Analysis
-
max time kernel
487s -
max time network
486s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
07-12-2024 23:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe
Resource
win11-20241007-en
windows11-21h2-x64
32 signatures
1800 seconds
General
-
Target
6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe
-
Size
113KB
-
MD5
89e01431fac78909ed079f6b0f10dea2
-
SHA1
c8a678d0da4ab01e89e7c7c2d7c6b16b4bfce962
-
SHA256
6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7
-
SHA512
4f526074908d15132d3f43a4fe3b3951e6b8bc8254b08385bb57ed1a8acf339f280a84f0e5e0c4dc2efa2eaf5389fe2c168b2ef41bb5e778ec0efb2ef1a9b0d9
-
SSDEEP
1536:mGfAZsUQYxjAWkXAN/3/aOAO617DWkZFfScD7SzCbHWrAW8wTWiliX:1ASYxda7OAOuGkZFfFSebHWrH8wTW0
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehbnigjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ganldgib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Likcilhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdemd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgihfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fngcmcfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajcdnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhniccb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgqqdeod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egcaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neppokal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipinkib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdmein32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inmpcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjomap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geanfelc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbicpfdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ollnhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmcce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmdme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgcjddh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppjfgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddllkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akblfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajcdnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kndojobi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmpcbhji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjbjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljeafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhdjpjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iklgah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olicnfco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhndpol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pedbahod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdobnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckclhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmdaljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhdgpii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjkpoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfgjjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldjcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okchnk32.exe -
Berbew family
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 64 IoCs
pid Process 4720 Lifjnm32.exe 4244 Lldfjh32.exe 1780 Locbfd32.exe 1492 Lihfcm32.exe 1256 Llgcph32.exe 3380 Lbqklb32.exe 1364 Likcilhh.exe 4608 Llipehgk.exe 1688 Lbchba32.exe 4188 Leadnm32.exe 916 Mlklkgei.exe 4596 Mbedga32.exe 2076 Mfaqhp32.exe 2656 Miomdk32.exe 3996 Mpieqeko.exe 5112 Mhdjehhj.exe 4140 Moobbb32.exe 4920 Mehjol32.exe 2948 Mpnnle32.exe 4688 Mfhfhong.exe 2012 Mhicpg32.exe 2220 Mleoafmn.exe 2080 Mbognp32.exe 4552 Nemcjk32.exe 3296 Npchgdcd.exe 3012 Nbadcpbh.exe 2472 Neppokal.exe 5096 Nlihle32.exe 764 Ngomin32.exe 2104 Nhpiafnm.exe 1860 Ncfmno32.exe 3988 Nedjjj32.exe 1508 Npjnhc32.exe 4904 Neffpj32.exe 1040 Nlqomd32.exe 2272 Ncjginjn.exe 3028 Ohgoaehe.exe 1812 Oghppm32.exe 2784 Oigllh32.exe 3624 Olehhc32.exe 4880 Ocopdn32.exe 4968 Ohlimd32.exe 2676 Opcqnb32.exe 3864 Ogmijllo.exe 2620 Oileggkb.exe 1856 Ohnebd32.exe 3332 Opemca32.exe 4184 Ojnblg32.exe 4784 Ollnhb32.exe 3808 Ocffempp.exe 4340 Pedbahod.exe 1216 Phcomcng.exe 2528 Pomgjn32.exe 440 Pgdokkfg.exe 2776 Pjbkgfej.exe 1804 Ppmcdq32.exe 2812 Pckppl32.exe 4460 Pjehmfch.exe 2552 Phhhhc32.exe 3576 Poaqemao.exe 2828 Pgihfj32.exe 4944 Phjenbhp.exe 4744 Podmkm32.exe 2636 Pgkelj32.exe -
Loads dropped DLL 24 IoCs
pid Process 3320 Process not Found 11316 Process not Found 10732 Process not Found 232 Process not Found 8404 Process not Found 4936 Process not Found 4936 Process not Found 4936 Process not Found 10864 Process not Found 10864 Process not Found 10864 Process not Found 10864 Process not Found 10864 Process not Found 13484 Process not Found 15656 Process not Found 15656 Process not Found 15656 Process not Found 15656 Process not Found 15228 Process not Found 15228 Process not Found 15228 Process not Found 6460 Process not Found 6460 Process not Found 6460 Process not Found -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{aad8a4b2-74da-409d-abb6-79a299008692} = "\"C:\\ProgramData\\Package Cache\\{aad8a4b2-74da-409d-abb6-79a299008692}\\UEPrereqSetup_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\UE_Prerequisites_(x64)_20241207234628.log\" /burn.runonce" Process not Found -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: Process not Found File opened (read-only) \??\W: Process not Found File opened (read-only) \??\X: Process not Found File opened (read-only) \??\J: Process not Found File opened (read-only) \??\O: Process not Found File opened (read-only) \??\S: Process not Found File opened (read-only) \??\Z: Process not Found File opened (read-only) \??\K: Process not Found File opened (read-only) \??\P: Process not Found File opened (read-only) \??\Y: Process not Found File opened (read-only) \??\N: Process not Found File opened (read-only) \??\R: Process not Found File opened (read-only) \??\U: Process not Found File opened (read-only) \??\G: Process not Found File opened (read-only) \??\I: Process not Found File opened (read-only) \??\L: Process not Found File opened (read-only) \??\H: Process not Found File opened (read-only) \??\M: Process not Found File opened (read-only) \??\Q: Process not Found File opened (read-only) \??\V: Process not Found File opened (read-only) \??\A: Process not Found File opened (read-only) \??\B: Process not Found File opened (read-only) \??\E: Process not Found -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mfjnfknb.dll Mfqlfb32.exe File created C:\Windows\SysWOW64\Bkfpfg32.dll Idieem32.exe File created C:\Windows\SysWOW64\Cinbbnpa.dll Ibobdqid.exe File created C:\Windows\SysWOW64\Acfhad32.exe Aojlaeei.exe File created C:\Windows\SysWOW64\Gdobnj32.exe Gmdjapgb.exe File created C:\Windows\SysWOW64\Gflhoo32.exe Gnepna32.exe File created C:\Windows\SysWOW64\Icifhjkc.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mhldbh32.exe Process not Found File created C:\Windows\SysWOW64\Pqolaipg.dll Process not Found File opened for modification C:\Windows\SysWOW64\Miofjepg.exe Mahnhhod.exe File opened for modification C:\Windows\SysWOW64\Bhcjqinf.exe Bcfahbpo.exe File created C:\Windows\SysWOW64\Ppioondd.dll Dbicpfdk.exe File opened for modification C:\Windows\SysWOW64\Oeehkn32.exe Nmnqjp32.exe File created C:\Windows\SysWOW64\Mpolbbim.dll Nqpcjj32.exe File created C:\Windows\SysWOW64\Jponoqjl.dll Pmlfqh32.exe File opened for modification C:\Windows\SysWOW64\Dknnoofg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Inmpcc32.exe Ikndgg32.exe File created C:\Windows\SysWOW64\Ohkbbn32.exe Oemefcap.exe File created C:\Windows\SysWOW64\Klkfenfk.dll Gimqajgh.exe File created C:\Windows\SysWOW64\Egcaod32.exe Ehndnh32.exe File opened for modification C:\Windows\SysWOW64\msvcp140_2.dll Process not Found File created C:\Windows\SysWOW64\Lckiihok.exe Lopmii32.exe File created C:\Windows\SysWOW64\Aablof32.dll Kflide32.exe File created C:\Windows\SysWOW64\Ljnlecmp.exe Lgpoihnl.exe File created C:\Windows\SysWOW64\Nflnbh32.dll Ckbemgcp.exe File created C:\Windows\SysWOW64\Jlmmnd32.dll Process not Found File created C:\Windows\SysWOW64\Pomgjn32.exe Phcomcng.exe File opened for modification C:\Windows\SysWOW64\Cffmfadl.exe Cgcmjd32.exe File created C:\Windows\SysWOW64\Pocfpf32.exe Plejdkmm.exe File created C:\Windows\SysWOW64\Bklomh32.exe Bhmbqm32.exe File created C:\Windows\SysWOW64\Gacepg32.exe Gbpedjnb.exe File opened for modification C:\Windows\SysWOW64\Pjoppf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Acccdj32.exe Process not Found File created C:\Windows\SysWOW64\Cobhcgin.dll Mbenmk32.exe File opened for modification C:\Windows\SysWOW64\Qepkbpak.exe Qadoba32.exe File created C:\Windows\SysWOW64\Keiifian.dll Qhhpop32.exe File created C:\Windows\SysWOW64\Leenhhdn.exe Lbgalmej.exe File created C:\Windows\SysWOW64\Nlfnaicd.exe Ncofplba.exe File created C:\Windows\SysWOW64\Ckcdlpbd.dll Fecadghc.exe File opened for modification C:\Windows\SysWOW64\Lbchba32.exe Llipehgk.exe File created C:\Windows\SysWOW64\Lnpofnhk.exe Lkabjbih.exe File opened for modification C:\Windows\SysWOW64\Qkjgegae.exe Qlggjk32.exe File created C:\Windows\SysWOW64\Hbohpn32.exe Hpqldc32.exe File created C:\Windows\SysWOW64\Lbchba32.exe Llipehgk.exe File opened for modification C:\Windows\SysWOW64\Pomgjn32.exe Phcomcng.exe File opened for modification C:\Windows\SysWOW64\Nbqmiinl.exe Noeahkfc.exe File created C:\Windows\SysWOW64\Jklinohd.exe Jcdala32.exe File created C:\Windows\SysWOW64\Blnfhilh.dll Hnlodjpa.exe File created C:\Windows\SysWOW64\Ojnfihmo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aopmfk32.exe Ajcdnd32.exe File created C:\Windows\SysWOW64\Aojlaeei.exe Akoqpg32.exe File created C:\Windows\SysWOW64\Ejoomhmi.exe Ecefqnel.exe File created C:\Windows\SysWOW64\Ckggnp32.exe Process not Found File created C:\Windows\SysWOW64\Hehkajig.exe Hoobdp32.exe File opened for modification C:\Windows\SysWOW64\Caageq32.exe Ckgohf32.exe File created C:\Windows\SysWOW64\Hlblcn32.exe Process not Found File created C:\Windows\SysWOW64\Ijdabh32.dll Kcbnnpka.exe File created C:\Windows\SysWOW64\Ccmbmpbk.dll Ohcegi32.exe File opened for modification C:\Windows\SysWOW64\Dbicpfdk.exe Dokgdkeh.exe File created C:\Windows\SysWOW64\Nadleilm.exe Nmipdk32.exe File created C:\Windows\SysWOW64\Ifolcq32.dll Mfnoqc32.exe File created C:\Windows\SysWOW64\Lipgdi32.dll Gbiockdj.exe File opened for modification C:\Windows\SysWOW64\Pcgdhkem.exe Process not Found File created C:\Windows\SysWOW64\Bohgljdl.dll Kcpjnjii.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\el.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\fa.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\lij.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\mr.txt Process not Found File opened for modification C:\Program Files\7-Zip\7z.sfx Process not Found File opened for modification C:\Program Files\7-Zip\7-zip.dll Process not Found File opened for modification C:\Program Files\7-Zip\Lang\et.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\it.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\mn.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\tt.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\fur.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\nn.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ps.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\en.ttt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\pt.txt Process not Found File opened for modification C:\Program Files\7-Zip\7z.exe Process not Found File opened for modification C:\Program Files\7-Zip\Lang\co.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\eo.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\fr.txt Process not Found File opened for modification C:\Program Files\7-Zip\7zG.exe Process not Found File opened for modification C:\Program Files\7-Zip\Lang\fy.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ne.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\tg.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt Process not Found File opened for modification C:\Program Files\7-Zip\7-zip32.dll Process not Found File opened for modification C:\Program Files\7-Zip\Lang\io.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\sa.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt Process not Found File opened for modification C:\Program Files\7-Zip\License.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ast.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\gu.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\th.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\yo.txt Process not Found File opened for modification C:\Program Files\7-Zip\Uninstall.exe Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ext.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\sw.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\uk.txt Process not Found File opened for modification C:\Program Files\7-Zip\7-zip.chm Process not Found File opened for modification C:\Program Files\7-Zip\Lang\cy.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ko.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\bg.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\cs.txt Process not Found File opened for modification C:\Program Files\7-Zip\readme.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ku.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\nb.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\sv.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\bn.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\br.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\mng.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\va.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\af.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\lv.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\mk.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\pl.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ru.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\gl.txt Process not Found -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Installer\e5e8d4b.msi Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\Microsoft.Deployment.WindowsInstaller.dll Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\DXSETUP.exe Process not Found File opened for modification C:\Windows\Installer\ Process not Found File created C:\Windows\Installer\e5e8d74.msi Process not Found File created C:\Windows\SystemTemp\~DF83CC09CA1CB23D4D.TMP Process not Found File opened for modification C:\Windows\Logs\DirectX.log Process not Found File created C:\Windows\SystemTemp\~DF38526453487A8D78.TMP Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\dsetup32.dll Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\dxdllreg_x86.cab Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\Feb2010_X3DAudio_x64.cab Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\Feb2010_X3DAudio_x86.cab Process not Found File created C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcp120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C Process not Found File opened for modification C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcr110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55 Process not Found File opened for modification C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_vccorlib110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\APR2007_xinput_x64.cab Process not Found File created C:\Windows\Installer\SourceHash{E171B21A-DA58-432D-A74B-D13B204BA477} Process not Found File created C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA Process not Found File created C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcr100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C Process not Found File created C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA Process not Found File opened for modification C:\Windows\Installer\{E171B21A-DA58-432D-A74B-D13B204BA477}\Setup.ico Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\DSETUP.dll Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\Jun2010_XAudio_x64.cab Process not Found File created C:\Windows\Installer\SourceHash{799E3FFF-705C-461F-B400-6DE27398B3E5} Process not Found File opened for modification C:\Windows\Installer\MSI9B86.tmp Process not Found File created C:\Windows\Installer\e5e8d8f.msi Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\Jun2010_d3dx10_43_x86.cab Process not Found File created C:\Windows\SystemTemp\~DF8091289C2506AAFC.TMP Process not Found File created C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcp100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7 Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\Jun2010_D3DCompiler_43_x64.cab Process not Found File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log Process not Found File created C:\Windows\SystemTemp\~DFF85F865380C601E6.TMP Process not Found File opened for modification C:\Windows\Installer\MSI9FFD.tmp Process not Found File created C:\Windows\SystemTemp\~DFE8D209263BA8378B.TMP Process not Found File opened for modification C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcr110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\CustomAction.config Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\Jun2010_d3dx11_43_x86.cab Process not Found File opened for modification C:\Windows\Installer\e5e8d3a.msi Process not Found File created C:\Windows\Installer\SourceHash{5720EC03-F26F-40B7-980C-50B5D420B5DE} Process not Found File created C:\Windows\SystemTemp\~DFA708599C0A55D057.TMP Process not Found File created C:\Windows\SystemTemp\~DFC3932973DA4C0317.TMP Process not Found File opened for modification C:\Windows\Logs\DirectX.log Process not Found File created C:\Windows\Installer\e5e8d4c.msi Process not Found File created C:\Windows\SystemTemp\~DFCF5C30C35E8854D3.TMP Process not Found File created C:\Windows\Installer\e5e8d75.msi Process not Found File created C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcp110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55 Process not Found File created C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcr110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55 Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\Jun2010_d3dx11_43_x64.cab Process not Found File opened for modification C:\Windows\SystemTemp chrome.exe File created C:\Windows\SystemTemp\~DF3389CFA536B631E8.TMP Process not Found File created C:\Windows\SystemTemp\~DFBEC7BA319775216F.TMP Process not Found File created C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcr120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C Process not Found File opened for modification C:\Windows\Logs\DirectX.log Process not Found File created C:\Windows\SystemTemp\~DFCECED0BC61CF2BFD.TMP Process not Found File created C:\Windows\Installer\SourceHash{A977984B-9244-49E3-BD24-43F0A8009667} Process not Found File created C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcp100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C Process not Found File opened for modification C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcp100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C Process not Found File opened for modification C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcr100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7 Process not Found File opened for modification C:\Windows\Installer\MSIA7E0.tmp-\Jun2010_d3dx9_43_x86.cab Process not Found File opened for modification C:\Windows\DirectX.log Process not Found File created C:\Windows\SystemTemp\~DFFD6C67288014AB97.TMP Process not Found File created C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C Process not Found File opened for modification C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA Process not Found File opened for modification C:\Windows\Installer\$PatchCache$\Managed\A12B171E85ADD2347AB41DB302B44A77\1.0.16\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA Process not Found -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\Users\Admin\Downloads\7z2409-x64.exe:Zone.Identifier Process not Found -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 7956 9008 Process not Found 1342 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcbodf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kniieo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnbakghm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdgglfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljeafb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbgkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcqnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnbog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmbmkpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkobkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igigla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchppmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclbpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epjajeqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgjopal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poliea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdoacabq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidbij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbnnpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcgpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnblnlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgncmim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgcjddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodogdmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemqih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfhadc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maeachag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiieicml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmdme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjodla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehndnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gokbgpeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnmdcjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fecadghc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqlefl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meamcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlnbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjnffjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgaeolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmgfedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkpqkcpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpdhboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeebnhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfaqhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfigpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpglnhad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqphfe32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 15656 Process not Found -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr Process not Found Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000097e32746e391c5270000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000097e327460000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090097e32746000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d97e32746000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000097e3274600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters Process not Found -
Enumerates system info in registry 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a Process not Found Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A Process not Found Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates Process not Found Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs Process not Found Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root Process not Found Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E Process not Found Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs Process not Found Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "7" Process not Found Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed Process not Found Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs Process not Found Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E Process not Found Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs Process not Found Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e Process not Found Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs Process not Found Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133780883549607859" chrome.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates Process not Found Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\SourceList Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghkeio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pekbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{E171B21A-DA58-432D-A74B-D13B204BA477}\Version = "1.0.16.0" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgphpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjnfknb.dll" Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooejohhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljhefhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbehoafp.dll" Qjlnnemp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhmbqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbjkkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpieqeko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algheg32.dll" Kdinljnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmjkic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akffafgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcdala32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgbefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppjbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afbgkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfhadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkmioc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekkfckg.dll" Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbiec32.dll" Adikdfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbjdgmg.dll" Deqcbpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dddllkbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilchfdgp.dll" Dkfadkgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gijmad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmkgk32.dll" Alnfpcag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oldjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgpamjnb.dll" Glhimp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbdab32.dll" Lmbhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Megljppl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpfcdojl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpeohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmeakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkhbi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginlmijp.dll" Lbchba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfchidda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaqob32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngqagcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcaaeme.dll" Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chiigadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll" Knqepc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af} Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfajq32.dll" Mbgjbkfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lggldm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckclhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcidmkpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
NTFS ADS 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 623082.crdownload:SmartScreen Process not Found File opened for modification C:\Users\Admin\Downloads\killer-in-purple-2-v1.3.zip:Zone.Identifier Process not Found File opened for modification C:\Users\Admin\Downloads\7z2409-x64.exe:Zone.Identifier Process not Found -
Suspicious behavior: EnumeratesProcesses 51 IoCs
pid Process 3416 chrome.exe 3416 chrome.exe 13956 msedge.exe 13956 msedge.exe 14168 msedge.exe 16632 identity_helper.exe 16632 identity_helper.exe 2856 msedge.exe 2856 msedge.exe 7060 Process not Found 7060 Process not Found 7060 Process not Found 7060 Process not Found 4624 Process not Found 4624 Process not Found 10772 Process not Found 10772 Process not Found 4576 Process not Found 4576 Process not Found 1696 Process not Found 1696 Process not Found 15044 Process not Found 15044 Process not Found 15044 Process not Found 15044 Process not Found 14048 Process not Found 14048 Process not Found 5736 Process not Found 5736 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 9480 Process not Found 15228 Process not Found 15228 Process not Found 6460 Process not Found 6460 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 46 IoCs
pid Process 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: SeShutdownPrivilege 3416 chrome.exe Token: SeCreatePagefilePrivilege 3416 chrome.exe Token: 33 9408 Process not Found Token: SeIncBasePriorityPrivilege 9408 Process not Found Token: SeBackupPrivilege 11700 Process not Found Token: SeRestorePrivilege 11700 Process not Found Token: SeAuditPrivilege 11700 Process not Found Token: SeBackupPrivilege 10972 Process not Found Token: SeRestorePrivilege 10972 Process not Found Token: SeSecurityPrivilege 10972 Process not Found Token: SeTakeOwnershipPrivilege 10972 Process not Found Token: SeBackupPrivilege 10972 Process not Found Token: SeRestorePrivilege 10972 Process not Found Token: SeSecurityPrivilege 10972 Process not Found Token: SeTakeOwnershipPrivilege 10972 Process not Found Token: SeShutdownPrivilege 10872 Process not Found Token: SeIncreaseQuotaPrivilege 10872 Process not Found Token: SeSecurityPrivilege 9480 Process not Found Token: SeCreateTokenPrivilege 10872 Process not Found Token: SeAssignPrimaryTokenPrivilege 10872 Process not Found Token: SeLockMemoryPrivilege 10872 Process not Found Token: SeIncreaseQuotaPrivilege 10872 Process not Found Token: SeMachineAccountPrivilege 10872 Process not Found Token: SeTcbPrivilege 10872 Process not Found Token: SeSecurityPrivilege 10872 Process not Found Token: SeTakeOwnershipPrivilege 10872 Process not Found Token: SeLoadDriverPrivilege 10872 Process not Found Token: SeSystemProfilePrivilege 10872 Process not Found Token: SeSystemtimePrivilege 10872 Process not Found Token: SeProfSingleProcessPrivilege 10872 Process not Found Token: SeIncBasePriorityPrivilege 10872 Process not Found Token: SeCreatePagefilePrivilege 10872 Process not Found Token: SeCreatePermanentPrivilege 10872 Process not Found Token: SeBackupPrivilege 10872 Process not Found -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found -
Suspicious use of SendNotifyMessage 36 IoCs
pid Process 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 3416 chrome.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 14168 msedge.exe 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found 10772 Process not Found -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 12232 Process not Found 15656 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4948 wrote to memory of 4720 4948 6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe 77 PID 4948 wrote to memory of 4720 4948 6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe 77 PID 4948 wrote to memory of 4720 4948 6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe 77 PID 4720 wrote to memory of 4244 4720 Lifjnm32.exe 78 PID 4720 wrote to memory of 4244 4720 Lifjnm32.exe 78 PID 4720 wrote to memory of 4244 4720 Lifjnm32.exe 78 PID 4244 wrote to memory of 1780 4244 Lldfjh32.exe 79 PID 4244 wrote to memory of 1780 4244 Lldfjh32.exe 79 PID 4244 wrote to memory of 1780 4244 Lldfjh32.exe 79 PID 1780 wrote to memory of 1492 1780 Locbfd32.exe 80 PID 1780 wrote to memory of 1492 1780 Locbfd32.exe 80 PID 1780 wrote to memory of 1492 1780 Locbfd32.exe 80 PID 1492 wrote to memory of 1256 1492 Lihfcm32.exe 81 PID 1492 wrote to memory of 1256 1492 Lihfcm32.exe 81 PID 1492 wrote to memory of 1256 1492 Lihfcm32.exe 81 PID 1256 wrote to memory of 3380 1256 Llgcph32.exe 82 PID 1256 wrote to memory of 3380 1256 Llgcph32.exe 82 PID 1256 wrote to memory of 3380 1256 Llgcph32.exe 82 PID 3380 wrote to memory of 1364 3380 Lbqklb32.exe 83 PID 3380 wrote to memory of 1364 3380 Lbqklb32.exe 83 PID 3380 wrote to memory of 1364 3380 Lbqklb32.exe 83 PID 1364 wrote to memory of 4608 1364 Likcilhh.exe 84 PID 1364 wrote to memory of 4608 1364 Likcilhh.exe 84 PID 1364 wrote to memory of 4608 1364 Likcilhh.exe 84 PID 4608 wrote to memory of 1688 4608 Llipehgk.exe 85 PID 4608 wrote to memory of 1688 4608 Llipehgk.exe 85 PID 4608 wrote to memory of 1688 4608 Llipehgk.exe 85 PID 1688 wrote to memory of 4188 1688 Lbchba32.exe 86 PID 1688 wrote to memory of 4188 1688 Lbchba32.exe 86 PID 1688 wrote to memory of 4188 1688 Lbchba32.exe 86 PID 4188 wrote to memory of 916 4188 Leadnm32.exe 87 PID 4188 wrote to memory of 916 4188 Leadnm32.exe 87 PID 4188 wrote to memory of 916 4188 Leadnm32.exe 87 PID 916 wrote to memory of 4596 916 Mlklkgei.exe 88 PID 916 wrote to memory of 4596 916 Mlklkgei.exe 88 PID 916 wrote to memory of 4596 916 Mlklkgei.exe 88 PID 4596 wrote to memory of 2076 4596 Mbedga32.exe 89 PID 4596 wrote to memory of 2076 4596 Mbedga32.exe 89 PID 4596 wrote to memory of 2076 4596 Mbedga32.exe 89 PID 2076 wrote to memory of 2656 2076 Mfaqhp32.exe 90 PID 2076 wrote to memory of 2656 2076 Mfaqhp32.exe 90 PID 2076 wrote to memory of 2656 2076 Mfaqhp32.exe 90 PID 2656 wrote to memory of 3996 2656 Miomdk32.exe 91 PID 2656 wrote to memory of 3996 2656 Miomdk32.exe 91 PID 2656 wrote to memory of 3996 2656 Miomdk32.exe 91 PID 3996 wrote to memory of 5112 3996 Mpieqeko.exe 92 PID 3996 wrote to memory of 5112 3996 Mpieqeko.exe 92 PID 3996 wrote to memory of 5112 3996 Mpieqeko.exe 92 PID 5112 wrote to memory of 4140 5112 Mhdjehhj.exe 93 PID 5112 wrote to memory of 4140 5112 Mhdjehhj.exe 93 PID 5112 wrote to memory of 4140 5112 Mhdjehhj.exe 93 PID 4140 wrote to memory of 4920 4140 Moobbb32.exe 94 PID 4140 wrote to memory of 4920 4140 Moobbb32.exe 94 PID 4140 wrote to memory of 4920 4140 Moobbb32.exe 94 PID 4920 wrote to memory of 2948 4920 Mehjol32.exe 95 PID 4920 wrote to memory of 2948 4920 Mehjol32.exe 95 PID 4920 wrote to memory of 2948 4920 Mehjol32.exe 95 PID 2948 wrote to memory of 4688 2948 Mpnnle32.exe 96 PID 2948 wrote to memory of 4688 2948 Mpnnle32.exe 96 PID 2948 wrote to memory of 4688 2948 Mpnnle32.exe 96 PID 4688 wrote to memory of 2012 4688 Mfhfhong.exe 97 PID 4688 wrote to memory of 2012 4688 Mfhfhong.exe 97 PID 4688 wrote to memory of 2012 4688 Mfhfhong.exe 97 PID 2012 wrote to memory of 2220 2012 Mhicpg32.exe 98 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe"C:\Users\Admin\AppData\Local\Temp\6c877082236f4df3b1174a6e3977f0e3f7c345fa517d5daf55018f6cc11049c7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe23⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe24⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe25⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe26⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe27⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe29⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe30⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe31⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe32⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe33⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe34⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe35⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe36⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe37⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe38⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe39⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe40⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe41⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe42⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe43⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe45⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe46⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe47⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe48⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe49⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe51⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1216 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe54⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe55⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe56⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe57⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe58⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe59⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe60⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe61⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe63⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe64⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe65⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe66⤵PID:2484
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe67⤵PID:2856
-
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe68⤵PID:2096
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe69⤵
- Modifies registry class
PID:5052 -
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe70⤵PID:4916
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe71⤵PID:2212
-
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe72⤵PID:2760
-
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe73⤵PID:1928
-
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe74⤵PID:3568
-
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe75⤵PID:4052
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe76⤵PID:1944
-
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe77⤵PID:1532
-
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe79⤵PID:1396
-
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe80⤵PID:1704
-
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe81⤵PID:2556
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe82⤵PID:1368
-
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe83⤵PID:2140
-
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3148 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe85⤵PID:3692
-
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe86⤵PID:1044
-
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe87⤵PID:408
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe88⤵PID:576
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe89⤵PID:3552
-
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe90⤵PID:252
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe91⤵PID:4056
-
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe92⤵
- Modifies registry class
PID:4488 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe93⤵PID:1752
-
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe94⤵PID:4704
-
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe95⤵PID:3068
-
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe96⤵PID:3844
-
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe98⤵PID:1756
-
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe99⤵PID:1696
-
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe100⤵PID:1668
-
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe101⤵PID:848
-
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe102⤵PID:4896
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe103⤵PID:1964
-
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe104⤵PID:3804
-
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe105⤵PID:4260
-
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe106⤵
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe107⤵PID:2372
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe108⤵PID:2328
-
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe109⤵
- System Location Discovery: System Language Discovery
PID:4860 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe110⤵PID:4008
-
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe111⤵PID:1768
-
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe112⤵PID:4768
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4612 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:980 -
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe115⤵PID:2904
-
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe116⤵PID:1572
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe117⤵
- Drops file in System32 directory
PID:5016 -
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe118⤵PID:1184
-
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe119⤵PID:4988
-
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe120⤵
- System Location Discovery: System Language Discovery
PID:828 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe121⤵PID:4468
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-