Analysis
- max time kernel: 41s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10-11-2024 00:53
Static task: static1
Behavioral task: behavioral1
- Sample: 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe
- Resource: win10v2004-20241007-en
General
- Target: 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe
- Size: 93KB
- MD5: ccbdae47bee0cf4825bdf28244e1b980
- SHA1: f3d0892a63447a67c19e6f02ca4e86af1f96bf54
- SHA256: 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0
- SHA512: 4d0fe17084cabd42e0f1257e115af591362eb497cd0c23cab148a836105590751542861787aea99d5901b33ee518dfa49c2218979ede791e4c6b641caf310838
- SSDEEP: 1536:+3rvZUmN3myAX8oKL6LXxYwxB7SaDMjTZjiwg58:8GDzcwnPotY58
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Afpapcnc.exe, Kkciic32.exe, Lhoohgdg.exe, Gjjafkpe.exe, Pioamlkk.exe, Efoifiep.exe, Fakglf32.exe, Qcmkhi32.exe, Abinjdad.exe, Anpooe32.exe, Cgbfcjag.exe, Hememgdi.exe, Nkdndeon.exe, Opccallb.exe, Qfikod32.exe, Aankkqfl.exe, Bfpmog32.exe, Kgjjndeq.exe, Kenjgi32.exe, Mkaeob32.exe, Mpqjmh32.exe, Nchipb32.exe, Clfhml32.exe, Ijimli32.exe, Ioefdpne.exe, Ccpqjfnh.exe, Ghghnc32.exe, Kepgmh32.exe, Negeln32.exe, Pbpoebgc.exe, Amglgn32.exe, Hekefkig.exe, Ihnjmf32.exe, Kbmafngi.exe, Gekhgh32.exe, Hgfheodo.exe, Fappgflg.exe, Jcfgoadd.exe, Odqlhjbi.exe, Ebappk32.exe, Einebddd.exe, Oqgmmk32.exe, Iaaekl32.exe, Lhapocoi.exe, Pgcnnh32.exe, Oabplobe.exe, Ihiabfhk.exe, Mpnngi32.exe, Mmbnam32.exe, Pkjqcg32.exe, Pjbjjc32.exe, Bphaglgo.exe, Fmfalg32.exe, Fabmmejd.exe, Mkfojakp.exe, Poacighp.exe, Pfkkeq32.exe, Bodhjdcc.exe, Feipbefb.exe, Hkmjjn32.exe, Fhbbcail.exe, Apclnj32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afpapcnc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkciic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lhoohgdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gjjafkpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pioamlkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Efoifiep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fakglf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qcmkhi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abinjdad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Anpooe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cgbfcjag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hememgdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkdndeon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Opccallb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qfikod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aankkqfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bfpmog32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgjjndeq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kenjgi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkaeob32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpqjmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nchipb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clfhml32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgbfcjag.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijimli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ioefdpne.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccpqjfnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ghghnc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kepgmh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Negeln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pbpoebgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Amglgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hekefkig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ihnjmf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbmafngi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gekhgh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgfheodo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fappgflg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcfgoadd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odqlhjbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ebappk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Einebddd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oqgmmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iaaekl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhapocoi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgcnnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fappgflg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oabplobe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ihiabfhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mpnngi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmbnam32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkjqcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pjbjjc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bphaglgo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmfalg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fabmmejd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mkfojakp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Poacighp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfkkeq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bodhjdcc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Feipbefb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkmjjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fhbbcail.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apclnj32.exe

Berbew family
Executes dropped EXE (64 IoCs)
Processes: Bnofaf32.exe, Cnabffeo.exe, Cppobaeb.exe, Cgjgol32.exe, Caokmd32.exe, Ccqhdmbc.exe, Cjjpag32.exe, Cdpdnpif.exe, Cgnpjkhj.exe, Cpgecq32.exe, Cgqmpkfg.exe, Chbihc32.exe, Cpiaipmh.exe, Cffjagko.exe, Dhdfmbjc.exe, Dcjjkkji.exe, Dfhgggim.exe, Dkeoongd.exe, Dnckki32.exe, Dfkclf32.exe, Dglpdomh.exe, Dqddmd32.exe, Dhklna32.exe, Dcemnopj.exe, Djoeki32.exe, Dmmbge32.exe, Egcfdn32.exe, Eqkjmcmq.exe, Embkbdce.exe, Epqgopbi.exe, Eiilge32.exe, Ebappk32.exe, Emgdmc32.exe, Efoifiep.exe, Einebddd.exe, Fllaopcg.exe, Faijggao.exe, Fhbbcail.exe, Fnmjpk32.exe, Fbhfajia.exe, Fakglf32.exe, Fnogfk32.exe, Feipbefb.exe, Ffjljmla.exe, Fnadkjlc.exe, Fappgflg.exe, Fdnlcakk.exe, Ffmipmjn.exe, Fmfalg32.exe, Fabmmejd.exe, Gbcien32.exe, Gjjafkpe.exe, Gminbfoh.exe, Gllnnc32.exe, Gbffjmmp.exe, Gfabkl32.exe, Gipngg32.exe, Glnkcc32.exe, Gpjfcali.exe, Gbhcpmkm.exe, Gibkmgcj.exe, Glpgibbn.exe, Goocenaa.exe, Gampaipe.exe
pid | process
2752 | Bnofaf32.exe
2844 | Cnabffeo.exe
2704 | Cppobaeb.exe
2556 | Cgjgol32.exe
3056 | Caokmd32.exe
1948 | Ccqhdmbc.exe
804 | Cjjpag32.exe
2104 | Cdpdnpif.exe
2788 | Cgnpjkhj.exe
2716 | Cpgecq32.exe
2816 | Cgqmpkfg.exe
2304 | Chbihc32.exe
1476 | Cpiaipmh.exe
2140 | Cffjagko.exe
2480 | Dhdfmbjc.exe
1240 | Dcjjkkji.exe
1512 | Dfhgggim.exe
832 | Dkeoongd.exe
2472 | Dnckki32.exe
1848 | Dfkclf32.exe
268 | Dglpdomh.exe
1296 | Dqddmd32.exe
1468 | Dhklna32.exe
336 | Dcemnopj.exe
1040 | Djoeki32.exe
2800 | Dmmbge32.exe
2544 | Egcfdn32.exe
2728 | Eqkjmcmq.exe
528 | Embkbdce.exe
408 | Epqgopbi.exe
2860 | Eiilge32.exe
2320 | Ebappk32.exe
2580 | Emgdmc32.exe
2944 | Efoifiep.exe
2820 | Einebddd.exe
1148 | Fllaopcg.exe
984 | Faijggao.exe
2100 | Fhbbcail.exe
1280 | Fnmjpk32.exe
2440 | Fbhfajia.exe
1484 | Fakglf32.exe
856 | Fnogfk32.exe
1352 | Feipbefb.exe
1672 | Ffjljmla.exe
2008 | Fnadkjlc.exe
300 | Fappgflg.exe
2412 | Fdnlcakk.exe
1904 | Ffmipmjn.exe
1576 | Fmfalg32.exe
2592 | Fabmmejd.exe
2080 | Gbcien32.exe
2020 | Gjjafkpe.exe
2640 | Gminbfoh.exe
2112 | Gllnnc32.exe
2940 | Gbffjmmp.exe
2408 | Gfabkl32.exe
2348 | Gipngg32.exe
1792 | Glnkcc32.exe
2188 | Gpjfcali.exe
2024 | Gbhcpmkm.exe
1092 | Gibkmgcj.exe
2452 | Glpgibbn.exe
1644 | Goocenaa.exe
1268 | Gampaipe.exe
Loads dropped DLL (64 IoCs)
Processes: 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe, Bnofaf32.exe, Cnabffeo.exe, Cppobaeb.exe, Cgjgol32.exe, Caokmd32.exe, Ccqhdmbc.exe, Cjjpag32.exe, Cdpdnpif.exe, Cgnpjkhj.exe, Cpgecq32.exe, Cgqmpkfg.exe, Chbihc32.exe, Cpiaipmh.exe, Cffjagko.exe, Dhdfmbjc.exe, Dcjjkkji.exe, Dfhgggim.exe, Dkeoongd.exe, Dnckki32.exe, Dfkclf32.exe, Dglpdomh.exe, Dqddmd32.exe, Dhklna32.exe, Dcemnopj.exe, Djoeki32.exe, Dmmbge32.exe, Egcfdn32.exe, Eqkjmcmq.exe, Embkbdce.exe, Epqgopbi.exe, Eiilge32.exe
pid | process
2172 | 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe
2172 | 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe
2752 | Bnofaf32.exe
2752 | Bnofaf32.exe
2844 | Cnabffeo.exe
2844 | Cnabffeo.exe
2704 | Cppobaeb.exe
2704 | Cppobaeb.exe
2556 | Cgjgol32.exe
2556 | Cgjgol32.exe
3056 | Caokmd32.exe
3056 | Caokmd32.exe
1948 | Ccqhdmbc.exe
1948 | Ccqhdmbc.exe
804 | Cjjpag32.exe
804 | Cjjpag32.exe
2104 | Cdpdnpif.exe
2104 | Cdpdnpif.exe
2788 | Cgnpjkhj.exe
2788 | Cgnpjkhj.exe
2716 | Cpgecq32.exe
2716 | Cpgecq32.exe
2816 | Cgqmpkfg.exe
2816 | Cgqmpkfg.exe
2304 | Chbihc32.exe
2304 | Chbihc32.exe
1476 | Cpiaipmh.exe
1476 | Cpiaipmh.exe
2140 | Cffjagko.exe
2140 | Cffjagko.exe
2480 | Dhdfmbjc.exe
2480 | Dhdfmbjc.exe
1240 | Dcjjkkji.exe
1240 | Dcjjkkji.exe
1512 | Dfhgggim.exe
1512 | Dfhgggim.exe
832 | Dkeoongd.exe
832 | Dkeoongd.exe
2472 | Dnckki32.exe
2472 | Dnckki32.exe
1848 | Dfkclf32.exe
1848 | Dfkclf32.exe
268 | Dglpdomh.exe
268 | Dglpdomh.exe
1296 | Dqddmd32.exe
1296 | Dqddmd32.exe
1468 | Dhklna32.exe
1468 | Dhklna32.exe
336 | Dcemnopj.exe
336 | Dcemnopj.exe
1040 | Djoeki32.exe
1040 | Djoeki32.exe
2800 | Dmmbge32.exe
2800 | Dmmbge32.exe
2544 | Egcfdn32.exe
2544 | Egcfdn32.exe
2728 | Eqkjmcmq.exe
2728 | Eqkjmcmq.exe
528 | Embkbdce.exe
528 | Embkbdce.exe
408 | Epqgopbi.exe
408 | Epqgopbi.exe
2860 | Eiilge32.exe
2860 | Eiilge32.exe
Drops file in System32 directory (64 IoCs)
Processes: Hpgfmeag.exe, Pdnkanfg.exe, Bfpmog32.exe, Cdpdnpif.exe, Oqlfhjch.exe, Anpooe32.exe, Lpckce32.exe, Pkjqcg32.exe, Acadchoo.exe, Gipngg32.exe, Inplqlng.exe, Jegdgj32.exe, Abinjdad.exe, Dcjjkkji.exe, Gampaipe.exe, Pbblkaea.exe, Bobleeef.exe, Clhecl32.exe, Kmnlhg32.exe, Kbpnkm32.exe, Pmecbkgj.exe, Mmbnam32.exe, Ndlbmk32.exe, Fnogfk32.exe, Lpoaheja.exe, Oabplobe.exe, Jcckibfg.exe, Nedifo32.exe, Ajdcofop.exe, Jkopndcb.exe, Kepgmh32.exe, Gbhcpmkm.exe, Hofjem32.exe, Hlbpme32.exe, Idghhf32.exe, Kmklak32.exe, Pchbmigj.exe, Cppobaeb.exe, Fdnlcakk.exe, Gidhbgag.exe, Ajipkb32.exe, Fllaopcg.exe, Fbhfajia.exe, Jcandb32.exe, Ciglaa32.exe, Einebddd.exe, Fabmmejd.exe, Mdoccg32.exe, Bbfnchfb.exe, Dhdfmbjc.exe, Epqgopbi.exe, Idekbgji.exe, Fmfalg32.exe, Ofdeeb32.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Hmomqm32.dll | Hpgfmeag.exe
File opened for modification | C:\Windows\SysWOW64\Pmecbkgj.exe | Pdnkanfg.exe
File created | C:\Windows\SysWOW64\Kgkpck32.dll | Pdnkanfg.exe
File opened for modification | C:\Windows\SysWOW64\Binikb32.exe | Bfpmog32.exe
File created | C:\Windows\SysWOW64\Ienjoljk.dll | Cdpdnpif.exe
File created | C:\Windows\SysWOW64\Ockbdebl.exe | Oqlfhjch.exe
File opened for modification | C:\Windows\SysWOW64\Aankkqfl.exe | Anpooe32.exe
File opened for modification | C:\Windows\SysWOW64\Lbagpp32.exe | Lpckce32.exe
File created | C:\Windows\SysWOW64\Ofmlooqi.dll | Pkjqcg32.exe
File created | C:\Windows\SysWOW64\Kljmfe32.dll | Acadchoo.exe
File opened for modification | C:\Windows\SysWOW64\Glnkcc32.exe | Gipngg32.exe
File opened for modification | C:\Windows\SysWOW64\Jqnhmgmk.exe | Inplqlng.exe
File created | C:\Windows\SysWOW64\Nomklqkm.dll | Jegdgj32.exe
File created | C:\Windows\SysWOW64\Aalofa32.exe | Abinjdad.exe
File opened for modification | C:\Windows\SysWOW64\Dfhgggim.exe | Dcjjkkji.exe
File opened for modification | C:\Windows\SysWOW64\Gidhbgag.exe | Gampaipe.exe
File created | C:\Windows\SysWOW64\Pphkcaig.dll | Pbblkaea.exe
File created | C:\Windows\SysWOW64\Anfdhfiq.dll | Bobleeef.exe
File created | C:\Windows\SysWOW64\Cofaog32.exe | Clhecl32.exe
File opened for modification | C:\Windows\SysWOW64\Knohpo32.exe | Kmnlhg32.exe
File created | C:\Windows\SysWOW64\Kenjgi32.exe | Kbpnkm32.exe
File created | C:\Windows\SysWOW64\Pjibmbqj.dll | Pmecbkgj.exe
File created | C:\Windows\SysWOW64\Binikb32.exe | Bfpmog32.exe
File created | C:\Windows\SysWOW64\Jlmock32.dll | Mmbnam32.exe
File created | C:\Windows\SysWOW64\Elnlcjph.dll | Clhecl32.exe
File created | C:\Windows\SysWOW64\Nkfkidmk.exe | Ndlbmk32.exe
File opened for modification | C:\Windows\SysWOW64\Feipbefb.exe | Fnogfk32.exe
File opened for modification | C:\Windows\SysWOW64\Ldjmidcj.exe | Lpoaheja.exe
File opened for modification | C:\Windows\SysWOW64\Odqlhjbi.exe | Oabplobe.exe
File created | C:\Windows\SysWOW64\Jjmcfl32.exe | Jcckibfg.exe
File created | C:\Windows\SysWOW64\Knohpo32.exe | Kmnlhg32.exe
File created | C:\Windows\SysWOW64\Lkkckf32.dll | Nedifo32.exe
File opened for modification | C:\Windows\SysWOW64\Anpooe32.exe | Ajdcofop.exe
File created | C:\Windows\SysWOW64\Jcfgoadd.exe | Jkopndcb.exe
File opened for modification | C:\Windows\SysWOW64\Kgocid32.exe | Kepgmh32.exe
File opened for modification | C:\Windows\SysWOW64\Gibkmgcj.exe | Gbhcpmkm.exe
File created | C:\Windows\SysWOW64\Afpapcnc.exe | Acadchoo.exe
File created | C:\Windows\SysWOW64\Hmijajbd.exe | Hofjem32.exe
File opened for modification | C:\Windows\SysWOW64\Hpnlndkp.exe | Hlbpme32.exe
File created | C:\Windows\SysWOW64\Idlmjnop.dll | Idghhf32.exe
File created | C:\Windows\SysWOW64\Lcedne32.exe | Kmklak32.exe
File created | C:\Windows\SysWOW64\Nckopjfk.dll | Pchbmigj.exe
File created | C:\Windows\SysWOW64\Cgjgol32.exe | Cppobaeb.exe
File created | C:\Windows\SysWOW64\Gidhbgag.exe | Gampaipe.exe
File created | C:\Windows\SysWOW64\Ibafjo32.dll | Fdnlcakk.exe
File created | C:\Windows\SysWOW64\Qojagi32.dll | Gidhbgag.exe
File created | C:\Windows\SysWOW64\Dbidpo32.dll | Ajipkb32.exe
File opened for modification | C:\Windows\SysWOW64\Faijggao.exe | Fllaopcg.exe
File opened for modification | C:\Windows\SysWOW64\Fakglf32.exe | Fbhfajia.exe
File opened for modification | C:\Windows\SysWOW64\Jgmjdaqb.exe | Jcandb32.exe
File created | C:\Windows\SysWOW64\Hjlkkhne.dll | Ciglaa32.exe
File created | C:\Windows\SysWOW64\Fllaopcg.exe | Einebddd.exe
File created | C:\Windows\SysWOW64\Doclpb32.dll | Fabmmejd.exe
File opened for modification | C:\Windows\SysWOW64\Mgmoob32.exe | Mdoccg32.exe
File created | C:\Windows\SysWOW64\Biqfpb32.exe | Bbfnchfb.exe
File created | C:\Windows\SysWOW64\Jgmjdaqb.exe | Jcandb32.exe
File opened for modification | C:\Windows\SysWOW64\Mpqjmh32.exe | Mmbnam32.exe
File created | C:\Windows\SysWOW64\Dcjjkkji.exe | Dhdfmbjc.exe
File created | C:\Windows\SysWOW64\Eccjdobp.dll | Epqgopbi.exe
File created | C:\Windows\SysWOW64\Cophjpne.dll | Idekbgji.exe
File created | C:\Windows\SysWOW64\Kneibo32.dll | Fmfalg32.exe
File created | C:\Windows\SysWOW64\Hpnlndkp.exe | Hlbpme32.exe
File created | C:\Windows\SysWOW64\Pjeimkch.dll | Ofdeeb32.exe
File created | C:\Windows\SysWOW64\Lalieb32.dll | Kbpnkm32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Fhbbcail.exe, Hgoadp32.exe, Ilgjhena.exe, Mmpakm32.exe, Abgaeddg.exe, Feipbefb.exe, Hibgkjee.exe, Jgmjdaqb.exe, Neibanod.exe, Ojkhjabc.exe, Blaobmkq.exe, Cgnpjkhj.exe, Jcckibfg.exe, Ofgbkacb.exe, Biqfpb32.exe, Cobhdhha.exe, Einebddd.exe, Gllnnc32.exe, Hchoop32.exe, Kiemmh32.exe, Oomjng32.exe, Cenmfbml.exe, Gpjfcali.exe, Laidgi32.exe, Mkohjbah.exe, Qjgcecja.exe, Aankkqfl.exe, Bnofaf32.exe, Fnmjpk32.exe, Ghghnc32.exe, Nepokogo.exe, Ogaeieoj.exe, Pbpoebgc.exe, Pbgefa32.exe, Bhjpnj32.exe, Dhdfmbjc.exe, Jqnhmgmk.exe, Liibgkoo.exe, Magdam32.exe, Cofaog32.exe, Cffjagko.exe, Fakglf32.exe, Hocmpm32.exe, Pegnglnm.exe, Clfhml32.exe, Emgdmc32.exe, Fbhfajia.exe, Fabmmejd.exe, Gbffjmmp.exe, Ndlbmk32.exe, Qfkgdd32.exe, Pgodcich.exe, Ghidcceo.exe, Hlbpme32.exe, Ifpnaj32.exe, Kmklak32.exe, Nkdndeon.exe, Onipqp32.exe, Pmcgmkil.exe, Qaqlbmbn.exe, Ahcjmkbo.exe, Chofhm32.exe, Gibkmgcj.exe, Gidhbgag.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhbbcail.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgoadp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilgjhena.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmpakm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abgaeddg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Feipbefb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hibgkjee.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgmjdaqb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Neibanod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojkhjabc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blaobmkq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgnpjkhj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcckibfg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofgbkacb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Biqfpb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cobhdhha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Einebddd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gllnnc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hchoop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kiemmh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oomjng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cenmfbml.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpjfcali.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Laidgi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkohjbah.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qjgcecja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aankkqfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnofaf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fnmjpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghghnc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nepokogo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogaeieoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbpoebgc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbgefa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhjpnj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhdfmbjc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jqnhmgmk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Liibgkoo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Magdam32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cofaog32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cffjagko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fakglf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hocmpm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pegnglnm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clfhml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emgdmc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbhfajia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fabmmejd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbffjmmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndlbmk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qfkgdd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgodcich.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghidcceo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hlbpme32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ifpnaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmklak32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkdndeon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onipqp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmcgmkil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qaqlbmbn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahcjmkbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chofhm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gibkmgcj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gidhbgag.exe
Modifies registry class (64 IoCs)
Processes: Dhdfmbjc.exe, Jcckibfg.exe, Neibanod.exe, Ofdeeb32.exe, Ihiabfhk.exe, Pchbmigj.exe, Jcoanb32.exe, Lchqcd32.exe, Ogdaod32.exe, Bpjnmlel.exe, Nphpng32.exe, Amglgn32.exe, Aankkqfl.exe, Gllnnc32.exe, Idekbgji.exe, Kmnlhg32.exe, Lmpeljkm.exe, Habili32.exe, Pmecbkgj.exe, Beldao32.exe, Cdamao32.exe, Kbpnkm32.exe, Nnbjpqoa.exe, Ojkhjabc.exe, Ceickb32.exe, Cofaog32.exe, Fnmjpk32.exe, Mheeif32.exe, Mpcgbhig.exe, Nkdndeon.exe, Cggcofkf.exe, Cobhdhha.exe, Gbcien32.exe, Kbmafngi.exe, Kkefoc32.exe, Nlanhh32.exe, Bacefpbg.exe, Chofhm32.exe, Dcjjkkji.exe, Fnogfk32.exe, Ifpnaj32.exe, Ndlbmk32.exe, Cppobaeb.exe, Dfkclf32.exe, Mkfojakp.exe, Nohddd32.exe, Pioamlkk.exe, Abinjdad.exe, Embkbdce.exe, Ffmipmjn.exe, Hofjem32.exe, Ihnjmf32.exe, Cffjagko.exe, Anpooe32.exe, Chbihc32.exe, Kepgmh32.exe, Pnimpcke.exe, Qjgcecja.exe, Pkjqcg32.exe, Hlbpme32.exe, Lbagpp32.exe, Nkfkidmk.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmoggbh.dll" | Dhdfmbjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jcckibfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Neibanod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjeimkch.dll" | Ofdeeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ihiabfhk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pchbmigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jcoanb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgmej32.dll" | Lchqcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcpgblfk.dll" | Ogdaod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgmbedh.dll" | Bpjnmlel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhnmei32.dll" | Nphpng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdkki32.dll" | Amglgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aankkqfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpqndbo.dll" | Gllnnc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Idekbgji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kmnlhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lmpeljkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmbccp32.dll" | Habili32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pmecbkgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Beldao32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cdamao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kbpnkm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nnbjpqoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ojkhjabc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ceickb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cofaog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fnmjpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mheeif32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mpcgbhig.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nkdndeon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cggcofkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cobhdhha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgdlnjc.dll" | Gbcien32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kbmafngi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kkefoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nlanhh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijpeihq.dll" | Bacefpbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befddlni.dll" | Chofhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfhapbi.dll" | Dcjjkkji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fnogfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifpnaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchjfo32.dll" | Ndlbmk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cppobaeb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dfkclf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ligleljk.dll" | Mkfojakp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nohddd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pioamlkk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Abinjdad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Embkbdce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ffmipmjn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckobac32.dll" | Hofjem32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ihnjmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cffjagko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fnogfk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Anpooe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Chbihc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dplclg32.dll" | Kepgmh32.exe
Set value (str) |
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnimpcke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjgcecja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkjqcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlbpme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbagpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nphpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkfkidmk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe, Bnofaf32.exe, Cnabffeo.exe, Cppobaeb.exe, Cgjgol32.exe, Caokmd32.exe, Ccqhdmbc.exe, Cjjpag32.exe, Cdpdnpif.exe, Cgnpjkhj.exe, Cpgecq32.exe, Cgqmpkfg.exe, Chbihc32.exe, Cpiaipmh.exe, Cffjagko.exe, Dhdfmbjc.exe
description pid process target process
PID 2172 wrote to memory of 2752 2172 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe Bnofaf32.exe
PID 2172 wrote to memory of 2752 2172 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe Bnofaf32.exe
PID 2172 wrote to memory of 2752 2172 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe Bnofaf32.exe
PID 2172 wrote to memory of 2752 2172 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe Bnofaf32.exe
PID 2752 wrote to memory of 2844 2752 Bnofaf32.exe Cnabffeo.exe
PID 2752 wrote to memory of 2844 2752 Bnofaf32.exe Cnabffeo.exe
PID 2752 wrote to memory of 2844 2752 Bnofaf32.exe Cnabffeo.exe
PID 2752 wrote to memory of 2844 2752 Bnofaf32.exe Cnabffeo.exe
PID 2844 wrote to memory of 2704 2844 Cnabffeo.exe Cppobaeb.exe
PID 2844 wrote to memory of 2704 2844 Cnabffeo.exe Cppobaeb.exe
PID 2844 wrote to memory of 2704 2844 Cnabffeo.exe Cppobaeb.exe
PID 2844 wrote to memory of 2704 2844 Cnabffeo.exe Cppobaeb.exe
PID 2704 wrote to memory of 2556 2704 Cppobaeb.exe Cgjgol32.exe
PID 2704 wrote to memory of 2556 2704 Cppobaeb.exe Cgjgol32.exe
PID 2704 wrote to memory of 2556 2704 Cppobaeb.exe Cgjgol32.exe
PID 2704 wrote to memory of 2556 2704 Cppobaeb.exe Cgjgol32.exe
PID 2556 wrote to memory of 3056 2556 Cgjgol32.exe Caokmd32.exe
PID 2556 wrote to memory of 3056 2556 Cgjgol32.exe Caokmd32.exe
PID 2556 wrote to memory of 3056 2556 Cgjgol32.exe Caokmd32.exe
PID 2556 wrote to memory of 3056 2556 Cgjgol32.exe Caokmd32.exe
PID 3056 wrote to memory of 1948 3056 Caokmd32.exe Ccqhdmbc.exe
PID 3056 wrote to memory of 1948 3056 Caokmd32.exe Ccqhdmbc.exe
PID 3056 wrote to memory of 1948 3056 Caokmd32.exe Ccqhdmbc.exe
PID 3056 wrote to memory of 1948 3056 Caokmd32.exe Ccqhdmbc.exe
PID 1948 wrote to memory of 804 1948 Ccqhdmbc.exe Cjjpag32.exe
PID 1948 wrote to memory of 804 1948 Ccqhdmbc.exe Cjjpag32.exe
PID 1948 wrote to memory of 804 1948 Ccqhdmbc.exe Cjjpag32.exe
PID 1948 wrote to memory of 804 1948 Ccqhdmbc.exe Cjjpag32.exe
PID 804 wrote to memory of 2104 804 Cjjpag32.exe Cdpdnpif.exe
PID 804 wrote to memory of 2104 804 Cjjpag32.exe Cdpdnpif.exe
PID 804 wrote to memory of 2104 804 Cjjpag32.exe Cdpdnpif.exe
PID 804 wrote to memory of 2104 804 Cjjpag32.exe Cdpdnpif.exe
PID 2104 wrote to memory of 2788 2104 Cdpdnpif.exe Cgnpjkhj.exe
PID 2104 wrote to memory of 2788 2104 Cdpdnpif.exe Cgnpjkhj.exe
PID 2104 wrote to memory of 2788 2104 Cdpdnpif.exe Cgnpjkhj.exe
PID 2104 wrote to memory of 2788 2104 Cdpdnpif.exe Cgnpjkhj.exe
PID 2788 wrote to memory of 2716 2788 Cgnpjkhj.exe Cpgecq32.exe
PID 2788 wrote to memory of 2716 2788 Cgnpjkhj.exe Cpgecq32.exe
PID 2788 wrote to memory of 2716 2788 Cgnpjkhj.exe Cpgecq32.exe
PID 2788 wrote to memory of 2716 2788 Cgnpjkhj.exe Cpgecq32.exe
PID 2716 wrote to memory of 2816 2716 Cpgecq32.exe Cgqmpkfg.exe
PID 2716 wrote to memory of 2816 2716 Cpgecq32.exe Cgqmpkfg.exe
PID 2716 wrote to memory of 2816 2716 Cpgecq32.exe Cgqmpkfg.exe
PID 2716 wrote to memory of 2816 2716 Cpgecq32.exe Cgqmpkfg.exe
PID 2816 wrote to memory of 2304 2816 Cgqmpkfg.exe Chbihc32.exe
PID 2816 wrote to memory of 2304 2816 Cgqmpkfg.exe Chbihc32.exe
PID 2816 wrote to memory of 2304 2816 Cgqmpkfg.exe Chbihc32.exe
PID 2816 wrote to memory of 2304 2816 Cgqmpkfg.exe Chbihc32.exe
PID 2304 wrote to memory of 1476 2304 Chbihc32.exe Cpiaipmh.exe
PID 2304 wrote to memory of 1476 2304 Chbihc32.exe Cpiaipmh.exe
PID 2304 wrote to memory of 1476 2304 Chbihc32.exe Cpiaipmh.exe
PID 2304 wrote to memory of 1476 2304 Chbihc32.exe Cpiaipmh.exe
PID 1476 wrote to memory of 2140 1476 Cpiaipmh.exe Cffjagko.exe
PID 1476 wrote to memory of 2140 1476 Cpiaipmh.exe Cffjagko.exe
PID 1476 wrote to memory of 2140 1476 Cpiaipmh.exe Cffjagko.exe
PID 1476 wrote to memory of 2140 1476 Cpiaipmh.exe Cffjagko.exe
PID 2140 wrote to memory of 2480 2140 Cffjagko.exe Dhdfmbjc.exe
PID 2140 wrote to memory of 2480 2140 Cffjagko.exe Dhdfmbjc.exe
PID 2140 wrote to memory of 2480 2140 Cffjagko.exe Dhdfmbjc.exe
PID 2140 wrote to memory of 2480 2140 Cffjagko.exe Dhdfmbjc.exe
PID 2480 wrote to memory of 1240 2480 Dhdfmbjc.exe Dcjjkkji.exe
PID 2480 wrote to memory of 1240 2480 Dhdfmbjc.exe Dcjjkkji.exe
PID 2480 wrote to memory of 1240 2480 Dhdfmbjc.exe Dcjjkkji.exe
PID 2480 wrote to memory of 1240 2480 Dhdfmbjc.exe Dcjjkkji.exe
Processes
C:\Users\Admin\AppData\Local\Temp\03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe", level 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172
C:\Windows\SysWOW64\Bnofaf32.exe (command line: C:\Windows\system32\Bnofaf32.exe, level 2)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
C:\Windows\SysWOW64\Cnabffeo.exe (command line: C:\Windows\system32\Cnabffeo.exe, level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844
C:\Windows\SysWOW64\Cppobaeb.exe (command line: C:\Windows\system32\Cppobaeb.exe, level 4)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704
C:\Windows\SysWOW64\Cgjgol32.exe (command line: C:\Windows\system32\Cgjgol32.exe, level 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556
C:\Windows\SysWOW64\Caokmd32.exe (command line: C:\Windows\system32\Caokmd32.exe, level 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056
C:\Windows\SysWOW64\Ccqhdmbc.exe (command line: C:\Windows\system32\Ccqhdmbc.exe, level 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948
C:\Windows\SysWOW64\Cjjpag32.exe (command line: C:\Windows\system32\Cjjpag32.exe, level 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804
C:\Windows\SysWOW64\Cdpdnpif.exe (command line: C:\Windows\system32\Cdpdnpif.exe, level 9)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2104
C:\Windows\SysWOW64\Cgnpjkhj.exe (command line: C:\Windows\system32\Cgnpjkhj.exe, level 10)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
C:\Windows\SysWOW64\Cpgecq32.exe (command line: C:\Windows\system32\Cpgecq32.exe, level 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716
C:\Windows\SysWOW64\Cgqmpkfg.exe (command line: C:\Windows\system32\Cgqmpkfg.exe, level 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816
C:\Windows\SysWOW64\Chbihc32.exe (command line: C:\Windows\system32\Chbihc32.exe, level 13)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2304
C:\Windows\SysWOW64\Cpiaipmh.exe (command line: C:\Windows\system32\Cpiaipmh.exe, level 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476
C:\Windows\SysWOW64\Cffjagko.exe (command line: C:\Windows\system32\Cffjagko.exe, level 15)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140
C:\Windows\SysWOW64\Dhdfmbjc.exe (command line: C:\Windows\system32\Dhdfmbjc.exe, level 16)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480
C:\Windows\SysWOW64\Dcjjkkji.exe (command line: C:\Windows\system32\Dcjjkkji.exe, level 17)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1240
C:\Windows\SysWOW64\Dfhgggim.exe (command line: C:\Windows\system32\Dfhgggim.exe, level 18)
- Executes dropped EXE
- Loads dropped DLL
PID:1512
C:\Windows\SysWOW64\Dkeoongd.exe (command line: C:\Windows\system32\Dkeoongd.exe, level 19)
- Executes dropped EXE
- Loads dropped DLL
PID:832
C:\Windows\SysWOW64\Dnckki32.exe (command line: C:\Windows\system32\Dnckki32.exe, level 20)
- Executes dropped EXE
- Loads dropped DLL
PID:2472
C:\Windows\SysWOW64\Dfkclf32.exe (command line: C:\Windows\system32\Dfkclf32.exe, level 21)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1848
C:\Windows\SysWOW64\Dglpdomh.exe (command line: C:\Windows\system32\Dglpdomh.exe, level 22)
- Executes dropped EXE
- Loads dropped DLL
PID:268
C:\Windows\SysWOW64\Dqddmd32.exe (command line: C:\Windows\system32\Dqddmd32.exe, level 23)
- Executes dropped EXE
- Loads dropped DLL
PID:1296
C:\Windows\SysWOW64\Dhklna32.exe (command line: C:\Windows\system32\Dhklna32.exe, level 24)
- Executes dropped EXE
- Loads dropped DLL
PID:1468
C:\Windows\SysWOW64\Dcemnopj.exe (command line: C:\Windows\system32\Dcemnopj.exe, level 25)
- Executes dropped EXE
- Loads dropped DLL
PID:336
C:\Windows\SysWOW64\Djoeki32.exe (command line: C:\Windows\system32\Djoeki32.exe, level 26)
- Executes dropped EXE
- Loads dropped DLL
PID:1040
C:\Windows\SysWOW64\Dmmbge32.exe (command line: C:\Windows\system32\Dmmbge32.exe, level 27)
- Executes dropped EXE
- Loads dropped DLL
PID:2800
C:\Windows\SysWOW64\Egcfdn32.exe (command line: C:\Windows\system32\Egcfdn32.exe, level 28)
- Executes dropped EXE
- Loads dropped DLL
PID:2544
C:\Windows\SysWOW64\Eqkjmcmq.exe (command line: C:\Windows\system32\Eqkjmcmq.exe, level 29)
- Executes dropped EXE
- Loads dropped DLL
PID:2728
C:\Windows\SysWOW64\Embkbdce.exe (command line: C:\Windows\system32\Embkbdce.exe, level 30)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:528
C:\Windows\SysWOW64\Epqgopbi.exe (command line: C:\Windows\system32\Epqgopbi.exe, level 31)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:408
C:\Windows\SysWOW64\Eiilge32.exe (command line: C:\Windows\system32\Eiilge32.exe, level 32)
- Executes dropped EXE
- Loads dropped DLL
PID:2860
C:\Windows\SysWOW64\Ebappk32.exe (command line: C:\Windows\system32\Ebappk32.exe, level 33)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2320
C:\Windows\SysWOW64\Emgdmc32.exe (command line: C:\Windows\system32\Emgdmc32.exe, level 34)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580
C:\Windows\SysWOW64\Efoifiep.exe (command line: C:\Windows\system32\Efoifiep.exe, level 35)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944
C:\Windows\SysWOW64\Einebddd.exe (command line: C:\Windows\system32\Einebddd.exe, level 36)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2820
C:\Windows\SysWOW64\Fllaopcg.exe (command line: C:\Windows\system32\Fllaopcg.exe, level 37)
- Executes dropped EXE
- Drops file in System32 directory
PID:1148
C:\Windows\SysWOW64\Faijggao.exe (command line: C:\Windows\system32\Faijggao.exe, level 38)
- Executes dropped EXE
PID:984
C:\Windows\SysWOW64\Fhbbcail.exe (command line: C:\Windows\system32\Fhbbcail.exe, level 39)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2100
C:\Windows\SysWOW64\Fnmjpk32.exe (command line: C:\Windows\system32\Fnmjpk32.exe, level 40)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1280
C:\Windows\SysWOW64\Fbhfajia.exe (command line: C:\Windows\system32\Fbhfajia.exe, level 41)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2440
C:\Windows\SysWOW64\Fakglf32.exe (command line: C:\Windows\system32\Fakglf32.exe, level 42)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1484
C:\Windows\SysWOW64\Fnogfk32.exe (command line: C:\Windows\system32\Fnogfk32.exe, level 43)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:856
C:\Windows\SysWOW64\Feipbefb.exe (command line: C:\Windows\system32\Feipbefb.exe, level 44)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1352
C:\Windows\SysWOW64\Ffjljmla.exe (command line: C:\Windows\system32\Ffjljmla.exe, level 45)
- Executes dropped EXE
PID:1672
C:\Windows\SysWOW64\Fnadkjlc.exe (command line: C:\Windows\system32\Fnadkjlc.exe, level 46)
- Executes dropped EXE
PID:2008
C:\Windows\SysWOW64\Fappgflg.exe (command line: C:\Windows\system32\Fappgflg.exe, level 47)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:300
C:\Windows\SysWOW64\Fdnlcakk.exe (command line: C:\Windows\system32\Fdnlcakk.exe, level 48)
- Executes dropped EXE
- Drops file in System32 directory
PID:2412
C:\Windows\SysWOW64\Ffmipmjn.exe (command line: C:\Windows\system32\Ffmipmjn.exe, level 49)
- Executes dropped EXE
- Modifies registry class
PID:1904
C:\Windows\SysWOW64\Fmfalg32.exe (command line: C:\Windows\system32\Fmfalg32.exe, level 50)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1576
C:\Windows\SysWOW64\Fabmmejd.exe (command line: C:\Windows\system32\Fabmmejd.exe, level 51)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2592
C:\Windows\SysWOW64\Gbcien32.exe (command line: C:\Windows\system32\Gbcien32.exe, level 52)
- Executes dropped EXE
- Modifies registry class
PID:2080
C:\Windows\SysWOW64\Gjjafkpe.exe (command line: C:\Windows\system32\Gjjafkpe.exe, level 53)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020
C:\Windows\SysWOW64\Gminbfoh.exe (command line: C:\Windows\system32\Gminbfoh.exe, level 54)
- Executes dropped EXE
PID:2640
C:\Windows\SysWOW64\Gllnnc32.exe (command line: C:\Windows\system32\Gllnnc32.exe, level 55)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2112
C:\Windows\SysWOW64\Gbffjmmp.exe (command line: C:\Windows\system32\Gbffjmmp.exe, level 56)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2940
C:\Windows\SysWOW64\Gfabkl32.exe (command line: C:\Windows\system32\Gfabkl32.exe, level 57)
- Executes dropped EXE
PID:2408
C:\Windows\SysWOW64\Gipngg32.exe (command line: C:\Windows\system32\Gipngg32.exe, level 58)
- Executes dropped EXE
- Drops file in System32 directory
PID:2348
C:\Windows\SysWOW64\Glnkcc32.exe (command line: C:\Windows\system32\Glnkcc32.exe, level 59)
- Executes dropped EXE
PID:1792
C:\Windows\SysWOW64\Gpjfcali.exe (command line: C:\Windows\system32\Gpjfcali.exe, level 60)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2188
C:\Windows\SysWOW64\Gbhcpmkm.exe (command line: C:\Windows\system32\Gbhcpmkm.exe, level 61)
- Executes dropped EXE
- Drops file in System32 directory
PID:2024
C:\Windows\SysWOW64\Gibkmgcj.exe (command line: C:\Windows\system32\Gibkmgcj.exe, level 62)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1092
C:\Windows\SysWOW64\Glpgibbn.exe (command line: C:\Windows\system32\Glpgibbn.exe, level 63)
- Executes dropped EXE
PID:2452
C:\Windows\SysWOW64\Goocenaa.exe (command line: C:\Windows\system32\Goocenaa.exe, level 64)
- Executes dropped EXE
PID:1644
C:\Windows\SysWOW64\Gampaipe.exe (command line: C:\Windows\system32\Gampaipe.exe, level 65)
- Executes dropped EXE
- Drops file in System32 directory
PID:1268
C:\Windows\SysWOW64\Gidhbgag.exe (command line: C:\Windows\system32\Gidhbgag.exe, level 66)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1652
C:\Windows\SysWOW64\Ghghnc32.exe (command line: C:\Windows\system32\Ghghnc32.exe, level 67)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:320
C:\Windows\SysWOW64\Gkedjo32.exe (command line: C:\Windows\system32\Gkedjo32.exe, level 68)
PID:2780
C:\Windows\SysWOW64\Gbmlkl32.exe (command line: C:\Windows\system32\Gbmlkl32.exe, level 69)
PID:3060
C:\Windows\SysWOW64\Gekhgh32.exe (command line: C:\Windows\system32\Gekhgh32.exe, level 70)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120
C:\Windows\SysWOW64\Ghidcceo.exe (command line: C:\Windows\system32\Ghidcceo.exe, level 71)
- System Location Discovery: System Language Discovery
PID:1068
C:\Windows\SysWOW64\Gkhaooec.exe (command line: C:\Windows\system32\Gkhaooec.exe, level 72)
PID:2896
C:\Windows\SysWOW64\Hocmpm32.exe (command line: C:\Windows\system32\Hocmpm32.exe, level 73)
- System Location Discovery: System Language Discovery
PID:2872
C:\Windows\SysWOW64\Habili32.exe (command line: C:\Windows\system32\Habili32.exe, level 74)
- Modifies registry class
PID:2128
C:\Windows\SysWOW64\Hememgdi.exe (command line: C:\Windows\system32\Hememgdi.exe, level 75)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:484
C:\Windows\SysWOW64\Hhlaiccm.exe (command line: C:\Windows\system32\Hhlaiccm.exe, level 76)
PID:2012
C:\Windows\SysWOW64\Hgoadp32.exe (command line: C:\Windows\system32\Hgoadp32.exe, level 77)
- System Location Discovery: System Language Discovery
PID:1080
C:\Windows\SysWOW64\Hofjem32.exe (command line: C:\Windows\system32\Hofjem32.exe, level 78)
- Drops file in System32 directory
- Modifies registry class
PID:1696
C:\Windows\SysWOW64\Hmijajbd.exe (command line: C:\Windows\system32\Hmijajbd.exe, level 79)
PID:3024
C:\Windows\SysWOW64\Hpgfmeag.exe (command line: C:\Windows\system32\Hpgfmeag.exe, level 80)
- Drops file in System32 directory
PID:824
C:\Windows\SysWOW64\Hdbbnd32.exe (command line: C:\Windows\system32\Hdbbnd32.exe, level 81)
PID:2028
C:\Windows\SysWOW64\Hkmjjn32.exe (command line: C:\Windows\system32\Hkmjjn32.exe, level 82)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724
C:\Windows\SysWOW64\Hpicbe32.exe (command line: C:\Windows\system32\Hpicbe32.exe, level 83)
PID:2652
C:\Windows\SysWOW64\Hchoop32.exe (command line: C:\Windows\system32\Hchoop32.exe, level 84)
- System Location Discovery: System Language Discovery
PID:2968
C:\Windows\SysWOW64\Hibgkjee.exe (command line: C:\Windows\system32\Hibgkjee.exe, level 85)
- System Location Discovery: System Language Discovery
PID:2612
C:\Windows\SysWOW64\Hlpchfdi.exe (command line: C:\Windows\system32\Hlpchfdi.exe, level 86)
PID:2936
C:\Windows\SysWOW64\Hdgkicek.exe (command line: C:\Windows\system32\Hdgkicek.exe, level 87)
PID:2928
C:\Windows\SysWOW64\Hgfheodo.exe (command line: C:\Windows\system32\Hgfheodo.exe, level 88)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636
C:\Windows\SysWOW64\Hjddaj32.exe (command line: C:\Windows\system32\Hjddaj32.exe, level 89)
PID:2368
C:\Windows\SysWOW64\Hlbpme32.exe (command line: C:\Windows\system32\Hlbpme32.exe, level 90)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2520
C:\Windows\SysWOW64\Hpnlndkp.exe (command line: C:\Windows\system32\Hpnlndkp.exe, level 91)
PID:956
C:\Windows\SysWOW64\Hghdjn32.exe (command line: C:\Windows\system32\Hghdjn32.exe, level 92)
PID:676
C:\Windows\SysWOW64\Hekefkig.exe (command line: C:\Windows\system32\Hekefkig.exe, level 93)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2248
C:\Windows\SysWOW64\Ihiabfhk.exe (command line: C:\Windows\system32\Ihiabfhk.exe, level 94)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1748
C:\Windows\SysWOW64\Iocioq32.exe (command line: C:\Windows\system32\Iocioq32.exe, level 95)
PID:1856
C:\Windows\SysWOW64\Iaaekl32.exe (command line: C:\Windows\system32\Iaaekl32.exe, level 96)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284
C:\Windows\SysWOW64\Ijimli32.exe (command line: C:\Windows\system32\Ijimli32.exe, level 97)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2392
C:\Windows\SysWOW64\Ilgjhena.exe (command line: C:\Windows\system32\Ilgjhena.exe, level 98)
- System Location Discovery: System Language Discovery
PID:2212
C:\Windows\SysWOW64\Ioefdpne.exe (command line: C:\Windows\system32\Ioefdpne.exe, level 99)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2160
C:\Windows\SysWOW64\Ifpnaj32.exe (command line: C:\Windows\system32\Ifpnaj32.exe, level 100)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2892
C:\Windows\SysWOW64\Ihnjmf32.exe (command line: C:\Windows\system32\Ihnjmf32.exe, level 101)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2308
C:\Windows\SysWOW64\Iklfia32.exe (command line: C:\Windows\system32\Iklfia32.exe, level 102)
PID:380
C:\Windows\SysWOW64\Inkcem32.exe (command line: C:\Windows\system32\Inkcem32.exe, level 103)
PID:2964
C:\Windows\SysWOW64\Idekbgji.exe (command line: C:\Windows\system32\Idekbgji.exe, level 104)
- Drops file in System32 directory
- Modifies registry class
PID:876
C:\Windows\SysWOW64\Ikocoa32.exe (command line: C:\Windows\system32\Ikocoa32.exe, level 105)
PID:1936
C:\Windows\SysWOW64\Ibillk32.exe (command line: C:\Windows\system32\Ibillk32.exe, level 106)
PID:1732
C:\Windows\SysWOW64\Idghhf32.exe (command line: C:\Windows\system32\Idghhf32.exe, level 107)
- Drops file in System32 directory
PID:2784
C:\Windows\SysWOW64\Ikapdqoc.exe (command line: C:\Windows\system32\Ikapdqoc.exe, level 108)
PID:1284
C:\Windows\SysWOW64\Inplqlng.exe (command line: C:\Windows\system32\Inplqlng.exe, level 109)
- Drops file in System32 directory
PID:2708
C:\Windows\SysWOW64\Jqnhmgmk.exe (command line: C:\Windows\system32\Jqnhmgmk.exe, level 110)
- System Location Discovery: System Language Discovery
PID:3028
C:\Windows\SysWOW64\Jcleiclo.exe (command line: C:\Windows\system32\Jcleiclo.exe, level 111)
PID:2900
C:\Windows\SysWOW64\Jnbifl32.exe (command line: C:\Windows\system32\Jnbifl32.exe, level 112)
PID:2824
C:\Windows\SysWOW64\Jqpebg32.exe (command line: C:\Windows\system32\Jqpebg32.exe, level 113)
PID:540
C:\Windows\SysWOW64\Jcoanb32.exe (command line: C:\Windows\system32\Jcoanb32.exe, level 114)
- Modifies registry class
PID:1800
C:\Windows\SysWOW64\Jfmnkn32.exe (command line: C:\Windows\system32\Jfmnkn32.exe, level 115)
PID:2972
C:\Windows\SysWOW64\Jjijkmbi.exe (command line: C:\Windows\system32\Jjijkmbi.exe, level 116)
PID:2476
C:\Windows\SysWOW64\Jmgfgham.exe (command line: C:\Windows\system32\Jmgfgham.exe, level 117)
PID:1692
C:\Windows\SysWOW64\Jcandb32.exe (command line: C:\Windows\system32\Jcandb32.exe, level 118)
- Drops file in System32 directory
PID:2912
C:\Windows\SysWOW64\Jgmjdaqb.exe (command line: C:\Windows\system32\Jgmjdaqb.exe, level 119)
- System Location Discovery: System Language Discovery
PID:2464
C:\Windows\SysWOW64\Jinfli32.exe (command line: C:\Windows\system32\Jinfli32.exe, level 120)
PID:2376
C:\Windows\SysWOW64\Jmibmhoj.exe (command line: C:\Windows\system32\Jmibmhoj.exe, level 121)
PID:2420
C:\Windows\SysWOW64\Jcckibfg.exe (command line: C:\Windows\system32\Jcckibfg.exe, level 122)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1924