Analysis
-
max time kernel
94s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 02:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exe
-
Size
93KB
-
MD5
457593edeed8ab780cc62e6f06493c33
-
SHA1
90a3ec9d1b88709a25b5e2e4d47ad01b3b931757
-
SHA256
adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084
-
SHA512
5a6fcc9943e072672cfec9d63cd8ccb67aa2969b258fa7542cb93d0d8d28e07c55d98e9240091bdc0d0809bc4550526b4c75097b2876df125481cf99c33ea160
-
SSDEEP
1536:n8ScGMI1cQKk9TYL37m3wepvCPFWsyVyiKNI8I4ZAWiTEF/ATLjiwg58:OyYippvSdgyVNlH5F/A7Y58
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Nloachkf.exeQmepanje.exeJcckibfg.exeMhcicf32.exeNcfmjc32.exeGoocenaa.exeJfmnkn32.exeGleqdb32.exeLofkoamf.exeMkaeob32.exeMkdbea32.exeGpjfcali.exeJmlobg32.exeBaqhapdj.exeCabaec32.exeLpanne32.exeOmnmal32.exeHipkfkgh.exeOomjng32.exeOngckp32.exeOqgmmk32.exePbgefa32.exeKbkdpnil.exeLffmpp32.exeJbfkeo32.exeBdfjnkne.exeNchipb32.exeNakikpin.exeAcadchoo.exeGdnibdmf.exeIbkhak32.exeLkmldbcj.exeJqbbhg32.exeJjmcfl32.exeHdgkicek.exeNhebhipj.exePigklmqc.exePdnkanfg.exeJegdgj32.exeNgoleb32.exeHdpehd32.exeAnkedf32.exeAljmbknm.exeKeiqlihp.exeMmdkfmjc.exeNommodjj.exeAfbnec32.exeHlpchfdi.exeNhqhmj32.exeFefcmehe.exeLfkfkopk.exeLhapocoi.exePfnhkq32.exeCbkgog32.exeKglfcd32.exeKgocid32.exeAcohnhab.exeCaenkc32.exeGampaipe.exePeqhgmdd.exePkfghh32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nloachkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmepanje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcckibfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhcicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncfmjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goocenaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfmnkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gleqdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lofkoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkaeob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkdbea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpjfcali.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmlobg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baqhapdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cabaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpanne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hipkfkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oomjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ongckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqgmmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbgefa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkdpnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lffmpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfkeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdfjnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nchipb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nakikpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acadchoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdnibdmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibkhak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkmldbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqbbhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjmcfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdgkicek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhebhipj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pigklmqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdnkanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jegdgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngoleb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdpehd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ankedf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljmbknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keiqlihp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nloachkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdkfmjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nommodjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afbnec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlpchfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhcicf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhqhmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfjnkne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefcmehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkfkopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhapocoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfnhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkgog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kglfcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgocid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acohnhab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caenkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gampaipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peqhgmdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkfghh32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Fipbhd32.exeFefcmehe.exeFjckelfm.exeFamcbf32.exeFdlpnamm.exeFmddgg32.exeFdnlcakk.exeFikelhib.exeFabmmejd.exeGjjafkpe.exeGimaah32.exeGllnnc32.exeGbffjmmp.exeGmkjgfmf.exeGpjfcali.exeGibkmgcj.exeGlpgibbn.exeGoocenaa.exeGampaipe.exeGlbdnbpk.exeGkedjo32.exeGdnibdmf.exeGleqdb32.exeHdpehd32.exeHkjnenbp.exeHofjem32.exeHdbbnd32.exeHipkfkgh.exeHchoop32.exeHlpchfdi.exeHdgkicek.exeHcjldp32.exeHghdjn32.exeIjfqfj32.exeIhiabfhk.exeIkjjda32.exeIoefdpne.exeIadbqlmh.exeIklfia32.exeIfbkgj32.exeIgcgnbim.exeIhbdhepp.exeIgeddb32.exeIbkhak32.exeJghqia32.exeJkcmjpma.exeJnbifl32.exeJmdiahco.exeJdlacfca.exeJfmnkn32.exeJmgfgham.exeJqbbhg32.exeJcandb32.exeJgmjdaqb.exeJjkfqlpf.exeJqeomfgc.exeJcckibfg.exeJbfkeo32.exeJjmcfl32.exeJmlobg32.exeJojloc32.exeJcfgoadd.exeJegdgj32.exeJibpghbk.exepid Process 3000 Fipbhd32.exe 2504 Fefcmehe.exe 2792 Fjckelfm.exe 2840 Famcbf32.exe 2864 Fdlpnamm.exe 2612 Fmddgg32.exe 2384 Fdnlcakk.exe 1032 Fikelhib.exe 1676 Fabmmejd.exe 1936 Gjjafkpe.exe 1960 Gimaah32.exe 2484 Gllnnc32.exe 472 Gbffjmmp.exe 1492 Gmkjgfmf.exe 2356 Gpjfcali.exe 2196 Gibkmgcj.exe 1180 Glpgibbn.exe 632 Goocenaa.exe 564 Gampaipe.exe 2184 Glbdnbpk.exe 1552 Gkedjo32.exe 1740 Gdnibdmf.exe 3052 Gleqdb32.exe 1316 Hdpehd32.exe 2336 Hkjnenbp.exe 2452 Hofjem32.exe 2740 Hdbbnd32.exe 2828 Hipkfkgh.exe 2712 Hchoop32.exe 2620 Hlpchfdi.exe 2768 Hdgkicek.exe 2096 Hcjldp32.exe 1120 Hghdjn32.exe 316 Ijfqfj32.exe 2408 Ihiabfhk.exe 1920 Ikjjda32.exe 1924 Ioefdpne.exe 988 Iadbqlmh.exe 1848 Iklfia32.exe 3044 Ifbkgj32.exe 2432 Igcgnbim.exe 1016 Ihbdhepp.exe 2176 Igeddb32.exe 2968 Ibkhak32.exe 2152 Jghqia32.exe 1476 Jkcmjpma.exe 2372 Jnbifl32.exe 780 Jmdiahco.exe 1052 Jdlacfca.exe 1604 Jfmnkn32.exe 2788 Jmgfgham.exe 2136 Jqbbhg32.exe 2624 Jcandb32.exe 2600 Jgmjdaqb.exe 2308 Jjkfqlpf.exe 452 Jqeomfgc.exe 2460 Jcckibfg.exe 1392 Jbfkeo32.exe 2116 Jjmcfl32.exe 1104 Jmlobg32.exe 2220 Jojloc32.exe 2396 Jcfgoadd.exe 2448 Jegdgj32.exe 1784 Jibpghbk.exe -
Loads dropped DLL 64 IoCs
Processes:
adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exeFipbhd32.exeFefcmehe.exeFjckelfm.exeFamcbf32.exeFdlpnamm.exeFmddgg32.exeFdnlcakk.exeFikelhib.exeFabmmejd.exeGjjafkpe.exeGimaah32.exeGllnnc32.exeGbffjmmp.exeGmkjgfmf.exeGpjfcali.exeGibkmgcj.exeGlpgibbn.exeGoocenaa.exeGampaipe.exeGlbdnbpk.exeGkedjo32.exeGdnibdmf.exeGleqdb32.exeHdpehd32.exeHkjnenbp.exeHofjem32.exeHdbbnd32.exeHipkfkgh.exeHchoop32.exeHlpchfdi.exeHdgkicek.exepid Process 376 adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exe 376 adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exe 3000 Fipbhd32.exe 3000 Fipbhd32.exe 2504 Fefcmehe.exe 2504 Fefcmehe.exe 2792 Fjckelfm.exe 2792 Fjckelfm.exe 2840 Famcbf32.exe 2840 Famcbf32.exe 2864 Fdlpnamm.exe 2864 Fdlpnamm.exe 2612 Fmddgg32.exe 2612 Fmddgg32.exe 2384 Fdnlcakk.exe 2384 Fdnlcakk.exe 1032 Fikelhib.exe 1032 Fikelhib.exe 1676 Fabmmejd.exe 1676 Fabmmejd.exe 1936 Gjjafkpe.exe 1936 Gjjafkpe.exe 1960 Gimaah32.exe 1960 Gimaah32.exe 2484 Gllnnc32.exe 2484 Gllnnc32.exe 472 Gbffjmmp.exe 472 Gbffjmmp.exe 1492 Gmkjgfmf.exe 1492 Gmkjgfmf.exe 2356 Gpjfcali.exe 2356 Gpjfcali.exe 2196 Gibkmgcj.exe 2196 Gibkmgcj.exe 1180 Glpgibbn.exe 1180 Glpgibbn.exe 632 Goocenaa.exe 632 Goocenaa.exe 564 Gampaipe.exe 564 Gampaipe.exe 2184 Glbdnbpk.exe 2184 Glbdnbpk.exe 1552 Gkedjo32.exe 1552 Gkedjo32.exe 1740 Gdnibdmf.exe 1740 Gdnibdmf.exe 3052 Gleqdb32.exe 3052 Gleqdb32.exe 1316 Hdpehd32.exe 1316 Hdpehd32.exe 2336 Hkjnenbp.exe 2336 Hkjnenbp.exe 2452 Hofjem32.exe 2452 Hofjem32.exe 2740 Hdbbnd32.exe 2740 Hdbbnd32.exe 2828 Hipkfkgh.exe 2828 Hipkfkgh.exe 2712 Hchoop32.exe 2712 Hchoop32.exe 2620 Hlpchfdi.exe 2620 Hlpchfdi.exe 2768 Hdgkicek.exe 2768 Hdgkicek.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jjkfqlpf.exeGlpgibbn.exeGlbdnbpk.exeOmnmal32.exeAebakp32.exeAinmlomf.exeBinikb32.exeJcandb32.exeNhqhmj32.exeMdoccg32.exeAlofnj32.exeBlaobmkq.exeJfmnkn32.exeBhmmcjjd.exeBknfeege.exeCpohhk32.exeMgmoob32.exeCiglaa32.exeJghqia32.exeJmgfgham.exeNchipb32.exePegnglnm.exeAfbnec32.exeFdlpnamm.exeNhebhipj.exePigklmqc.exePmecbkgj.exePgodcich.exePecelm32.exeBmgifa32.exeIhbdhepp.exeLidilk32.exeLiblfl32.exeMgkbjb32.exeAcohnhab.exeJcckibfg.exeKapaaj32.exeJjmcfl32.exeLadgkmlj.exeMaiqfl32.exeNoagjc32.exeOjkhjabc.exeOdcimipf.exeFmddgg32.exeIgcgnbim.exeNkdndeon.exeBfmqigba.exeCcnddg32.exeHipkfkgh.exeJcfgoadd.exeKnfopnkk.exeLfkfkopk.exeQpaohjkk.exeGmkjgfmf.exeIadbqlmh.exeOomjng32.exeKpoejbhe.exeLlebnfpe.exedescription ioc Process File created C:\Windows\SysWOW64\Jqeomfgc.exe Jjkfqlpf.exe File opened for modification C:\Windows\SysWOW64\Goocenaa.exe Glpgibbn.exe File created C:\Windows\SysWOW64\Mmkhejmb.dll Glbdnbpk.exe File created C:\Windows\SysWOW64\Oomjng32.exe Omnmal32.exe File created C:\Windows\SysWOW64\Ainmlomf.exe Aebakp32.exe File opened for modification C:\Windows\SysWOW64\Almihjlj.exe Ainmlomf.exe File opened for modification C:\Windows\SysWOW64\Bmjekahk.exe Binikb32.exe File created C:\Windows\SysWOW64\Jgmjdaqb.exe Jcandb32.exe File opened for modification C:\Windows\SysWOW64\Nphpng32.exe Nhqhmj32.exe File opened for modification C:\Windows\SysWOW64\Mgmoob32.exe Mdoccg32.exe File created C:\Windows\SysWOW64\Nphpng32.exe Nhqhmj32.exe File opened for modification C:\Windows\SysWOW64\Anmbje32.exe Alofnj32.exe File opened for modification C:\Windows\SysWOW64\Bpmkbl32.exe Blaobmkq.exe File created C:\Windows\SysWOW64\Gkedjo32.exe Glbdnbpk.exe File created C:\Windows\SysWOW64\Hbbilmqm.dll Jfmnkn32.exe File created C:\Windows\SysWOW64\Binikb32.exe Bhmmcjjd.exe File created C:\Windows\SysWOW64\Blobmm32.exe Bknfeege.exe File created C:\Windows\SysWOW64\Madcho32.dll Cpohhk32.exe File created C:\Windows\SysWOW64\Jmgfgham.exe Jfmnkn32.exe File created C:\Windows\SysWOW64\Nmggllha.exe Mgmoob32.exe File created C:\Windows\SysWOW64\Hjlkkhne.dll Ciglaa32.exe File created C:\Windows\SysWOW64\Lmmlbi32.dll Jghqia32.exe File opened for modification C:\Windows\SysWOW64\Jqbbhg32.exe Jmgfgham.exe File created C:\Windows\SysWOW64\Lnkmkbpj.dll Nchipb32.exe File opened for modification C:\Windows\SysWOW64\Qgfkchmp.exe Pegnglnm.exe File created C:\Windows\SysWOW64\Aeenapck.exe Afbnec32.exe File created C:\Windows\SysWOW64\Ffdiiopj.dll Fdlpnamm.exe File created C:\Windows\SysWOW64\Jkcmjpma.exe Jghqia32.exe File opened for modification C:\Windows\SysWOW64\Nkdndeon.exe Nhebhipj.exe File created C:\Windows\SysWOW64\Pkfghh32.exe Pigklmqc.exe File opened for modification C:\Windows\SysWOW64\Podpoffm.exe Pmecbkgj.exe File opened for modification C:\Windows\SysWOW64\Pofldf32.exe Pgodcich.exe File created C:\Windows\SysWOW64\Pgaahh32.exe Pecelm32.exe File created C:\Windows\SysWOW64\Bpfebmia.exe Bmgifa32.exe File created C:\Windows\SysWOW64\Igeddb32.exe Ihbdhepp.exe File opened for modification C:\Windows\SysWOW64\Llcehg32.exe Lidilk32.exe File created C:\Windows\SysWOW64\Cnkgnb32.dll Liblfl32.exe File opened for modification C:\Windows\SysWOW64\Mkfojakp.exe Mgkbjb32.exe File opened for modification C:\Windows\SysWOW64\Afndjdpe.exe Acohnhab.exe File opened for modification C:\Windows\SysWOW64\Jbfkeo32.exe Jcckibfg.exe File created C:\Windows\SysWOW64\Kelmbifm.exe Kapaaj32.exe File created C:\Windows\SysWOW64\Jbndmh32.dll Jjmcfl32.exe File created C:\Windows\SysWOW64\Lhoohgdg.exe Ladgkmlj.exe File created C:\Windows\SysWOW64\Pjlncjhk.dll Maiqfl32.exe File created C:\Windows\SysWOW64\Hjgkgm32.dll Noagjc32.exe File created C:\Windows\SysWOW64\Igjeji32.dll Ojkhjabc.exe File opened for modification C:\Windows\SysWOW64\Ogaeieoj.exe Odcimipf.exe File created C:\Windows\SysWOW64\Ecipfpcm.dll Fmddgg32.exe File created C:\Windows\SysWOW64\Ihbdhepp.exe Igcgnbim.exe File created C:\Windows\SysWOW64\Noojdc32.exe Nkdndeon.exe File created C:\Windows\SysWOW64\Bodhjdcc.exe Bfmqigba.exe File created C:\Windows\SysWOW64\Celpqbon.exe Ccnddg32.exe File opened for modification C:\Windows\SysWOW64\Hchoop32.exe Hipkfkgh.exe File created C:\Windows\SysWOW64\Jqbbhg32.exe Jmgfgham.exe File created C:\Windows\SysWOW64\Dmhpkkdp.dll Jcfgoadd.exe File opened for modification C:\Windows\SysWOW64\Kaekljjo.exe Knfopnkk.exe File created C:\Windows\SysWOW64\Lhlbbg32.exe Lfkfkopk.exe File created C:\Windows\SysWOW64\Qghgigkn.exe Qpaohjkk.exe File opened for modification C:\Windows\SysWOW64\Gpjfcali.exe Gmkjgfmf.exe File created C:\Windows\SysWOW64\Iklfia32.exe Iadbqlmh.exe File created C:\Windows\SysWOW64\Igpkgp32.dll Mdoccg32.exe File opened for modification C:\Windows\SysWOW64\Ogdaod32.exe Oomjng32.exe File created C:\Windows\SysWOW64\Kbmafngi.exe Kpoejbhe.exe File created C:\Windows\SysWOW64\Lpanne32.exe Llebnfpe.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Onipqp32.exeCdamao32.exeFipbhd32.exeJjkfqlpf.exeLlebnfpe.exeQjgcecja.exeLidilk32.exeOjkhjabc.exeAebakp32.exePbgefa32.exeAlmihjlj.exeAdmgglep.exeClfhml32.exeGibkmgcj.exeNoojdc32.exeGimaah32.exeOjpaeq32.exeAbinjdad.exeBdcnhk32.exeJfmnkn32.exeCcnddg32.exeClhecl32.exeGoocenaa.exeMebpakbq.exeGjjafkpe.exeGleqdb32.exeJqbbhg32.exeNhqhmj32.exeNanfqo32.exeOmnmal32.exePofldf32.exeAcohnhab.exeAlofnj32.exeHofjem32.exeIkjjda32.exeJmdiahco.exePbblkaea.exeQnpcpa32.exeAinmlomf.exeBinikb32.exeBpmkbl32.exeFikelhib.exeLhoohgdg.exePmecbkgj.exePegnglnm.exeFjckelfm.exeHlpchfdi.exeIjfqfj32.exeJegdgj32.exeLofkoamf.exeMhcicf32.exeOgdaod32.exePgaahh32.exeBfmqigba.exeIoefdpne.exeIhbdhepp.exeNgoleb32.exeOoofcg32.exePmqffonj.exeBeggec32.exeFmddgg32.exeOgohdeam.exeChhpgn32.exeCiglaa32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onipqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdamao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkfqlpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llebnfpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjgcecja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lidilk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkhjabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebakp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbgefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almihjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Admgglep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clfhml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibkmgcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noojdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gimaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojpaeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abinjdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcnhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfmnkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnddg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clhecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goocenaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebpakbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjafkpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gleqdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqbbhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhqhmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nanfqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acohnhab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alofnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofjem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjjda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdiahco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbblkaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnpcpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainmlomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Binikb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpmkbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikelhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhoohgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmecbkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pegnglnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjckelfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpchfdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijfqfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jegdgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lofkoamf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcicf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogdaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgaahh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmqigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioefdpne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbdhepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngoleb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooofcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmqffonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beggec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmddgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogohdeam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chhpgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciglaa32.exe -
Modifies registry class 64 IoCs
Processes:
Lcedne32.exePjpmdd32.exeMkaeob32.exeNkdndeon.exeCiglaa32.exeCeqjla32.exeQgfkchmp.exeAilqfooi.exeJjkfqlpf.exePfnhkq32.exePbdipa32.exePgcnnh32.exePofldf32.exeBfmqigba.exeChhpgn32.exeHdbbnd32.exeIhbdhepp.exeJgmjdaqb.exeKglfcd32.exePkfghh32.exeJcckibfg.exeLbmnea32.exeBdfjnkne.exeMmdkfmjc.exeOjpaeq32.exeQghgigkn.exeBinikb32.exeCpohhk32.exeJmlobg32.exeJcfgoadd.exeKmklak32.exeNommodjj.exeQnpcpa32.exeCelpqbon.exeLadgkmlj.exeJjmcfl32.exeJegdgj32.exeOfgbkacb.exePeqhgmdd.exeBmgifa32.exeGibkmgcj.exeHghdjn32.exeOgohdeam.exePodpoffm.exeBdodmlcm.exeMhcicf32.exeMdoccg32.exeadc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exeFabmmejd.exeGdnibdmf.exeKgjjndeq.exeLffmpp32.exeAfndjdpe.exeAhcjmkbo.exeAbinjdad.exeBeggec32.exeLidilk32.exeCodeih32.exeGkedjo32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcedne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjpmdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkaeob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkdndeon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ciglaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceqjla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjfjc32.dll" Qgfkchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ailqfooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcbqe32.dll" Jjkfqlpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbdipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglnmheg.dll" Pgcnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoadpbdp.dll" Pofldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdlnnal.dll" Bfmqigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chhpgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdbbnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbgjc32.dll" Ihbdhepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmaalgf.dll" Jgmjdaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjkbmim.dll" Kglfcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkfghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfldmeci.dll" Jcckibfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbmnea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdfjnkne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmdkfmjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojpaeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qghgigkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamnbhdj.dll" Binikb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpohhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelgfoke.dll" Jmlobg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcfgoadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmbnn32.dll" Kmklak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nommodjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfbic32.dll" Qnpcpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Celpqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdbeobe.dll" Ladgkmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjmcfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfcekf32.dll" Jegdgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofgbkacb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peqhgmdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmgifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gibkmgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einoopbn.dll" Hghdjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogohdeam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Podpoffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalmek32.dll" Bdodmlcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjqlaec.dll" Mhcicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdoccg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphkcaig.dll" Pfnhkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgdlnjc.dll" Fabmmejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdnibdmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgjjndeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lffmpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afndjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dggekf32.dll" Ahcjmkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmecge32.dll" Abinjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beggec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll" Celpqbon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdnibdmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jegdgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lidilk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqlidcln.dll" Codeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkedjo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exeFipbhd32.exeFefcmehe.exeFjckelfm.exeFamcbf32.exeFdlpnamm.exeFmddgg32.exeFdnlcakk.exeFikelhib.exeFabmmejd.exeGjjafkpe.exeGimaah32.exeGllnnc32.exeGbffjmmp.exeGmkjgfmf.exeGpjfcali.exedescription pid Process procid_target PID 376 wrote to memory of 3000 376 adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exe 30 PID 376 wrote to memory of 3000 376 adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exe 30 PID 376 wrote to memory of 3000 376 adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exe 30 PID 376 wrote to memory of 3000 376 adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exe 30 PID 3000 wrote to memory of 2504 3000 Fipbhd32.exe 31 PID 3000 wrote to memory of 2504 3000 Fipbhd32.exe 31 PID 3000 wrote to memory of 2504 3000 Fipbhd32.exe 31 PID 3000 wrote to memory of 2504 3000 Fipbhd32.exe 31 PID 2504 wrote to memory of 2792 2504 Fefcmehe.exe 32 PID 2504 wrote to memory of 2792 2504 Fefcmehe.exe 32 PID 2504 wrote to memory of 2792 2504 Fefcmehe.exe 32 PID 2504 wrote to memory of 2792 2504 Fefcmehe.exe 32 PID 2792 wrote to memory of 2840 2792 Fjckelfm.exe 33 PID 2792 wrote to memory of 2840 2792 Fjckelfm.exe 33 PID 2792 wrote to memory of 2840 2792 Fjckelfm.exe 33 PID 2792 wrote to memory of 2840 2792 Fjckelfm.exe 33 PID 2840 wrote to memory of 2864 2840 Famcbf32.exe 34 PID 2840 wrote to memory of 2864 2840 Famcbf32.exe 34 PID 2840 wrote to memory of 2864 2840 Famcbf32.exe 34 PID 2840 wrote to memory of 2864 2840 Famcbf32.exe 34 PID 2864 wrote to memory of 2612 2864 Fdlpnamm.exe 35 PID 2864 wrote to memory of 2612 2864 Fdlpnamm.exe 35 PID 2864 wrote to memory of 2612 2864 Fdlpnamm.exe 35 PID 2864 wrote to memory of 2612 2864 Fdlpnamm.exe 35 PID 2612 wrote to memory of 2384 2612 Fmddgg32.exe 36 PID 2612 wrote to memory of 2384 2612 Fmddgg32.exe 36 PID 2612 wrote to memory of 2384 2612 Fmddgg32.exe 36 PID 2612 wrote to memory of 2384 2612 Fmddgg32.exe 36 PID 2384 wrote to memory of 1032 2384 Fdnlcakk.exe 37 PID 2384 wrote to memory of 1032 2384 Fdnlcakk.exe 37 PID 2384 wrote to memory of 1032 2384 Fdnlcakk.exe 37 PID 2384 wrote to memory of 1032 2384 Fdnlcakk.exe 37 PID 1032 wrote to memory of 1676 1032 Fikelhib.exe 38 PID 1032 wrote to memory of 1676 1032 Fikelhib.exe 38 PID 1032 wrote to memory of 1676 1032 Fikelhib.exe 38 PID 1032 wrote to memory of 1676 1032 Fikelhib.exe 38 PID 1676 wrote to memory of 1936 1676 Fabmmejd.exe 39 PID 1676 wrote to memory of 1936 1676 Fabmmejd.exe 39 PID 1676 wrote to memory of 1936 1676 Fabmmejd.exe 39 PID 1676 wrote to memory of 1936 1676 Fabmmejd.exe 39 PID 1936 wrote to memory of 1960 1936 Gjjafkpe.exe 40 PID 1936 wrote to memory of 1960 1936 Gjjafkpe.exe 40 PID 1936 wrote to memory of 1960 1936 Gjjafkpe.exe 40 PID 1936 wrote to memory of 1960 1936 Gjjafkpe.exe 40 PID 1960 wrote to memory of 2484 1960 Gimaah32.exe 41 PID 1960 wrote to memory of 2484 1960 Gimaah32.exe 41 PID 1960 wrote to memory of 2484 1960 Gimaah32.exe 41 PID 1960 wrote to memory of 2484 1960 Gimaah32.exe 41 PID 2484 wrote to memory of 472 2484 Gllnnc32.exe 42 PID 2484 wrote to memory of 472 2484 Gllnnc32.exe 42 PID 2484 wrote to memory of 472 2484 Gllnnc32.exe 42 PID 2484 wrote to memory of 472 2484 Gllnnc32.exe 42 PID 472 wrote to memory of 1492 472 Gbffjmmp.exe 43 PID 472 wrote to memory of 1492 472 Gbffjmmp.exe 43 PID 472 wrote to memory of 1492 472 Gbffjmmp.exe 43 PID 472 wrote to memory of 1492 472 Gbffjmmp.exe 43 PID 1492 wrote to memory of 2356 1492 Gmkjgfmf.exe 44 PID 1492 wrote to memory of 2356 1492 Gmkjgfmf.exe 44 PID 1492 wrote to memory of 2356 1492 Gmkjgfmf.exe 44 PID 1492 wrote to memory of 2356 1492 Gmkjgfmf.exe 44 PID 2356 wrote to memory of 2196 2356 Gpjfcali.exe 45 PID 2356 wrote to memory of 2196 2356 Gpjfcali.exe 45 PID 2356 wrote to memory of 2196 2356 Gpjfcali.exe 45 PID 2356 wrote to memory of 2196 2356 Gpjfcali.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exe"C:\Users\Admin\AppData\Local\Temp\adc1a6681136eb998c5027974ba4724cd0878bfd734e9695dc9ad66421e65084.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Fipbhd32.exeC:\Windows\system32\Fipbhd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Fefcmehe.exeC:\Windows\system32\Fefcmehe.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Fjckelfm.exeC:\Windows\system32\Fjckelfm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Famcbf32.exeC:\Windows\system32\Famcbf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Fdlpnamm.exeC:\Windows\system32\Fdlpnamm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Fmddgg32.exeC:\Windows\system32\Fmddgg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Fdnlcakk.exeC:\Windows\system32\Fdnlcakk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Fikelhib.exeC:\Windows\system32\Fikelhib.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Fabmmejd.exeC:\Windows\system32\Fabmmejd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Gimaah32.exeC:\Windows\system32\Gimaah32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Gllnnc32.exeC:\Windows\system32\Gllnnc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Gbffjmmp.exeC:\Windows\system32\Gbffjmmp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:472 -
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Gpjfcali.exeC:\Windows\system32\Gpjfcali.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Gibkmgcj.exeC:\Windows\system32\Gibkmgcj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Glpgibbn.exeC:\Windows\system32\Glpgibbn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Goocenaa.exeC:\Windows\system32\Goocenaa.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:632 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Glbdnbpk.exeC:\Windows\system32\Glbdnbpk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Gleqdb32.exeC:\Windows\system32\Gleqdb32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Hofjem32.exeC:\Windows\system32\Hofjem32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Hdbbnd32.exeC:\Windows\system32\Hdbbnd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Hipkfkgh.exeC:\Windows\system32\Hipkfkgh.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Hchoop32.exeC:\Windows\system32\Hchoop32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Hdgkicek.exeC:\Windows\system32\Hdgkicek.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Hcjldp32.exeC:\Windows\system32\Hcjldp32.exe33⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Hghdjn32.exeC:\Windows\system32\Hghdjn32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Ijfqfj32.exeC:\Windows\system32\Ijfqfj32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Ihiabfhk.exeC:\Windows\system32\Ihiabfhk.exe36⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Ioefdpne.exeC:\Windows\system32\Ioefdpne.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Iadbqlmh.exeC:\Windows\system32\Iadbqlmh.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Iklfia32.exeC:\Windows\system32\Iklfia32.exe40⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Ifbkgj32.exeC:\Windows\system32\Ifbkgj32.exe41⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Igeddb32.exeC:\Windows\system32\Igeddb32.exe44⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Ibkhak32.exeC:\Windows\system32\Ibkhak32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Jghqia32.exeC:\Windows\system32\Jghqia32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Jkcmjpma.exeC:\Windows\system32\Jkcmjpma.exe47⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe48⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Jmdiahco.exeC:\Windows\system32\Jmdiahco.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:780 -
C:\Windows\SysWOW64\Jdlacfca.exeC:\Windows\system32\Jdlacfca.exe50⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Jmgfgham.exeC:\Windows\system32\Jmgfgham.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Jqbbhg32.exeC:\Windows\system32\Jqbbhg32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Jgmjdaqb.exeC:\Windows\system32\Jgmjdaqb.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Jjkfqlpf.exeC:\Windows\system32\Jjkfqlpf.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Jqeomfgc.exeC:\Windows\system32\Jqeomfgc.exe57⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Jcckibfg.exeC:\Windows\system32\Jcckibfg.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Jbfkeo32.exeC:\Windows\system32\Jbfkeo32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Jjmcfl32.exeC:\Windows\system32\Jjmcfl32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Jmlobg32.exeC:\Windows\system32\Jmlobg32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Jojloc32.exeC:\Windows\system32\Jojloc32.exe62⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Jcfgoadd.exeC:\Windows\system32\Jcfgoadd.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Jegdgj32.exeC:\Windows\system32\Jegdgj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Jibpghbk.exeC:\Windows\system32\Jibpghbk.exe65⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Kkalcdao.exeC:\Windows\system32\Kkalcdao.exe66⤵PID:1736
-
C:\Windows\SysWOW64\Kbkdpnil.exeC:\Windows\system32\Kbkdpnil.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Keiqlihp.exeC:\Windows\system32\Keiqlihp.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:556 -
C:\Windows\SysWOW64\Kiemmh32.exeC:\Windows\system32\Kiemmh32.exe69⤵PID:860
-
C:\Windows\SysWOW64\Kpoejbhe.exeC:\Windows\system32\Kpoejbhe.exe70⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Kbmafngi.exeC:\Windows\system32\Kbmafngi.exe71⤵PID:2652
-
C:\Windows\SysWOW64\Kapaaj32.exeC:\Windows\system32\Kapaaj32.exe72⤵
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Kelmbifm.exeC:\Windows\system32\Kelmbifm.exe73⤵PID:2996
-
C:\Windows\SysWOW64\Kgjjndeq.exeC:\Windows\system32\Kgjjndeq.exe74⤵
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Kjhfjpdd.exeC:\Windows\system32\Kjhfjpdd.exe75⤵PID:1956
-
C:\Windows\SysWOW64\Kenjgi32.exeC:\Windows\system32\Kenjgi32.exe76⤵PID:2428
-
C:\Windows\SysWOW64\Kglfcd32.exeC:\Windows\system32\Kglfcd32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Knfopnkk.exeC:\Windows\system32\Knfopnkk.exe78⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Kaekljjo.exeC:\Windows\system32\Kaekljjo.exe79⤵PID:2144
-
C:\Windows\SysWOW64\Kccgheib.exeC:\Windows\system32\Kccgheib.exe80⤵PID:1612
-
C:\Windows\SysWOW64\Kgocid32.exeC:\Windows\system32\Kgocid32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Knikfnih.exeC:\Windows\system32\Knikfnih.exe82⤵PID:1660
-
C:\Windows\SysWOW64\Kmklak32.exeC:\Windows\system32\Kmklak32.exe83⤵
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Lcedne32.exeC:\Windows\system32\Lcedne32.exe84⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1368 -
C:\Windows\SysWOW64\Liblfl32.exeC:\Windows\system32\Liblfl32.exe86⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Laidgi32.exeC:\Windows\system32\Laidgi32.exe87⤵PID:2988
-
C:\Windows\SysWOW64\Lchqcd32.exeC:\Windows\system32\Lchqcd32.exe88⤵PID:2832
-
C:\Windows\SysWOW64\Lffmpp32.exeC:\Windows\system32\Lffmpp32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Lidilk32.exeC:\Windows\system32\Lidilk32.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Llcehg32.exeC:\Windows\system32\Llcehg32.exe91⤵PID:2416
-
C:\Windows\SysWOW64\Lbmnea32.exeC:\Windows\system32\Lbmnea32.exe92⤵
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Lekjal32.exeC:\Windows\system32\Lekjal32.exe93⤵PID:1060
-
C:\Windows\SysWOW64\Llebnfpe.exeC:\Windows\system32\Llebnfpe.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:952 -
C:\Windows\SysWOW64\Lfkfkopk.exeC:\Windows\system32\Lfkfkopk.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Lhlbbg32.exeC:\Windows\system32\Lhlbbg32.exe97⤵PID:2928
-
C:\Windows\SysWOW64\Lofkoamf.exeC:\Windows\system32\Lofkoamf.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Ladgkmlj.exeC:\Windows\system32\Ladgkmlj.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Lhoohgdg.exeC:\Windows\system32\Lhoohgdg.exe100⤵
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Lkmldbcj.exeC:\Windows\system32\Lkmldbcj.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Mebpakbq.exeC:\Windows\system32\Mebpakbq.exe102⤵
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Mhalngad.exeC:\Windows\system32\Mhalngad.exe103⤵PID:1904
-
C:\Windows\SysWOW64\Mokdja32.exeC:\Windows\system32\Mokdja32.exe104⤵PID:2492
-
C:\Windows\SysWOW64\Maiqfl32.exeC:\Windows\system32\Maiqfl32.exe105⤵
- Drops file in System32 directory
PID:348 -
C:\Windows\SysWOW64\Mhcicf32.exeC:\Windows\system32\Mhcicf32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Mkaeob32.exeC:\Windows\system32\Mkaeob32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Mmpakm32.exeC:\Windows\system32\Mmpakm32.exe108⤵PID:2200
-
C:\Windows\SysWOW64\Mpnngi32.exeC:\Windows\system32\Mpnngi32.exe109⤵PID:1640
-
C:\Windows\SysWOW64\Mheeif32.exeC:\Windows\system32\Mheeif32.exe110⤵PID:1972
-
C:\Windows\SysWOW64\Mkdbea32.exeC:\Windows\system32\Mkdbea32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Mmbnam32.exeC:\Windows\system32\Mmbnam32.exe112⤵PID:2244
-
C:\Windows\SysWOW64\Mpqjmh32.exeC:\Windows\system32\Mpqjmh32.exe113⤵PID:1448
-
C:\Windows\SysWOW64\Mcofid32.exeC:\Windows\system32\Mcofid32.exe114⤵PID:1148
-
C:\Windows\SysWOW64\Mgkbjb32.exeC:\Windows\system32\Mgkbjb32.exe115⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Mkfojakp.exeC:\Windows\system32\Mkfojakp.exe116⤵PID:1548
-
C:\Windows\SysWOW64\Mmdkfmjc.exeC:\Windows\system32\Mmdkfmjc.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Mdoccg32.exeC:\Windows\system32\Mdoccg32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Mgmoob32.exeC:\Windows\system32\Mgmoob32.exe119⤵
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\Nmggllha.exeC:\Windows\system32\Nmggllha.exe120⤵PID:2808
-
C:\Windows\SysWOW64\Npechhgd.exeC:\Windows\system32\Npechhgd.exe121⤵PID:2752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-