Analysis
-
max time kernel
138s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 03:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe
-
Size
80KB
-
MD5
514436bf1d9991f9baeefdade1d49c62
-
SHA1
9ab84f276165dc6170d9000ee10288d0642acfe9
-
SHA256
f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828
-
SHA512
5ad9e18595b8b4db2205f200da9ab6471d97ed76982d23cfb153ef9f05a105b2600c284fdffbe463ff1eacc949f520f0902cf460d032d4cd3ba4f78f6fabd440
-
SSDEEP
1536:5NCpYQ7NX2qB2E9Z1eywLd7000oZMfGtPcZPU2LGCYrum8SPG2:S9N2t4ZIywLd7000oBtPcZ1GVT8SL
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moecghdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmddmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdihbbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpmoki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inihff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Colgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkpkplih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakkad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkpkplih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlhcegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iejkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfnjlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmaak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cknikooe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfbnfcli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cijmjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lglfed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmfnbohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eehpoaaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faegda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfpphp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgfli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhqnnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ominjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfijmdbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhqico32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlmqip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjialchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cffnpdip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccinpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdnbipf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cffejk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjjie32.exe -
Executes dropped EXE 64 IoCs
pid Process 2532 Fbpihafp.exe 2972 Faefim32.exe 2752 Fajpdmgb.exe 2824 Fnnpma32.exe 2628 Gmcmomjc.exe 2636 Glhjpjok.exe 2092 Gpfbfh32.exe 2576 Glmckikf.exe 2852 Ghcdpjqj.exe 1744 Hgbdge32.exe 2088 Igdqmeke.exe 2568 Ianambhc.exe 2032 Iaqnbb32.exe 632 Ifngiqlg.exe 2384 Injlmcib.exe 2144 Jknlfg32.exe 2388 Jgdmkhnp.exe 2392 Jfijmdbh.exe 1808 Jobnej32.exe 1084 Jqakompl.exe 2224 Jfnchd32.exe 916 Kcbcah32.exe 3024 Kkmhej32.exe 1908 Kiaiooja.exe 1492 Kbjmhd32.exe 2036 Kjeblf32.exe 2120 Kaagnp32.exe 2536 Lpfdpmho.exe 2740 Lpiqel32.exe 2884 Liaenblm.exe 2968 Lfeegfkf.exe 2592 Lblflgqk.exe 2612 Lldkem32.exe 1524 Mihkoa32.exe 2192 Moecghdl.exe 1820 Mdbloobc.exe 2024 Mknaahhn.exe 1128 Nmccnc32.exe 612 Nliqoofa.exe 1088 Nhpadpke.exe 2068 Nahemf32.exe 2236 Nnofbg32.exe 1104 Ohdkop32.exe 460 Onacgf32.exe 328 Ogldfl32.exe 1336 Olhmnb32.exe 1684 Omkidb32.exe 2980 Oceaql32.exe 2140 Ommfibdg.exe 2296 Pbjoaibo.exe 2904 Pidgnc32.exe 2444 Pcikllja.exe 2724 Pifcdbhi.exe 2796 Pncllifp.exe 1664 Pemdic32.exe 2708 Pqdend32.exe 1948 Pgnmjokn.exe 1720 Pafacd32.exe 2860 Qjofljho.exe 2940 Qedjib32.exe 1752 Qjacai32.exe 856 Qpnkjq32.exe 2484 Ajcpgi32.exe 2436 Apphpp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2564 f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe 2564 f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe 2532 Fbpihafp.exe 2532 Fbpihafp.exe 2972 Faefim32.exe 2972 Faefim32.exe 2752 Fajpdmgb.exe 2752 Fajpdmgb.exe 2824 Fnnpma32.exe 2824 Fnnpma32.exe 2628 Gmcmomjc.exe 2628 Gmcmomjc.exe 2636 Glhjpjok.exe 2636 Glhjpjok.exe 2092 Gpfbfh32.exe 2092 Gpfbfh32.exe 2576 Glmckikf.exe 2576 Glmckikf.exe 2852 Ghcdpjqj.exe 2852 Ghcdpjqj.exe 1744 Hgbdge32.exe 1744 Hgbdge32.exe 2088 Igdqmeke.exe 2088 Igdqmeke.exe 2568 Ianambhc.exe 2568 Ianambhc.exe 2032 Iaqnbb32.exe 2032 Iaqnbb32.exe 632 Ifngiqlg.exe 632 Ifngiqlg.exe 2384 Injlmcib.exe 2384 Injlmcib.exe 2144 Jknlfg32.exe 2144 Jknlfg32.exe 2388 Jgdmkhnp.exe 2388 Jgdmkhnp.exe 2392 Jfijmdbh.exe 2392 Jfijmdbh.exe 1808 Jobnej32.exe 1808 Jobnej32.exe 1084 Jqakompl.exe 1084 Jqakompl.exe 2224 Jfnchd32.exe 2224 Jfnchd32.exe 916 Kcbcah32.exe 916 Kcbcah32.exe 3024 Kkmhej32.exe 3024 Kkmhej32.exe 1908 Kiaiooja.exe 1908 Kiaiooja.exe 1492 Kbjmhd32.exe 1492 Kbjmhd32.exe 1600 Kgibeklf.exe 1600 Kgibeklf.exe 2120 Kaagnp32.exe 2120 Kaagnp32.exe 2536 Lpfdpmho.exe 2536 Lpfdpmho.exe 2740 Lpiqel32.exe 2740 Lpiqel32.exe 2884 Liaenblm.exe 2884 Liaenblm.exe 2968 Lfeegfkf.exe 2968 Lfeegfkf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Opmnle32.exe Ojpedn32.exe File created C:\Windows\SysWOW64\Mdfljc32.dll Cikocggb.exe File created C:\Windows\SysWOW64\Bjbeapph.dll Process not Found File created C:\Windows\SysWOW64\Pedaaimj.exe Process not Found File created C:\Windows\SysWOW64\Ljekog32.dll Eghcckld.exe File created C:\Windows\SysWOW64\Gjjoob32.exe Gcpfbhof.exe File created C:\Windows\SysWOW64\Aaedlm32.dll Process not Found File created C:\Windows\SysWOW64\Dhdoen32.dll Process not Found File created C:\Windows\SysWOW64\Gingqjgd.exe Gdanhchm.exe File created C:\Windows\SysWOW64\Dhbhloho.exe Dkngckie.exe File created C:\Windows\SysWOW64\Hanpnndb.exe Process not Found File created C:\Windows\SysWOW64\Eoccbm32.dll Process not Found File created C:\Windows\SysWOW64\Hkmnqdme.dll Depelp32.exe File created C:\Windows\SysWOW64\Qokjcc32.exe Pgionbbl.exe File created C:\Windows\SysWOW64\Edgbldch.dll Cbcgmi32.exe File opened for modification C:\Windows\SysWOW64\Pbhepfbq.exe Pcchoj32.exe File created C:\Windows\SysWOW64\Oigphf32.dll Odlpfblm.exe File opened for modification C:\Windows\SysWOW64\Oclkdd32.exe Oqkbbi32.exe File created C:\Windows\SysWOW64\Dphlkk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Endlhn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Effdef32.exe Ejodpedp.exe File created C:\Windows\SysWOW64\Hdnipi32.exe Process not Found File created C:\Windows\SysWOW64\Lagknhgp.dll Boohgk32.exe File opened for modification C:\Windows\SysWOW64\Qappbgkq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lklkco32.exe Process not Found File created C:\Windows\SysWOW64\Fplmcqhb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kkhdohnm.exe Kfklgape.exe File created C:\Windows\SysWOW64\Egdnjlcg.exe Enliaf32.exe File created C:\Windows\SysWOW64\Mqkked32.exe Mjabhjec.exe File created C:\Windows\SysWOW64\Hakmnh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mbigpo32.exe Process not Found File created C:\Windows\SysWOW64\Edghighp.exe Enmplm32.exe File opened for modification C:\Windows\SysWOW64\Ndofjq32.exe Njialh32.exe File opened for modification C:\Windows\SysWOW64\Hegdkkje.exe Hnlpghmj.exe File created C:\Windows\SysWOW64\Fjipic32.exe Process not Found File created C:\Windows\SysWOW64\Dmjkaf32.dll Ilicgl32.exe File created C:\Windows\SysWOW64\Gpgiod32.dll Mkdhlh32.exe File opened for modification C:\Windows\SysWOW64\Gmgcbdll.exe Process not Found File created C:\Windows\SysWOW64\Njmlnk32.dll Dhbhloho.exe File created C:\Windows\SysWOW64\Qccggfgh.exe Process not Found File created C:\Windows\SysWOW64\Eemgmgcg.dll Pkgonf32.exe File created C:\Windows\SysWOW64\Miocfn32.dll Eiapjq32.exe File opened for modification C:\Windows\SysWOW64\Gakchj32.exe Fahfcjfd.exe File created C:\Windows\SysWOW64\Fpamnb32.exe Fhfhip32.exe File opened for modification C:\Windows\SysWOW64\Llhgce32.exe Lbpcjpek.exe File created C:\Windows\SysWOW64\Jhnmkopa.dll Pakoam32.exe File created C:\Windows\SysWOW64\Fadmqm32.dll Process not Found File created C:\Windows\SysWOW64\Ommolblf.dll Process not Found File created C:\Windows\SysWOW64\Hocgoilb.dll Oaaklmao.exe File created C:\Windows\SysWOW64\Pbgniekp.dll Pkebig32.exe File created C:\Windows\SysWOW64\Qpdnfk32.dll Dmcidqlf.exe File created C:\Windows\SysWOW64\Hdfgejal.dll Plkgkn32.exe File created C:\Windows\SysWOW64\Olmgcf32.exe Process not Found File created C:\Windows\SysWOW64\Mqcbol32.dll Process not Found File created C:\Windows\SysWOW64\Flgaqgkd.dll Process not Found File created C:\Windows\SysWOW64\Jcffklfk.dll Process not Found File created C:\Windows\SysWOW64\Faceaj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ogldfl32.exe Onacgf32.exe File opened for modification C:\Windows\SysWOW64\Cokqfhpa.exe Cdflhppk.exe File opened for modification C:\Windows\SysWOW64\Gjjoob32.exe Gcpfbhof.exe File created C:\Windows\SysWOW64\Fgfjbhlf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oikpbklj.exe Ocnhjdnb.exe File opened for modification C:\Windows\SysWOW64\Indpfkhm.exe Process not Found File created C:\Windows\SysWOW64\Nlhjbi32.dll Dpocioad.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkggel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjggnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aidpgmfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Effdef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khojqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqbflqad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkqgkcpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhjnmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfbnfcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphbhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmlffbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqckhffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifcdbhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oimpppoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjaejbmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjiemdgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcppcdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cialng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnbpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbmnchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjmkhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjoel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkpckeek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mddjpbgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdanhchm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pekhohfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbqkmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcfmnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnoqbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbecce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbpnbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfpaqdnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajkjphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkechk32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4648 Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhaogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plbdfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eighbdhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbofngho.dll" f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbpbek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdbmnchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpcnmnnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndpkcab.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdjnejka.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emidimje.dll" Fcnkemgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgpqnpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnjngmi.dll" Llefld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aejkhj32.dll" Jeldiolb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpmlfek.dll" Kjpafanf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amgggm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donopmdn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaanogl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apkkkn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagegjio.dll" Cialng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aomghchl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmfjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggepjbac.dll" Fpamnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maopie32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lldkem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgnqbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmgfli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehhenpj.dll" Nahhfoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiioanpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llfiemfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkeapgng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgniekp.dll" Pkebig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpepif32.dll" Olfkge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpdeghgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhdbocme.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgaqjhq.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjlbld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cijmjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjadc32.dll" Ohmneokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbaobbh.dll" Bgepjejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbfalecf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpaado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnaab32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcmpci32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoccbm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkqkdjbe.dll" Plpgqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbgdenjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkmemkfk.dll" Mlhdbhng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imicqd32.dll" Hamnee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfplbaim.dll" Dhknigfq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2564 wrote to memory of 2532 2564 f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe 29 PID 2564 wrote to memory of 2532 2564 f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe 29 PID 2564 wrote to memory of 2532 2564 f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe 29 PID 2564 wrote to memory of 2532 2564 f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe 29 PID 2532 wrote to memory of 2972 2532 Fbpihafp.exe 30 PID 2532 wrote to memory of 2972 2532 Fbpihafp.exe 30 PID 2532 wrote to memory of 2972 2532 Fbpihafp.exe 30 PID 2532 wrote to memory of 2972 2532 Fbpihafp.exe 30 PID 2972 wrote to memory of 2752 2972 Faefim32.exe 31 PID 2972 wrote to memory of 2752 2972 Faefim32.exe 31 PID 2972 wrote to memory of 2752 2972 Faefim32.exe 31 PID 2972 wrote to memory of 2752 2972 Faefim32.exe 31 PID 2752 wrote to memory of 2824 2752 Fajpdmgb.exe 32 PID 2752 wrote to memory of 2824 2752 Fajpdmgb.exe 32 PID 2752 wrote to memory of 2824 2752 Fajpdmgb.exe 32 PID 2752 wrote to memory of 2824 2752 Fajpdmgb.exe 32 PID 2824 wrote to memory of 2628 2824 Fnnpma32.exe 33 PID 2824 wrote to memory of 2628 2824 Fnnpma32.exe 33 PID 2824 wrote to memory of 2628 2824 Fnnpma32.exe 33 PID 2824 wrote to memory of 2628 2824 Fnnpma32.exe 33 PID 2628 wrote to memory of 2636 2628 Gmcmomjc.exe 34 PID 2628 wrote to memory of 2636 2628 Gmcmomjc.exe 34 PID 2628 wrote to memory of 2636 2628 Gmcmomjc.exe 34 PID 2628 wrote to memory of 2636 2628 Gmcmomjc.exe 34 PID 2636 wrote to memory of 2092 2636 Glhjpjok.exe 35 PID 2636 wrote to memory of 2092 2636 Glhjpjok.exe 35 PID 2636 wrote to memory of 2092 2636 Glhjpjok.exe 35 PID 2636 wrote to memory of 2092 2636 Glhjpjok.exe 35 PID 2092 wrote to memory of 2576 2092 Gpfbfh32.exe 36 PID 2092 wrote to memory of 2576 2092 Gpfbfh32.exe 36 PID 2092 wrote to memory of 2576 2092 Gpfbfh32.exe 36 PID 2092 wrote to memory of 2576 2092 Gpfbfh32.exe 36 PID 2576 wrote to memory of 2852 2576 Glmckikf.exe 37 PID 2576 wrote to memory of 2852 2576 Glmckikf.exe 37 PID 2576 wrote to memory of 2852 2576 Glmckikf.exe 37 PID 2576 wrote to memory of 2852 2576 Glmckikf.exe 37 PID 2852 wrote to memory of 1744 2852 Ghcdpjqj.exe 38 PID 2852 wrote to memory of 1744 2852 Ghcdpjqj.exe 38 PID 2852 wrote to memory of 1744 2852 Ghcdpjqj.exe 38 PID 2852 wrote to memory of 1744 2852 Ghcdpjqj.exe 38 PID 1744 wrote to memory of 2088 1744 Hgbdge32.exe 39 PID 1744 wrote to memory of 2088 1744 Hgbdge32.exe 39 PID 1744 wrote to memory of 2088 1744 Hgbdge32.exe 39 PID 1744 wrote to memory of 2088 1744 Hgbdge32.exe 39 PID 2088 wrote to memory of 2568 2088 Igdqmeke.exe 40 PID 2088 wrote to memory of 2568 2088 Igdqmeke.exe 40 PID 2088 wrote to memory of 2568 2088 Igdqmeke.exe 40 PID 2088 wrote to memory of 2568 2088 Igdqmeke.exe 40 PID 2568 wrote to memory of 2032 2568 Ianambhc.exe 41 PID 2568 wrote to memory of 2032 2568 Ianambhc.exe 41 PID 2568 wrote to memory of 2032 2568 Ianambhc.exe 41 PID 2568 wrote to memory of 2032 2568 Ianambhc.exe 41 PID 2032 wrote to memory of 632 2032 Iaqnbb32.exe 42 PID 2032 wrote to memory of 632 2032 Iaqnbb32.exe 42 PID 2032 wrote to memory of 632 2032 Iaqnbb32.exe 42 PID 2032 wrote to memory of 632 2032 Iaqnbb32.exe 42 PID 632 wrote to memory of 2384 632 Ifngiqlg.exe 43 PID 632 wrote to memory of 2384 632 Ifngiqlg.exe 43 PID 632 wrote to memory of 2384 632 Ifngiqlg.exe 43 PID 632 wrote to memory of 2384 632 Ifngiqlg.exe 43 PID 2384 wrote to memory of 2144 2384 Injlmcib.exe 44 PID 2384 wrote to memory of 2144 2384 Injlmcib.exe 44 PID 2384 wrote to memory of 2144 2384 Injlmcib.exe 44 PID 2384 wrote to memory of 2144 2384 Injlmcib.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe"C:\Users\Admin\AppData\Local\Temp\f2c5d5ed8edc15c3265aa1b152e7f1d2a4b60ebd65f5aa315e72fd5a024c4828.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Fbpihafp.exeC:\Windows\system32\Fbpihafp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Faefim32.exeC:\Windows\system32\Faefim32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Fajpdmgb.exeC:\Windows\system32\Fajpdmgb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Fnnpma32.exeC:\Windows\system32\Fnnpma32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Gmcmomjc.exeC:\Windows\system32\Gmcmomjc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Glhjpjok.exeC:\Windows\system32\Glhjpjok.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Gpfbfh32.exeC:\Windows\system32\Gpfbfh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Glmckikf.exeC:\Windows\system32\Glmckikf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Ghcdpjqj.exeC:\Windows\system32\Ghcdpjqj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Hgbdge32.exeC:\Windows\system32\Hgbdge32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Igdqmeke.exeC:\Windows\system32\Igdqmeke.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ianambhc.exeC:\Windows\system32\Ianambhc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Iaqnbb32.exeC:\Windows\system32\Iaqnbb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Ifngiqlg.exeC:\Windows\system32\Ifngiqlg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Injlmcib.exeC:\Windows\system32\Injlmcib.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Jknlfg32.exeC:\Windows\system32\Jknlfg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Jgdmkhnp.exeC:\Windows\system32\Jgdmkhnp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Jfijmdbh.exeC:\Windows\system32\Jfijmdbh.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Jobnej32.exeC:\Windows\system32\Jobnej32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Jqakompl.exeC:\Windows\system32\Jqakompl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Jfnchd32.exeC:\Windows\system32\Jfnchd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Kcbcah32.exeC:\Windows\system32\Kcbcah32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Kkmhej32.exeC:\Windows\system32\Kkmhej32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Kiaiooja.exeC:\Windows\system32\Kiaiooja.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1908 -
C:\Windows\SysWOW64\Kbjmhd32.exeC:\Windows\system32\Kbjmhd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Kjeblf32.exeC:\Windows\system32\Kjeblf32.exe27⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Kgibeklf.exeC:\Windows\system32\Kgibeklf.exe28⤵
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Kaagnp32.exeC:\Windows\system32\Kaagnp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Lpfdpmho.exeC:\Windows\system32\Lpfdpmho.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Lpiqel32.exeC:\Windows\system32\Lpiqel32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Liaenblm.exeC:\Windows\system32\Liaenblm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Lfeegfkf.exeC:\Windows\system32\Lfeegfkf.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Lblflgqk.exeC:\Windows\system32\Lblflgqk.exe34⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Lldkem32.exeC:\Windows\system32\Lldkem32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe36⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Moecghdl.exeC:\Windows\system32\Moecghdl.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Mdbloobc.exeC:\Windows\system32\Mdbloobc.exe38⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Mknaahhn.exeC:\Windows\system32\Mknaahhn.exe39⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Nmccnc32.exeC:\Windows\system32\Nmccnc32.exe40⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Nliqoofa.exeC:\Windows\system32\Nliqoofa.exe41⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Nhpadpke.exeC:\Windows\system32\Nhpadpke.exe42⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Nahemf32.exeC:\Windows\system32\Nahemf32.exe43⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Nnofbg32.exeC:\Windows\system32\Nnofbg32.exe44⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe45⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Onacgf32.exeC:\Windows\system32\Onacgf32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:460 -
C:\Windows\SysWOW64\Ogldfl32.exeC:\Windows\system32\Ogldfl32.exe47⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Olhmnb32.exeC:\Windows\system32\Olhmnb32.exe48⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Omkidb32.exeC:\Windows\system32\Omkidb32.exe49⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Oceaql32.exeC:\Windows\system32\Oceaql32.exe50⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Ommfibdg.exeC:\Windows\system32\Ommfibdg.exe51⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Pbjoaibo.exeC:\Windows\system32\Pbjoaibo.exe52⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Pidgnc32.exeC:\Windows\system32\Pidgnc32.exe53⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Pcikllja.exeC:\Windows\system32\Pcikllja.exe54⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Pifcdbhi.exeC:\Windows\system32\Pifcdbhi.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Pncllifp.exeC:\Windows\system32\Pncllifp.exe56⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Pemdic32.exeC:\Windows\system32\Pemdic32.exe57⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Pqdend32.exeC:\Windows\system32\Pqdend32.exe58⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe59⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Pafacd32.exeC:\Windows\system32\Pafacd32.exe60⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Qjofljho.exeC:\Windows\system32\Qjofljho.exe61⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Qedjib32.exeC:\Windows\system32\Qedjib32.exe62⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Qjacai32.exeC:\Windows\system32\Qjacai32.exe63⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Qpnkjq32.exeC:\Windows\system32\Qpnkjq32.exe64⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Ajcpgi32.exeC:\Windows\system32\Ajcpgi32.exe65⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Apphpp32.exeC:\Windows\system32\Apphpp32.exe66⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Amdhidqk.exeC:\Windows\system32\Amdhidqk.exe67⤵PID:1016
-
C:\Windows\SysWOW64\Aflmbj32.exeC:\Windows\system32\Aflmbj32.exe68⤵PID:944
-
C:\Windows\SysWOW64\Amfeodoh.exeC:\Windows\system32\Amfeodoh.exe69⤵PID:1004
-
C:\Windows\SysWOW64\Afojgiei.exeC:\Windows\system32\Afojgiei.exe70⤵PID:2432
-
C:\Windows\SysWOW64\Allbpqcp.exeC:\Windows\system32\Allbpqcp.exe71⤵PID:2664
-
C:\Windows\SysWOW64\Aipbidbj.exeC:\Windows\system32\Aipbidbj.exe72⤵PID:2504
-
C:\Windows\SysWOW64\Bbhgbj32.exeC:\Windows\system32\Bbhgbj32.exe73⤵PID:2528
-
C:\Windows\SysWOW64\Bdiciboh.exeC:\Windows\system32\Bdiciboh.exe74⤵PID:3000
-
C:\Windows\SysWOW64\Boohgk32.exeC:\Windows\system32\Boohgk32.exe75⤵
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Bdkpob32.exeC:\Windows\system32\Bdkpob32.exe76⤵PID:2764
-
C:\Windows\SysWOW64\Bjehlldb.exeC:\Windows\system32\Bjehlldb.exe77⤵PID:2668
-
C:\Windows\SysWOW64\Bpbadcbj.exeC:\Windows\system32\Bpbadcbj.exe78⤵PID:2416
-
C:\Windows\SysWOW64\Bfliqmjg.exeC:\Windows\system32\Bfliqmjg.exe79⤵PID:1580
-
C:\Windows\SysWOW64\Bmfamg32.exeC:\Windows\system32\Bmfamg32.exe80⤵PID:1312
-
C:\Windows\SysWOW64\Bdpjjaiq.exeC:\Windows\system32\Bdpjjaiq.exe81⤵PID:2920
-
C:\Windows\SysWOW64\Blkoocfl.exeC:\Windows\system32\Blkoocfl.exe82⤵PID:2312
-
C:\Windows\SysWOW64\Bbegkn32.exeC:\Windows\system32\Bbegkn32.exe83⤵PID:2168
-
C:\Windows\SysWOW64\Colgpo32.exeC:\Windows\system32\Colgpo32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Cialng32.exeC:\Windows\system32\Cialng32.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Ccjpfmic.exeC:\Windows\system32\Ccjpfmic.exe86⤵PID:876
-
C:\Windows\SysWOW64\Cidhcg32.exeC:\Windows\system32\Cidhcg32.exe87⤵PID:864
-
C:\Windows\SysWOW64\Cclmlm32.exeC:\Windows\system32\Cclmlm32.exe88⤵PID:2040
-
C:\Windows\SysWOW64\Chiedc32.exeC:\Windows\system32\Chiedc32.exe89⤵PID:2136
-
C:\Windows\SysWOW64\Cdpfiekl.exeC:\Windows\system32\Cdpfiekl.exe90⤵PID:2804
-
C:\Windows\SysWOW64\Cnhjbjam.exeC:\Windows\system32\Cnhjbjam.exe91⤵PID:2712
-
C:\Windows\SysWOW64\Dgqokp32.exeC:\Windows\system32\Dgqokp32.exe92⤵PID:2596
-
C:\Windows\SysWOW64\Dnkggjpj.exeC:\Windows\system32\Dnkggjpj.exe93⤵PID:1028
-
C:\Windows\SysWOW64\Dddodd32.exeC:\Windows\system32\Dddodd32.exe94⤵PID:368
-
C:\Windows\SysWOW64\Djahmk32.exeC:\Windows\system32\Djahmk32.exe95⤵PID:2692
-
C:\Windows\SysWOW64\Ddgljced.exeC:\Windows\system32\Ddgljced.exe96⤵PID:2560
-
C:\Windows\SysWOW64\Dgehfodh.exeC:\Windows\system32\Dgehfodh.exe97⤵PID:1544
-
C:\Windows\SysWOW64\Dnoqbi32.exeC:\Windows\system32\Dnoqbi32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Doqmjaac.exeC:\Windows\system32\Doqmjaac.exe99⤵PID:2016
-
C:\Windows\SysWOW64\Dhiacg32.exeC:\Windows\system32\Dhiacg32.exe100⤵PID:1512
-
C:\Windows\SysWOW64\Docjpa32.exeC:\Windows\system32\Docjpa32.exe101⤵PID:1032
-
C:\Windows\SysWOW64\Dhknigfq.exeC:\Windows\system32\Dhknigfq.exe102⤵
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Eoefea32.exeC:\Windows\system32\Eoefea32.exe103⤵PID:3060
-
C:\Windows\SysWOW64\Eligoe32.exeC:\Windows\system32\Eligoe32.exe104⤵PID:2700
-
C:\Windows\SysWOW64\Ebfpglkn.exeC:\Windows\system32\Ebfpglkn.exe105⤵PID:2892
-
C:\Windows\SysWOW64\Enmplm32.exeC:\Windows\system32\Enmplm32.exe106⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Edghighp.exeC:\Windows\system32\Edghighp.exe107⤵PID:2128
-
C:\Windows\SysWOW64\Enomam32.exeC:\Windows\system32\Enomam32.exe108⤵PID:2500
-
C:\Windows\SysWOW64\Ekcmkamj.exeC:\Windows\system32\Ekcmkamj.exe109⤵PID:2784
-
C:\Windows\SysWOW64\Eqpfchka.exeC:\Windows\system32\Eqpfchka.exe110⤵PID:1556
-
C:\Windows\SysWOW64\Ecnbpcje.exeC:\Windows\system32\Ecnbpcje.exe111⤵PID:2240
-
C:\Windows\SysWOW64\Fjhjlm32.exeC:\Windows\system32\Fjhjlm32.exe112⤵PID:3004
-
C:\Windows\SysWOW64\Fqbbig32.exeC:\Windows\system32\Fqbbig32.exe113⤵PID:600
-
C:\Windows\SysWOW64\Fjkgampo.exeC:\Windows\system32\Fjkgampo.exe114⤵PID:2680
-
C:\Windows\SysWOW64\Gmmihk32.exeC:\Windows\system32\Gmmihk32.exe115⤵PID:2976
-
C:\Windows\SysWOW64\Hdjnje32.exeC:\Windows\system32\Hdjnje32.exe116⤵PID:2704
-
C:\Windows\SysWOW64\Hdlkpd32.exeC:\Windows\system32\Hdlkpd32.exe117⤵PID:2952
-
C:\Windows\SysWOW64\Hinlck32.exeC:\Windows\system32\Hinlck32.exe118⤵PID:2944
-
C:\Windows\SysWOW64\Hlliof32.exeC:\Windows\system32\Hlliof32.exe119⤵PID:1972
-
C:\Windows\SysWOW64\Hbfalpab.exeC:\Windows\system32\Hbfalpab.exe120⤵PID:1496
-
C:\Windows\SysWOW64\Ihcidgpj.exeC:\Windows\system32\Ihcidgpj.exe121⤵PID:2020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-