Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 02:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4dN.exe
Resource
win7-20241023-en
windows7-x64
12 signatures
120 seconds
Behavioral task
behavioral2
Sample
ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4dN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4dN.exe
-
Size
96KB
-
MD5
e15bd99e6b358c3baf2aafd1394a1320
-
SHA1
bb600921291930d58983c6f4d8facd20b86355b7
-
SHA256
ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4d
-
SHA512
b752a6dc527783fba6822d66630500ddb16fcf300c75a4a0dac1db817a2c82bb3926d97cb3830689ecede7da52cd8ec91e9ac30f044f2060e5d4139f75b3a6ab
-
SSDEEP
1536:G0ln+KvlVEeIpyOh4VIrv13HuTt4S4Qy2LR7RZObZUUWaegPYAG:/NVEeIcO2Ij13OTto6RClUUWae9
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkmdodf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkfojakp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfpjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khjgel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmimcbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qldjdlgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clciod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Halcmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbglpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddkgbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdnlcakk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjnenbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mndhnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpcblfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiokholk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehicoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejdfqogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiqibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npechhgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcmoie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjlof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpoejbhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibgkjee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojndpqpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankedf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkehql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanibhoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdkbjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnfdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Binikb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nflfad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qblfkgqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcemnopj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfojpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchipb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chgnneiq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjnjqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpanne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mneaacno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odacbpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plpqim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clkicbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnlaqhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfggkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khagijcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meecaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nommodjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbpqmfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjlof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deeqch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epeajo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fakglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpjhnfof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbpqmfmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keango32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkhoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boleejag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iemalkgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqeomfgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbhje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Codbqonk.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 3 IoCs
resource yara_rule behavioral1/files/0x000400000001ccc3-1407.dat family_bruteratel behavioral1/files/0x000400000001e0e5-3427.dat family_bruteratel behavioral1/files/0x0003000000020dd8-6472.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2500 Ieponofk.exe 1540 Iikkon32.exe 2752 Ioeclg32.exe 2812 Ibcphc32.exe 2824 Iaimipjl.exe 2844 Iediin32.exe 2832 Igceej32.exe 2740 Icifjk32.exe 892 Ikqnlh32.exe 2364 Iclbpj32.exe 2404 Jnagmc32.exe 2292 Jfmkbebl.exe 2304 Jpepkk32.exe 1944 Jbclgf32.exe 1548 Jpgmpk32.exe 2032 Jmkmjoec.exe 2564 Jbhebfck.exe 1384 Jplfkjbd.exe 1124 Kbjbge32.exe 760 Khgkpl32.exe 1288 Kjeglh32.exe 1720 Kekkiq32.exe 2652 Khjgel32.exe 2560 Kocpbfei.exe 2860 Kablnadm.exe 1592 Khldkllj.exe 2988 Kmimcbja.exe 2920 Khnapkjg.exe 2440 Kipmhc32.exe 2892 Libjncnc.exe 2472 Llpfjomf.exe 2724 Lplbjm32.exe 2712 Lpnopm32.exe 2392 Loaokjjg.exe 2268 Llepen32.exe 2376 Lpqlemaj.exe 1928 Lemdncoa.exe 1528 Lofifi32.exe 1156 Ladebd32.exe 1684 Lnkege32.exe 1964 Mdendpbg.exe 1208 Mnmbme32.exe 2632 Mainndaq.exe 1312 Mhcfjnhm.exe 1340 Makkcc32.exe 2348 Mclgklel.exe 2716 Mjfphf32.exe 2488 Mfmqmgbm.exe 1624 Mndhnd32.exe 2768 Mlgiiaij.exe 2908 Mcaafk32.exe 1668 Mgmmfjip.exe 2720 Mfpmbf32.exe 3044 Mlieoqgg.exe 2344 Nohaklfk.exe 2276 Nbfnggeo.exe 2416 Nhpfdaml.exe 2212 Nkobpmlo.exe 1544 Ncfjajma.exe 1780 Nfdfmfle.exe 2408 Nhbciaki.exe 2008 Nkaoemjm.exe 2116 Nbkgbg32.exe 1724 Nffccejb.exe -
Loads dropped DLL 64 IoCs
pid Process 2272 ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4dN.exe 2272 ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4dN.exe 2500 Ieponofk.exe 2500 Ieponofk.exe 1540 Iikkon32.exe 1540 Iikkon32.exe 2752 Ioeclg32.exe 2752 Ioeclg32.exe 2812 Ibcphc32.exe 2812 Ibcphc32.exe 2824 Iaimipjl.exe 2824 Iaimipjl.exe 2844 Iediin32.exe 2844 Iediin32.exe 2832 Igceej32.exe 2832 Igceej32.exe 2740 Icifjk32.exe 2740 Icifjk32.exe 892 Ikqnlh32.exe 892 Ikqnlh32.exe 2364 Iclbpj32.exe 2364 Iclbpj32.exe 2404 Jnagmc32.exe 2404 Jnagmc32.exe 2292 Jfmkbebl.exe 2292 Jfmkbebl.exe 2304 Jpepkk32.exe 2304 Jpepkk32.exe 1944 Jbclgf32.exe 1944 Jbclgf32.exe 1548 Jpgmpk32.exe 1548 Jpgmpk32.exe 2032 Jmkmjoec.exe 2032 Jmkmjoec.exe 2564 Jbhebfck.exe 2564 Jbhebfck.exe 1384 Jplfkjbd.exe 1384 Jplfkjbd.exe 1124 Kbjbge32.exe 1124 Kbjbge32.exe 760 Khgkpl32.exe 760 Khgkpl32.exe 1288 Kjeglh32.exe 1288 Kjeglh32.exe 1720 Kekkiq32.exe 1720 Kekkiq32.exe 2652 Khjgel32.exe 2652 Khjgel32.exe 2560 Kocpbfei.exe 2560 Kocpbfei.exe 2860 Kablnadm.exe 2860 Kablnadm.exe 1592 Khldkllj.exe 1592 Khldkllj.exe 2988 Kmimcbja.exe 2988 Kmimcbja.exe 2920 Khnapkjg.exe 2920 Khnapkjg.exe 2440 Kipmhc32.exe 2440 Kipmhc32.exe 2892 Libjncnc.exe 2892 Libjncnc.exe 2472 Llpfjomf.exe 2472 Llpfjomf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ieqili32.dll Qbafalph.exe File created C:\Windows\SysWOW64\Glnkcc32.exe Gedbfimc.exe File opened for modification C:\Windows\SysWOW64\Gekhgh32.exe Gbmlkl32.exe File created C:\Windows\SysWOW64\Feiepkmi.dll Fbimkpmm.exe File created C:\Windows\SysWOW64\Lblcge32.dll Fhhbif32.exe File opened for modification C:\Windows\SysWOW64\Kflafbak.exe Kcmdjgbh.exe File opened for modification C:\Windows\SysWOW64\Mejmmqpd.exe Mclqqeaq.exe File created C:\Windows\SysWOW64\Pbdipa32.exe Pkjqcg32.exe File created C:\Windows\SysWOW64\Hjkfmc32.dll Qmbqcf32.exe File created C:\Windows\SysWOW64\Malopkam.dll Akfnkmei.exe File created C:\Windows\SysWOW64\Cbbomjnn.exe Codbqonk.exe File created C:\Windows\SysWOW64\Agioom32.dll Kjeglh32.exe File created C:\Windows\SysWOW64\Pdhpdq32.exe Paiche32.exe File created C:\Windows\SysWOW64\Ebooboeb.dll Hememgdi.exe File created C:\Windows\SysWOW64\Jmdiahco.exe Jjfmem32.exe File created C:\Windows\SysWOW64\Ibddbplp.dll Offpbi32.exe File created C:\Windows\SysWOW64\Koibpd32.exe Kpfbegei.exe File created C:\Windows\SysWOW64\Bklpjlmc.exe Bhndnpnp.exe File created C:\Windows\SysWOW64\Hhimephj.dll Makkcc32.exe File opened for modification C:\Windows\SysWOW64\Bphooc32.exe Bnicbh32.exe File opened for modification C:\Windows\SysWOW64\Qbobaf32.exe Qldjdlgb.exe File created C:\Windows\SysWOW64\Idcnlffk.dll Bfbjdf32.exe File created C:\Windows\SysWOW64\Pfnoegaf.exe Pcpbik32.exe File opened for modification C:\Windows\SysWOW64\Dhklna32.exe Dqddmd32.exe File created C:\Windows\SysWOW64\Kmnlhg32.exe Jibpghbk.exe File created C:\Windows\SysWOW64\Kghmhegc.exe Keiqlihp.exe File opened for modification C:\Windows\SysWOW64\Pilbocej.exe Padjmfdg.exe File created C:\Windows\SysWOW64\Pfeeff32.exe Ppkmjlca.exe File created C:\Windows\SysWOW64\Hgfheodo.exe Hplphd32.exe File created C:\Windows\SysWOW64\Ngeogk32.dll Bggjjlnb.exe File opened for modification C:\Windows\SysWOW64\Ffjljmla.exe Feipbefb.exe File created C:\Windows\SysWOW64\Aejglo32.exe Abkkpd32.exe File created C:\Windows\SysWOW64\Bodhjdcc.exe Bfmqigba.exe File created C:\Windows\SysWOW64\Ainkcf32.exe Afpogk32.exe File created C:\Windows\SysWOW64\Aoaill32.exe Akfnkmei.exe File opened for modification C:\Windows\SysWOW64\Lglmefcg.exe Ldmaijdc.exe File created C:\Windows\SysWOW64\Gbfaddpc.dll Mlahdkjc.exe File created C:\Windows\SysWOW64\Mkjhmf32.dll Mhhiiloh.exe File created C:\Windows\SysWOW64\Ekghcq32.exe Efjpkj32.exe File created C:\Windows\SysWOW64\Ccpqjfnh.exe Clfhml32.exe File created C:\Windows\SysWOW64\Pcmade32.dll Qdlipplq.exe File created C:\Windows\SysWOW64\Fpmned32.exe Ficehj32.exe File created C:\Windows\SysWOW64\Jbcelp32.exe Jkimpfmg.exe File opened for modification C:\Windows\SysWOW64\Blniinac.exe Bdfahaaa.exe File created C:\Windows\SysWOW64\Klqddq32.dll Bdinnqon.exe File opened for modification C:\Windows\SysWOW64\Bknmok32.exe Blkmdodf.exe File created C:\Windows\SysWOW64\Ckinbali.dll Ccqhdmbc.exe File opened for modification C:\Windows\SysWOW64\Ainmlomf.exe Aebakp32.exe File created C:\Windows\SysWOW64\Ombddbah.exe Oekmceaf.exe File opened for modification C:\Windows\SysWOW64\Emjhmipi.exe Ehmpeb32.exe File created C:\Windows\SysWOW64\Fogdap32.exe Fkkhpadq.exe File created C:\Windows\SysWOW64\Phcleoho.exe Pdhpdq32.exe File created C:\Windows\SysWOW64\Eomohejp.dll Eikimeff.exe File created C:\Windows\SysWOW64\Aiaqle32.exe Ajnqphhe.exe File created C:\Windows\SysWOW64\Codbqonk.exe Clefdcog.exe File opened for modification C:\Windows\SysWOW64\Cjbmll32.exe Cdedde32.exe File opened for modification C:\Windows\SysWOW64\Abkkpd32.exe Alaccj32.exe File opened for modification C:\Windows\SysWOW64\Fdnlcakk.exe Fappgflg.exe File created C:\Windows\SysWOW64\Jingpl32.dll Lpnopm32.exe File opened for modification C:\Windows\SysWOW64\Goiafp32.exe Gdcmig32.exe File created C:\Windows\SysWOW64\Oiokholk.exe Ofaolcmh.exe File created C:\Windows\SysWOW64\Fnadkjlc.exe Ffjljmla.exe File created C:\Windows\SysWOW64\Ndnmialh.exe Nbpqmfmd.exe File created C:\Windows\SysWOW64\Bdjkbh32.dll Jgbjjf32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clefdcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnoegaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adblnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kndbko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfpdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmmfjip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imhqbkbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnodgbed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhckg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffjljmla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepclldc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmklak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladgkmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mainndaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofafgipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdgecna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooggpiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahelebm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmafngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhfjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplgeoea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljnkodm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpcblfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefolhja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkjnenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohjkcile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pegnglnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjfgkha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkhjabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikagogco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijfqfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjmoace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joebccpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjhnfof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncdpdcfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahhchk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfagemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4dN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baneak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmcebkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbakc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcnfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcleiclo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hememgdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndgeplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loaokjjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfpmbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nohaklfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emeobj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihpmnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnpdnho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnkiebib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpfjomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnkege32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpdhifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jihdnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgifd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdaabk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfalj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clciod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfqlkfoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbkdpnil.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiefbk32.dll" Oqepgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfmkamg.dll" Aanibhoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ficehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iklfia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqennbbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbpbgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnadkjlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjpkq32.dll" Qcmkhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaaekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglghm32.dll" Mdgmbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgfkchmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdamao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldpgbhe.dll" Cfknhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmnngl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hadfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghijlbj.dll" Momapqgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befddlni.dll" Cdcjgnbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcpbik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbqkeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpbgbme.dll" Kpoejbhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnkglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahcle32.dll" Khojcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnjklb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhocol32.dll" Jbphgpfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbgkfbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oehicoom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekghcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghidcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjonoenh.dll" Opaqpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdnncfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ealahi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oapcfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqhfnifq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblfonpc.dll" Mnhnfckm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njldiiel.dll" Lffmpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Macjgadf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afeaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lenffl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmkmjoec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgfiocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckkenikc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecnpdnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgbfcjag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkgifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbepkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbmafngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogohdeam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdjljpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmqln32.dll" Cbbomjnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kamlhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbphgpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgpfmbb.dll" Nkehql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omcngamh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbglpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gedbfimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdehcgni.dll" Iaaekl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpaphegf.dll" Mnmbme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Codbqonk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbnlaqhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmdfm32.dll" Gplcia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdeoccgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgfheodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kccgheib.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2272 wrote to memory of 2500 2272 ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4dN.exe 30 PID 2272 wrote to memory of 2500 2272 ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4dN.exe 30 PID 2272 wrote to memory of 2500 2272 ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4dN.exe 30 PID 2272 wrote to memory of 2500 2272 ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4dN.exe 30 PID 2500 wrote to memory of 1540 2500 Ieponofk.exe 31 PID 2500 wrote to memory of 1540 2500 Ieponofk.exe 31 PID 2500 wrote to memory of 1540 2500 Ieponofk.exe 31 PID 2500 wrote to memory of 1540 2500 Ieponofk.exe 31 PID 1540 wrote to memory of 2752 1540 Iikkon32.exe 32 PID 1540 wrote to memory of 2752 1540 Iikkon32.exe 32 PID 1540 wrote to memory of 2752 1540 Iikkon32.exe 32 PID 1540 wrote to memory of 2752 1540 Iikkon32.exe 32 PID 2752 wrote to memory of 2812 2752 Ioeclg32.exe 33 PID 2752 wrote to memory of 2812 2752 Ioeclg32.exe 33 PID 2752 wrote to memory of 2812 2752 Ioeclg32.exe 33 PID 2752 wrote to memory of 2812 2752 Ioeclg32.exe 33 PID 2812 wrote to memory of 2824 2812 Ibcphc32.exe 34 PID 2812 wrote to memory of 2824 2812 Ibcphc32.exe 34 PID 2812 wrote to memory of 2824 2812 Ibcphc32.exe 34 PID 2812 wrote to memory of 2824 2812 Ibcphc32.exe 34 PID 2824 wrote to memory of 2844 2824 Iaimipjl.exe 35 PID 2824 wrote to memory of 2844 2824 Iaimipjl.exe 35 PID 2824 wrote to memory of 2844 2824 Iaimipjl.exe 35 PID 2824 wrote to memory of 2844 2824 Iaimipjl.exe 35 PID 2844 wrote to memory of 2832 2844 Iediin32.exe 36 PID 2844 wrote to memory of 2832 2844 Iediin32.exe 36 PID 2844 wrote to memory of 2832 2844 Iediin32.exe 36 PID 2844 wrote to memory of 2832 2844 Iediin32.exe 36 PID 2832 wrote to memory of 2740 2832 Igceej32.exe 37 PID 2832 wrote to memory of 2740 2832 Igceej32.exe 37 PID 2832 wrote to memory of 2740 2832 Igceej32.exe 37 PID 2832 wrote to memory of 2740 2832 Igceej32.exe 37 PID 2740 wrote to memory of 892 2740 Icifjk32.exe 38 PID 2740 wrote to memory of 892 2740 Icifjk32.exe 38 PID 2740 wrote to memory of 892 2740 Icifjk32.exe 38 PID 2740 wrote to memory of 892 2740 Icifjk32.exe 38 PID 892 wrote to memory of 2364 892 Ikqnlh32.exe 39 PID 892 wrote to memory of 2364 892 Ikqnlh32.exe 39 PID 892 wrote to memory of 2364 892 Ikqnlh32.exe 39 PID 892 wrote to memory of 2364 892 Ikqnlh32.exe 39 PID 2364 wrote to memory of 2404 2364 Iclbpj32.exe 40 PID 2364 wrote to memory of 2404 2364 Iclbpj32.exe 40 PID 2364 wrote to memory of 2404 2364 Iclbpj32.exe 40 PID 2364 wrote to memory of 2404 2364 Iclbpj32.exe 40 PID 2404 wrote to memory of 2292 2404 Jnagmc32.exe 41 PID 2404 wrote to memory of 2292 2404 Jnagmc32.exe 41 PID 2404 wrote to memory of 2292 2404 Jnagmc32.exe 41 PID 2404 wrote to memory of 2292 2404 Jnagmc32.exe 41 PID 2292 wrote to memory of 2304 2292 Jfmkbebl.exe 42 PID 2292 wrote to memory of 2304 2292 Jfmkbebl.exe 42 PID 2292 wrote to memory of 2304 2292 Jfmkbebl.exe 42 PID 2292 wrote to memory of 2304 2292 Jfmkbebl.exe 42 PID 2304 wrote to memory of 1944 2304 Jpepkk32.exe 43 PID 2304 wrote to memory of 1944 2304 Jpepkk32.exe 43 PID 2304 wrote to memory of 1944 2304 Jpepkk32.exe 43 PID 2304 wrote to memory of 1944 2304 Jpepkk32.exe 43 PID 1944 wrote to memory of 1548 1944 Jbclgf32.exe 44 PID 1944 wrote to memory of 1548 1944 Jbclgf32.exe 44 PID 1944 wrote to memory of 1548 1944 Jbclgf32.exe 44 PID 1944 wrote to memory of 1548 1944 Jbclgf32.exe 44 PID 1548 wrote to memory of 2032 1548 Jpgmpk32.exe 45 PID 1548 wrote to memory of 2032 1548 Jpgmpk32.exe 45 PID 1548 wrote to memory of 2032 1548 Jpgmpk32.exe 45 PID 1548 wrote to memory of 2032 1548 Jpgmpk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4dN.exe"C:\Users\Admin\AppData\Local\Temp\ae7de485016f934fb4489a605280da15cfc772cd4100eddc088bfadedb6a9c4dN.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ieponofk.exeC:\Windows\system32\Ieponofk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Iikkon32.exeC:\Windows\system32\Iikkon32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Ioeclg32.exeC:\Windows\system32\Ioeclg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ibcphc32.exeC:\Windows\system32\Ibcphc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Iaimipjl.exeC:\Windows\system32\Iaimipjl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Iediin32.exeC:\Windows\system32\Iediin32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Igceej32.exeC:\Windows\system32\Igceej32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Icifjk32.exeC:\Windows\system32\Icifjk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ikqnlh32.exeC:\Windows\system32\Ikqnlh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Iclbpj32.exeC:\Windows\system32\Iclbpj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Jnagmc32.exeC:\Windows\system32\Jnagmc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Jfmkbebl.exeC:\Windows\system32\Jfmkbebl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Jpepkk32.exeC:\Windows\system32\Jpepkk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Jbclgf32.exeC:\Windows\system32\Jbclgf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Jpgmpk32.exeC:\Windows\system32\Jpgmpk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Jmkmjoec.exeC:\Windows\system32\Jmkmjoec.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Jbhebfck.exeC:\Windows\system32\Jbhebfck.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Jplfkjbd.exeC:\Windows\system32\Jplfkjbd.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1384 -
C:\Windows\SysWOW64\Kbjbge32.exeC:\Windows\system32\Kbjbge32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Khgkpl32.exeC:\Windows\system32\Khgkpl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760 -
C:\Windows\SysWOW64\Kjeglh32.exeC:\Windows\system32\Kjeglh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Kekkiq32.exeC:\Windows\system32\Kekkiq32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Khjgel32.exeC:\Windows\system32\Khjgel32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Kocpbfei.exeC:\Windows\system32\Kocpbfei.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Kablnadm.exeC:\Windows\system32\Kablnadm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Khldkllj.exeC:\Windows\system32\Khldkllj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Kmimcbja.exeC:\Windows\system32\Kmimcbja.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Khnapkjg.exeC:\Windows\system32\Khnapkjg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Kipmhc32.exeC:\Windows\system32\Kipmhc32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Libjncnc.exeC:\Windows\system32\Libjncnc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Llpfjomf.exeC:\Windows\system32\Llpfjomf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Lplbjm32.exeC:\Windows\system32\Lplbjm32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Loaokjjg.exeC:\Windows\system32\Loaokjjg.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Llepen32.exeC:\Windows\system32\Llepen32.exe36⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Lpqlemaj.exeC:\Windows\system32\Lpqlemaj.exe37⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Lemdncoa.exeC:\Windows\system32\Lemdncoa.exe38⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe39⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe40⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Lnkege32.exeC:\Windows\system32\Lnkege32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe42⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Mnmbme32.exeC:\Windows\system32\Mnmbme32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Mainndaq.exeC:\Windows\system32\Mainndaq.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe45⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Makkcc32.exeC:\Windows\system32\Makkcc32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Mclgklel.exeC:\Windows\system32\Mclgklel.exe47⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Mjfphf32.exeC:\Windows\system32\Mjfphf32.exe48⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Mfmqmgbm.exeC:\Windows\system32\Mfmqmgbm.exe49⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Mndhnd32.exeC:\Windows\system32\Mndhnd32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Mlgiiaij.exeC:\Windows\system32\Mlgiiaij.exe51⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe52⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Mgmmfjip.exeC:\Windows\system32\Mgmmfjip.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe55⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Nbfnggeo.exeC:\Windows\system32\Nbfnggeo.exe57⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Nhpfdaml.exeC:\Windows\system32\Nhpfdaml.exe58⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Nkobpmlo.exeC:\Windows\system32\Nkobpmlo.exe59⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe60⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Nfdfmfle.exeC:\Windows\system32\Nfdfmfle.exe61⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Nhbciaki.exeC:\Windows\system32\Nhbciaki.exe62⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Nkaoemjm.exeC:\Windows\system32\Nkaoemjm.exe63⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Nbkgbg32.exeC:\Windows\system32\Nbkgbg32.exe64⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Nffccejb.exeC:\Windows\system32\Nffccejb.exe65⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Nhepoaif.exeC:\Windows\system32\Nhepoaif.exe66⤵PID:2884
-
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe67⤵PID:1060
-
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe68⤵PID:2912
-
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe69⤵PID:3004
-
C:\Windows\SysWOW64\Nqpdcc32.exeC:\Windows\system32\Nqpdcc32.exe70⤵PID:2872
-
C:\Windows\SysWOW64\Nigldq32.exeC:\Windows\system32\Nigldq32.exe71⤵PID:1744
-
C:\Windows\SysWOW64\Nkehql32.exeC:\Windows\system32\Nkehql32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Nbpqmfmd.exeC:\Windows\system32\Nbpqmfmd.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Ndnmialh.exeC:\Windows\system32\Ndnmialh.exe74⤵PID:1184
-
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe75⤵PID:2624
-
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe76⤵
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Oepjoa32.exeC:\Windows\system32\Oepjoa32.exe77⤵PID:2412
-
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe78⤵
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Windows\SysWOW64\Ojmbgh32.exeC:\Windows\system32\Ojmbgh32.exe79⤵PID:1652
-
C:\Windows\SysWOW64\Oqgjdbpi.exeC:\Windows\system32\Oqgjdbpi.exe80⤵PID:1796
-
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe81⤵PID:308
-
C:\Windows\SysWOW64\Ofdclinq.exeC:\Windows\system32\Ofdclinq.exe82⤵PID:1680
-
C:\Windows\SysWOW64\Oibohdmd.exeC:\Windows\system32\Oibohdmd.exe83⤵PID:2520
-
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe84⤵PID:3008
-
C:\Windows\SysWOW64\Oplgeoea.exeC:\Windows\system32\Oplgeoea.exe85⤵
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Offpbi32.exeC:\Windows\system32\Offpbi32.exe86⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe87⤵PID:2184
-
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe88⤵PID:2340
-
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe89⤵PID:2172
-
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe90⤵
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe91⤵PID:304
-
C:\Windows\SysWOW64\Opaqpn32.exeC:\Windows\system32\Opaqpn32.exe92⤵
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe93⤵PID:1560
-
C:\Windows\SysWOW64\Piieicgl.exeC:\Windows\system32\Piieicgl.exe94⤵PID:1656
-
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe95⤵PID:596
-
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe96⤵PID:2916
-
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe97⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Pilbocej.exeC:\Windows\system32\Pilbocej.exe98⤵PID:2788
-
C:\Windows\SysWOW64\Pljnkodm.exeC:\Windows\system32\Pljnkodm.exe99⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe100⤵PID:2424
-
C:\Windows\SysWOW64\Paggce32.exeC:\Windows\system32\Paggce32.exe101⤵PID:1676
-
C:\Windows\SysWOW64\Pebbcdkn.exeC:\Windows\system32\Pebbcdkn.exe102⤵PID:1924
-
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe103⤵PID:620
-
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe104⤵
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe105⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Pdhpdq32.exeC:\Windows\system32\Pdhpdq32.exe106⤵
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Phcleoho.exeC:\Windows\system32\Phcleoho.exe107⤵PID:2948
-
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe108⤵PID:2924
-
C:\Windows\SysWOW64\Pmpdmfff.exeC:\Windows\system32\Pmpdmfff.exe109⤵PID:2208
-
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe110⤵
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Phehko32.exeC:\Windows\system32\Phehko32.exe111⤵PID:1880
-
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe112⤵PID:1736
-
C:\Windows\SysWOW64\Qmbqcf32.exeC:\Windows\system32\Qmbqcf32.exe113⤵
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Qdlipplq.exeC:\Windows\system32\Qdlipplq.exe114⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe115⤵
- System Location Discovery: System Language Discovery
PID:592 -
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe116⤵PID:3048
-
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe117⤵PID:2840
-
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe118⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe119⤵PID:2204
-
C:\Windows\SysWOW64\Amgjnepn.exeC:\Windows\system32\Amgjnepn.exe120⤵PID:1256
-
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe121⤵PID:2112
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-