Analysis
-
max time kernel
60s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
21-10-2024 22:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe
-
Size
163KB
-
MD5
50710b80a9b5fb2bf2f52e528d564a60
-
SHA1
a117104493aea0d4a37cbc3fb590d4a5cde0e18e
-
SHA256
2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67d
-
SHA512
f9b82f408fa1f28bc4f12f1a43f9c8180ce943a17cb74b56868a9f22b8473f255cf23a5154940c750d8375d0075ff2d7b921d910638c47e7a37b41f4974ed594
-
SSDEEP
1536:PhgmknnkDSbwPi2ZqPWE5cDe1FDUxlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:JWnLc62ZqP51FD2ltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khcbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqimoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmmcae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khkdmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpclica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mginjnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpeoakhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcfhpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjljpjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfpkfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhficcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaaaiobc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Infjfblm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiiilm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ingmoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjgag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eekpknlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjaddii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldknmhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqkqbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmmanif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmcge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pllhib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anmnhhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kejahn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelcho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omonmpcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcdele32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phknlfem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbhfeip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfaocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cabldeik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fadagl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hccfoehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogpmcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qifpqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oncndnlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjlaod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdkmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpqgkpcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbkpfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbmicc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boqgep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhchjgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aglhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flphccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfaopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnlkdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpmbgai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdnne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emlhfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhlfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eamgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabncj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgodjico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqkqbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkfkoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apbblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpbilmop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liekddkh.exe -
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral1/files/0x000300000002091e-5816.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2568 Qonlhd32.exe 2968 Qifpqi32.exe 2904 Qqbeel32.exe 2804 Akgibd32.exe 3028 Aepnkjcd.exe 2364 Ammoel32.exe 1836 Ajcldpkd.exe 1472 Bepjjn32.exe 1392 Blibghmm.exe 1984 Bhpclica.exe 1148 Baigen32.exe 2084 Bjalndpb.exe 548 Befpkmph.exe 2428 Ckchcc32.exe 2256 Chgimh32.exe 2492 Cpbnaj32.exe 2444 Ckhbnb32.exe 720 Cdqfgh32.exe 1496 Dapjdq32.exe 1052 Docjne32.exe 456 Dgoobg32.exe 2664 Dadcppbp.exe 1592 Dgalhgpg.exe 1532 Elpqemll.exe 1680 Ehgaknbp.exe 2576 Efmoib32.exe 1620 Ekjgbi32.exe 604 Fhngkm32.exe 2144 Fqilppic.exe 2972 Fnmmidhm.exe 2800 Fjdnne32.exe 2748 Fnafdc32.exe 1720 Ffmkhe32.exe 316 Gpeoakhc.exe 2952 Gjkcod32.exe 272 Gcchgini.exe 2432 Geddoa32.exe 892 Gfdaid32.exe 1964 Gbkaneao.exe 792 Gbmoceol.exe 2360 Hnflnfbm.exe 2400 Hplbamdf.exe 1356 Iigcobid.exe 436 Iencdc32.exe 1468 Ibadnhmb.exe 1436 Ikmibjkm.exe 2012 Ihqilnig.exe 2028 Idgjqook.exe 2076 Jnpoie32.exe 1616 Jghcbjll.exe 2880 Jpqgkpcl.exe 2936 Jjilde32.exe 2208 Jfpmifoa.exe 860 Johaalea.exe 1656 Jafmngde.exe 2348 Jojnglco.exe 2232 Khcbpa32.exe 1804 Knpkhhhg.exe 1624 Kghoan32.exe 2188 Kqqdjceh.exe 3056 Kjihci32.exe 2440 Kgmilmkb.exe 2640 Kmjaddii.exe 1544 Kccian32.exe -
Loads dropped DLL 64 IoCs
pid Process 2496 2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe 2496 2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe 2568 Qonlhd32.exe 2568 Qonlhd32.exe 2968 Qifpqi32.exe 2968 Qifpqi32.exe 2904 Qqbeel32.exe 2904 Qqbeel32.exe 2804 Akgibd32.exe 2804 Akgibd32.exe 3028 Aepnkjcd.exe 3028 Aepnkjcd.exe 2364 Ammoel32.exe 2364 Ammoel32.exe 1836 Ajcldpkd.exe 1836 Ajcldpkd.exe 1472 Bepjjn32.exe 1472 Bepjjn32.exe 1392 Blibghmm.exe 1392 Blibghmm.exe 1984 Bhpclica.exe 1984 Bhpclica.exe 1148 Baigen32.exe 1148 Baigen32.exe 2084 Bjalndpb.exe 2084 Bjalndpb.exe 548 Befpkmph.exe 548 Befpkmph.exe 2428 Ckchcc32.exe 2428 Ckchcc32.exe 2256 Chgimh32.exe 2256 Chgimh32.exe 2492 Cpbnaj32.exe 2492 Cpbnaj32.exe 2444 Ckhbnb32.exe 2444 Ckhbnb32.exe 720 Cdqfgh32.exe 720 Cdqfgh32.exe 1496 Dapjdq32.exe 1496 Dapjdq32.exe 1052 Docjne32.exe 1052 Docjne32.exe 456 Dgoobg32.exe 456 Dgoobg32.exe 2664 Dadcppbp.exe 2664 Dadcppbp.exe 1592 Dgalhgpg.exe 1592 Dgalhgpg.exe 1532 Elpqemll.exe 1532 Elpqemll.exe 1680 Ehgaknbp.exe 1680 Ehgaknbp.exe 2576 Efmoib32.exe 2576 Efmoib32.exe 1620 Ekjgbi32.exe 1620 Ekjgbi32.exe 604 Fhngkm32.exe 604 Fhngkm32.exe 2144 Fqilppic.exe 2144 Fqilppic.exe 2972 Fnmmidhm.exe 2972 Fnmmidhm.exe 2800 Fjdnne32.exe 2800 Fjdnne32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jnnkddfe.dll Aadbfp32.exe File created C:\Windows\SysWOW64\Onjakoig.dll Jlmddi32.exe File created C:\Windows\SysWOW64\Cccgni32.exe Cfpgee32.exe File opened for modification C:\Windows\SysWOW64\Odgqoa32.exe Oimpnc32.exe File opened for modification C:\Windows\SysWOW64\Panpgn32.exe Ompgqonl.exe File opened for modification C:\Windows\SysWOW64\Jmhile32.exe Jaahgd32.exe File created C:\Windows\SysWOW64\Pejkdm32.dll Cclkcdpl.exe File opened for modification C:\Windows\SysWOW64\Fmhaep32.exe Fhlhmi32.exe File created C:\Windows\SysWOW64\Elkdakmp.dll Flpkll32.exe File created C:\Windows\SysWOW64\Efoddg32.dll Fonbff32.exe File created C:\Windows\SysWOW64\Lfonlg32.exe Ljhngfkh.exe File created C:\Windows\SysWOW64\Mfglbp32.dll Jgnflmia.exe File created C:\Windows\SysWOW64\Kceganoe.exe Kmkodd32.exe File created C:\Windows\SysWOW64\Fmengo32.dll Pldknmhd.exe File created C:\Windows\SysWOW64\Lijgiokj.dll Linoeccp.exe File opened for modification C:\Windows\SysWOW64\Iigcobid.exe Hplbamdf.exe File created C:\Windows\SysWOW64\Jgcfpd32.dll Aioodg32.exe File created C:\Windows\SysWOW64\Jibcja32.exe Jbhkngcd.exe File created C:\Windows\SysWOW64\Nqbdik32.dll Fhcjilcb.exe File created C:\Windows\SysWOW64\Nelglc32.dll Bjlpjp32.exe File created C:\Windows\SysWOW64\Bcnllf32.dll Ebcqicem.exe File created C:\Windows\SysWOW64\Ghplbi32.dll Eehndm32.exe File created C:\Windows\SysWOW64\Lpbhmiji.exe Lcnhcdkp.exe File created C:\Windows\SysWOW64\Ndagjbio.dll Lbpolb32.exe File opened for modification C:\Windows\SysWOW64\Hfdbji32.exe Hmlmacfn.exe File created C:\Windows\SysWOW64\Hidnidah.dll Oeegnj32.exe File created C:\Windows\SysWOW64\Elpjkgip.exe Ecgeba32.exe File created C:\Windows\SysWOW64\Fillabde.exe Flhkhnel.exe File opened for modification C:\Windows\SysWOW64\Efmoib32.exe Ehgaknbp.exe File created C:\Windows\SysWOW64\Emnagfnn.dll Adbmjbif.exe File created C:\Windows\SysWOW64\Chohqebq.exe Cogdhpkp.exe File opened for modification C:\Windows\SysWOW64\Fkeedo32.exe Falakjag.exe File created C:\Windows\SysWOW64\Mpmfdi32.dll Maejpj32.exe File opened for modification C:\Windows\SysWOW64\Fjdnne32.exe Fnmmidhm.exe File created C:\Windows\SysWOW64\Ekhfpeai.dll Liekddkh.exe File created C:\Windows\SysWOW64\Hjkbfpah.exe Henjnica.exe File opened for modification C:\Windows\SysWOW64\Gnoaliln.exe Gqkqbe32.exe File created C:\Windows\SysWOW64\Okmkebdg.dll Ephhmn32.exe File created C:\Windows\SysWOW64\Hhcheobh.dll Gegbpe32.exe File opened for modification C:\Windows\SysWOW64\Kfbjjjci.exe Kphbmp32.exe File created C:\Windows\SysWOW64\Liboodmk.exe Lgabgl32.exe File created C:\Windows\SysWOW64\Qqbhmi32.dll Opjlkc32.exe File created C:\Windows\SysWOW64\Jgjgfacn.dll Oiiilm32.exe File created C:\Windows\SysWOW64\Kmkodd32.exe Jgnflmia.exe File created C:\Windows\SysWOW64\Djbfepid.dll Dlfgehqk.exe File created C:\Windows\SysWOW64\Gkkilfjk.exe Gngiba32.exe File created C:\Windows\SysWOW64\Qhbpfk32.dll Joepjokm.exe File created C:\Windows\SysWOW64\Kmjaddii.exe Kgmilmkb.exe File created C:\Windows\SysWOW64\Nffhad32.dll Pdamhocm.exe File created C:\Windows\SysWOW64\Pgacaaij.exe Pgogla32.exe File created C:\Windows\SysWOW64\Ifnheoak.dll Mnlkdk32.exe File created C:\Windows\SysWOW64\Dgalhgpg.exe Dadcppbp.exe File created C:\Windows\SysWOW64\Lilfchel.dll Gfdaid32.exe File created C:\Windows\SysWOW64\Jcdfbkkf.dll Ofbikf32.exe File opened for modification C:\Windows\SysWOW64\Fnafdc32.exe Fjdnne32.exe File created C:\Windows\SysWOW64\Cjllgppm.dll Mmkcoq32.exe File opened for modification C:\Windows\SysWOW64\Qgdbpi32.exe Poinkg32.exe File created C:\Windows\SysWOW64\Apfamf32.dll Qdhqpe32.exe File created C:\Windows\SysWOW64\Aqimoc32.exe Aklefm32.exe File opened for modification C:\Windows\SysWOW64\Lolpah32.exe Lnmcge32.exe File opened for modification C:\Windows\SysWOW64\Hccfoehi.exe Hjkbfpah.exe File created C:\Windows\SysWOW64\Meeopdhb.exe Mmngof32.exe File created C:\Windows\SysWOW64\Dlfgehqk.exe Dbnblb32.exe File created C:\Windows\SysWOW64\Ponfcl32.dll Kfbjjjci.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aialjgbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chohqebq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opbopn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pglclk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhkngcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fonbff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhblgim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiekkdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfbjjjci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmeiei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfbfaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohjmlaci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfonlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmocha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfookk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eodknifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaahgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blibghmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajkip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqimoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apdminod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnhcdkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgemgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcpmieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjkcod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idgjqook.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joicje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpaoojjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaeacppk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjfjjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iencdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbnblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hccfoehi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iglkoaad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppmpmal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgdpgqgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abjcleqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggcnbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpnjkgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdkmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dplbpaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjeffc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baigen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfcqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gofajcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kacakgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhlfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apbblg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhngkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhngfkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjanfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkpdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcajn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jephgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eekpknlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npcika32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmnhhmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jennjblp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baiingae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekmjanpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lobehpok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfiinip.dll" Mmngof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghplbi32.dll" Eehndm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcbjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ponioeij.dll" Fcbjon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llainlje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hikobfgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfdjpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdnihiad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pooaaink.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghpdqdc.dll" Nmhlnngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaieai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhpmhgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlejm32.dll" Hccbnhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeidob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgoobg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dajiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjljpjjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joepjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakjff32.dll" Jephgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaahgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbpoboge.dll" Qpmgho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apbblg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpnifkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpnifkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqoffkq.dll" Oolelj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phbinc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Henjnica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifmdh32.dll" Mpjgag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pppihdha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emnpgaai.dll" Jeidob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgkbfcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpcafgp.dll" Lbjlnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmifml32.dll" Jadnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlhbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iijlqlam.dll" Fmhaep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kidlodkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omgfdhbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coiqmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npieoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfjdfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgmlfo32.dll" Onfadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlcfnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqiakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjihci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pabncj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khmpbemc.dll" Hfookk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flpkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpqnpacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmlljbm.dll" Jpqgkpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lknbgnog.dll" Lolpah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffofoi32.dll" Bokcom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfieec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkjfhile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epblob32.dll" Hemeod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafeln32.dll" Ophoecoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbpmelm.dll" Flkohc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igeggkoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnbdi32.dll" Gngiba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljiqml32.dll" Afhbljko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohkpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hobcok32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2496 wrote to memory of 2568 2496 2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe 30 PID 2496 wrote to memory of 2568 2496 2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe 30 PID 2496 wrote to memory of 2568 2496 2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe 30 PID 2496 wrote to memory of 2568 2496 2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe 30 PID 2568 wrote to memory of 2968 2568 Qonlhd32.exe 31 PID 2568 wrote to memory of 2968 2568 Qonlhd32.exe 31 PID 2568 wrote to memory of 2968 2568 Qonlhd32.exe 31 PID 2568 wrote to memory of 2968 2568 Qonlhd32.exe 31 PID 2968 wrote to memory of 2904 2968 Qifpqi32.exe 32 PID 2968 wrote to memory of 2904 2968 Qifpqi32.exe 32 PID 2968 wrote to memory of 2904 2968 Qifpqi32.exe 32 PID 2968 wrote to memory of 2904 2968 Qifpqi32.exe 32 PID 2904 wrote to memory of 2804 2904 Qqbeel32.exe 33 PID 2904 wrote to memory of 2804 2904 Qqbeel32.exe 33 PID 2904 wrote to memory of 2804 2904 Qqbeel32.exe 33 PID 2904 wrote to memory of 2804 2904 Qqbeel32.exe 33 PID 2804 wrote to memory of 3028 2804 Akgibd32.exe 34 PID 2804 wrote to memory of 3028 2804 Akgibd32.exe 34 PID 2804 wrote to memory of 3028 2804 Akgibd32.exe 34 PID 2804 wrote to memory of 3028 2804 Akgibd32.exe 34 PID 3028 wrote to memory of 2364 3028 Aepnkjcd.exe 35 PID 3028 wrote to memory of 2364 3028 Aepnkjcd.exe 35 PID 3028 wrote to memory of 2364 3028 Aepnkjcd.exe 35 PID 3028 wrote to memory of 2364 3028 Aepnkjcd.exe 35 PID 2364 wrote to memory of 1836 2364 Ammoel32.exe 36 PID 2364 wrote to memory of 1836 2364 Ammoel32.exe 36 PID 2364 wrote to memory of 1836 2364 Ammoel32.exe 36 PID 2364 wrote to memory of 1836 2364 Ammoel32.exe 36 PID 1836 wrote to memory of 1472 1836 Ajcldpkd.exe 37 PID 1836 wrote to memory of 1472 1836 Ajcldpkd.exe 37 PID 1836 wrote to memory of 1472 1836 Ajcldpkd.exe 37 PID 1836 wrote to memory of 1472 1836 Ajcldpkd.exe 37 PID 1472 wrote to memory of 1392 1472 Bepjjn32.exe 38 PID 1472 wrote to memory of 1392 1472 Bepjjn32.exe 38 PID 1472 wrote to memory of 1392 1472 Bepjjn32.exe 38 PID 1472 wrote to memory of 1392 1472 Bepjjn32.exe 38 PID 1392 wrote to memory of 1984 1392 Blibghmm.exe 39 PID 1392 wrote to memory of 1984 1392 Blibghmm.exe 39 PID 1392 wrote to memory of 1984 1392 Blibghmm.exe 39 PID 1392 wrote to memory of 1984 1392 Blibghmm.exe 39 PID 1984 wrote to memory of 1148 1984 Bhpclica.exe 40 PID 1984 wrote to memory of 1148 1984 Bhpclica.exe 40 PID 1984 wrote to memory of 1148 1984 Bhpclica.exe 40 PID 1984 wrote to memory of 1148 1984 Bhpclica.exe 40 PID 1148 wrote to memory of 2084 1148 Baigen32.exe 41 PID 1148 wrote to memory of 2084 1148 Baigen32.exe 41 PID 1148 wrote to memory of 2084 1148 Baigen32.exe 41 PID 1148 wrote to memory of 2084 1148 Baigen32.exe 41 PID 2084 wrote to memory of 548 2084 Bjalndpb.exe 42 PID 2084 wrote to memory of 548 2084 Bjalndpb.exe 42 PID 2084 wrote to memory of 548 2084 Bjalndpb.exe 42 PID 2084 wrote to memory of 548 2084 Bjalndpb.exe 42 PID 548 wrote to memory of 2428 548 Befpkmph.exe 43 PID 548 wrote to memory of 2428 548 Befpkmph.exe 43 PID 548 wrote to memory of 2428 548 Befpkmph.exe 43 PID 548 wrote to memory of 2428 548 Befpkmph.exe 43 PID 2428 wrote to memory of 2256 2428 Ckchcc32.exe 44 PID 2428 wrote to memory of 2256 2428 Ckchcc32.exe 44 PID 2428 wrote to memory of 2256 2428 Ckchcc32.exe 44 PID 2428 wrote to memory of 2256 2428 Ckchcc32.exe 44 PID 2256 wrote to memory of 2492 2256 Chgimh32.exe 45 PID 2256 wrote to memory of 2492 2256 Chgimh32.exe 45 PID 2256 wrote to memory of 2492 2256 Chgimh32.exe 45 PID 2256 wrote to memory of 2492 2256 Chgimh32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe"C:\Users\Admin\AppData\Local\Temp\2fabe3cdd25bf1d66c93dc94c615c9b6abfe4fe4b9ef72421cdb0fd2fa1cb67dN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Qonlhd32.exeC:\Windows\system32\Qonlhd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Qifpqi32.exeC:\Windows\system32\Qifpqi32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Qqbeel32.exeC:\Windows\system32\Qqbeel32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Akgibd32.exeC:\Windows\system32\Akgibd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Aepnkjcd.exeC:\Windows\system32\Aepnkjcd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Ammoel32.exeC:\Windows\system32\Ammoel32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Ajcldpkd.exeC:\Windows\system32\Ajcldpkd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Bepjjn32.exeC:\Windows\system32\Bepjjn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Blibghmm.exeC:\Windows\system32\Blibghmm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Bhpclica.exeC:\Windows\system32\Bhpclica.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Baigen32.exeC:\Windows\system32\Baigen32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Befpkmph.exeC:\Windows\system32\Befpkmph.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Ckchcc32.exeC:\Windows\system32\Ckchcc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Chgimh32.exeC:\Windows\system32\Chgimh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Cpbnaj32.exeC:\Windows\system32\Cpbnaj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Ckhbnb32.exeC:\Windows\system32\Ckhbnb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Cdqfgh32.exeC:\Windows\system32\Cdqfgh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:720 -
C:\Windows\SysWOW64\Dapjdq32.exeC:\Windows\system32\Dapjdq32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Docjne32.exeC:\Windows\system32\Docjne32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Windows\SysWOW64\Dgoobg32.exeC:\Windows\system32\Dgoobg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\Dadcppbp.exeC:\Windows\system32\Dadcppbp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Dgalhgpg.exeC:\Windows\system32\Dgalhgpg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Elpqemll.exeC:\Windows\system32\Elpqemll.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Ehgaknbp.exeC:\Windows\system32\Ehgaknbp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Efmoib32.exeC:\Windows\system32\Efmoib32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Ekjgbi32.exeC:\Windows\system32\Ekjgbi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Fhngkm32.exeC:\Windows\system32\Fhngkm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:604 -
C:\Windows\SysWOW64\Fqilppic.exeC:\Windows\system32\Fqilppic.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Fnmmidhm.exeC:\Windows\system32\Fnmmidhm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Fjdnne32.exeC:\Windows\system32\Fjdnne32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Fnafdc32.exeC:\Windows\system32\Fnafdc32.exe33⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ffmkhe32.exeC:\Windows\system32\Ffmkhe32.exe34⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Gpeoakhc.exeC:\Windows\system32\Gpeoakhc.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Gjkcod32.exeC:\Windows\system32\Gjkcod32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Gcchgini.exeC:\Windows\system32\Gcchgini.exe37⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Geddoa32.exeC:\Windows\system32\Geddoa32.exe38⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Gbkaneao.exeC:\Windows\system32\Gbkaneao.exe40⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Gbmoceol.exeC:\Windows\system32\Gbmoceol.exe41⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Hnflnfbm.exeC:\Windows\system32\Hnflnfbm.exe42⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Hplbamdf.exeC:\Windows\system32\Hplbamdf.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Iigcobid.exeC:\Windows\system32\Iigcobid.exe44⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Iencdc32.exeC:\Windows\system32\Iencdc32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:436 -
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe46⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ikmibjkm.exeC:\Windows\system32\Ikmibjkm.exe47⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe48⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Idgjqook.exeC:\Windows\system32\Idgjqook.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Jnpoie32.exeC:\Windows\system32\Jnpoie32.exe50⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Jghcbjll.exeC:\Windows\system32\Jghcbjll.exe51⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Jpqgkpcl.exeC:\Windows\system32\Jpqgkpcl.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe53⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Jfpmifoa.exeC:\Windows\system32\Jfpmifoa.exe54⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Johaalea.exeC:\Windows\system32\Johaalea.exe55⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe56⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Jojnglco.exeC:\Windows\system32\Jojnglco.exe57⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Khcbpa32.exeC:\Windows\system32\Khcbpa32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Knpkhhhg.exeC:\Windows\system32\Knpkhhhg.exe59⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Kghoan32.exeC:\Windows\system32\Kghoan32.exe60⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Kqqdjceh.exeC:\Windows\system32\Kqqdjceh.exe61⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Kgmilmkb.exeC:\Windows\system32\Kgmilmkb.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Kmjaddii.exeC:\Windows\system32\Kmjaddii.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Kccian32.exeC:\Windows\system32\Kccian32.exe65⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Kninog32.exeC:\Windows\system32\Kninog32.exe66⤵PID:816
-
C:\Windows\SysWOW64\Lgabgl32.exeC:\Windows\system32\Lgabgl32.exe67⤵
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Liboodmk.exeC:\Windows\system32\Liboodmk.exe68⤵PID:704
-
C:\Windows\SysWOW64\Lchclmla.exeC:\Windows\system32\Lchclmla.exe69⤵PID:3068
-
C:\Windows\SysWOW64\Liekddkh.exeC:\Windows\system32\Liekddkh.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Lfilnh32.exeC:\Windows\system32\Lfilnh32.exe71⤵PID:2236
-
C:\Windows\SysWOW64\Lndqbk32.exeC:\Windows\system32\Lndqbk32.exe72⤵PID:1920
-
C:\Windows\SysWOW64\Lijepc32.exeC:\Windows\system32\Lijepc32.exe73⤵PID:2828
-
C:\Windows\SysWOW64\Lnfmhj32.exeC:\Windows\system32\Lnfmhj32.exe74⤵PID:2228
-
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe75⤵PID:880
-
C:\Windows\SysWOW64\Mcfbfaao.exeC:\Windows\system32\Mcfbfaao.exe76⤵
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Mmngof32.exeC:\Windows\system32\Mmngof32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Meeopdhb.exeC:\Windows\system32\Meeopdhb.exe78⤵PID:2380
-
C:\Windows\SysWOW64\Mmpcdfem.exeC:\Windows\system32\Mmpcdfem.exe79⤵PID:2408
-
C:\Windows\SysWOW64\Migdig32.exeC:\Windows\system32\Migdig32.exe80⤵PID:2356
-
C:\Windows\SysWOW64\Mfkebkjk.exeC:\Windows\system32\Mfkebkjk.exe81⤵PID:904
-
C:\Windows\SysWOW64\Npcika32.exeC:\Windows\system32\Npcika32.exe82⤵
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Nepach32.exeC:\Windows\system32\Nepach32.exe83⤵PID:2580
-
C:\Windows\SysWOW64\Nhakecld.exeC:\Windows\system32\Nhakecld.exe84⤵PID:2148
-
C:\Windows\SysWOW64\Nbfobllj.exeC:\Windows\system32\Nbfobllj.exe85⤵PID:1492
-
C:\Windows\SysWOW64\Nlocka32.exeC:\Windows\system32\Nlocka32.exe86⤵PID:3012
-
C:\Windows\SysWOW64\Nbilhkig.exeC:\Windows\system32\Nbilhkig.exe87⤵PID:2924
-
C:\Windows\SysWOW64\Nhhqfb32.exeC:\Windows\system32\Nhhqfb32.exe88⤵PID:1476
-
C:\Windows\SysWOW64\Omeini32.exeC:\Windows\system32\Omeini32.exe89⤵PID:3000
-
C:\Windows\SysWOW64\Ohjmlaci.exeC:\Windows\system32\Ohjmlaci.exe90⤵
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Omgfdhbq.exeC:\Windows\system32\Omgfdhbq.exe91⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Ocdnloph.exeC:\Windows\system32\Ocdnloph.exe92⤵PID:1348
-
C:\Windows\SysWOW64\Ophoecoa.exeC:\Windows\system32\Ophoecoa.exe93⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Oeegnj32.exeC:\Windows\system32\Oeegnj32.exe94⤵
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Opjlkc32.exeC:\Windows\system32\Opjlkc32.exe95⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Plcied32.exeC:\Windows\system32\Plcied32.exe96⤵PID:2092
-
C:\Windows\SysWOW64\Papank32.exeC:\Windows\system32\Papank32.exe97⤵PID:620
-
C:\Windows\SysWOW64\Phjjkefd.exeC:\Windows\system32\Phjjkefd.exe98⤵PID:2596
-
C:\Windows\SysWOW64\Pabncj32.exeC:\Windows\system32\Pabncj32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Pgogla32.exeC:\Windows\system32\Pgogla32.exe100⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Pgacaaij.exeC:\Windows\system32\Pgacaaij.exe101⤵PID:1388
-
C:\Windows\SysWOW64\Paghojip.exeC:\Windows\system32\Paghojip.exe102⤵PID:1996
-
C:\Windows\SysWOW64\Pdfdkehc.exeC:\Windows\system32\Pdfdkehc.exe103⤵PID:2760
-
C:\Windows\SysWOW64\Pgdpgqgg.exeC:\Windows\system32\Pgdpgqgg.exe104⤵
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Qnnhcknd.exeC:\Windows\system32\Qnnhcknd.exe105⤵PID:3008
-
C:\Windows\SysWOW64\Qdhqpe32.exeC:\Windows\system32\Qdhqpe32.exe106⤵
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Aioodg32.exeC:\Windows\system32\Aioodg32.exe107⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Ankhmncb.exeC:\Windows\system32\Ankhmncb.exe108⤵PID:1156
-
C:\Windows\SysWOW64\Aialjgbh.exeC:\Windows\system32\Aialjgbh.exe109⤵
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Akbelbpi.exeC:\Windows\system32\Akbelbpi.exe110⤵PID:2412
-
C:\Windows\SysWOW64\Anpahn32.exeC:\Windows\system32\Anpahn32.exe111⤵PID:2060
-
C:\Windows\SysWOW64\Bejiehfi.exeC:\Windows\system32\Bejiehfi.exe112⤵PID:384
-
C:\Windows\SysWOW64\Bkdbab32.exeC:\Windows\system32\Bkdbab32.exe113⤵PID:1236
-
C:\Windows\SysWOW64\Bgkbfcck.exeC:\Windows\system32\Bgkbfcck.exe114⤵
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Bjiobnbn.exeC:\Windows\system32\Bjiobnbn.exe115⤵PID:1036
-
C:\Windows\SysWOW64\Bgmolb32.exeC:\Windows\system32\Bgmolb32.exe116⤵PID:2704
-
C:\Windows\SysWOW64\Bjnhnn32.exeC:\Windows\system32\Bjnhnn32.exe117⤵PID:836
-
C:\Windows\SysWOW64\Bcfmfc32.exeC:\Windows\system32\Bcfmfc32.exe118⤵PID:1948
-
C:\Windows\SysWOW64\Biceoj32.exeC:\Windows\system32\Biceoj32.exe119⤵PID:2928
-
C:\Windows\SysWOW64\Cnpnga32.exeC:\Windows\system32\Cnpnga32.exe120⤵PID:2988
-
C:\Windows\SysWOW64\Cejfckie.exeC:\Windows\system32\Cejfckie.exe121⤵PID:1868
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-