Analysis
max time kernel: 143s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 10-11-2024 01:10
Behavioral task: behavioral1
Sample: a209abf47de2449d8676a064ffbd52f59255f9d8119f013ffd044f88a8259499.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: a209abf47de2449d8676a064ffbd52f59255f9d8119f013ffd044f88a8259499.exe
Resource: win10v2004-20241007-en
General
Target: a209abf47de2449d8676a064ffbd52f59255f9d8119f013ffd044f88a8259499.exe
Size: 256KB
MD5: 811d19cd18309332b941e2e3184b6797
SHA1: 57524cd8fe87564ae259a8e3dff2779f62f6a719
SHA256: a209abf47de2449d8676a064ffbd52f59255f9d8119f013ffd044f88a8259499
SHA512: 9c4f7f28f887abe53f2985c4964ed5b026ff26b0a1b3f965a8429fb22665f41588aa06f3189abea24494b93530a64ae2d8f25488fd2c1994a25f6df4eb5ec117
SSDEEP: 6144:1mi0vsVrXVD/vlWZV4U/vlf0DrBqvl8ZV4U/vlfl+9X:4i0vsVrXVDvO6IveDVqvQ6Ivk
Malware Config
Extracted: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\a209abf47de2449d8676a064ffbd52f59255f9d8119f013ffd044f88a8259499.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a209abf47de2449d8676a064ffbd52f59255f9d8119f013ffd044f88a8259499.exe"), PID 2828
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ohendqhd.exe (command line: C:\Windows\system32\Ohendqhd.exe), PID 2720
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Oopfakpa.exe (command line: C:\Windows\system32\Oopfakpa.exe), PID 2236
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Oopfakpa.exe (command line: C:\Windows\system32\Oopfakpa.exe), PID 2796
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Oqacic32.exe (command line: C:\Windows\system32\Oqacic32.exe), PID 2600
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Onecbg32.exe (command line: C:\Windows\system32\Onecbg32.exe), PID 2320
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Odoloalf.exe (command line: C:\Windows\system32\Odoloalf.exe), PID 560
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Pjldghjm.exe (command line: C:\Windows\system32\Pjldghjm.exe), PID 556
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Pmjqcc32.exe (command line: C:\Windows\system32\Pmjqcc32.exe), PID 2508
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Pfbelipa.exe (command line: C:\Windows\system32\Pfbelipa.exe), PID 3032
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Pqhijbog.exe (command line: C:\Windows\system32\Pqhijbog.exe), PID 2676
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Pomfkndo.exe (command line: C:\Windows\system32\Pomfkndo.exe), PID 2936
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Pfgngh32.exe (command line: C:\Windows\system32\Pfgngh32.exe), PID 2280
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Poocpnbm.exe (command line: C:\Windows\system32\Poocpnbm.exe), PID 876
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Pbnoliap.exe (command line: C:\Windows\system32\Pbnoliap.exe), PID 2792
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Pdlkiepd.exe (command line: C:\Windows\system32\Pdlkiepd.exe), PID 2172
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Qbplbi32.exe (command line: C:\Windows\system32\Qbplbi32.exe), PID 1148
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
18. C:\Windows\SysWOW64\Qngmgjeb.exe (command line: C:\Windows\system32\Qngmgjeb.exe), PID 2552
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Qqeicede.exe (command line: C:\Windows\system32\Qqeicede.exe), PID 868
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Qgoapp32.exe (command line: C:\Windows\system32\Qgoapp32.exe), PID 2144
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Qkkmqnck.exe (command line: C:\Windows\system32\Qkkmqnck.exe), PID 1260
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Qjnmlk32.exe (command line: C:\Windows\system32\Qjnmlk32.exe), PID 852
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Abeemhkh.exe (command line: C:\Windows\system32\Abeemhkh.exe), PID 1292
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Aecaidjl.exe (command line: C:\Windows\system32\Aecaidjl.exe), PID 1864
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Anlfbi32.exe (command line: C:\Windows\system32\Anlfbi32.exe), PID 2164
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Amnfnfgg.exe (command line: C:\Windows\system32\Amnfnfgg.exe), PID 892
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Agdjkogm.exe (command line: C:\Windows\system32\Agdjkogm.exe), PID 2192
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Ajbggjfq.exe (command line: C:\Windows\system32\Ajbggjfq.exe), PID 2712
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Apoooa32.exe (command line: C:\Windows\system32\Apoooa32.exe), PID 2592
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Afiglkle.exe (command line: C:\Windows\system32\Afiglkle.exe), PID 2616
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Aigchgkh.exe (command line: C:\Windows\system32\Aigchgkh.exe), PID 2756
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Acmhepko.exe (command line: C:\Windows\system32\Acmhepko.exe), PID 2256
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Afkdakjb.exe (command line: C:\Windows\system32\Afkdakjb.exe), PID 2980
- Executes dropped EXE
34. C:\Windows\SysWOW64\Amelne32.exe (command line: C:\Windows\system32\Amelne32.exe), PID 1860
- Executes dropped EXE
35. C:\Windows\SysWOW64\Acpdko32.exe (command line: C:\Windows\system32\Acpdko32.exe), PID 3024
- Executes dropped EXE
36. C:\Windows\SysWOW64\Bmhideol.exe (command line: C:\Windows\system32\Bmhideol.exe), PID 2864
- Executes dropped EXE
37. C:\Windows\SysWOW64\Bpfeppop.exe (command line: C:\Windows\system32\Bpfeppop.exe), PID 2308
- Executes dropped EXE
38. C:\Windows\SysWOW64\Biojif32.exe (command line: C:\Windows\system32\Biojif32.exe), PID 2276
- Executes dropped EXE
39. C:\Windows\SysWOW64\Bhajdblk.exe (command line: C:\Windows\system32\Bhajdblk.exe), PID 2940
- Executes dropped EXE
40. C:\Windows\SysWOW64\Bnkbam32.exe (command line: C:\Windows\system32\Bnkbam32.exe), PID 2136
- Executes dropped EXE
41. C:\Windows\SysWOW64\Beejng32.exe (command line: C:\Windows\system32\Beejng32.exe), PID 2252
- Executes dropped EXE
42. C:\Windows\SysWOW64\Biafnecn.exe (command line: C:\Windows\system32\Biafnecn.exe), PID 408
- Executes dropped EXE
43. C:\Windows\SysWOW64\Blobjaba.exe (command line: C:\Windows\system32\Blobjaba.exe), PID 2848
- Executes dropped EXE
44. C:\Windows\SysWOW64\Bonoflae.exe (command line: C:\Windows\system32\Bonoflae.exe), PID 1328
- Executes dropped EXE
- Drops file in System32 directory
45. C:\Windows\SysWOW64\Balkchpi.exe (command line: C:\Windows\system32\Balkchpi.exe), PID 1908
- Executes dropped EXE
46. C:\Windows\SysWOW64\Bhfcpb32.exe (command line: C:\Windows\system32\Bhfcpb32.exe), PID 928
- Executes dropped EXE
47. C:\Windows\SysWOW64\Bjdplm32.exe (command line: C:\Windows\system32\Bjdplm32.exe), PID 2388
- Executes dropped EXE
48. C:\Windows\SysWOW64\Bmclhi32.exe (command line: C:\Windows\system32\Bmclhi32.exe), PID 2100
- Executes dropped EXE
- Drops file in System32 directory
49. C:\Windows\SysWOW64\Bdmddc32.exe (command line: C:\Windows\system32\Bdmddc32.exe), PID 1600
- Executes dropped EXE
50. C:\Windows\SysWOW64\Bfkpqn32.exe (command line: C:\Windows\system32\Bfkpqn32.exe), PID 1620
- Executes dropped EXE
51. C:\Windows\SysWOW64\Bobhal32.exe (command line: C:\Windows\system32\Bobhal32.exe), PID 1556
- Executes dropped EXE
52. C:\Windows\SysWOW64\Cpceidcn.exe (command line: C:\Windows\system32\Cpceidcn.exe), PID 1244
- Executes dropped EXE
53. C:\Windows\SysWOW64\Chkmkacq.exe (command line: C:\Windows\system32\Chkmkacq.exe), PID 3020
- Executes dropped EXE
54. C:\Windows\SysWOW64\Cfnmfn32.exe (command line: C:\Windows\system32\Cfnmfn32.exe), PID 320
- Executes dropped EXE
55. C:\Windows\SysWOW64\Cmgechbh.exe (command line: C:\Windows\system32\Cmgechbh.exe), PID 592
- Executes dropped EXE
56. C:\Windows\SysWOW64\Cdanpb32.exe (command line: C:\Windows\system32\Cdanpb32.exe), PID 400
- Executes dropped EXE
57. C:\Windows\SysWOW64\Cgpjlnhh.exe (command line: C:\Windows\system32\Cgpjlnhh.exe), PID 2932
- Executes dropped EXE
58. C:\Windows\SysWOW64\Cmjbhh32.exe (command line: C:\Windows\system32\Cmjbhh32.exe), PID 2688
- Executes dropped EXE
59. C:\Windows\SysWOW64\Clmbddgp.exe (command line: C:\Windows\system32\Clmbddgp.exe), PID 2772
- Executes dropped EXE
- System Location Discovery: System Language Discovery
60. C:\Windows\SysWOW64\Cddjebgb.exe (command line: C:\Windows\system32\Cddjebgb.exe), PID 2776
- Executes dropped EXE
61. C:\Windows\SysWOW64\Cgbfamff.exe (command line: C:\Windows\system32\Cgbfamff.exe), PID 1612
- Executes dropped EXE
62. C:\Windows\SysWOW64\Ciqcmiei.exe (command line: C:\Windows\system32\Ciqcmiei.exe), PID 1940
- Executes dropped EXE
63. C:\Windows\SysWOW64\Clooiddm.exe (command line: C:\Windows\system32\Clooiddm.exe), PID 704
- Executes dropped EXE
64. C:\Windows\SysWOW64\Ccigfn32.exe (command line: C:\Windows\system32\Ccigfn32.exe), PID 2304
- Executes dropped EXE
65. C:\Windows\SysWOW64\Cgdcgm32.exe (command line: C:\Windows\system32\Cgdcgm32.exe), PID 1536
- Executes dropped EXE
66. C:\Windows\SysWOW64\Cegcbjkn.exe (command line: C:\Windows\system32\Cegcbjkn.exe), PID 2012
67. C:\Windows\SysWOW64\Chfpoeja.exe (command line: C:\Windows\system32\Chfpoeja.exe), PID 2492
68. C:\Windows\SysWOW64\Cpmhpbkc.exe (command line: C:\Windows\system32\Cpmhpbkc.exe), PID 1092
69. C:\Windows\SysWOW64\Candgk32.exe (command line: C:\Windows\system32\Candgk32.exe), PID 2732
70. C:\Windows\SysWOW64\Cielhh32.exe (command line: C:\Windows\system32\Cielhh32.exe), PID 2764
71. C:\Windows\SysWOW64\Dldhdc32.exe (command line: C:\Windows\system32\Dldhdc32.exe), PID 2752
- System Location Discovery: System Language Discovery
72. C:\Windows\SysWOW64\Dobdqo32.exe (command line: C:\Windows\system32\Dobdqo32.exe), PID 1868
73. C:\Windows\SysWOW64\Daqamj32.exe (command line: C:\Windows\system32\Daqamj32.exe), PID 2560
74. C:\Windows\SysWOW64\Delmmigh.exe (command line: C:\Windows\system32\Delmmigh.exe), PID 2924
75. C:\Windows\SysWOW64\Dhkiid32.exe (command line: C:\Windows\system32\Dhkiid32.exe), PID 1672
76. C:\Windows\SysWOW64\Dodafoni.exe (command line: C:\Windows\system32\Dodafoni.exe), PID 2540
77. C:\Windows\SysWOW64\Dacnbjml.exe (command line: C:\Windows\system32\Dacnbjml.exe), PID 2868
78. C:\Windows\SysWOW64\Ddajoelp.exe (command line: C:\Windows\system32\Ddajoelp.exe), PID 2188
79. C:\Windows\SysWOW64\Dhmfod32.exe (command line: C:\Windows\system32\Dhmfod32.exe), PID 1288
80. C:\Windows\SysWOW64\Dognlnlf.exe (command line: C:\Windows\system32\Dognlnlf.exe), PID 1880
81. C:\Windows\SysWOW64\Daejhjkj.exe (command line: C:\Windows\system32\Daejhjkj.exe), PID 1956
- System Location Discovery: System Language Discovery
82. C:\Windows\SysWOW64\Dddfdejn.exe (command line: C:\Windows\system32\Dddfdejn.exe), PID 1056
83. C:\Windows\SysWOW64\Dgbcpq32.exe (command line: C:\Windows\system32\Dgbcpq32.exe), PID 2364
84. C:\Windows\SysWOW64\Dknoaoaj.exe (command line: C:\Windows\system32\Dknoaoaj.exe), PID 1704
85. C:\Windows\SysWOW64\Dahgni32.exe (command line: C:\Windows\system32\Dahgni32.exe), PID 1616
86. C:\Windows\SysWOW64\Dpjgifpa.exe (command line: C:\Windows\system32\Dpjgifpa.exe), PID 2900
- Drops file in System32 directory
87. C:\Windows\SysWOW64\Dciceaoe.exe (command line: C:\Windows\system32\Dciceaoe.exe), PID 1588
88. C:\Windows\SysWOW64\Dkpkfooh.exe (command line: C:\Windows\system32\Dkpkfooh.exe), PID 2808
- Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Dnnhbjnk.exe (command line: C:\Windows\system32\Dnnhbjnk.exe), PID 380
90. C:\Windows\SysWOW64\Ddhpod32.exe (command line: C:\Windows\system32\Ddhpod32.exe), PID 792
91. C:\Windows\SysWOW64\Eckpkamb.exe (command line: C:\Windows\system32\Eckpkamb.exe), PID 2084
92. C:\Windows\SysWOW64\Efjlgmlf.exe (command line: C:\Windows\system32\Efjlgmlf.exe), PID 2964
93. C:\Windows\SysWOW64\Enqdhj32.exe (command line: C:\Windows\system32\Enqdhj32.exe), PID 2944
94. C:\Windows\SysWOW64\Eobapbbg.exe (command line: C:\Windows\system32\Eobapbbg.exe), PID 2284
95. C:\Windows\SysWOW64\Egiiapci.exe (command line: C:\Windows\system32\Egiiapci.exe), PID 2016
96. C:\Windows\SysWOW64\Ejgemkbm.exe (command line: C:\Windows\system32\Ejgemkbm.exe), PID 1060
97. C:\Windows\SysWOW64\Elfaifaq.exe (command line: C:\Windows\system32\Elfaifaq.exe), PID 1568
- System Location Discovery: System Language Discovery
98. C:\Windows\SysWOW64\Eodnebpd.exe (command line: C:\Windows\system32\Eodnebpd.exe), PID 1720
99. C:\Windows\SysWOW64\Ebcjamoh.exe (command line: C:\Windows\system32\Ebcjamoh.exe), PID 1548
100. C:\Windows\SysWOW64\Efnfbl32.exe (command line: C:\Windows\system32\Efnfbl32.exe), PID 2524
101. C:\Windows\SysWOW64\Elhnof32.exe (command line: C:\Windows\system32\Elhnof32.exe), PID 2248
102. C:\Windows\SysWOW64\Ekknjcfh.exe (command line: C:\Windows\system32\Ekknjcfh.exe), PID 2132
103. C:\Windows\SysWOW64\Ecbfkpfk.exe (command line: C:\Windows\system32\Ecbfkpfk.exe), PID 2840
104. C:\Windows\SysWOW64\Efqbglen.exe (command line: C:\Windows\system32\Efqbglen.exe), PID 2708
105. C:\Windows\SysWOW64\Emkkdf32.exe (command line: C:\Windows\system32\Emkkdf32.exe), PID 1480
106. C:\Windows\SysWOW64\Eoigpa32.exe (command line: C:\Windows\system32\Eoigpa32.exe), PID 816
107. C:\Windows\SysWOW64\Efcomkcl.exe (command line: C:\Windows\system32\Efcomkcl.exe), PID 2908
108. C:\Windows\SysWOW64\Edfpih32.exe (command line: C:\Windows\system32\Edfpih32.exe), PID 1980
109. C:\Windows\SysWOW64\Egdlec32.exe (command line: C:\Windows\system32\Egdlec32.exe), PID 1132
110. C:\Windows\SysWOW64\Fnndan32.exe (command line: C:\Windows\system32\Fnndan32.exe), PID 864
111. C:\Windows\SysWOW64\Fqmpni32.exe (command line: C:\Windows\system32\Fqmpni32.exe), PID 1604
- Drops file in System32 directory
112. C:\Windows\SysWOW64\Fdhlnhhc.exe (command line: C:\Windows\system32\Fdhlnhhc.exe), PID 924
- Modifies registry class
113. C:\Windows\SysWOW64\Fkbdkb32.exe (command line: C:\Windows\system32\Fkbdkb32.exe), PID 2564
114. C:\Windows\SysWOW64\Fnqqgm32.exe (command line: C:\Windows\system32\Fnqqgm32.exe), PID 568
115. C:\Windows\SysWOW64\Fblmglgm.exe (command line: C:\Windows\system32\Fblmglgm.exe), PID 2896
116. C:\Windows\SysWOW64\Fcmiod32.exe (command line: C:\Windows\system32\Fcmiod32.exe), PID 2892
117. C:\Windows\SysWOW64\Fkdaqa32.exe (command line: C:\Windows\system32\Fkdaqa32.exe), PID 580
118. C:\Windows\SysWOW64\Fncmmmma.exe (command line: C:\Windows\system32\Fncmmmma.exe), PID 3016
119. C:\Windows\SysWOW64\Fqajihle.exe (command line: C:\Windows\system32\Fqajihle.exe), PID 2264
120. C:\Windows\SysWOW64\Femeig32.exe (command line: C:\Windows\system32\Femeig32.exe), PID 832
121. C:\Windows\SysWOW64\Ffnbaojm.exe (command line: C:\Windows\system32\Ffnbaojm.exe), PID 1376
122. C:\Windows\SysWOW64\Fmhjni32.exe (command line: C:\Windows\system32\Fmhjni32.exe), PID 1748