Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 03:25
Static task: static1
Behavioral task: behavioral1
  Sample: c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe
  Resource: win10v2004-20241007-en
General
Target: c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe
Size: 320KB
MD5: d297fc10dc2204d5cc6f19dbb15cd7c8
SHA1: 7de29a94bab565cb59d82387c23306cdddb45d0a
SHA256: c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084
SHA512: c4add5b4effc1592c4f8fc5f4b8e9b2e0a4320a043a42cc9b304772ca97b35f0bc597b2dc10cada7ed0f1a68a2774a220135015b3f14dedfe2717addaf9db23a
SSDEEP: 6144:18PX3zpSp/ZRJnkLAYCtE07kli0KoCYtw2B0Ddu9szWfx09UBIUbPLwH/lLOUaRZ:1MnGhR1YJ07kE0KoFtw2gu9RxrBIUbPZ
Malware Config
Extracted
Family: berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Eegmhhie.exe, Aadobccg.exe, Hghdjn32.exe, Ncfmjc32.exe, Phgannal.exe, Ngoleb32.exe, Bdfjnkne.exe, Peqhgmdd.exe, Pkojoghl.exe, Jnlbgq32.exe, Mhdpnm32.exe, Cppobaeb.exe, Eikimeff.exe, Jgjmoace.exe, Nloachkf.exe, Oapcfo32.exe, Biccfalm.exe, Imogcj32.exe, Kimjhnnl.exe, Lalhgogb.exe, Ajjgei32.exe, Bdinnqon.exe, Nikkkn32.exe, Bhkghqpb.exe, Gidhbgag.exe, Ojndpqpq.exe, Acohnhab.exe, Fjhdpk32.exe, Lidilk32.exe, Oqlfhjch.exe, Hdgkicek.exe, Ndjfgkha.exe, Meecaa32.exe, Pjjkfe32.exe, Bbchkime.exe, Bhpqcpkm.exe, Fnjnkkbk.exe, Pbjifgcd.exe, Kghmhegc.exe, Magdam32.exe, Bceeqi32.exe, Bahelebm.exe, Cnabffeo.exe, Gbhcpmkm.exe, Ifpnaj32.exe, Jmdiahco.exe, Pfnoegaf.exe, Boleejag.exe, Pnkiebib.exe, Qpaohjkk.exe, Aicfgn32.exe, Kiofnm32.exe, Ammmlcgi.exe, Mkohjbah.exe, Pbdipa32.exe, Bfpmog32.exe, Knaeeo32.exe, Knikfnih.exe, Lpanne32.exe, Imhqbkbm.exe, Kfnnlboi.exe, Plpqim32.exe
Description | IoC | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eegmhhie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aadobccg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hghdjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ncfmjc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phgannal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ngoleb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdfjnkne.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peqhgmdd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkojoghl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jnlbgq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mhdpnm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cppobaeb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eikimeff.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgjmoace.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nloachkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oapcfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Biccfalm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Imogcj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kimjhnnl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lalhgogb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ajjgei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bdinnqon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nikkkn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhkghqpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gidhbgag.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojndpqpq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Acohnhab.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjhdpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lidilk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oqlfhjch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hdgkicek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ndjfgkha.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Meecaa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjjkfe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbchkime.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bhpqcpkm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnjnkkbk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gidhbgag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pbjifgcd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kghmhegc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Magdam32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bceeqi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bahelebm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cnabffeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gbhcpmkm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifpnaj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmdiahco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pfnoegaf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Boleejag.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnkiebib.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpaohjkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aicfgn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kiofnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ammmlcgi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkohjbah.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncfmjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pbdipa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bfpmog32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knaeeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knikfnih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpanne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Imhqbkbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kfnnlboi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plpqim32.exe
Berbew family
Executes dropped EXE (64 IoCs)
Processes: Dmgoif32.exe, Dcageqgm.exe, Eegmhhie.exe, Ejdfqogm.exe, Eelgcg32.exe, Endklmlq.exe, Fmlecinf.exe, Ficehj32.exe, Fbkjap32.exe, Flcojeak.exe, Fhmldfdm.exe, Fogdap32.exe, Gmnngl32.exe, Gpogiglp.exe, Ggklka32.exe, Haemloni.exe, Hagianlf.exe, Hkpnjd32.exe, Hdhbci32.exe, Hkbkpcpd.exe, Hhfkihon.exe, Hjggap32.exe, Igkhjdde.exe, Ijidfpci.exe, Imhqbkbm.exe, Iqfiii32.exe, Ioiidfon.exe, Iianmlfn.exe, Imogcj32.exe, Iciopdca.exe, Jbnlaqhi.exe, Jgkdigfa.exe, Jngilalk.exe, Jaeehmko.exe, Jecnnk32.exe, Jnlbgq32.exe, Kjbclamj.exe, Kiecgo32.exe, Kmclmm32.exe, Kcmdjgbh.exe, Kflafbak.exe, Kngekdnf.exe, Kfnnlboi.exe, Kimjhnnl.exe, Koibpd32.exe, Kiofnm32.exe, Lolofd32.exe, Leegbnan.exe, Llpoohik.exe, Lalhgogb.exe, Lhfpdi32.exe, Lophacfl.exe, Lhimji32.exe, Lkgifd32.exe, Lpdankjg.exe, Lbbnjgik.exe, Lmhbgpia.exe, Lpfnckhe.exe, Mecglbfl.exe, Mmjomogn.exe, Mlmoilni.exe, Meecaa32.exe, Mhdpnm32.exe, Mcidkf32.exe
PID | Process
2672 | Dmgoif32.exe
2656 | Dcageqgm.exe
2712 | Eegmhhie.exe
2588 | Ejdfqogm.exe
2652 | Eelgcg32.exe
948 | Endklmlq.exe
2464 | Fmlecinf.exe
2512 | Ficehj32.exe
2628 | Fbkjap32.exe
860 | Flcojeak.exe
2356 | Fhmldfdm.exe
776 | Fogdap32.exe
2184 | Gmnngl32.exe
2928 | Gpogiglp.exe
2344 | Ggklka32.exe
840 | Haemloni.exe
684 | Hagianlf.exe
1536 | Hkpnjd32.exe
1996 | Hdhbci32.exe
2484 | Hkbkpcpd.exe
1412 | Hhfkihon.exe
2260 | Hjggap32.exe
1908 | Igkhjdde.exe
1868 | Ijidfpci.exe
1672 | Imhqbkbm.exe
2896 | Iqfiii32.exe
1592 | Ioiidfon.exe
2744 | Iianmlfn.exe
2856 | Imogcj32.exe
236 | Iciopdca.exe
2252 | Jbnlaqhi.exe
2288 | Jgkdigfa.exe
2088 | Jngilalk.exe
3036 | Jaeehmko.exe
2892 | Jecnnk32.exe
2428 | Jnlbgq32.exe
292 | Kjbclamj.exe
1084 | Kiecgo32.exe
1740 | Kmclmm32.exe
2920 | Kcmdjgbh.exe
2976 | Kflafbak.exe
752 | Kngekdnf.exe
1956 | Kfnnlboi.exe
1580 | Kimjhnnl.exe
1680 | Koibpd32.exe
1932 | Kiofnm32.exe
1056 | Lolofd32.exe
1000 | Leegbnan.exe
1800 | Llpoohik.exe
2104 | Lalhgogb.exe
2780 | Lhfpdi32.exe
2668 | Lophacfl.exe
2564 | Lhimji32.exe
2960 | Lkgifd32.exe
1488 | Lpdankjg.exe
2592 | Lbbnjgik.exe
2336 | Lmhbgpia.exe
1164 | Lpfnckhe.exe
1296 | Mecglbfl.exe
1936 | Mmjomogn.exe
3064 | Mlmoilni.exe
1796 | Meecaa32.exe
2836 | Mhdpnm32.exe
2944 | Mcidkf32.exe
Loads dropped DLL (64 IoCs)
Processes: c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe, Dmgoif32.exe, Dcageqgm.exe, Eegmhhie.exe, Ejdfqogm.exe, Eelgcg32.exe, Endklmlq.exe, Fmlecinf.exe, Ficehj32.exe, Fbkjap32.exe, Flcojeak.exe, Fhmldfdm.exe, Fogdap32.exe, Gmnngl32.exe, Gpogiglp.exe, Ggklka32.exe, Haemloni.exe, Hagianlf.exe, Hkpnjd32.exe, Hdhbci32.exe, Hkbkpcpd.exe, Hhfkihon.exe, Hjggap32.exe, Igkhjdde.exe, Ijidfpci.exe, Imhqbkbm.exe, Iqfiii32.exe, Ioiidfon.exe, Iianmlfn.exe, Imogcj32.exe, Iciopdca.exe, Jbnlaqhi.exe
PID | Process (each process is listed twice, once per DLL load recorded)
2624 | c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe
2624 | c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe
2672 | Dmgoif32.exe
2672 | Dmgoif32.exe
2656 | Dcageqgm.exe
2656 | Dcageqgm.exe
2712 | Eegmhhie.exe
2712 | Eegmhhie.exe
2588 | Ejdfqogm.exe
2588 | Ejdfqogm.exe
2652 | Eelgcg32.exe
2652 | Eelgcg32.exe
948 | Endklmlq.exe
948 | Endklmlq.exe
2464 | Fmlecinf.exe
2464 | Fmlecinf.exe
2512 | Ficehj32.exe
2512 | Ficehj32.exe
2628 | Fbkjap32.exe
2628 | Fbkjap32.exe
860 | Flcojeak.exe
860 | Flcojeak.exe
2356 | Fhmldfdm.exe
2356 | Fhmldfdm.exe
776 | Fogdap32.exe
776 | Fogdap32.exe
2184 | Gmnngl32.exe
2184 | Gmnngl32.exe
2928 | Gpogiglp.exe
2928 | Gpogiglp.exe
2344 | Ggklka32.exe
2344 | Ggklka32.exe
840 | Haemloni.exe
840 | Haemloni.exe
684 | Hagianlf.exe
684 | Hagianlf.exe
1536 | Hkpnjd32.exe
1536 | Hkpnjd32.exe
1996 | Hdhbci32.exe
1996 | Hdhbci32.exe
2484 | Hkbkpcpd.exe
2484 | Hkbkpcpd.exe
1412 | Hhfkihon.exe
1412 | Hhfkihon.exe
2260 | Hjggap32.exe
2260 | Hjggap32.exe
1908 | Igkhjdde.exe
1908 | Igkhjdde.exe
1868 | Ijidfpci.exe
1868 | Ijidfpci.exe
1672 | Imhqbkbm.exe
1672 | Imhqbkbm.exe
2896 | Iqfiii32.exe
2896 | Iqfiii32.exe
1592 | Ioiidfon.exe
1592 | Ioiidfon.exe
2744 | Iianmlfn.exe
2744 | Iianmlfn.exe
2856 | Imogcj32.exe
2856 | Imogcj32.exe
236 | Iciopdca.exe
236 | Iciopdca.exe
2252 | Jbnlaqhi.exe
2252 | Jbnlaqhi.exe
Drops file in System32 directory (64 IoCs)
Processes: Imogcj32.exe, Aadobccg.exe, Baclaf32.exe, Eikimeff.exe, Bdfjnkne.exe, Haemloni.exe, Cpgecq32.exe, Ochenfdn.exe, Ahpddmia.exe, Flqkjo32.exe, Gleqdb32.exe, Hdhbci32.exe, Fhmldfdm.exe, Nknkeg32.exe, Bceeqi32.exe, Bahelebm.exe, Lbmnea32.exe, Kjbclamj.exe, Hadfah32.exe, Iafofkkf.exe, Nphpng32.exe, Abinjdad.exe, Ilemce32.exe, Objmgd32.exe, Pmmqmpdm.exe, Bhkghqpb.exe, Ecjgio32.exe, Fjhdpk32.exe, Aicmadmm.exe, Ndjfgkha.exe, Acohnhab.exe, Kflafbak.exe, Glpgibbn.exe, Jmdiahco.exe, Nnbjpqoa.exe, Fbkjap32.exe, Adblnnbk.exe, Bpmkbl32.exe, Lfdpjp32.exe, Mlmoilni.exe, Pkojoghl.exe, Bmjekahk.exe, Pcnfdl32.exe, Cceapl32.exe, Jibpghbk.exe, Ollqllod.exe, Bdodmlcm.exe, Ojceef32.exe, Idekbgji.exe, Nhcebj32.exe, Fikelhib.exe, Mmbnam32.exe, Nkfkidmk.exe, Ajdcofop.exe, Koibpd32.exe, Qifnhaho.exe, Eqngcc32.exe, Hdgkicek.exe, Igcgnbim.exe, Mehpga32.exe
Description | IoC | Process
File created | C:\Windows\SysWOW64\Omgipo32.dll | Imogcj32.exe
File created | C:\Windows\SysWOW64\Mmmloaog.dll | Aadobccg.exe
File created | C:\Windows\SysWOW64\Bikcbc32.exe | Baclaf32.exe
File created | C:\Windows\SysWOW64\Mofapq32.dll | Eikimeff.exe
File opened for modification | C:\Windows\SysWOW64\Biccfalm.exe | Bdfjnkne.exe
File opened for modification | C:\Windows\SysWOW64\Hagianlf.exe | Haemloni.exe
File created | C:\Windows\SysWOW64\Cceapl32.exe | Cpgecq32.exe
File opened for modification | C:\Windows\SysWOW64\Ohengmcf.exe | Ochenfdn.exe
File created | C:\Windows\SysWOW64\Gdcdgpcj.dll | Ahpddmia.exe
File created | C:\Windows\SysWOW64\Oaqejn32.dll | Flqkjo32.exe
File created | C:\Windows\SysWOW64\Gkhaooec.exe | Gleqdb32.exe
File opened for modification | C:\Windows\SysWOW64\Hkbkpcpd.exe | Hdhbci32.exe
File opened for modification | C:\Windows\SysWOW64\Fogdap32.exe | Fhmldfdm.exe
File created | C:\Windows\SysWOW64\Mpbelhkp.dll | Nknkeg32.exe
File opened for modification | C:\Windows\SysWOW64\Bahelebm.exe | Bceeqi32.exe
File created | C:\Windows\SysWOW64\Bkqiek32.exe | Bahelebm.exe
File created | C:\Windows\SysWOW64\Nlqiie32.dll | Lbmnea32.exe
File created | C:\Windows\SysWOW64\Kiecgo32.exe | Kjbclamj.exe
File created | C:\Windows\SysWOW64\Hganjo32.exe | Hadfah32.exe
File created | C:\Windows\SysWOW64\Idekbgji.exe | Iafofkkf.exe
File created | C:\Windows\SysWOW64\Qhnmei32.dll | Nphpng32.exe
File opened for modification | C:\Windows\SysWOW64\Aicfgn32.exe | Abinjdad.exe
File created | C:\Windows\SysWOW64\Mfnfdm32.dll | Ilemce32.exe
File opened for modification | C:\Windows\SysWOW64\Oggeokoq.exe | Objmgd32.exe
File opened for modification | C:\Windows\SysWOW64\Plpqim32.exe | Pmmqmpdm.exe
File opened for modification | C:\Windows\SysWOW64\Blgcio32.exe | Bhkghqpb.exe
File created | C:\Windows\SysWOW64\Panfjh32.dll | Ecjgio32.exe
File created | C:\Windows\SysWOW64\Fikelhib.exe | Fjhdpk32.exe
File opened for modification | C:\Windows\SysWOW64\Afgnkilf.exe | Aicmadmm.exe
File created | C:\Windows\SysWOW64\Efhcej32.exe | Ecjgio32.exe
File created | C:\Windows\SysWOW64\Aphgbo32.dll | Ndjfgkha.exe
File created | C:\Windows\SysWOW64\Ailqfooi.exe | Acohnhab.exe
File created | C:\Windows\SysWOW64\Aggpokfi.dll | Kflafbak.exe
File opened for modification | C:\Windows\SysWOW64\Gbjpem32.exe | Glpgibbn.exe
File created | C:\Windows\SysWOW64\Nijjfj32.dll | Jmdiahco.exe
File created | C:\Windows\SysWOW64\Ebinok32.dll | Nnbjpqoa.exe
File created | C:\Windows\SysWOW64\Ppgeni32.dll | Fbkjap32.exe
File created | C:\Windows\SysWOW64\Apilcoho.exe | Adblnnbk.exe
File opened for modification | C:\Windows\SysWOW64\Cggcofkf.exe | Bpmkbl32.exe
File created | C:\Windows\SysWOW64\Liblfl32.exe | Lfdpjp32.exe
File opened for modification | C:\Windows\SysWOW64\Ncfmjc32.exe | Nphpng32.exe
File created | C:\Windows\SysWOW64\Plliem32.dll | Haemloni.exe
File opened for modification | C:\Windows\SysWOW64\Meecaa32.exe | Mlmoilni.exe
File created | C:\Windows\SysWOW64\Pmqffonj.exe | Pkojoghl.exe
File created | C:\Windows\SysWOW64\Bkofkccd.dll | Bmjekahk.exe
File created | C:\Windows\SysWOW64\Pflbpg32.exe | Pcnfdl32.exe
File created | C:\Windows\SysWOW64\Cjoilfek.exe | Cceapl32.exe
File created | C:\Windows\SysWOW64\Kkalcdao.exe | Jibpghbk.exe
File created | C:\Windows\SysWOW64\Chkfjj32.dll | Ollqllod.exe
File opened for modification | C:\Windows\SysWOW64\Bmgifa32.exe | Bdodmlcm.exe
File opened for modification | C:\Windows\SysWOW64\Objmgd32.exe | Ojceef32.exe
File opened for modification | C:\Windows\SysWOW64\Igcgnbim.exe | Idekbgji.exe
File created | C:\Windows\SysWOW64\Kaimoj32.dll | Nhcebj32.exe
File created | C:\Windows\SysWOW64\Fdqiiaih.exe | Fikelhib.exe
File opened for modification | C:\Windows\SysWOW64\Mpqjmh32.exe | Mmbnam32.exe
File opened for modification | C:\Windows\SysWOW64\Oapcfo32.exe | Nkfkidmk.exe
File created | C:\Windows\SysWOW64\Befima32.dll | Ajdcofop.exe
File created | C:\Windows\SysWOW64\Nkilelaf.dll | Koibpd32.exe
File created | C:\Windows\SysWOW64\Qaablcej.exe | Qifnhaho.exe
File created | C:\Windows\SysWOW64\Efjpkj32.exe | Eqngcc32.exe
File created | C:\Windows\SysWOW64\Bdocimni.dll | Hdgkicek.exe
File created | C:\Windows\SysWOW64\Ibillk32.exe | Igcgnbim.exe
File created | C:\Windows\SysWOW64\Mlglpa32.dll | Mehpga32.exe
File opened for modification | C:\Windows\SysWOW64\Apilcoho.exe | Adblnnbk.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Leegbnan.exe, Mcidkf32.exe, Kndbko32.exe, Knikfnih.exe, Nnbjpqoa.exe, Hagianlf.exe, Jgkdigfa.exe, Mmjomogn.exe, Blgcio32.exe, Poacighp.exe, Lalhgogb.exe, Bhpqcpkm.exe, Hjddaj32.exe, Mbdcepcm.exe, Nikkkn32.exe, Ndjfgkha.exe, Dcageqgm.exe, Mecglbfl.exe, Efhcej32.exe, Lbmnea32.exe, Lpfnckhe.exe, Appbcn32.exe, Efjpkj32.exe, Kghmhegc.exe, Ngoleb32.exe, Mlmoilni.exe, Mehpga32.exe, Phgannal.exe, Jgmjdaqb.exe, Aiqjao32.exe, Peqhgmdd.exe, Ailqfooi.exe, Bbchkime.exe, Gbcien32.exe, Hgckoofa.exe, Jibpghbk.exe, Kelmbifm.exe, Mpnngi32.exe, Bknfeege.exe, Ckkenikc.exe, Hadfah32.exe, Hdeoccgn.exe, Ggklka32.exe, Igkhjdde.exe, Jecnnk32.exe, Oiokholk.exe, Bikcbc32.exe, Enmnahnm.exe, Ibillk32.exe, Kepgmh32.exe, Pigklmqc.exe, Kimjhnnl.exe, Lkgifd32.exe, Lbbnjgik.exe, Padccpal.exe, Bceeqi32.exe, Egcfdn32.exe, Ijidfpci.exe, Gminbfoh.exe, Hdgkicek.exe, Mhflcm32.exe, Gipngg32.exe, Jdlacfca.exe, Lmhbgpia.exe
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Leegbnan.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcidkf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kndbko32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knikfnih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnbjpqoa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hagianlf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgkdigfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmjomogn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blgcio32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Poacighp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lalhgogb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhpqcpkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjddaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbdcepcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nikkkn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndjfgkha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcageqgm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mecglbfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efhcej32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbmnea32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpfnckhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Appbcn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efjpkj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kghmhegc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngoleb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlmoilni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mehpga32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phgannal.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgmjdaqb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aiqjao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Peqhgmdd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ailqfooi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbchkime.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbcien32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgckoofa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jibpghbk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kelmbifm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpnngi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bknfeege.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckkenikc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hadfah32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdeoccgn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggklka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Igkhjdde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jecnnk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oiokholk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bikcbc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Enmnahnm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibillk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kepgmh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pigklmqc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kimjhnnl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lkgifd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbbnjgik.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Padccpal.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bceeqi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egcfdn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijidfpci.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gminbfoh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdgkicek.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhflcm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gipngg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdlacfca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmhbgpia.exe
Modifies registry class (64 IoCs)
Processes: Ckkenikc.exe, Bhkghqpb.exe, Cggcofkf.exe, Pajeanhf.exe, Objmgd32.exe, Bdinnqon.exe, Podpoffm.exe, Bacefpbg.exe, c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe, Lekjal32.exe, Oqlfhjch.exe, Ajdcofop.exe, Flqkjo32.exe, Lbkaoalg.exe, Bbchkime.exe, Hdhbci32.exe, Lhfpdi32.exe, Keiqlihp.exe, Mkohjbah.exe, Qfikod32.exe, Cceapl32.exe, Glpgibbn.exe, Knaeeo32.exe, Ilemce32.exe, Iklfia32.exe, Bfbjdf32.exe, Iciopdca.exe, Ahpddmia.exe, Cpgecq32.exe, Ofaolcmh.exe, Ecnpdnho.exe, Bmgifa32.exe, Kjbclamj.exe, Nhkbmo32.exe, Oomjng32.exe, Acohnhab.exe, Aadobccg.exe, Iafofkkf.exe, Dhiphb32.exe, Dnfhqi32.exe, Boleejag.exe, Hganjo32.exe, Qdpohodn.exe, Gkhaooec.exe, Clnehado.exe, Dmmbge32.exe, Aejglo32.exe, Bmjekahk.exe, Nnodgbed.exe, Bikcbc32.exe, Nhqhmj32.exe, Hkbkpcpd.exe, Egpena32.exe, Pmqffonj.exe, Bdfjnkne.exe, Gipngg32.exe, Kgjjndeq.exe
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ckkenikc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bhkghqpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibogmjf.dll" | Cggcofkf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pajeanhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifpfl32.dll" | Objmgd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bdinnqon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphkcaig.dll" | Podpoffm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bacefpbg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lekjal32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Oqlfhjch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ajdcofop.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Flqkjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lbkaoalg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknjoj32.dll" | Bbchkime.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hdhbci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebeabe.dll" | Lhfpdi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Keiqlihp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mkohjbah.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qfikod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhfbgmj.dll" | Cceapl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmdfm32.dll" | Glpgibbn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Knaeeo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ilemce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldecmgc.dll" | Iklfia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bfbjdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll" | Ckkenikc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Iciopdca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcdgpcj.dll" | Ahpddmia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cpgecq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipklb32.dll" | Ofaolcmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eidmboob.dll" | Bhkghqpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ecnpdnho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bmgifa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbdeb32.dll" | Kjbclamj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nhkbmo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Oomjng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Acohnhab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Aadobccg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Iafofkkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dhiphb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dnfhqi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bhkghqpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghbakjma.dll" | Boleejag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgqnf32.dll" |
Hganjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmggp32.dll" Keiqlihp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qdpohodn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkhaooec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbldk32.dll" Clnehado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll" Dmmbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeackjhh.dll" Ecnpdnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgioeh32.dll" Aejglo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkofkccd.dll" Bmjekahk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obckefai.dll" Nnodgbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhqhmj32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkbkpcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egpena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Objmgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmqffonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlggmcob.dll" Bdfjnkne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gipngg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgjjndeq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe, Dmgoif32.exe, Dcageqgm.exe, Eegmhhie.exe, Ejdfqogm.exe, Eelgcg32.exe, Endklmlq.exe, Fmlecinf.exe, Ficehj32.exe, Fbkjap32.exe, Flcojeak.exe, Fhmldfdm.exe, Fogdap32.exe, Gmnngl32.exe, Gpogiglp.exe, Ggklka32.exe
description | pid | Process | procid_target
PID 2624 wrote to memory of 2672 | 2624 | c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe | 30
PID 2624 wrote to memory of 2672 | 2624 | c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe | 30
PID 2624 wrote to memory of 2672 | 2624 | c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe | 30
PID 2624 wrote to memory of 2672 | 2624 | c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe | 30
PID 2672 wrote to memory of 2656 | 2672 | Dmgoif32.exe | 31
PID 2672 wrote to memory of 2656 | 2672 | Dmgoif32.exe | 31
PID 2672 wrote to memory of 2656 | 2672 | Dmgoif32.exe | 31
PID 2672 wrote to memory of 2656 | 2672 | Dmgoif32.exe | 31
PID 2656 wrote to memory of 2712 | 2656 | Dcageqgm.exe | 32
PID 2656 wrote to memory of 2712 | 2656 | Dcageqgm.exe | 32
PID 2656 wrote to memory of 2712 | 2656 | Dcageqgm.exe | 32
PID 2656 wrote to memory of 2712 | 2656 | Dcageqgm.exe | 32
PID 2712 wrote to memory of 2588 | 2712 | Eegmhhie.exe | 33
PID 2712 wrote to memory of 2588 | 2712 | Eegmhhie.exe | 33
PID 2712 wrote to memory of 2588 | 2712 | Eegmhhie.exe | 33
PID 2712 wrote to memory of 2588 | 2712 | Eegmhhie.exe | 33
PID 2588 wrote to memory of 2652 | 2588 | Ejdfqogm.exe | 34
PID 2588 wrote to memory of 2652 | 2588 | Ejdfqogm.exe | 34
PID 2588 wrote to memory of 2652 | 2588 | Ejdfqogm.exe | 34
PID 2588 wrote to memory of 2652 | 2588 | Ejdfqogm.exe | 34
PID 2652 wrote to memory of 948 | 2652 | Eelgcg32.exe | 35
PID 2652 wrote to memory of 948 | 2652 | Eelgcg32.exe | 35
PID 2652 wrote to memory of 948 | 2652 | Eelgcg32.exe | 35
PID 2652 wrote to memory of 948 | 2652 | Eelgcg32.exe | 35
PID 948 wrote to memory of 2464 | 948 | Endklmlq.exe | 36
PID 948 wrote to memory of 2464 | 948 | Endklmlq.exe | 36
PID 948 wrote to memory of 2464 | 948 | Endklmlq.exe | 36
PID 948 wrote to memory of 2464 | 948 | Endklmlq.exe | 36
PID 2464 wrote to memory of 2512 | 2464 | Fmlecinf.exe | 37
PID 2464 wrote to memory of 2512 | 2464 | Fmlecinf.exe | 37
PID 2464 wrote to memory of 2512 | 2464 | Fmlecinf.exe | 37
PID 2464 wrote to memory of 2512 | 2464 | Fmlecinf.exe | 37
PID 2512 wrote to memory of 2628 | 2512 | Ficehj32.exe | 38
PID 2512 wrote to memory of 2628 | 2512 | Ficehj32.exe | 38
PID 2512 wrote to memory of 2628 | 2512 | Ficehj32.exe | 38
PID 2512 wrote to memory of 2628 | 2512 | Ficehj32.exe | 38
PID 2628 wrote to memory of 860 | 2628 | Fbkjap32.exe | 39
PID 2628 wrote to memory of 860 | 2628 | Fbkjap32.exe | 39
PID 2628 wrote to memory of 860 | 2628 | Fbkjap32.exe | 39
PID 2628 wrote to memory of 860 | 2628 | Fbkjap32.exe | 39
PID 860 wrote to memory of 2356 | 860 | Flcojeak.exe | 40
PID 860 wrote to memory of 2356 | 860 | Flcojeak.exe | 40
PID 860 wrote to memory of 2356 | 860 | Flcojeak.exe | 40
PID 860 wrote to memory of 2356 | 860 | Flcojeak.exe | 40
PID 2356 wrote to memory of 776 | 2356 | Fhmldfdm.exe | 41
PID 2356 wrote to memory of 776 | 2356 | Fhmldfdm.exe | 41
PID 2356 wrote to memory of 776 | 2356 | Fhmldfdm.exe | 41
PID 2356 wrote to memory of 776 | 2356 | Fhmldfdm.exe | 41
PID 776 wrote to memory of 2184 | 776 | Fogdap32.exe | 42
PID 776 wrote to memory of 2184 | 776 | Fogdap32.exe | 42
PID 776 wrote to memory of 2184 | 776 | Fogdap32.exe | 42
PID 776 wrote to memory of 2184 | 776 | Fogdap32.exe | 42
PID 2184 wrote to memory of 2928 | 2184 | Gmnngl32.exe | 43
PID 2184 wrote to memory of 2928 | 2184 | Gmnngl32.exe | 43
PID 2184 wrote to memory of 2928 | 2184 | Gmnngl32.exe | 43
PID 2184 wrote to memory of 2928 | 2184 | Gmnngl32.exe | 43
PID 2928 wrote to memory of 2344 | 2928 | Gpogiglp.exe | 44
PID 2928 wrote to memory of 2344 | 2928 | Gpogiglp.exe | 44
PID 2928 wrote to memory of 2344 | 2928 | Gpogiglp.exe | 44
PID 2928 wrote to memory of 2344 | 2928 | Gpogiglp.exe | 44
PID 2344 wrote to memory of 840 | 2344 | Ggklka32.exe | 45
PID 2344 wrote to memory of 840 | 2344 | Ggklka32.exe | 45
PID 2344 wrote to memory of 840 | 2344 | Ggklka32.exe | 45
PID 2344 wrote to memory of 840 | 2344 | Ggklka32.exe | 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe (level 1), command line: "C:\Users\Admin\AppData\Local\Temp\c5a12b38d6f59c4401c1a35cce9e5511831aa14ba4257cdad09235b6d3f8c084.exe"
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Dmgoif32.exe (level 2), command line: C:\Windows\system32\Dmgoif32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Dcageqgm.exe (level 3), command line: C:\Windows\system32\Dcageqgm.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Eegmhhie.exe (level 4), command line: C:\Windows\system32\Eegmhhie.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ejdfqogm.exe (level 5), command line: C:\Windows\system32\Ejdfqogm.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Eelgcg32.exe (level 6), command line: C:\Windows\system32\Eelgcg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Endklmlq.exe (level 7), command line: C:\Windows\system32\Endklmlq.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Fmlecinf.exe (level 8), command line: C:\Windows\system32\Fmlecinf.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Ficehj32.exe (level 9), command line: C:\Windows\system32\Ficehj32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Fbkjap32.exe (level 10), command line: C:\Windows\system32\Fbkjap32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Flcojeak.exe (level 11), command line: C:\Windows\system32\Flcojeak.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Fhmldfdm.exe (level 12), command line: C:\Windows\system32\Fhmldfdm.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Fogdap32.exe (level 13), command line: C:\Windows\system32\Fogdap32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Gmnngl32.exe (level 14), command line: C:\Windows\system32\Gmnngl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Gpogiglp.exe (level 15), command line: C:\Windows\system32\Gpogiglp.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ggklka32.exe (level 16), command line: C:\Windows\system32\Ggklka32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Haemloni.exe (level 17), command line: C:\Windows\system32\Haemloni.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:840 -
C:\Windows\SysWOW64\Hagianlf.exe (level 18), command line: C:\Windows\system32\Hagianlf.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:684 -
C:\Windows\SysWOW64\Hkpnjd32.exe (level 19), command line: C:\Windows\system32\Hkpnjd32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Hdhbci32.exe (level 20), command line: C:\Windows\system32\Hdhbci32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Hkbkpcpd.exe (level 21), command line: C:\Windows\system32\Hkbkpcpd.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Hhfkihon.exe (level 22), command line: C:\Windows\system32\Hhfkihon.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1412 -
C:\Windows\SysWOW64\Hjggap32.exe (level 23), command line: C:\Windows\system32\Hjggap32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Igkhjdde.exe (level 24), command line: C:\Windows\system32\Igkhjdde.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Ijidfpci.exe (level 25), command line: C:\Windows\system32\Ijidfpci.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Imhqbkbm.exe (level 26), command line: C:\Windows\system32\Imhqbkbm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Iqfiii32.exe (level 27), command line: C:\Windows\system32\Iqfiii32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Ioiidfon.exe (level 28), command line: C:\Windows\system32\Ioiidfon.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Iianmlfn.exe (level 29), command line: C:\Windows\system32\Iianmlfn.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Imogcj32.exe (level 30), command line: C:\Windows\system32\Imogcj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Iciopdca.exe (level 31), command line: C:\Windows\system32\Iciopdca.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:236 -
C:\Windows\SysWOW64\Jbnlaqhi.exe (level 32), command line: C:\Windows\system32\Jbnlaqhi.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Jgkdigfa.exe (level 33), command line: C:\Windows\system32\Jgkdigfa.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Jngilalk.exe (level 34), command line: C:\Windows\system32\Jngilalk.exe
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Jaeehmko.exe (level 35), command line: C:\Windows\system32\Jaeehmko.exe
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Jecnnk32.exe (level 36), command line: C:\Windows\system32\Jecnnk32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Jnlbgq32.exe (level 37), command line: C:\Windows\system32\Jnlbgq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Kjbclamj.exe (level 38), command line: C:\Windows\system32\Kjbclamj.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:292 -
C:\Windows\SysWOW64\Kiecgo32.exe (level 39), command line: C:\Windows\system32\Kiecgo32.exe
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Kmclmm32.exe (level 40), command line: C:\Windows\system32\Kmclmm32.exe
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Kcmdjgbh.exe (level 41), command line: C:\Windows\system32\Kcmdjgbh.exe
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Kflafbak.exe (level 42), command line: C:\Windows\system32\Kflafbak.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Kngekdnf.exe (level 43), command line: C:\Windows\system32\Kngekdnf.exe
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Kfnnlboi.exe (level 44), command line: C:\Windows\system32\Kfnnlboi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Kimjhnnl.exe (level 45), command line: C:\Windows\system32\Kimjhnnl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Koibpd32.exe (level 46), command line: C:\Windows\system32\Koibpd32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Kiofnm32.exe (level 47), command line: C:\Windows\system32\Kiofnm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Lolofd32.exe (level 48), command line: C:\Windows\system32\Lolofd32.exe
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Leegbnan.exe (level 49), command line: C:\Windows\system32\Leegbnan.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\SysWOW64\Llpoohik.exe (level 50), command line: C:\Windows\system32\Llpoohik.exe
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Lalhgogb.exe (level 51), command line: C:\Windows\system32\Lalhgogb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Lhfpdi32.exe (level 52), command line: C:\Windows\system32\Lhfpdi32.exe
- Executes dropped EXE
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Lophacfl.exe (level 53), command line: C:\Windows\system32\Lophacfl.exe
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Lhimji32.exe (level 54), command line: C:\Windows\system32\Lhimji32.exe
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Lkgifd32.exe (level 55), command line: C:\Windows\system32\Lkgifd32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Lpdankjg.exe (level 56), command line: C:\Windows\system32\Lpdankjg.exe
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Lbbnjgik.exe (level 57), command line: C:\Windows\system32\Lbbnjgik.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Lmhbgpia.exe (level 58), command line: C:\Windows\system32\Lmhbgpia.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Lpfnckhe.exe (level 59), command line: C:\Windows\system32\Lpfnckhe.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Mecglbfl.exe (level 60), command line: C:\Windows\system32\Mecglbfl.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1296 -
C:\Windows\SysWOW64\Mmjomogn.exe (level 61), command line: C:\Windows\system32\Mmjomogn.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Mlmoilni.exe (level 62), command line: C:\Windows\system32\Mlmoilni.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Meecaa32.exe (level 63), command line: C:\Windows\system32\Meecaa32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Mhdpnm32.exe (level 64), command line: C:\Windows\system32\Mhdpnm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Mcidkf32.exe (level 65), command line: C:\Windows\system32\Mcidkf32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Mehpga32.exe (level 66), command line: C:\Windows\system32\Mehpga32.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Mhflcm32.exe (level 67), command line: C:\Windows\system32\Mhflcm32.exe
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Maoalb32.exe (level 68), command line: C:\Windows\system32\Maoalb32.exe
PID:740 -
C:\Windows\SysWOW64\Mhhiiloh.exe (level 69), command line: C:\Windows\system32\Mhhiiloh.exe
PID:2368 -
C:\Windows\SysWOW64\Mneaacno.exe (level 70), command line: C:\Windows\system32\Mneaacno.exe
PID:2768 -
C:\Windows\SysWOW64\Mdojnm32.exe (level 71), command line: C:\Windows\system32\Mdojnm32.exe
PID:2792 -
C:\Windows\SysWOW64\Mkibjgli.exe (level 72), command line: C:\Windows\system32\Mkibjgli.exe
PID:2848 -
C:\Windows\SysWOW64\Macjgadf.exe (level 73), command line: C:\Windows\system32\Macjgadf.exe
PID:2604 -
C:\Windows\SysWOW64\Nhmbdl32.exe (level 74), command line: C:\Windows\system32\Nhmbdl32.exe
PID:2972 -
C:\Windows\SysWOW64\Njnokdaq.exe (level 75), command line: C:\Windows\system32\Njnokdaq.exe
PID:444 -
C:\Windows\SysWOW64\Naegmabc.exe (level 76), command line: C:\Windows\system32\Naegmabc.exe
PID:112 -
C:\Windows\SysWOW64\Ncgcdi32.exe (level 77), command line: C:\Windows\system32\Ncgcdi32.exe
PID:608 -
C:\Windows\SysWOW64\Nknkeg32.exe (level 78), command line: C:\Windows\system32\Nknkeg32.exe
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Nlohmonb.exe (level 79), command line: C:\Windows\system32\Nlohmonb.exe
PID:1256 -
C:\Windows\SysWOW64\Nfglfdeb.exe (level 80), command line: C:\Windows\system32\Nfglfdeb.exe
PID:2164 -
C:\Windows\SysWOW64\Nnodgbed.exe (level 81), command line: C:\Windows\system32\Nnodgbed.exe
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Nggipg32.exe (level 82), command line: C:\Windows\system32\Nggipg32.exe
PID:1532 -
C:\Windows\SysWOW64\Nldahn32.exe (level 83), command line: C:\Windows\system32\Nldahn32.exe
PID:1104 -
C:\Windows\SysWOW64\Nbqjqehd.exe (level 84), command line: C:\Windows\system32\Nbqjqehd.exe
PID:668 -
C:\Windows\SysWOW64\Nhkbmo32.exe (level 85), command line: C:\Windows\system32\Nhkbmo32.exe
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Ofobgc32.exe (level 86), command line: C:\Windows\system32\Ofobgc32.exe
PID:1720 -
C:\Windows\SysWOW64\Ooggpiek.exe (level 87), command line: C:\Windows\system32\Ooggpiek.exe
PID:2676 -
C:\Windows\SysWOW64\Ofaolcmh.exe (level 88), command line: C:\Windows\system32\Ofaolcmh.exe
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Oiokholk.exe (level 89), command line: C:\Windows\system32\Oiokholk.exe
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Oknhdjko.exe (level 90), command line: C:\Windows\system32\Oknhdjko.exe
PID:2720 -
C:\Windows\SysWOW64\Oqkpmaif.exe (level 91), command line: C:\Windows\system32\Oqkpmaif.exe
PID:1456 -
C:\Windows\SysWOW64\Ojceef32.exe (level 92), command line: C:\Windows\system32\Ojceef32.exe
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Objmgd32.exe (level 93), command line: C:\Windows\system32\Objmgd32.exe
- Drops file in System32 directory
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Oggeokoq.exe (level 94), command line: C:\Windows\system32\Oggeokoq.exe
PID:2152 -
C:\Windows\SysWOW64\Ojeakfnd.exe (level 95), command line: C:\Windows\system32\Ojeakfnd.exe
PID:1276 -
C:\Windows\SysWOW64\Pcnfdl32.exe (level 96), command line: C:\Windows\system32\Pcnfdl32.exe
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Pflbpg32.exe (level 97), command line: C:\Windows\system32\Pflbpg32.exe
PID:868 -
C:\Windows\SysWOW64\Paafmp32.exe (level 98), command line: C:\Windows\system32\Paafmp32.exe
PID:2888 -
C:\Windows\SysWOW64\Pfnoegaf.exe (level 99), command line: C:\Windows\system32\Pfnoegaf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2052 -
C:\Windows\SysWOW64\Pjjkfe32.exe (level 100), command line: C:\Windows\system32\Pjjkfe32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:988 -
C:\Windows\SysWOW64\Padccpal.exe (level 101), command line: C:\Windows\system32\Padccpal.exe
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Windows\SysWOW64\Pfqlkfoc.exe (level 102), command line: C:\Windows\system32\Pfqlkfoc.exe
PID:3032 -
C:\Windows\SysWOW64\Plndcmmj.exe (level 103), command line: C:\Windows\system32\Plndcmmj.exe
PID:2736 -
C:\Windows\SysWOW64\Pfchqf32.exe (level 104), command line: C:\Windows\system32\Pfchqf32.exe
PID:2060 -
C:\Windows\SysWOW64\Pmmqmpdm.exe (level 105), command line: C:\Windows\system32\Pmmqmpdm.exe
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Plpqim32.exe (level 106), command line: C:\Windows\system32\Plpqim32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Pbjifgcd.exe (level 107), command line: C:\Windows\system32\Pbjifgcd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:320 -
C:\Windows\SysWOW64\Phgannal.exe (level 108), command line: C:\Windows\system32\Phgannal.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Plbmom32.exe (level 109), command line: C:\Windows\system32\Plbmom32.exe
PID:1816 -
C:\Windows\SysWOW64\Qifnhaho.exe (level 110), command line: C:\Windows\system32\Qifnhaho.exe
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Qaablcej.exe (level 111), command line: C:\Windows\system32\Qaablcej.exe
PID:600 -
C:\Windows\SysWOW64\Qdpohodn.exe (level 112), command line: C:\Windows\system32\Qdpohodn.exe
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Ajjgei32.exe (level 113), command line: C:\Windows\system32\Ajjgei32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Aadobccg.exe (level 114), command line: C:\Windows\system32\Aadobccg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Adblnnbk.exe (level 115), command line: C:\Windows\system32\Adblnnbk.exe
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Apilcoho.exe (level 116), command line: C:\Windows\system32\Apilcoho.exe
PID:2904 -
C:\Windows\SysWOW64\Ahpddmia.exe (level 117), command line: C:\Windows\system32\Ahpddmia.exe
- Drops file in System32 directory
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Ajnqphhe.exe (level 118), command line: C:\Windows\system32\Ajnqphhe.exe
PID:2460 -
C:\Windows\SysWOW64\Ammmlcgi.exe (level 119), command line: C:\Windows\system32\Ammmlcgi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Abjeejep.exe (level 120), command line: C:\Windows\system32\Abjeejep.exe
PID:3052 -
C:\Windows\SysWOW64\Aicmadmm.exe (level 121), command line: C:\Windows\system32\Aicmadmm.exe
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Afgnkilf.exe (level 122), command line: C:\Windows\system32\Afgnkilf.exe
PID:1072 -