Analysis

max time kernel: 92s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2024 17:32
Behavioral task: behavioral1
Sample: 822dc18dd36ff66b1dc7f7754838d038299ba566dacf4a0f7f05347b7037d8c1.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 822dc18dd36ff66b1dc7f7754838d038299ba566dacf4a0f7f05347b7037d8c1.exe
Resource: win10v2004-20241007-en
General

Target: 822dc18dd36ff66b1dc7f7754838d038299ba566dacf4a0f7f05347b7037d8c1.exe
Size: 391KB
MD5: 42459ff798e07c28c9af3bf6e85ce525
SHA1: 6d8865df0512a47139e6b7965b0f35a87078222c
SHA256: 822dc18dd36ff66b1dc7f7754838d038299ba566dacf4a0f7f05347b7037d8c1
SHA512: 5ef3279a12ed4219a9c59fe69eb63517b99c3d56ffe6174b16c99d0d752dd4a1b0f2a216de4a1ad5aede53133927f2c9a9595366d405530a485f2c63e5c7ce96
SSDEEP: 12288:vk6lcEuqzerI6kvDm2EbcDamNtuhUNP3cOK3D:RtRPyD
Malware Config

Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\822dc18dd36ff66b1dc7f7754838d038299ba566dacf4a0f7f05347b7037d8c1.exe
"C:\Users\Admin\AppData\Local\Temp\822dc18dd36ff66b1dc7f7754838d038299ba566dacf4a0f7f05347b7037d8c1.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680