Analysis
-
max time kernel
22s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07-11-2024 00:45
Behavioral task
behavioral1
Sample
7a3c6467fe19ee76ae15be7cd3a1aae585e8a6e05c1bb4ee29e887b9121369f6.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
7a3c6467fe19ee76ae15be7cd3a1aae585e8a6e05c1bb4ee29e887b9121369f6.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
7a3c6467fe19ee76ae15be7cd3a1aae585e8a6e05c1bb4ee29e887b9121369f6.exe
-
Size
163KB
-
MD5
f2b73817e29addda7788b3eb5e940a7d
-
SHA1
9b16b6712bacf97ef6e43436cdf16b3082a24a1d
-
SHA256
7a3c6467fe19ee76ae15be7cd3a1aae585e8a6e05c1bb4ee29e887b9121369f6
-
SHA512
cfa3b4a4884c8ae7469349f373d031b65a2fe81f6ffc86c51a9a30621c97bf681aa83e89a25be63ed2a3842d47c78a68d0cfb1ce993b6ab745bf0e56531477bc
-
SSDEEP
1536:P/r+0m/BybaYknb8Q7uJw7F4PUlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:r+XQeYk77uJKeUltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbdadl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogkbmcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjocoedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgbcha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Appfggjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjnaehgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igoagpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emieflec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeihfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aodjdede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcekbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeijpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onggom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpdpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijkjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lafgdfbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lllkaobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhjngnod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgffck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iniidj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kebgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fianpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfcfob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phhhchlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgqqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgdkbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebcqicem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgcpgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbkbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijegeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khkmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojgado32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajedn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lanmde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dieiap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llalgdbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbnfdpge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifakj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfdppia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hddoep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adqbml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbidof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioapnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akmgoehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khfcgbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfdbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgidnobg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogkbmcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocglmcdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qahlpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmgblphf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhlogo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjkdoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqhiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boqbcbeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecnpgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkbeqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioapnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phphgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eedijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocbbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faimkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghcbga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apgcbmha.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral1/files/0x000400000001da25-2010.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 1184 Mnakjaoc.exe 2868 Nndhpqma.exe 2456 Nfcfob32.exe 2848 Nqijmkfm.exe 2724 Njaoeq32.exe 2772 Olehbh32.exe 1660 Oiiilm32.exe 1172 Ofmiea32.exe 1168 Opennf32.exe 2172 Ojoood32.exe 2700 Odgchjhl.exe 2540 Pfhlie32.exe 1148 Phhhchlp.exe 2424 Pmgnan32.exe 2088 Pfobjdoe.exe 2432 Pipklo32.exe 952 Qeglqpaj.exe 2580 Qeihfp32.exe 288 Aapikqel.exe 1820 Aodjdede.exe 1724 Adqbml32.exe 1992 Apgcbmha.exe 1964 Akmgoehg.exe 2360 Apjpglfn.exe 1748 Ajbdpblo.exe 2124 Bhgaan32.exe 2468 Bhjngnod.exe 2944 Babbpc32.exe 2936 Bkjfhile.exe 2756 Bohoogbk.exe 2744 Bhqdgm32.exe 2196 Cbihpbpl.exe 2252 Cnpieceq.exe 1580 Cfknjfbl.exe 2600 Cocbbk32.exe 2180 Cmgblphf.exe 2972 Cfpgee32.exe 1584 Cmjoaofc.exe 2348 Deedfacn.exe 2204 Dbidof32.exe 1160 Dpmeij32.exe 2504 Dieiap32.exe 2236 Dbmnjenb.exe 2012 Edfqclni.exe 1636 Edhmhl32.exe 1488 Eeijpdbd.exe 1640 Ebmjihqn.exe 2392 Eelfedpa.exe 2368 Epakcm32.exe 2020 Fhlogo32.exe 2184 Faedpdcc.exe 2316 Foidii32.exe 3000 Fhaibnim.exe 2616 Faimkd32.exe 2084 Fgffck32.exe 2692 Faljqcmk.exe 2396 Fgibijkb.exe 2024 Fmbkfd32.exe 2612 Gcocnk32.exe 2888 Gmegkd32.exe 2192 Gpccgppq.exe 2808 Ggmldj32.exe 2156 Gljdlq32.exe 1056 Gcdmikma.exe -
Loads dropped DLL 64 IoCs
pid Process 2660 7a3c6467fe19ee76ae15be7cd3a1aae585e8a6e05c1bb4ee29e887b9121369f6.exe 2660 7a3c6467fe19ee76ae15be7cd3a1aae585e8a6e05c1bb4ee29e887b9121369f6.exe 1184 Mnakjaoc.exe 1184 Mnakjaoc.exe 2868 Nndhpqma.exe 2868 Nndhpqma.exe 2456 Nfcfob32.exe 2456 Nfcfob32.exe 2848 Nqijmkfm.exe 2848 Nqijmkfm.exe 2724 Njaoeq32.exe 2724 Njaoeq32.exe 2772 Olehbh32.exe 2772 Olehbh32.exe 1660 Oiiilm32.exe 1660 Oiiilm32.exe 1172 Ofmiea32.exe 1172 Ofmiea32.exe 1168 Opennf32.exe 1168 Opennf32.exe 2172 Ojoood32.exe 2172 Ojoood32.exe 2700 Odgchjhl.exe 2700 Odgchjhl.exe 2540 Pfhlie32.exe 2540 Pfhlie32.exe 1148 Phhhchlp.exe 1148 Phhhchlp.exe 2424 Pmgnan32.exe 2424 Pmgnan32.exe 2088 Pfobjdoe.exe 2088 Pfobjdoe.exe 2432 Pipklo32.exe 2432 Pipklo32.exe 952 Qeglqpaj.exe 952 Qeglqpaj.exe 2580 Qeihfp32.exe 2580 Qeihfp32.exe 288 Aapikqel.exe 288 Aapikqel.exe 1820 Aodjdede.exe 1820 Aodjdede.exe 1724 Adqbml32.exe 1724 Adqbml32.exe 1992 Apgcbmha.exe 1992 Apgcbmha.exe 1964 Akmgoehg.exe 1964 Akmgoehg.exe 2360 Apjpglfn.exe 2360 Apjpglfn.exe 1748 Ajbdpblo.exe 1748 Ajbdpblo.exe 2124 Bhgaan32.exe 2124 Bhgaan32.exe 2468 Bhjngnod.exe 2468 Bhjngnod.exe 2944 Babbpc32.exe 2944 Babbpc32.exe 2936 Bkjfhile.exe 2936 Bkjfhile.exe 2756 Bohoogbk.exe 2756 Bohoogbk.exe 2744 Bhqdgm32.exe 2744 Bhqdgm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cjmhanqn.dll Kejdqffo.exe File created C:\Windows\SysWOW64\Laenqg32.exe Lgpjcnhh.exe File opened for modification C:\Windows\SysWOW64\Laidie32.exe Lllkaobc.exe File created C:\Windows\SysWOW64\Qogcek32.dll Ldjmkq32.exe File created C:\Windows\SysWOW64\Fbgdlq32.dll Fmbkfd32.exe File created C:\Windows\SysWOW64\Nkadhg32.dll Ifgooikk.exe File opened for modification C:\Windows\SysWOW64\Kjdpcnfi.exe Khfcgbge.exe File created C:\Windows\SysWOW64\Anlbpigi.dll Clbbfj32.exe File opened for modification C:\Windows\SysWOW64\Gcdmikma.exe Gljdlq32.exe File created C:\Windows\SysWOW64\Mlmbmn32.dll Ojgado32.exe File created C:\Windows\SysWOW64\Pciiccbm.exe Pjqdjn32.exe File created C:\Windows\SysWOW64\Hignfnfk.dll Aahhoo32.exe File created C:\Windows\SysWOW64\Cijiejka.dll Bpfhfjgq.exe File created C:\Windows\SysWOW64\Ackoccaa.dll Djhldahb.exe File opened for modification C:\Windows\SysWOW64\Phhhchlp.exe Pfhlie32.exe File created C:\Windows\SysWOW64\Bgqqcd32.exe Bpfhfjgq.exe File opened for modification C:\Windows\SysWOW64\Kclmbm32.exe Kgcpgl32.exe File created C:\Windows\SysWOW64\Ddghpbab.dll Bhjngnod.exe File created C:\Windows\SysWOW64\Nlqgnc32.dll Dpmeij32.exe File opened for modification C:\Windows\SysWOW64\Ijegeg32.exe Ickoimie.exe File created C:\Windows\SysWOW64\Cknojl32.dll Iodlcnmf.exe File created C:\Windows\SysWOW64\Jfigdl32.exe Jnncoini.exe File opened for modification C:\Windows\SysWOW64\Khfcgbge.exe Kononm32.exe File created C:\Windows\SysWOW64\Moncom32.dll Ahpdficc.exe File opened for modification C:\Windows\SysWOW64\Boqbcbeh.exe Bambjnfn.exe File created C:\Windows\SysWOW64\Pfobjdoe.exe Pmgnan32.exe File opened for modification C:\Windows\SysWOW64\Jgjman32.exe Jnaihhgf.exe File opened for modification C:\Windows\SysWOW64\Kebgea32.exe Jjmchhhe.exe File created C:\Windows\SysWOW64\Epjlaj32.dll Ebemnc32.exe File opened for modification C:\Windows\SysWOW64\Gmegkd32.exe Gcocnk32.exe File created C:\Windows\SysWOW64\Ncpcapia.dll Ojoood32.exe File opened for modification C:\Windows\SysWOW64\Cmgblphf.exe Cocbbk32.exe File created C:\Windows\SysWOW64\Hnecjgch.exe Hgkknm32.exe File opened for modification C:\Windows\SysWOW64\Iecaad32.exe Iniidj32.exe File opened for modification C:\Windows\SysWOW64\Kldlmqml.exe Kejdqffo.exe File created C:\Windows\SysWOW64\Ojljdn32.dll Qifnjm32.exe File opened for modification C:\Windows\SysWOW64\Ahpdficc.exe Abbknb32.exe File opened for modification C:\Windows\SysWOW64\Cjaieoko.exe Colegflh.exe File created C:\Windows\SysWOW64\Pjkegjeg.dll Ofmiea32.exe File opened for modification C:\Windows\SysWOW64\Elbkbh32.exe Eeicenni.exe File created C:\Windows\SysWOW64\Ebemnc32.exe Emieflec.exe File created C:\Windows\SysWOW64\Bohoogbk.exe Bkjfhile.exe File created C:\Windows\SysWOW64\Kbnnhm32.dll Legcjjjm.exe File created C:\Windows\SysWOW64\Mgbcha32.exe Mnjnolap.exe File created C:\Windows\SysWOW64\Mhcdfiom.dll Imkbeqem.exe File created C:\Windows\SysWOW64\Adqbml32.exe Aodjdede.exe File opened for modification C:\Windows\SysWOW64\Dieiap32.exe Dpmeij32.exe File created C:\Windows\SysWOW64\Jelcgfbk.dll Gljdlq32.exe File created C:\Windows\SysWOW64\Acblea32.dll Iecaad32.exe File created C:\Windows\SysWOW64\Bcoddhio.dll Jgidnobg.exe File created C:\Windows\SysWOW64\Kjdpcnfi.exe Khfcgbge.exe File opened for modification C:\Windows\SysWOW64\Lhkiae32.exe Lcnqin32.exe File created C:\Windows\SysWOW64\Ndfppije.exe Nfqbol32.exe File opened for modification C:\Windows\SysWOW64\Oiiilm32.exe Olehbh32.exe File opened for modification C:\Windows\SysWOW64\Igeggkoq.exe Hddoep32.exe File created C:\Windows\SysWOW64\Qahlpkhh.exe Phphgf32.exe File opened for modification C:\Windows\SysWOW64\Cbihpbpl.exe Bhqdgm32.exe File created C:\Windows\SysWOW64\Fhaibnim.exe Foidii32.exe File opened for modification C:\Windows\SysWOW64\Galfpgpg.exe Ghcbga32.exe File opened for modification C:\Windows\SysWOW64\Iodlcnmf.exe Iflhjh32.exe File opened for modification C:\Windows\SysWOW64\Ndfppije.exe Nfqbol32.exe File created C:\Windows\SysWOW64\Ikembicd.exe Ijfpif32.exe File opened for modification C:\Windows\SysWOW64\Pipklo32.exe Pfobjdoe.exe File created C:\Windows\SysWOW64\Jgdkbo32.exe Ijpjik32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeihfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgkknm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbblpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfigdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhhmle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhdabemb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpieceq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhaibnim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coehnecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhlie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebmjihqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faimkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijpjik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laidie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmeij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffeoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppbfmdfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpmhdqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfdppia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpncbjqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgchjhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodjdede.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbbfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dclgbgbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iflhjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bambjnfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeicenni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdefgimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnakjaoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifndph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igoagpja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcodcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onggom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjnolap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpkhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjqqianh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhmhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpccgppq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmldj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldfgbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbnfdpge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqnlpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbihpbpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcpgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfqclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chickknc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlncdio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akmgoehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmbkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlkdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocglmcdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjmkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikembicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogbllfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iodlcnmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phphgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjoaofc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbidof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecaad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igeggkoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opennf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnqin32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjqigm32.dll" Nndhpqma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdfjnimm.dll" Oiiilm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqidng32.dll" Cbihpbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfchcq32.dll" Edfqclni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmegkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjqdjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhgaan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Babbpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhiglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migbkglj.dll" Ffoihepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glanhbmn.dll" Phhhchlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfgiimk.dll" Eeijpdbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmcpqfba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jennjblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apgcbmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnpieceq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faljqcmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebcqicem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdljncel.dll" Kmdbkbpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofmiea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmcao32.dll" Kononm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pppihdha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkngmm32.dll" Cfknjfbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkiiom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aajedn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agljbf32.dll" Cblniaii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obfblk32.dll" Jbandfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngnlaehe.dll" Faimkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmbmn32.dll" Ojgado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijgiokj.dll" Lllkaobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadllf32.dll" Dbidof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gljdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gljdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecbjdbcp.dll" Hjnaehgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaldc32.dll" Kjdpcnfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpohb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glclampi.dll" Dbfaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lacmbg32.dll" Igoagpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgdkbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phphgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emieflec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enokidgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igeggkoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijfpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cocbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfdbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhkiae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlilmc32.dll" Qahlpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aihjpman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Colegflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhgjjgoq.dll" Fpncbjqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pipklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgkknm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iflhjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnede32.dll" Lkcehkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khggofme.dll" Nfcfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkadhg32.dll" Ifgooikk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiojqfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nogjbbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cijiejka.dll" Bpfhfjgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqpgll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fianpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhjngnod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Babbpc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2660 wrote to memory of 1184 2660 7a3c6467fe19ee76ae15be7cd3a1aae585e8a6e05c1bb4ee29e887b9121369f6.exe 29 PID 2660 wrote to memory of 1184 2660 7a3c6467fe19ee76ae15be7cd3a1aae585e8a6e05c1bb4ee29e887b9121369f6.exe 29 PID 2660 wrote to memory of 1184 2660 7a3c6467fe19ee76ae15be7cd3a1aae585e8a6e05c1bb4ee29e887b9121369f6.exe 29 PID 2660 wrote to memory of 1184 2660 7a3c6467fe19ee76ae15be7cd3a1aae585e8a6e05c1bb4ee29e887b9121369f6.exe 29 PID 1184 wrote to memory of 2868 1184 Mnakjaoc.exe 30 PID 1184 wrote to memory of 2868 1184 Mnakjaoc.exe 30 PID 1184 wrote to memory of 2868 1184 Mnakjaoc.exe 30 PID 1184 wrote to memory of 2868 1184 Mnakjaoc.exe 30 PID 2868 wrote to memory of 2456 2868 Nndhpqma.exe 31 PID 2868 wrote to memory of 2456 2868 Nndhpqma.exe 31 PID 2868 wrote to memory of 2456 2868 Nndhpqma.exe 31 PID 2868 wrote to memory of 2456 2868 Nndhpqma.exe 31 PID 2456 wrote to memory of 2848 2456 Nfcfob32.exe 32 PID 2456 wrote to memory of 2848 2456 Nfcfob32.exe 32 PID 2456 wrote to memory of 2848 2456 Nfcfob32.exe 32 PID 2456 wrote to memory of 2848 2456 Nfcfob32.exe 32 PID 2848 wrote to memory of 2724 2848 Nqijmkfm.exe 33 PID 2848 wrote to memory of 2724 2848 Nqijmkfm.exe 33 PID 2848 wrote to memory of 2724 2848 Nqijmkfm.exe 33 PID 2848 wrote to memory of 2724 2848 Nqijmkfm.exe 33 PID 2724 wrote to memory of 2772 2724 Njaoeq32.exe 34 PID 2724 wrote to memory of 2772 2724 Njaoeq32.exe 34 PID 2724 wrote to memory of 2772 2724 Njaoeq32.exe 34 PID 2724 wrote to memory of 2772 2724 Njaoeq32.exe 34 PID 2772 wrote to memory of 1660 2772 Olehbh32.exe 35 PID 2772 wrote to memory of 1660 2772 Olehbh32.exe 35 PID 2772 wrote to memory of 1660 2772 Olehbh32.exe 35 PID 2772 wrote to memory of 1660 2772 Olehbh32.exe 35 PID 1660 wrote to memory of 1172 1660 Oiiilm32.exe 36 PID 1660 wrote to memory of 1172 1660 Oiiilm32.exe 36 PID 1660 wrote to memory of 1172 1660 Oiiilm32.exe 36 PID 1660 wrote to memory of 1172 1660 Oiiilm32.exe 36 PID 1172 wrote to memory of 1168 1172 Ofmiea32.exe 37 PID 1172 wrote to memory of 1168 1172 Ofmiea32.exe 37 PID 1172 wrote to memory of 1168 1172 Ofmiea32.exe 37 PID 1172 wrote to memory of 1168 1172 Ofmiea32.exe 37 PID 1168 wrote to memory of 2172 1168 Opennf32.exe 38 PID 1168 wrote to memory of 2172 1168 Opennf32.exe 38 PID 1168 wrote to memory of 2172 1168 Opennf32.exe 38 PID 1168 wrote to memory of 2172 1168 Opennf32.exe 38 PID 2172 wrote to memory of 2700 2172 Ojoood32.exe 39 PID 2172 wrote to memory of 2700 2172 Ojoood32.exe 39 PID 2172 wrote to memory of 2700 2172 Ojoood32.exe 39 PID 2172 wrote to memory of 2700 2172 Ojoood32.exe 39 PID 2700 wrote to memory of 2540 2700 Odgchjhl.exe 40 PID 2700 wrote to memory of 2540 2700 Odgchjhl.exe 40 PID 2700 wrote to memory of 2540 2700 Odgchjhl.exe 40 PID 2700 wrote to memory of 2540 2700 Odgchjhl.exe 40 PID 2540 wrote to memory of 1148 2540 Pfhlie32.exe 41 PID 2540 wrote to memory of 1148 2540 Pfhlie32.exe 41 PID 2540 wrote to memory of 1148 2540 Pfhlie32.exe 41 PID 2540 wrote to memory of 1148 2540 Pfhlie32.exe 41 PID 1148 wrote to memory of 2424 1148 Phhhchlp.exe 42 PID 1148 wrote to memory of 2424 1148 Phhhchlp.exe 42 PID 1148 wrote to memory of 2424 1148 Phhhchlp.exe 42 PID 1148 wrote to memory of 2424 1148 Phhhchlp.exe 42 PID 2424 wrote to memory of 2088 2424 Pmgnan32.exe 43 PID 2424 wrote to memory of 2088 2424 Pmgnan32.exe 43 PID 2424 wrote to memory of 2088 2424 Pmgnan32.exe 43 PID 2424 wrote to memory of 2088 2424 Pmgnan32.exe 43 PID 2088 wrote to memory of 2432 2088 Pfobjdoe.exe 44 PID 2088 wrote to memory of 2432 2088 Pfobjdoe.exe 44 PID 2088 wrote to memory of 2432 2088 Pfobjdoe.exe 44 PID 2088 wrote to memory of 2432 2088 Pfobjdoe.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a3c6467fe19ee76ae15be7cd3a1aae585e8a6e05c1bb4ee29e887b9121369f6.exe"C:\Users\Admin\AppData\Local\Temp\7a3c6467fe19ee76ae15be7cd3a1aae585e8a6e05c1bb4ee29e887b9121369f6.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Mnakjaoc.exeC:\Windows\system32\Mnakjaoc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Nndhpqma.exeC:\Windows\system32\Nndhpqma.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Nfcfob32.exeC:\Windows\system32\Nfcfob32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Nqijmkfm.exeC:\Windows\system32\Nqijmkfm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Njaoeq32.exeC:\Windows\system32\Njaoeq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Olehbh32.exeC:\Windows\system32\Olehbh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Oiiilm32.exeC:\Windows\system32\Oiiilm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Ofmiea32.exeC:\Windows\system32\Ofmiea32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Opennf32.exeC:\Windows\system32\Opennf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Ojoood32.exeC:\Windows\system32\Ojoood32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Odgchjhl.exeC:\Windows\system32\Odgchjhl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Phhhchlp.exeC:\Windows\system32\Phhhchlp.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Pmgnan32.exeC:\Windows\system32\Pmgnan32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Pfobjdoe.exeC:\Windows\system32\Pfobjdoe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Pipklo32.exeC:\Windows\system32\Pipklo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Qeglqpaj.exeC:\Windows\system32\Qeglqpaj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Qeihfp32.exeC:\Windows\system32\Qeihfp32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Aapikqel.exeC:\Windows\system32\Aapikqel.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288 -
C:\Windows\SysWOW64\Aodjdede.exeC:\Windows\system32\Aodjdede.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\Adqbml32.exeC:\Windows\system32\Adqbml32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Apgcbmha.exeC:\Windows\system32\Apgcbmha.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Apjpglfn.exeC:\Windows\system32\Apjpglfn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Ajbdpblo.exeC:\Windows\system32\Ajbdpblo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Bhgaan32.exeC:\Windows\system32\Bhgaan32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Bhjngnod.exeC:\Windows\system32\Bhjngnod.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Babbpc32.exeC:\Windows\system32\Babbpc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Bohoogbk.exeC:\Windows\system32\Bohoogbk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Bhqdgm32.exeC:\Windows\system32\Bhqdgm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Cbihpbpl.exeC:\Windows\system32\Cbihpbpl.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Cnpieceq.exeC:\Windows\system32\Cnpieceq.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Cfknjfbl.exeC:\Windows\system32\Cfknjfbl.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Cocbbk32.exeC:\Windows\system32\Cocbbk32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Cmgblphf.exeC:\Windows\system32\Cmgblphf.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Cfpgee32.exeC:\Windows\system32\Cfpgee32.exe38⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Cmjoaofc.exeC:\Windows\system32\Cmjoaofc.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Deedfacn.exeC:\Windows\system32\Deedfacn.exe40⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Dbidof32.exeC:\Windows\system32\Dbidof32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Dpmeij32.exeC:\Windows\system32\Dpmeij32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Windows\SysWOW64\Dieiap32.exeC:\Windows\system32\Dieiap32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Dbmnjenb.exeC:\Windows\system32\Dbmnjenb.exe44⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Edfqclni.exeC:\Windows\system32\Edfqclni.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Edhmhl32.exeC:\Windows\system32\Edhmhl32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Ebmjihqn.exeC:\Windows\system32\Ebmjihqn.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Eelfedpa.exeC:\Windows\system32\Eelfedpa.exe49⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Epakcm32.exeC:\Windows\system32\Epakcm32.exe50⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Fhlogo32.exeC:\Windows\system32\Fhlogo32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Faedpdcc.exeC:\Windows\system32\Faedpdcc.exe52⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Foidii32.exeC:\Windows\system32\Foidii32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Fhaibnim.exeC:\Windows\system32\Fhaibnim.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Faimkd32.exeC:\Windows\system32\Faimkd32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Fgffck32.exeC:\Windows\system32\Fgffck32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Faljqcmk.exeC:\Windows\system32\Faljqcmk.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Fgibijkb.exeC:\Windows\system32\Fgibijkb.exe58⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Fmbkfd32.exeC:\Windows\system32\Fmbkfd32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Gcocnk32.exeC:\Windows\system32\Gcocnk32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Gmegkd32.exeC:\Windows\system32\Gmegkd32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Gpccgppq.exeC:\Windows\system32\Gpccgppq.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Ggmldj32.exeC:\Windows\system32\Ggmldj32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Gljdlq32.exeC:\Windows\system32\Gljdlq32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Gcdmikma.exeC:\Windows\system32\Gcdmikma.exe65⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Ghaeaaki.exeC:\Windows\system32\Ghaeaaki.exe66⤵PID:1552
-
C:\Windows\SysWOW64\Gokmnlcf.exeC:\Windows\system32\Gokmnlcf.exe67⤵PID:2060
-
C:\Windows\SysWOW64\Ghcbga32.exeC:\Windows\system32\Ghcbga32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Galfpgpg.exeC:\Windows\system32\Galfpgpg.exe69⤵PID:1600
-
C:\Windows\SysWOW64\Glajmppm.exeC:\Windows\system32\Glajmppm.exe70⤵PID:2680
-
C:\Windows\SysWOW64\Hancef32.exeC:\Windows\system32\Hancef32.exe71⤵PID:456
-
C:\Windows\SysWOW64\Hgkknm32.exeC:\Windows\system32\Hgkknm32.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Hnecjgch.exeC:\Windows\system32\Hnecjgch.exe73⤵PID:2000
-
C:\Windows\SysWOW64\Hdolga32.exeC:\Windows\system32\Hdolga32.exe74⤵PID:2220
-
C:\Windows\SysWOW64\Hjkdoh32.exeC:\Windows\system32\Hjkdoh32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Hbblpf32.exeC:\Windows\system32\Hbblpf32.exe76⤵
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Windows\SysWOW64\Hjnaehgj.exeC:\Windows\system32\Hjnaehgj.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Hqhiab32.exeC:\Windows\system32\Hqhiab32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Hfdbji32.exeC:\Windows\system32\Hfdbji32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Hmojfcdk.exeC:\Windows\system32\Hmojfcdk.exe80⤵PID:436
-
C:\Windows\SysWOW64\Ifgooikk.exeC:\Windows\system32\Ifgooikk.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Imaglc32.exeC:\Windows\system32\Imaglc32.exe82⤵PID:2052
-
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe83⤵
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Ijegeg32.exeC:\Windows\system32\Ijegeg32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1556 -
C:\Windows\SysWOW64\Ioapnn32.exeC:\Windows\system32\Ioapnn32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2272 -
C:\Windows\SysWOW64\Iflhjh32.exeC:\Windows\system32\Iflhjh32.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Iodlcnmf.exeC:\Windows\system32\Iodlcnmf.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Ifndph32.exeC:\Windows\system32\Ifndph32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Igoagpja.exeC:\Windows\system32\Igoagpja.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Iniidj32.exeC:\Windows\system32\Iniidj32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1356 -
C:\Windows\SysWOW64\Iecaad32.exeC:\Windows\system32\Iecaad32.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Ijpjik32.exeC:\Windows\system32\Ijpjik32.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Jgdkbo32.exeC:\Windows\system32\Jgdkbo32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Jnncoini.exeC:\Windows\system32\Jnncoini.exe94⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Jfigdl32.exeC:\Windows\system32\Jfigdl32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Jmcpqfba.exeC:\Windows\system32\Jmcpqfba.exe96⤵
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Jgidnobg.exeC:\Windows\system32\Jgidnobg.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Jijqeg32.exeC:\Windows\system32\Jijqeg32.exe98⤵PID:1124
-
C:\Windows\SysWOW64\Jcodcp32.exeC:\Windows\system32\Jcodcp32.exe99⤵
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Jjimpj32.exeC:\Windows\system32\Jjimpj32.exe100⤵PID:1396
-
C:\Windows\SysWOW64\Jpfehq32.exeC:\Windows\system32\Jpfehq32.exe101⤵PID:848
-
C:\Windows\SysWOW64\Jbdadl32.exeC:\Windows\system32\Jbdadl32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Kiojqfdp.exeC:\Windows\system32\Kiojqfdp.exe103⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Kfbjjjci.exeC:\Windows\system32\Kfbjjjci.exe104⤵PID:1004
-
C:\Windows\SysWOW64\Klocba32.exeC:\Windows\system32\Klocba32.exe105⤵PID:2384
-
C:\Windows\SysWOW64\Kononm32.exeC:\Windows\system32\Kononm32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Khfcgbge.exeC:\Windows\system32\Khfcgbge.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Kjdpcnfi.exeC:\Windows\system32\Kjdpcnfi.exe108⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Kejdqffo.exeC:\Windows\system32\Kejdqffo.exe109⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Kldlmqml.exeC:\Windows\system32\Kldlmqml.exe110⤵PID:1408
-
C:\Windows\SysWOW64\Kaaeegkc.exeC:\Windows\system32\Kaaeegkc.exe111⤵PID:2684
-
C:\Windows\SysWOW64\Khkmba32.exeC:\Windows\system32\Khkmba32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Kkiiom32.exeC:\Windows\system32\Kkiiom32.exe113⤵
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Lpfagd32.exeC:\Windows\system32\Lpfagd32.exe114⤵PID:2716
-
C:\Windows\SysWOW64\Lgpjcnhh.exeC:\Windows\system32\Lgpjcnhh.exe115⤵
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Laenqg32.exeC:\Windows\system32\Laenqg32.exe116⤵PID:2836
-
C:\Windows\SysWOW64\Lgbfin32.exeC:\Windows\system32\Lgbfin32.exe117⤵PID:3032
-
C:\Windows\SysWOW64\Ldfgbb32.exeC:\Windows\system32\Ldfgbb32.exe118⤵
- System Location Discovery: System Language Discovery
PID:1132 -
C:\Windows\SysWOW64\Legcjjjm.exeC:\Windows\system32\Legcjjjm.exe119⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Llalgdbj.exeC:\Windows\system32\Llalgdbj.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Lggpdmap.exeC:\Windows\system32\Lggpdmap.exe121⤵PID:2920
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-