Analysis
max time kernel: 143s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 18-11-2024 19:55
Static task: static1
Behavioral task: behavioral1
  Sample: 28050b85e6e32d9bb7bfcb028132e480ca7da0c75f812d603e20f4457fbbd2a2.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 28050b85e6e32d9bb7bfcb028132e480ca7da0c75f812d603e20f4457fbbd2a2.exe
  Resource: win10v2004-20241007-en
General
Target: 28050b85e6e32d9bb7bfcb028132e480ca7da0c75f812d603e20f4457fbbd2a2.exe
Size: 55KB
MD5: a1b3272b30b39e04be7239f3784f97f6
SHA1: 394c05a6453c05f37f60737fdd6bf094020a5371
SHA256: 28050b85e6e32d9bb7bfcb028132e480ca7da0c75f812d603e20f4457fbbd2a2
SHA512: 6f56f0bb4b2591d4fc9a0125c0f25cc711647d4f708f18c603f9594866d96f396028fa385942ea5a17ace76b2e784ca124e7cb9371f707a48535cf534a22f67c
SSDEEP: 768:WAlbk+bNCJdKBeMTsDxkETNeVtezf53ZXTesPb6W1VE/1H53NSoNSd0A3shxDfC:DbXbQ0ab/XTeckxNSoNSd0A3shxD6
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes: Bkgchckl.exe Djoinbpm.exe Oaaklmao.exe Hffpiikm.exe Aoamoefh.exe Lhmjha32.exe Bocckoom.exe Hdbmnchk.exe Jkbhjo32.exe Copljmpo.exe Bkjbgk32.exe Nijcgp32.exe Ehonebqq.exe Dhnoocab.exe Okhgaqfj.exe Kfkjnh32.exe Lgekdh32.exe Hhhkbqea.exe Pfmeddag.exe Nnknqpgi.exe Pnbcij32.exe Hdlkpd32.exe Hajdniep.exe Bjgmka32.exe Ebpgoh32.exe Fnhnnc32.exe Haggkf32.exe Ajnnipnc.exe Fhlhmi32.exe Gjeedcjh.exe Hancef32.exe Dilggefh.exe Efdohq32.exe Mbqpgf32.exe Cgkoejig.exe Jgeoda32.exe Degage32.exe Llainlje.exe Jennjblp.exe Hekfpo32.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkgchckl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djoinbpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oaaklmao.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hffpiikm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aoamoefh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhmjha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bocckoom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdbmnchk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkbhjo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Copljmpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkjbgk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nijcgp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehonebqq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhnoocab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okhgaqfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfkjnh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgekdh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhhkbqea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfmeddag.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnknqpgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pnbcij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdlkpd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hajdniep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjgmka32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebpgoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnhnnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Haggkf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajnnipnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhlhmi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjeedcjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hancef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dilggefh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efdohq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mbqpgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgkoejig.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgeoda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Degage32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llainlje.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhmjha32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jennjblp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hekfpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Berbew family
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
Bruteratel family
Detect BruteRatel badger 1 IoCs
resource | yara_rule
behavioral1/memory/3016-332-0x00000000003A0000-0x00000000003CF000-memory.dmp | family_bruteratel
Executes dropped EXE 64 IoCs
Processes: Pghjqlmi.exe Pamnnemo.exe Pcagkmaj.exe Pdpcep32.exe Pnihneon.exe Pceqfl32.exe Qakmghbm.exe Qlpadaac.exe Qhgbibgg.exe Andkbien.exe Akhkkmdh.exe Aqddcdbo.exe Ajmhljip.exe Adbmjbif.exe Ajoebigm.exe Adeiobgc.exe Aonjpp32.exe Bqngjcje.exe Bfkobj32.exe Bocckoom.exe Beplcfmd.exe Bnhqll32.exe Bineidcj.exe Bbfibj32.exe Bgcbja32.exe Bbhfgj32.exe Ccjbobnf.exe Cmbghgdg.exe Ccolja32.exe Cabldeik.exe Cbcikn32.exe Cbfeam32.exe Cipnng32.exe Dfdngl32.exe Dplbpaim.exe Danohi32.exe Doapanne.exe Dodlfmlb.exe Ddqeodjj.exe Ehonebqq.exe Eagbnh32.exe Egfglocf.exe Elcpdeam.exe Eenabkfk.exe Ekjikadb.exe Fljfdd32.exe Febjmj32.exe Fokofpif.exe Fplknh32.exe Fgfckbfa.exe Fdjddf32.exe Gghloe32.exe Hgobpd32.exe Hajdniep.exe Hjbhgolp.exe Ipoqofjh.exe Iigehk32.exe Ilfadg32.exe Ienfml32.exe Ipcjje32.exe Iaegbmlq.exe Iilocklc.exe Iniglajj.exe Idepdhia.exe
pid | Process
2484 | Pghjqlmi.exe
3000 | Pamnnemo.exe
3052 | Pcagkmaj.exe
1384 | Pdpcep32.exe
2748 | Pnihneon.exe
2560 | Pceqfl32.exe
2236 | Qakmghbm.exe
2088 | Qlpadaac.exe
2124 | Qhgbibgg.exe
1744 | Andkbien.exe
932 | Akhkkmdh.exe
2220 | Aqddcdbo.exe
940 | Ajmhljip.exe
1320 | Adbmjbif.exe
1860 | Ajoebigm.exe
236 | Adeiobgc.exe
2400 | Aonjpp32.exe
1540 | Bqngjcje.exe
1792 | Bfkobj32.exe
108 | Bocckoom.exe
964 | Beplcfmd.exe
2404 | Bnhqll32.exe
2332 | Bineidcj.exe
1652 | Bbfibj32.exe
2428 | Bgcbja32.exe
2880 | Bbhfgj32.exe
2872 | Ccjbobnf.exe
3056 | Cmbghgdg.exe
2920 | Ccolja32.exe
2732 | Cabldeik.exe
2764 | Cbcikn32.exe
956 | Cbfeam32.exe
1612 | Cipnng32.exe
1380 | Dfdngl32.exe
1276 | Dplbpaim.exe
984 | Danohi32.exe
952 | Doapanne.exe
1732 | Dodlfmlb.exe
2136 | Ddqeodjj.exe
2076 | Ehonebqq.exe
1260 | Eagbnh32.exe
2156 | Egfglocf.exe
616 | Elcpdeam.exe
1812 | Eenabkfk.exe
1904 | Ekjikadb.exe
916 | Fljfdd32.exe
2348 | Febjmj32.exe
752 | Fokofpif.exe
2876 | Fplknh32.exe
1708 | Fgfckbfa.exe
3064 | Fdjddf32.exe
2988 | Gghloe32.exe
2744 | Hgobpd32.exe
2776 | Hajdniep.exe
2688 | Hjbhgolp.exe
796 | Ipoqofjh.exe
1248 | Iigehk32.exe
2556 | Ilfadg32.exe
1344 | Ienfml32.exe
1044 | Ipcjje32.exe
2624 | Iaegbmlq.exe
1868 | Iilocklc.exe
396 | Iniglajj.exe
2708 | Idepdhia.exe
Loads dropped DLL 64 IoCs
Processes: 28050b85e6e32d9bb7bfcb028132e480ca7da0c75f812d603e20f4457fbbd2a2.exe Pghjqlmi.exe Pamnnemo.exe Pcagkmaj.exe Pdpcep32.exe Pnihneon.exe Pceqfl32.exe Qakmghbm.exe Qlpadaac.exe Qhgbibgg.exe Andkbien.exe Akhkkmdh.exe Aqddcdbo.exe Ajmhljip.exe Adbmjbif.exe Ajoebigm.exe Adeiobgc.exe Aonjpp32.exe Bqngjcje.exe Bfkobj32.exe Bocckoom.exe Beplcfmd.exe Bnhqll32.exe Bineidcj.exe Bbfibj32.exe Bgcbja32.exe Bbhfgj32.exe Ccjbobnf.exe Cmbghgdg.exe Ccolja32.exe Cabldeik.exe Cbcikn32.exe
pid | Process
3016 | 28050b85e6e32d9bb7bfcb028132e480ca7da0c75f812d603e20f4457fbbd2a2.exe
3016 | 28050b85e6e32d9bb7bfcb028132e480ca7da0c75f812d603e20f4457fbbd2a2.exe
2484 | Pghjqlmi.exe
2484 | Pghjqlmi.exe
3000 | Pamnnemo.exe
3000 | Pamnnemo.exe
3052 | Pcagkmaj.exe
3052 | Pcagkmaj.exe
1384 | Pdpcep32.exe
1384 | Pdpcep32.exe
2748 | Pnihneon.exe
2748 | Pnihneon.exe
2560 | Pceqfl32.exe
2560 | Pceqfl32.exe
2236 | Qakmghbm.exe
2236 | Qakmghbm.exe
2088 | Qlpadaac.exe
2088 | Qlpadaac.exe
2124 | Qhgbibgg.exe
2124 | Qhgbibgg.exe
1744 | Andkbien.exe
1744 | Andkbien.exe
932 | Akhkkmdh.exe
932 | Akhkkmdh.exe
2220 | Aqddcdbo.exe
2220 | Aqddcdbo.exe
940 | Ajmhljip.exe
940 | Ajmhljip.exe
1320 | Adbmjbif.exe
1320 | Adbmjbif.exe
1860 | Ajoebigm.exe
1860 | Ajoebigm.exe
236 | Adeiobgc.exe
236 | Adeiobgc.exe
2400 | Aonjpp32.exe
2400 | Aonjpp32.exe
1540 | Bqngjcje.exe
1540 | Bqngjcje.exe
1792 | Bfkobj32.exe
1792 | Bfkobj32.exe
108 | Bocckoom.exe
108 | Bocckoom.exe
964 | Beplcfmd.exe
964 | Beplcfmd.exe
2404 | Bnhqll32.exe
2404 | Bnhqll32.exe
2332 | Bineidcj.exe
2332 | Bineidcj.exe
1652 | Bbfibj32.exe
1652 | Bbfibj32.exe
2428 | Bgcbja32.exe
2428 | Bgcbja32.exe
2880 | Bbhfgj32.exe
2880 | Bbhfgj32.exe
2872 | Ccjbobnf.exe
2872 | Ccjbobnf.exe
3056 | Cmbghgdg.exe
3056 | Cmbghgdg.exe
2920 | Ccolja32.exe
2920 | Ccolja32.exe
2732 | Cabldeik.exe
2732 | Cabldeik.exe
2764 | Cbcikn32.exe
2764 | Cbcikn32.exe
Drops file in System32 directory 64 IoCs
Processes: Fpojlp32.exe Dfjcncak.exe Jlnadiko.exe Mihngj32.exe Pjfdpckc.exe Fpcghl32.exe Kmnnblmj.exe Badlln32.exe Kjngjj32.exe Nglhghgj.exe Cmkmao32.exe Dadikaaj.exe Doapanne.exe Achlch32.exe Bocckoom.exe Pmlngdhk.exe Cfjdfg32.exe Mhkkjnmo.exe Ienfml32.exe Phhonn32.exe Jobnej32.exe Dbqajk32.exe Nogjbbma.exe Foqadnpq.exe Bkgchckl.exe Imifpagp.exe Jnnehb32.exe Akdgmd32.exe Blgfml32.exe Bpdkajic.exe Bnkbcmaj.exe Fenedlec.exe Pkgonf32.exe Pelpgb32.exe Dlfina32.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\Ngkqooop.exe |
File opened for modification | C:\Windows\SysWOW64\Pggflobn.exe |
File created | C:\Windows\SysWOW64\Fkdoii32.exe | Fpojlp32.exe
File opened for modification | C:\Windows\SysWOW64\Dcnchg32.exe | Dfjcncak.exe
File created | C:\Windows\SysWOW64\Jhbaboaj.dll | Jlnadiko.exe
File created | C:\Windows\SysWOW64\Ejambd32.dll | Mihngj32.exe
File opened for modification | C:\Windows\SysWOW64\Ghjncbch.exe |
File created | C:\Windows\SysWOW64\Bcndjl32.dll |
File created | C:\Windows\SysWOW64\Agjjjp32.dll |
File opened for modification | C:\Windows\SysWOW64\Hbijhh32.exe |
File created | C:\Windows\SysWOW64\Pfmeddag.exe | Pjfdpckc.exe
File created | C:\Windows\SysWOW64\Feppqc32.exe | Fpcghl32.exe
File created | C:\Windows\SysWOW64\Kchfpf32.exe | Kmnnblmj.exe
File opened for modification | C:\Windows\SysWOW64\Cmkmao32.exe | Badlln32.exe
File opened for modification | C:\Windows\SysWOW64\Kcflbpnn.exe | Kjngjj32.exe
File created | C:\Windows\SysWOW64\Jfqeie32.exe |
File created | C:\Windows\SysWOW64\Lmhlnjmi.dll |
File created | C:\Windows\SysWOW64\Moemgild.dll |
File opened for modification | C:\Windows\SysWOW64\Npdlpnnj.exe | Nglhghgj.exe
File opened for modification | C:\Windows\SysWOW64\Cefbfa32.exe | Cmkmao32.exe
File created | C:\Windows\SysWOW64\Aahfoa32.dll | Dadikaaj.exe
File created | C:\Windows\SysWOW64\Opjjlo32.exe |
File created | C:\Windows\SysWOW64\Mlenijej.exe |
File opened for modification | C:\Windows\SysWOW64\Dodlfmlb.exe | Doapanne.exe
File created | C:\Windows\SysWOW64\Ajabpehm.dll | Achlch32.exe
File created | C:\Windows\SysWOW64\Moboof32.dll |
File created | C:\Windows\SysWOW64\Ahlodfln.dll | Bocckoom.exe
File created | C:\Windows\SysWOW64\Ppjjcogn.exe | Pmlngdhk.exe
File created | C:\Windows\SysWOW64\Cgkanomj.exe | Cfjdfg32.exe
File created | C:\Windows\SysWOW64\Nmoogpom.dll |
File opened for modification | C:\Windows\SysWOW64\Dkkdcd32.exe |
File opened for modification | C:\Windows\SysWOW64\Boolhikf.exe | Achlch32.exe
File created | C:\Windows\SysWOW64\Mbqpgf32.exe | Mhkkjnmo.exe
File created | C:\Windows\SysWOW64\Gcebjedc.dll |
File created | C:\Windows\SysWOW64\Ipcjje32.exe | Ienfml32.exe
File created | C:\Windows\SysWOW64\Geolck32.dll | Phhonn32.exe
File created | C:\Windows\SysWOW64\Jflfbdqe.exe | Jobnej32.exe
File created | C:\Windows\SysWOW64\Obahqbpf.dll |
File created | C:\Windows\SysWOW64\Dchcdn32.exe |
File created | C:\Windows\SysWOW64\Jjhfan32.dll | Dbqajk32.exe
File created | C:\Windows\SysWOW64\Nolbcaeh.dll | Nogjbbma.exe
File opened for modification | C:\Windows\SysWOW64\Aiaqie32.exe |
File created | C:\Windows\SysWOW64\Pjhcphkf.exe |
File created | C:\Windows\SysWOW64\Gmghdahd.exe |
File opened for modification | C:\Windows\SysWOW64\Leqjcb32.exe |
File created | C:\Windows\SysWOW64\Nmbldg32.dll |
File created | C:\Windows\SysWOW64\Dcjpol32.dll |
File opened for modification | C:\Windows\SysWOW64\Fldbnb32.exe | Foqadnpq.exe
File created | C:\Windows\SysWOW64\Bpdkajic.exe | Bkgchckl.exe
File created | C:\Windows\SysWOW64\Igojmjgf.exe | Imifpagp.exe
File created | C:\Windows\SysWOW64\Jggiah32.exe | Jnnehb32.exe
File opened for modification | C:\Windows\SysWOW64\Daidojeh.exe |
File created | C:\Windows\SysWOW64\Cmfeokoo.dll |
File created | C:\Windows\SysWOW64\Aqapek32.exe | Akdgmd32.exe
File created | C:\Windows\SysWOW64\Iinadl32.exe |
File opened for modification | C:\Windows\SysWOW64\Iqanbf32.exe |
File created | C:\Windows\SysWOW64\Hnfaghha.dll | Blgfml32.exe
File created | C:\Windows\SysWOW64\Bgndnd32.exe | Bpdkajic.exe
File created | C:\Windows\SysWOW64\Cdejpg32.exe | Bnkbcmaj.exe
File created | C:\Windows\SysWOW64\Fngjmb32.exe | Fenedlec.exe
File created | C:\Windows\SysWOW64\Phkohkkh.exe | Pkgonf32.exe
File created | C:\Windows\SysWOW64\Gqfpainh.dll | Pelpgb32.exe
File created | C:\Windows\SysWOW64\Afggda32.dll | Dlfina32.exe
File opened for modification | C:\Windows\SysWOW64\Bnplhm32.exe |
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Pegaje32.exe Kdooij32.exe Gaajfi32.exe Cjqglf32.exe Ckjnfobi.exe Gkbplepn.exe Jflfbdqe.exe Fenedlec.exe Mpkjjofe.exe Ppqqbjkm.exe Efdohq32.exe Lfmhla32.exe Mipjbokm.exe Cipnng32.exe Bbbckh32.exe Caligc32.exe Dajiag32.exe Ombhgljn.exe Mbqpgf32.exe Mhopcl32.exe Ekppjmia.exe Knnagehi.exe Qgdbpi32.exe Geehcoaf.exe Djffihmp.exe Pfhghgie.exe Hldldq32.exe Dcpagg32.exe Ncnmhajo.exe Lbibla32.exe Mheqie32.exe Kkfjpemb.exe Ggmldj32.exe Ojnhdn32.exe Igioiacg.exe Lpkmkl32.exe Bfifqg32.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pegaje32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdooij32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaajfi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjqglf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckjnfobi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkbplepn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jflfbdqe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fenedlec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpkjjofe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ppqqbjkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efdohq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfmhla32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mipjbokm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cipnng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbbckh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Caligc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dajiag32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ombhgljn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbqpgf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhopcl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekppjmia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knnagehi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qgdbpi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Geehcoaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djffihmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfhghgie.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hldldq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcpagg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncnmhajo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbibla32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mheqie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kkfjpemb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggmldj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojnhdn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Igioiacg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpkmkl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfifqg32.exe
Modifies registry class 64 IoCs
Processes: Kkfjpemb.exe Npbbcgga.exe Eiclop32.exe Hiahfo32.exe Faimkd32.exe Kcmbco32.exe Nglhghgj.exe Pfhghgie.exe Pnhegi32.exe Nmglpjak.exe Jfiekc32.exe Abaaakob.exe Genmab32.exe Lkkckdhm.exe Fondonbc.exe Qjcmoqlf.exe Pnbcij32.exe Nnknqpgi.exe Elfakg32.exe Cefbfa32.exe Nagakhfn.exe Jiinmnaa.exe Hbepplkh.exe Kjmeaa32.exe Jpalmaad.exe Flmglfhk.exe Lkjadh32.exe Hpcnmnnh.exe Qmomelml.exe Alicahno.exe Qecejnco.exe Achlch32.exe Dmgokcja.exe Cgkanomj.exe Fkpeojha.exe Bpbokj32.exe Pcahga32.exe Fobodn32.exe Cmkmao32.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kkfjpemb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahnhhpq.dll" | Npbbcgga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eiclop32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hiahfo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefndc32.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Faimkd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kcmbco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcnlcn32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nglhghgj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfhghgie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blhhag32.dll" | Pnhegi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmnoih32.dll" | Nmglpjak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nckmqnaa.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jfiekc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgpibnp.dll" | Abaaakob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdndmmmb.dll" | Genmab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lkkckdhm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fondonbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjmmehk.dll" | Qjcmoqlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pnbcij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acgpih32.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnknqpgi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Elfakg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cefbfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlkogio.dll" | Nagakhfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmohbdgo.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jiinmnaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbepplkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kjmeaa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jpalmaad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Flmglfhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lkjadh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcknnonh.dll" | Hpcnmnnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjnikd32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfahj32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acngdogp.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkhfmlhk.dll" | Qmomelml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Alicahno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qecejnco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfahd32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Achlch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngobapl.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dmgokcja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgkanomj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fkpeojha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jakoae32.dll" | Bpbokj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pcahga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fobodn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmkmao32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\28050b85e6e32d9bb7bfcb028132e480ca7da0c75f812d603e20f4457fbbd2a2.exe (command line: "C:\Users\Admin\AppData\Local\Temp\28050b85e6e32d9bb7bfcb028132e480ca7da0c75f812d603e20f4457fbbd2a2.exe", depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016
C:\Windows\SysWOW64\Pghjqlmi.exe (command line: C:\Windows\system32\Pghjqlmi.exe, depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484
C:\Windows\SysWOW64\Pamnnemo.exe (command line: C:\Windows\system32\Pamnnemo.exe, depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000
C:\Windows\SysWOW64\Pcagkmaj.exe (command line: C:\Windows\system32\Pcagkmaj.exe, depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052
C:\Windows\SysWOW64\Pdpcep32.exe (command line: C:\Windows\system32\Pdpcep32.exe, depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384
C:\Windows\SysWOW64\Pnihneon.exe (command line: C:\Windows\system32\Pnihneon.exe, depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748
C:\Windows\SysWOW64\Pceqfl32.exe (command line: C:\Windows\system32\Pceqfl32.exe, depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560
C:\Windows\SysWOW64\Qakmghbm.exe (command line: C:\Windows\system32\Qakmghbm.exe, depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236
C:\Windows\SysWOW64\Qlpadaac.exe (command line: C:\Windows\system32\Qlpadaac.exe, depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088
C:\Windows\SysWOW64\Qhgbibgg.exe (command line: C:\Windows\system32\Qhgbibgg.exe, depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124
C:\Windows\SysWOW64\Andkbien.exe (command line: C:\Windows\system32\Andkbien.exe, depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744
C:\Windows\SysWOW64\Akhkkmdh.exe (command line: C:\Windows\system32\Akhkkmdh.exe, depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:932
C:\Windows\SysWOW64\Aqddcdbo.exe (command line: C:\Windows\system32\Aqddcdbo.exe, depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
C:\Windows\SysWOW64\Ajmhljip.exe (command line: C:\Windows\system32\Ajmhljip.exe, depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940
C:\Windows\SysWOW64\Adbmjbif.exe (command line: C:\Windows\system32\Adbmjbif.exe, depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320
C:\Windows\SysWOW64\Ajoebigm.exe (command line: C:\Windows\system32\Ajoebigm.exe, depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860
C:\Windows\SysWOW64\Adeiobgc.exe (command line: C:\Windows\system32\Adeiobgc.exe, depth 17)
- Executes dropped EXE
- Loads dropped DLL
PID:236
C:\Windows\SysWOW64\Aonjpp32.exe (command line: C:\Windows\system32\Aonjpp32.exe, depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID:2400
C:\Windows\SysWOW64\Bqngjcje.exe (command line: C:\Windows\system32\Bqngjcje.exe, depth 19)
- Executes dropped EXE
- Loads dropped DLL
PID:1540
C:\Windows\SysWOW64\Bfkobj32.exe (command line: C:\Windows\system32\Bfkobj32.exe, depth 20)
- Executes dropped EXE
- Loads dropped DLL
PID:1792
C:\Windows\SysWOW64\Bocckoom.exe (command line: C:\Windows\system32\Bocckoom.exe, depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:108
C:\Windows\SysWOW64\Beplcfmd.exe (command line: C:\Windows\system32\Beplcfmd.exe, depth 22)
- Executes dropped EXE
- Loads dropped DLL
PID:964
C:\Windows\SysWOW64\Bnhqll32.exe (command line: C:\Windows\system32\Bnhqll32.exe, depth 23)
- Executes dropped EXE
- Loads dropped DLL
PID:2404
C:\Windows\SysWOW64\Bineidcj.exe (command line: C:\Windows\system32\Bineidcj.exe, depth 24)
- Executes dropped EXE
- Loads dropped DLL
PID:2332
C:\Windows\SysWOW64\Bbfibj32.exe (command line: C:\Windows\system32\Bbfibj32.exe, depth 25)
- Executes dropped EXE
- Loads dropped DLL
PID:1652
C:\Windows\SysWOW64\Bgcbja32.exe (command line: C:\Windows\system32\Bgcbja32.exe, depth 26)
- Executes dropped EXE
- Loads dropped DLL
PID:2428
C:\Windows\SysWOW64\Bbhfgj32.exe (command line: C:\Windows\system32\Bbhfgj32.exe, depth 27)
- Executes dropped EXE
- Loads dropped DLL
PID:2880
C:\Windows\SysWOW64\Ccjbobnf.exe (command line: C:\Windows\system32\Ccjbobnf.exe, depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID:2872
C:\Windows\SysWOW64\Cmbghgdg.exe (command line: C:\Windows\system32\Cmbghgdg.exe, depth 29)
- Executes dropped EXE
- Loads dropped DLL
PID:3056
C:\Windows\SysWOW64\Ccolja32.exe (command line: C:\Windows\system32\Ccolja32.exe, depth 30)
- Executes dropped EXE
- Loads dropped DLL
PID:2920
C:\Windows\SysWOW64\Cabldeik.exe (command line: C:\Windows\system32\Cabldeik.exe, depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID:2732
C:\Windows\SysWOW64\Cbcikn32.exe (command line: C:\Windows\system32\Cbcikn32.exe, depth 32)
- Executes dropped EXE
- Loads dropped DLL
PID:2764
C:\Windows\SysWOW64\Cbfeam32.exe (command line: C:\Windows\system32\Cbfeam32.exe, depth 33)
- Executes dropped EXE
PID:956
C:\Windows\SysWOW64\Cipnng32.exe (command line: C:\Windows\system32\Cipnng32.exe, depth 34)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612
C:\Windows\SysWOW64\Dfdngl32.exe (command line: C:\Windows\system32\Dfdngl32.exe, depth 35)
- Executes dropped EXE
PID:1380
C:\Windows\SysWOW64\Dplbpaim.exe (command line: C:\Windows\system32\Dplbpaim.exe, depth 36)
- Executes dropped EXE
PID:1276
C:\Windows\SysWOW64\Danohi32.exe (command line: C:\Windows\system32\Danohi32.exe, depth 37)
- Executes dropped EXE
PID:984
C:\Windows\SysWOW64\Doapanne.exe (command line: C:\Windows\system32\Doapanne.exe, depth 38)
- Executes dropped EXE
- Drops file in System32 directory
PID:952
C:\Windows\SysWOW64\Dodlfmlb.exe (command line: C:\Windows\system32\Dodlfmlb.exe, depth 39)
- Executes dropped EXE
PID:1732
C:\Windows\SysWOW64\Ddqeodjj.exe (command line: C:\Windows\system32\Ddqeodjj.exe, depth 40)
- Executes dropped EXE
PID:2136
C:\Windows\SysWOW64\Ehonebqq.exe (command line: C:\Windows\system32\Ehonebqq.exe, depth 41)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2076
C:\Windows\SysWOW64\Eagbnh32.exe (command line: C:\Windows\system32\Eagbnh32.exe, depth 42)
- Executes dropped EXE
PID:1260
C:\Windows\SysWOW64\Egfglocf.exe (command line: C:\Windows\system32\Egfglocf.exe, depth 43)
- Executes dropped EXE
PID:2156
C:\Windows\SysWOW64\Elcpdeam.exe (command line: C:\Windows\system32\Elcpdeam.exe, depth 44)
- Executes dropped EXE
PID:616
C:\Windows\SysWOW64\Eenabkfk.exe (command line: C:\Windows\system32\Eenabkfk.exe, depth 45)
- Executes dropped EXE
PID:1812
C:\Windows\SysWOW64\Ekjikadb.exe (command line: C:\Windows\system32\Ekjikadb.exe, depth 46)
- Executes dropped EXE
PID:1904
C:\Windows\SysWOW64\Fljfdd32.exe (command line: C:\Windows\system32\Fljfdd32.exe, depth 47)
- Executes dropped EXE
PID:916
C:\Windows\SysWOW64\Febjmj32.exe (command line: C:\Windows\system32\Febjmj32.exe, depth 48)
- Executes dropped EXE
PID:2348
C:\Windows\SysWOW64\Fokofpif.exe (command line: C:\Windows\system32\Fokofpif.exe, depth 49)
- Executes dropped EXE
PID:752
C:\Windows\SysWOW64\Fplknh32.exe (command line: C:\Windows\system32\Fplknh32.exe, depth 50)
- Executes dropped EXE
PID:2876
C:\Windows\SysWOW64\Fgfckbfa.exe (command line: C:\Windows\system32\Fgfckbfa.exe, depth 51)
- Executes dropped EXE
PID:1708
C:\Windows\SysWOW64\Fdjddf32.exe (command line: C:\Windows\system32\Fdjddf32.exe, depth 52)
- Executes dropped EXE
PID:3064
C:\Windows\SysWOW64\Gghloe32.exe (command line: C:\Windows\system32\Gghloe32.exe, depth 53)
- Executes dropped EXE
PID:2988
C:\Windows\SysWOW64\Hgobpd32.exe (command line: C:\Windows\system32\Hgobpd32.exe, depth 54)
- Executes dropped EXE
PID:2744
C:\Windows\SysWOW64\Hajdniep.exe (command line: C:\Windows\system32\Hajdniep.exe, depth 55)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776
C:\Windows\SysWOW64\Hjbhgolp.exe (command line: C:\Windows\system32\Hjbhgolp.exe, depth 56)
- Executes dropped EXE
PID:2688
C:\Windows\SysWOW64\Ipoqofjh.exe (command line: C:\Windows\system32\Ipoqofjh.exe, depth 57)
- Executes dropped EXE
PID:796
C:\Windows\SysWOW64\Iigehk32.exe (command line: C:\Windows\system32\Iigehk32.exe, depth 58)
- Executes dropped EXE
PID:1248
C:\Windows\SysWOW64\Ilfadg32.exe (command line: C:\Windows\system32\Ilfadg32.exe, depth 59)
- Executes dropped EXE
PID:2556
C:\Windows\SysWOW64\Ienfml32.exe (command line: C:\Windows\system32\Ienfml32.exe, depth 60)
- Executes dropped EXE
- Drops file in System32 directory
PID:1344
C:\Windows\SysWOW64\Ipcjje32.exe (command line: C:\Windows\system32\Ipcjje32.exe, depth 61)
- Executes dropped EXE
PID:1044
C:\Windows\SysWOW64\Iaegbmlq.exe (command line: C:\Windows\system32\Iaegbmlq.exe, depth 62)
- Executes dropped EXE
PID:2624
C:\Windows\SysWOW64\Iilocklc.exe (command line: C:\Windows\system32\Iilocklc.exe, depth 63)
- Executes dropped EXE
PID:1868
C:\Windows\SysWOW64\Iniglajj.exe (command line: C:\Windows\system32\Iniglajj.exe, depth 64)
- Executes dropped EXE
PID:396
C:\Windows\SysWOW64\Idepdhia.exe (command line: C:\Windows\system32\Idepdhia.exe, depth 65)
- Executes dropped EXE
PID:2708
C:\Windows\SysWOW64\Imndmnob.exe (command line: C:\Windows\system32\Imndmnob.exe, depth 66)
PID:2044
C:\Windows\SysWOW64\Jmpqbnmp.exe (command line: C:\Windows\system32\Jmpqbnmp.exe, depth 67)
PID:2668
C:\Windows\SysWOW64\Jfiekc32.exe (command line: C:\Windows\system32\Jfiekc32.exe, depth 68)
- Modifies registry class
PID:2248
C:\Windows\SysWOW64\Janihlcf.exe (command line: C:\Windows\system32\Janihlcf.exe, depth 69)
PID:596
C:\Windows\SysWOW64\Jiinmnaa.exe (command line: C:\Windows\system32\Jiinmnaa.exe, depth 70)
- Modifies registry class
PID:2584
C:\Windows\SysWOW64\Jdobjgqg.exe (command line: C:\Windows\system32\Jdobjgqg.exe, depth 71)
PID:2856
C:\Windows\SysWOW64\Jilkbn32.exe (command line: C:\Windows\system32\Jilkbn32.exe, depth 72)
PID:3036
C:\Windows\SysWOW64\Jljgni32.exe (command line: C:\Windows\system32\Jljgni32.exe, depth 73)
PID:2796
C:\Windows\SysWOW64\Jgpklb32.exe (command line: C:\Windows\system32\Jgpklb32.exe, depth 74)
PID:2712
C:\Windows\SysWOW64\Jhahcjcf.exe (command line: C:\Windows\system32\Jhahcjcf.exe, depth 75)
PID:2828
C:\Windows\SysWOW64\Kaillp32.exe (command line: C:\Windows\system32\Kaillp32.exe, depth 76)
PID:1764
C:\Windows\SysWOW64\Khcdijac.exe (command line: C:\Windows\system32\Khcdijac.exe, depth 77)
PID:2908
C:\Windows\SysWOW64\Kegebn32.exe (command line: C:\Windows\system32\Kegebn32.exe, depth 78)
PID:1232
C:\Windows\SysWOW64\Kkdnke32.exe (command line: C:\Windows\system32\Kkdnke32.exe, depth 79)
PID:2080
C:\Windows\SysWOW64\Kdlbckee.exe (command line: C:\Windows\system32\Kdlbckee.exe, depth 80)
PID:2540
C:\Windows\SysWOW64\Kkfjpemb.exe (command line: C:\Windows\system32\Kkfjpemb.exe, depth 81)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1352
C:\Windows\SysWOW64\Kdooij32.exe (command line: C:\Windows\system32\Kdooij32.exe, depth 82)
- System Location Discovery: System Language Discovery
PID:920
C:\Windows\SysWOW64\Kkigfdjo.exe (command line: C:\Windows\system32\Kkigfdjo.exe, depth 83)
PID:2416
C:\Windows\SysWOW64\Kdakoj32.exe (command line: C:\Windows\system32\Kdakoj32.exe, depth 84)
PID:1640
C:\Windows\SysWOW64\Lkkckdhm.exe (command line: C:\Windows\system32\Lkkckdhm.exe, depth 85)
- Modifies registry class
PID:1636
C:\Windows\SysWOW64\Lphlck32.exe (command line: C:\Windows\system32\Lphlck32.exe, depth 86)
PID:2940
C:\Windows\SysWOW64\Lnlmmo32.exe (command line: C:\Windows\system32\Lnlmmo32.exe, depth 87)
PID:2912
C:\Windows\SysWOW64\Lfgaaa32.exe (command line: C:\Windows\system32\Lfgaaa32.exe, depth 88)
PID:2896
C:\Windows\SysWOW64\Llainlje.exe (command line: C:\Windows\system32\Llainlje.exe, depth 89)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168
C:\Windows\SysWOW64\Lbnbfb32.exe (command line: C:\Windows\system32\Lbnbfb32.exe, depth 90)
PID:1468
C:\Windows\SysWOW64\Llcfck32.exe (command line: C:\Windows\system32\Llcfck32.exe, depth 91)
PID:2144
C:\Windows\SysWOW64\Mkkpjg32.exe (command line: C:\Windows\system32\Mkkpjg32.exe, depth 92)
PID:2924
C:\Windows\SysWOW64\Mhopcl32.exe (command line: C:\Windows\system32\Mhopcl32.exe, depth 93)
- System Location Discovery: System Language Discovery
PID:2636
C:\Windows\SysWOW64\Mbgela32.exe (command line: C:\Windows\system32\Mbgela32.exe, depth 94)
PID:2388
C:\Windows\SysWOW64\Mgdmeh32.exe (command line: C:\Windows\system32\Mgdmeh32.exe, depth 95)
PID:2380
C:\Windows\SysWOW64\Mqlbnnej.exe (command line: C:\Windows\system32\Mqlbnnej.exe, depth 96)
PID:1844
C:\Windows\SysWOW64\Mfijfdca.exe (command line: C:\Windows\system32\Mfijfdca.exe, depth 97)
PID:2040
C:\Windows\SysWOW64\Mqoocmcg.exe (command line: C:\Windows\system32\Mqoocmcg.exe, depth 98)
PID:2532
C:\Windows\SysWOW64\Mcmkoi32.exe (command line: C:\Windows\system32\Mcmkoi32.exe, depth 99)
PID:2972
C:\Windows\SysWOW64\Nijcgp32.exe (command line: C:\Windows\system32\Nijcgp32.exe, depth 100)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960
C:\Windows\SysWOW64\Npdkdjhp.exe (command line: C:\Windows\system32\Npdkdjhp.exe, depth 101)
PID:2756
C:\Windows\SysWOW64\Njipabhe.exe (command line: C:\Windows\system32\Njipabhe.exe, depth 102)
PID:2128
C:\Windows\SysWOW64\Nlklik32.exe (command line: C:\Windows\system32\Nlklik32.exe, depth 103)
PID:1824
C:\Windows\SysWOW64\Ncbdjhnf.exe (command line: C:\Windows\system32\Ncbdjhnf.exe, depth 104)
PID:2364
C:\Windows\SysWOW64\Niombolm.exe (command line: C:\Windows\system32\Niombolm.exe, depth 105)
PID:1056
C:\Windows\SysWOW64\Npieoi32.exe (command line: C:\Windows\system32\Npieoi32.exe, depth 106)
PID:2276
C:\Windows\SysWOW64\Niaihojk.exe (command line: C:\Windows\system32\Niaihojk.exe, depth 107)
PID:1456
C:\Windows\SysWOW64\Npkaei32.exe (command line: C:\Windows\system32\Npkaei32.exe, depth 108)
PID:472
C:\Windows\SysWOW64\Nalnmahf.exe (command line: C:\Windows\system32\Nalnmahf.exe, depth 109)
PID:3044
C:\Windows\SysWOW64\Nhffikob.exe (command line: C:\Windows\system32\Nhffikob.exe, depth 110)
PID:2008
C:\Windows\SysWOW64\Nbljfdoh.exe (command line: C:\Windows\system32\Nbljfdoh.exe, depth 111)
PID:2932
C:\Windows\SysWOW64\Ohhcokmp.exe (command line: C:\Windows\system32\Ohhcokmp.exe, depth 112)
PID:2904
C:\Windows\SysWOW64\Onbkle32.exe (command line: C:\Windows\system32\Onbkle32.exe, depth 113)
PID:2728
C:\Windows\SysWOW64\Ododdlcd.exe (command line: C:\Windows\system32\Ododdlcd.exe, depth 114)
PID:1252
C:\Windows\SysWOW64\Ofnppgbh.exe (command line: C:\Windows\system32\Ofnppgbh.exe, depth 115)
PID:1560
C:\Windows\SysWOW64\Oacdmpan.exe (command line: C:\Windows\system32\Oacdmpan.exe, depth 116)
PID:2304
C:\Windows\SysWOW64\Ohmljj32.exe (command line: C:\Windows\system32\Ohmljj32.exe, depth 117)
PID:824
C:\Windows\SysWOW64\Oaeacppk.exe (command line: C:\Windows\system32\Oaeacppk.exe, depth 118)
PID:1480
C:\Windows\SysWOW64\Ofbikf32.exe (command line: C:\Windows\system32\Ofbikf32.exe, depth 119)
PID:1712
C:\Windows\SysWOW64\Obijpgcf.exe (command line: C:\Windows\system32\Obijpgcf.exe, depth 120)
PID:2284
C:\Windows\SysWOW64\Plaoim32.exe (command line: C:\Windows\system32\Plaoim32.exe, depth 121)
PID:3008
C:\Windows\SysWOW64\Popkeh32.exe (command line: C:\Windows\system32\Popkeh32.exe, depth 122)
PID:2784