows\system32\Mmndfnpl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Mgfiocfl.exeC:\Windows\system32\Mgfiocfl.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Mmpakm32.exeC:\Windows\system32\Mmpakm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Mpnngi32.exeC:\Windows\system32\Mpnngi32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Mheeif32.exeC:\Windows\system32\Mheeif32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Migbpocm.exeC:\Windows\system32\Migbpocm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Mmbnam32.exeC:\Windows\system32\Mmbnam32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Mgkbjb32.exeC:\Windows\system32\Mgkbjb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Mkfojakp.exeC:\Windows\system32\Mkfojakp.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Mpcgbhig.exeC:\Windows\system32\Mpcgbhig.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Mcacochk.exeC:\Windows\system32\Mcacochk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Nohddd32.exeC:\Windows\system32\Nohddd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Ncdpdcfh.exeC:\Windows\system32\Ncdpdcfh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Nlldmimi.exeC:\Windows\system32\Nlldmimi.exe33⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Nphpng32.exeC:\Windows\system32\Nphpng32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Nedifo32.exeC:\Windows\system32\Nedifo32.exe35⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Nhcebj32.exeC:\Windows\system32\Nhcebj32.exe36⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Nloachkf.exeC:\Windows\system32\Nloachkf.exe37⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Nkaane32.exeC:\Windows\system32\Nkaane32.exe38⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Ndjfgkha.exeC:\Windows\system32\Ndjfgkha.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Windows\SysWOW64\Nkdndeon.exeC:\Windows\system32\Nkdndeon.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Nhhominh.exeC:\Windows\system32\Nhhominh.exe41⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Nkfkidmk.exeC:\Windows\system32\Nkfkidmk.exe42⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Opccallb.exeC:\Windows\system32\Opccallb.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Ohjkcile.exeC:\Windows\system32\Ohjkcile.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Ogmkne32.exeC:\Windows\system32\Ogmkne32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Oabplobe.exeC:\Windows\system32\Oabplobe.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Oqepgk32.exeC:\Windows\system32\Oqepgk32.exe47⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Occlcg32.exeC:\Windows\system32\Occlcg32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Onipqp32.exeC:\Windows\system32\Onipqp32.exe49⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Ollqllod.exeC:\Windows\system32\Ollqllod.exe50⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Ocfiif32.exeC:\Windows\system32\Ocfiif32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Ofdeeb32.exeC:\Windows\system32\Ofdeeb32.exe52⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Ojpaeq32.exeC:\Windows\system32\Ojpaeq32.exe53⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Omnmal32.exeC:\Windows\system32\Omnmal32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Oqjibkek.exeC:\Windows\system32\Oqjibkek.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Ochenfdn.exeC:\Windows\system32\Ochenfdn.exe56⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Ofgbkacb.exeC:\Windows\system32\Ofgbkacb.exe57⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Ohengmcf.exeC:\Windows\system32\Ohengmcf.exe58⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe59⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Ockbdebl.exeC:\Windows\system32\Ockbdebl.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Ofiopaap.exeC:\Windows\system32\Ofiopaap.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Windows\SysWOW64\Ojdjqp32.exeC:\Windows\system32\Ojdjqp32.exe62⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Pmcgmkil.exeC:\Windows\system32\Pmcgmkil.exe63⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Poacighp.exeC:\Windows\system32\Poacighp.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\Pcmoie32.exeC:\Windows\system32\Pcmoie32.exe65⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Pdnkanfg.exeC:\Windows\system32\Pdnkanfg.exe66⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Pijgbl32.exeC:\Windows\system32\Pijgbl32.exe67⤵PID:540
-
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Pnfpjc32.exeC:\Windows\system32\Pnfpjc32.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe70⤵PID:1088
-
C:\Windows\SysWOW64\Peqhgmdd.exeC:\Windows\system32\Peqhgmdd.exe71⤵PID:2316
-
C:\Windows\SysWOW64\Pkjqcg32.exeC:\Windows\system32\Pkjqcg32.exe72⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Pnimpcke.exeC:\Windows\system32\Pnimpcke.exe73⤵PID:2224
-
C:\Windows\SysWOW64\Pecelm32.exeC:\Windows\system32\Pecelm32.exe74⤵PID:2724
-
C:\Windows\SysWOW64\Pioamlkk.exeC:\Windows\system32\Pioamlkk.exe75⤵
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Pkmmigjo.exeC:\Windows\system32\Pkmmigjo.exe76⤵PID:1100
-
C:\Windows\SysWOW64\Pjpmdd32.exeC:\Windows\system32\Pjpmdd32.exe77⤵PID:2028
-
C:\Windows\SysWOW64\Pbgefa32.exeC:\Windows\system32\Pbgefa32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Pajeanhf.exeC:\Windows\system32\Pajeanhf.exe79⤵PID:2032
-
C:\Windows\SysWOW64\Pchbmigj.exeC:\Windows\system32\Pchbmigj.exe80⤵PID:1276
-
C:\Windows\SysWOW64\Pkojoghl.exeC:\Windows\system32\Pkojoghl.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Pnnfkb32.exeC:\Windows\system32\Pnnfkb32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\Pmqffonj.exeC:\Windows\system32\Pmqffonj.exe83⤵PID:3020
-
C:\Windows\SysWOW64\Pegnglnm.exeC:\Windows\system32\Pegnglnm.exe84⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Qgfkchmp.exeC:\Windows\system32\Qgfkchmp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:756 -
C:\Windows\SysWOW64\Qjdgpcmd.exeC:\Windows\system32\Qjdgpcmd.exe86⤵
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\Qmcclolh.exeC:\Windows\system32\Qmcclolh.exe87⤵PID:1264
-
C:\Windows\SysWOW64\Qpaohjkk.exeC:\Windows\system32\Qpaohjkk.exe88⤵PID:3008
-
C:\Windows\SysWOW64\Qcmkhi32.exeC:\Windows\system32\Qcmkhi32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1760 -
C:\Windows\SysWOW64\Qfkgdd32.exeC:\Windows\system32\Qfkgdd32.exe90⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Qijdqp32.exeC:\Windows\system32\Qijdqp32.exe91⤵PID:2448
-
C:\Windows\SysWOW64\Qaqlbmbn.exeC:\Windows\system32\Qaqlbmbn.exe92⤵PID:864
-
C:\Windows\SysWOW64\Abbhje32.exeC:\Windows\system32\Abbhje32.exe93⤵PID:2064
-
C:\Windows\SysWOW64\Afndjdpe.exeC:\Windows\system32\Afndjdpe.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Ailqfooi.exeC:\Windows\system32\Ailqfooi.exe95⤵
- System Location Discovery: System Language Discovery
PID:1220 -
C:\Windows\SysWOW64\Aljmbknm.exeC:\Windows\system32\Aljmbknm.exe96⤵
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Acadchoo.exeC:\Windows\system32\Acadchoo.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2196 -
C:\Windows\SysWOW64\Afpapcnc.exeC:\Windows\system32\Afpapcnc.exe98⤵PID:2880
-
C:\Windows\SysWOW64\Ainmlomf.exeC:\Windows\system32\Ainmlomf.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
C:\Windows\SysWOW64\Amjiln32.exeC:\Windows\system32\Amjiln32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Ankedf32.exeC:\Windows\system32\Ankedf32.exe101⤵PID:2328
-
C:\Windows\SysWOW64\Abgaeddg.exeC:\Windows\system32\Abgaeddg.exe102⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Aeenapck.exeC:\Windows\system32\Aeenapck.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Alofnj32.exeC:\Windows\system32\Alofnj32.exe104⤵PID:2440
-
C:\Windows\SysWOW64\Anmbje32.exeC:\Windows\system32\Anmbje32.exe105⤵
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Aalofa32.exeC:\Windows\system32\Aalofa32.exe106⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Aegkfpah.exeC:\Windows\system32\Aegkfpah.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Ahfgbkpl.exeC:\Windows\system32\Ahfgbkpl.exe108⤵PID:2820
-
C:\Windows\SysWOW64\Anpooe32.exeC:\Windows\system32\Anpooe32.exe109⤵PID:2916
-
C:\Windows\SysWOW64\Abkkpd32.exeC:\Windows\system32\Abkkpd32.exe110⤵
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Aejglo32.exeC:\Windows\system32\Aejglo32.exe111⤵PID:1804
-
C:\Windows\SysWOW64\Ahhchk32.exeC:\Windows\system32\Ahhchk32.exe112⤵PID:2340
-
C:\Windows\SysWOW64\Bjfpdf32.exeC:\Windows\system32\Bjfpdf32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Bmelpa32.exeC:\Windows\system32\Bmelpa32.exe114⤵
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Baqhapdj.exeC:\Windows\system32\Baqhapdj.exe115⤵PID:2732
-
C:\Windows\SysWOW64\Bdodmlcm.exeC:\Windows\system32\Bdodmlcm.exe116⤵PID:2492
-
C:\Windows\SysWOW64\Bjiljf32.exeC:\Windows\system32\Bjiljf32.exe117⤵
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Bmgifa32.exeC:\Windows\system32\Bmgifa32.exe118⤵PID:2056
-
C:\Windows\SysWOW64\Bpfebmia.exeC:\Windows\system32\Bpfebmia.exe119⤵PID:2484
-
C:\Windows\SysWOW64\Bdaabk32.exeC:\Windows\system32\Bdaabk32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Bkkioeig.exeC:\Windows\system32\Bkkioeig.exe121⤵PID:2396
-
C:\Windows\SysWOW64\Bmjekahk.exeC:\Windows\system32\Bmjekahk.exe122⤵PID:984