Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/03/2025, 02:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
92cbb1f5bb999eea5bc30d5e0ee327a63e3d4563092edc9b9130b9ae5019ff54.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
92cbb1f5bb999eea5bc30d5e0ee327a63e3d4563092edc9b9130b9ae5019ff54.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
92cbb1f5bb999eea5bc30d5e0ee327a63e3d4563092edc9b9130b9ae5019ff54.exe
-
Size
128KB
-
MD5
b048d18a265ecf050ba8fe8e56f7307e
-
SHA1
48ea272924fa883bd8035e8c4a83d888c8f183cf
-
SHA256
92cbb1f5bb999eea5bc30d5e0ee327a63e3d4563092edc9b9130b9ae5019ff54
-
SHA512
1c952df4caa59ea4001b6cb6d94a6f03723bef9a52e497f0350c544822da9026f03a6ac0fbfba7f66733653366020bb546b04ea7520260d77ad756aa4d796d4a
-
SSDEEP
3072:yBKrR3NFNrvAigMqAlUFd1PsrDEznYfzB9BSwW:ysN3ZvAiJqt1PsrDYOzLc
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbglpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpicbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijimli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghqia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgkbjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mebpakbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chjmmnnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkkpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmcgmkil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pioamlkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmqffonj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acohnhab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aphehidc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Capdpcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coladm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlboca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljhhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchbmigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miapbpmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpiaipmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iaaekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aankkqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okpdjjil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijimli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjfmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqmmbqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfnoegaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihnjmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbgefa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlbaqfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cggcofkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdkkcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Celpqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhiphb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffjljmla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjfhkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inplqlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgpndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfippfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhkbmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdgmbhgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiofnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Donojm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajipkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbjdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meecaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooidei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ablbjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejabqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffjljmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icoepohq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjoif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiaqle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnppaill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojkhjabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ochenfdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooofcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpnlndkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkalcdao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmpeljkm.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2784 Ifgklp32.exe 2228 Jfjhbo32.exe 2600 Jkfpjf32.exe 2592 Jnemfa32.exe 1528 Jacibm32.exe 2004 Jgmaog32.exe 1496 Jjlmkb32.exe 2984 Jbcelp32.exe 2760 Jeaahk32.exe 2240 Jgpndg32.exe 2912 Jjnjqb32.exe 2144 Jahbmlil.exe 1784 Jgbjjf32.exe 2384 Jfekec32.exe 928 Jcikog32.exe 2060 Kfggkc32.exe 1464 Kiecgo32.exe 1640 Kamlhl32.exe 2456 Kppldhla.exe 1656 Kbnhpdke.exe 1268 Kjepaa32.exe 2300 Kihpmnbb.exe 320 Klfmijae.exe 2348 Kcmdjgbh.exe 2412 Kflafbak.exe 1604 Keoabo32.exe 2764 Kmficl32.exe 2588 Kpdeoh32.exe 2620 Khojcj32.exe 1676 Kpfbegei.exe 2560 Koibpd32.exe 2616 Kbenacdm.exe 2940 Kiofnm32.exe 2536 Lolofd32.exe 1716 Lajkbp32.exe 2124 Lhdcojaa.exe 2160 Lkbpke32.exe 2116 Lehdhn32.exe 2200 Lfippfej.exe 2064 Lkelpd32.exe 2204 Lophacfl.exe 2224 Laodmoep.exe 2092 Lglmefcg.exe 1992 Lijiaabk.exe 820 Laaabo32.exe 2996 Lpdankjg.exe 2172 Ldpnoj32.exe 2088 Lgnjke32.exe 468 Lkifkdjm.exe 2712 Lilfgq32.exe 1628 Llkbcl32.exe 1672 Lpfnckhe.exe 324 Ldbjdj32.exe 2444 Lcdjpfgh.exe 2664 Miocmq32.exe 2676 Mlmoilni.exe 1536 Mpikik32.exe 2236 Mokkegmm.exe 1272 Mgbcfdmo.exe 2024 Meecaa32.exe 1944 Miapbpmb.exe 2292 Mlolnllf.exe 1548 Mpkhoj32.exe 2972 Monhjgkj.exe -
Loads dropped DLL 64 IoCs
pid Process 2244 92cbb1f5bb999eea5bc30d5e0ee327a63e3d4563092edc9b9130b9ae5019ff54.exe 2244 92cbb1f5bb999eea5bc30d5e0ee327a63e3d4563092edc9b9130b9ae5019ff54.exe 2784 Ifgklp32.exe 2784 Ifgklp32.exe 2228 Jfjhbo32.exe 2228 Jfjhbo32.exe 2600 Jkfpjf32.exe 2600 Jkfpjf32.exe 2592 Jnemfa32.exe 2592 Jnemfa32.exe 1528 Jacibm32.exe 1528 Jacibm32.exe 2004 Jgmaog32.exe 2004 Jgmaog32.exe 1496 Jjlmkb32.exe 1496 Jjlmkb32.exe 2984 Jbcelp32.exe 2984 Jbcelp32.exe 2760 Jeaahk32.exe 2760 Jeaahk32.exe 2240 Jgpndg32.exe 2240 Jgpndg32.exe 2912 Jjnjqb32.exe 2912 Jjnjqb32.exe 2144 Jahbmlil.exe 2144 Jahbmlil.exe 1784 Jgbjjf32.exe 1784 Jgbjjf32.exe 2384 Jfekec32.exe 2384 Jfekec32.exe 928 Jcikog32.exe 928 Jcikog32.exe 2060 Kfggkc32.exe 2060 Kfggkc32.exe 1464 Kiecgo32.exe 1464 Kiecgo32.exe 1640 Kamlhl32.exe 1640 Kamlhl32.exe 2456 Kppldhla.exe 2456 Kppldhla.exe 1656 Kbnhpdke.exe 1656 Kbnhpdke.exe 1268 Kjepaa32.exe 1268 Kjepaa32.exe 2300 Kihpmnbb.exe 2300 Kihpmnbb.exe 320 Klfmijae.exe 320 Klfmijae.exe 2348 Kcmdjgbh.exe 2348 Kcmdjgbh.exe 2412 Kflafbak.exe 2412 Kflafbak.exe 1604 Keoabo32.exe 1604 Keoabo32.exe 2764 Kmficl32.exe 2764 Kmficl32.exe 2588 Kpdeoh32.exe 2588 Kpdeoh32.exe 2620 Khojcj32.exe 2620 Khojcj32.exe 1676 Kpfbegei.exe 1676 Kpfbegei.exe 2560 Koibpd32.exe 2560 Koibpd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pjlncjhk.dll Mdgmbhgh.exe File created C:\Windows\SysWOW64\Nljhhi32.exe Nikkkn32.exe File created C:\Windows\SysWOW64\Ogmkne32.exe Odnobj32.exe File opened for modification C:\Windows\SysWOW64\Omnmal32.exe Ojpaeq32.exe File created C:\Windows\SysWOW64\Qfikod32.exe Qgfkchmp.exe File opened for modification C:\Windows\SysWOW64\Apnfno32.exe Amoibc32.exe File created C:\Windows\SysWOW64\Endjeihi.dll Cccdjl32.exe File created C:\Windows\SysWOW64\Ajbdocdh.dll Iklfia32.exe File opened for modification C:\Windows\SysWOW64\Inplqlng.exe Ijdppm32.exe File created C:\Windows\SysWOW64\Monann32.dll Kgjjndeq.exe File created C:\Windows\SysWOW64\Ncfmjc32.exe Nphpng32.exe File created C:\Windows\SysWOW64\Pmqffonj.exe Pnnfkb32.exe File created C:\Windows\SysWOW64\Cpoodc32.dll Mlolnllf.exe File opened for modification C:\Windows\SysWOW64\Pjjkfe32.exe Pfnoegaf.exe File created C:\Windows\SysWOW64\Qnqjkh32.exe Phgannal.exe File created C:\Windows\SysWOW64\Efmlqigc.exe Ebappk32.exe File opened for modification C:\Windows\SysWOW64\Kmnlhg32.exe Jegdgj32.exe File created C:\Windows\SysWOW64\Fmdpcpjb.dll Ogdaod32.exe File created C:\Windows\SysWOW64\Bfmqigba.exe Bdodmlcm.exe File opened for modification C:\Windows\SysWOW64\Ndfpnl32.exe Nknkeg32.exe File created C:\Windows\SysWOW64\Beadgdli.exe Bbchkime.exe File opened for modification C:\Windows\SysWOW64\Eqkjmcmq.exe Enmnahnm.exe File opened for modification C:\Windows\SysWOW64\Efjpkj32.exe Ebockkal.exe File created C:\Windows\SysWOW64\Jqnocncd.dll Kcajceke.exe File created C:\Windows\SysWOW64\Nfhkkc32.dll Kepgmh32.exe File created C:\Windows\SysWOW64\Gbmdoe32.dll Lhoohgdg.exe File opened for modification C:\Windows\SysWOW64\Ojpaeq32.exe Ogaeieoj.exe File created C:\Windows\SysWOW64\Ebooboeb.dll Hememgdi.exe File created C:\Windows\SysWOW64\Lfobnd32.dll Jcleiclo.exe File opened for modification C:\Windows\SysWOW64\Ockbdebl.exe Ooofcg32.exe File created C:\Windows\SysWOW64\Fbjhhm32.dll Ooofcg32.exe File created C:\Windows\SysWOW64\Dbidpo32.dll Ajipkb32.exe File created C:\Windows\SysWOW64\Jafjpdlm.dll Ajdcofop.exe File created C:\Windows\SysWOW64\Mfeilp32.dll Kpdeoh32.exe File created C:\Windows\SysWOW64\Bhpqcpkm.exe Beadgdli.exe File created C:\Windows\SysWOW64\Knaeeo32.exe Kpoejbhe.exe File created C:\Windows\SysWOW64\Eejanc32.dll Qanolm32.exe File created C:\Windows\SysWOW64\Bmhdihjd.dll Meecaa32.exe File opened for modification C:\Windows\SysWOW64\Njeelc32.exe Nckmpicl.exe File created C:\Windows\SysWOW64\Apnfno32.exe Amoibc32.exe File opened for modification C:\Windows\SysWOW64\Hplphd32.exe Hnmcli32.exe File created C:\Windows\SysWOW64\Pmcgmkil.exe Pigklmqc.exe File created C:\Windows\SysWOW64\Aolgka32.dll Oddphp32.exe File created C:\Windows\SysWOW64\Cnhhge32.exe Cfaqfh32.exe File created C:\Windows\SysWOW64\Elfkmcdp.dll Ddbmcb32.exe File created C:\Windows\SysWOW64\Ehameajg.dll Gbhcpmkm.exe File created C:\Windows\SysWOW64\Egqcce32.dll Liibgkoo.exe File created C:\Windows\SysWOW64\Nohefjhb.dll Pgaahh32.exe File created C:\Windows\SysWOW64\Fmdkki32.dll Amglgn32.exe File opened for modification C:\Windows\SysWOW64\Bfmqigba.exe Bdodmlcm.exe File created C:\Windows\SysWOW64\Bdjkbh32.dll Jgbjjf32.exe File opened for modification C:\Windows\SysWOW64\Lehdhn32.exe Lkbpke32.exe File created C:\Windows\SysWOW64\Pbepkh32.exe Pcbookpp.exe File created C:\Windows\SysWOW64\Adgein32.exe Aiaqle32.exe File opened for modification C:\Windows\SysWOW64\Bnofaf32.exe Bkqiek32.exe File opened for modification C:\Windows\SysWOW64\Dbadagln.exe Dnfhqi32.exe File created C:\Windows\SysWOW64\Iaaekl32.exe Icoepohq.exe File created C:\Windows\SysWOW64\Odnobj32.exe Oapcfo32.exe File opened for modification C:\Windows\SysWOW64\Kiecgo32.exe Kfggkc32.exe File opened for modification C:\Windows\SysWOW64\Ofobgc32.exe Obcffefa.exe File created C:\Windows\SysWOW64\Ckecpjdh.exe Cgjgol32.exe File created C:\Windows\SysWOW64\Oomjld32.dll Emdhhdqb.exe File opened for modification C:\Windows\SysWOW64\Lenffl32.exe Llebnfpe.exe File opened for modification C:\Windows\SysWOW64\Lpckce32.exe Llhocfnb.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkelpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeeff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhlaiccm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkjnenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioefdpne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpmkbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooidei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqmmbqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpnaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfkeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcacochk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jahbmlil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnlndkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbifl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjmmnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meecaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkkcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfalg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaaekl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhdcojaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedamd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcmlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnppaill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkohjbah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjfgkha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbnkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmelpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebappk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbkdpnil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllaopcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibkhak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miiofn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlldmimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhebhipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockbdebl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmgifa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lglmefcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llkbcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhnqfla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoalia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idekbgji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebpakbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiqjao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beogaenl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhcpmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphpng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkffi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbnhpdke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chbihc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogaeieoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggcofkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemomb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbmip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcichb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igeddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ongckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkbnibq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padccpal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqjgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chofhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajkbp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lajkbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oddphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Comhgndh.dll" Okpdjjil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiiddfd.dll" Acohnhab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beggec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgmaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iclafh32.dll" Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bceclhel.dll" Idekbgji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igeddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlmoilni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdedod32.dll" Mhkfnlme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbglpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amoibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacgfd32.dll" Beadgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bceeqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnfhqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqnocncd.dll" Kcajceke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mokkegmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgkjp32.dll" Ejabqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icabeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgkii32.dll" Lmpeljkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lekjal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbdcepcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogmkne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poacighp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjjkfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmibmhoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmpakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doijgpba.dll" Pqgilnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkojoghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll" Chhpgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfnoegaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbdagg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epeajo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnqnoqah.dll" Fjckelfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmijajbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nomklqkm.dll" Jegdgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nloachkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphkcaig.dll" Pnfpjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkelpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlahdkjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfaddpc.dll" Mopdpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ooidei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adgein32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddppmclb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nakikpin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peqhgmdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjlmkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfippfej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meljbqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdlmb32.dll" Dgqion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjaoplho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffjljmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ninhamne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngjoif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lijiaabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meecaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhkbmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Padccpal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfchqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckecpjdh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2244 wrote to memory of 2784 2244 92cbb1f5bb999eea5bc30d5e0ee327a63e3d4563092edc9b9130b9ae5019ff54.exe 30 PID 2244 wrote to memory of 2784 2244 92cbb1f5bb999eea5bc30d5e0ee327a63e3d4563092edc9b9130b9ae5019ff54.exe 30 PID 2244 wrote to memory of 2784 2244 92cbb1f5bb999eea5bc30d5e0ee327a63e3d4563092edc9b9130b9ae5019ff54.exe 30 PID 2244 wrote to memory of 2784 2244 92cbb1f5bb999eea5bc30d5e0ee327a63e3d4563092edc9b9130b9ae5019ff54.exe 30 PID 2784 wrote to memory of 2228 2784 Ifgklp32.exe 31 PID 2784 wrote to memory of 2228 2784 Ifgklp32.exe 31 PID 2784 wrote to memory of 2228 2784 Ifgklp32.exe 31 PID 2784 wrote to memory of 2228 2784 Ifgklp32.exe 31 PID 2228 wrote to memory of 2600 2228 Jfjhbo32.exe 32 PID 2228 wrote to memory of 2600 2228 Jfjhbo32.exe 32 PID 2228 wrote to memory of 2600 2228 Jfjhbo32.exe 32 PID 2228 wrote to memory of 2600 2228 Jfjhbo32.exe 32 PID 2600 wrote to memory of 2592 2600 Jkfpjf32.exe 33 PID 2600 wrote to memory of 2592 2600 Jkfpjf32.exe 33 PID 2600 wrote to memory of 2592 2600 Jkfpjf32.exe 33 PID 2600 wrote to memory of 2592 2600 Jkfpjf32.exe 33 PID 2592 wrote to memory of 1528 2592 Jnemfa32.exe 34 PID 2592 wrote to memory of 1528 2592 Jnemfa32.exe 34 PID 2592 wrote to memory of 1528 2592 Jnemfa32.exe 34 PID 2592 wrote to memory of 1528 2592 Jnemfa32.exe 34 PID 1528 wrote to memory of 2004 1528 Jacibm32.exe 35 PID 1528 wrote to memory of 2004 1528 Jacibm32.exe 35 PID 1528 wrote to memory of 2004 1528 Jacibm32.exe 35 PID 1528 wrote to memory of 2004 1528 Jacibm32.exe 35 PID 2004 wrote to memory of 1496 2004 Jgmaog32.exe 36 PID 2004 wrote to memory of 1496 2004 Jgmaog32.exe 36 PID 2004 wrote to memory of 1496 2004 Jgmaog32.exe 36 PID 2004 wrote to memory of 1496 2004 Jgmaog32.exe 36 PID 1496 wrote to memory of 2984 1496 Jjlmkb32.exe 37 PID 1496 wrote to memory of 2984 1496 Jjlmkb32.exe 37 PID 1496 wrote to memory of 2984 1496 Jjlmkb32.exe 37 PID 1496 wrote to memory of 2984 1496 Jjlmkb32.exe 37 PID 2984 wrote to memory of 2760 2984 Jbcelp32.exe 38 PID 2984 wrote to memory of 2760 2984 Jbcelp32.exe 38 PID 2984 wrote to memory of 2760 2984 Jbcelp32.exe 38 PID 2984 wrote to memory of 2760 2984 Jbcelp32.exe 38 PID 2760 wrote to memory of 2240 2760 Jeaahk32.exe 39 PID 2760 wrote to memory of 2240 2760 Jeaahk32.exe 39 PID 2760 wrote to memory of 2240 2760 Jeaahk32.exe 39 PID 2760 wrote to memory of 2240 2760 Jeaahk32.exe 39 PID 2240 wrote to memory of 2912 2240 Jgpndg32.exe 40 PID 2240 wrote to memory of 2912 2240 Jgpndg32.exe 40 PID 2240 wrote to memory of 2912 2240 Jgpndg32.exe 40 PID 2240 wrote to memory of 2912 2240 Jgpndg32.exe 40 PID 2912 wrote to memory of 2144 2912 Jjnjqb32.exe 41 PID 2912 wrote to memory of 2144 2912 Jjnjqb32.exe 41 PID 2912 wrote to memory of 2144 2912 Jjnjqb32.exe 41 PID 2912 wrote to memory of 2144 2912 Jjnjqb32.exe 41 PID 2144 wrote to memory of 1784 2144 Jahbmlil.exe 42 PID 2144 wrote to memory of 1784 2144 Jahbmlil.exe 42 PID 2144 wrote to memory of 1784 2144 Jahbmlil.exe 42 PID 2144 wrote to memory of 1784 2144 Jahbmlil.exe 42 PID 1784 wrote to memory of 2384 1784 Jgbjjf32.exe 43 PID 1784 wrote to memory of 2384 1784 Jgbjjf32.exe 43 PID 1784 wrote to memory of 2384 1784 Jgbjjf32.exe 43 PID 1784 wrote to memory of 2384 1784 Jgbjjf32.exe 43 PID 2384 wrote to memory of 928 2384 Jfekec32.exe 44 PID 2384 wrote to memory of 928 2384 Jfekec32.exe 44 PID 2384 wrote to memory of 928 2384 Jfekec32.exe 44 PID 2384 wrote to memory of 928 2384 Jfekec32.exe 44 PID 928 wrote to memory of 2060 928 Jcikog32.exe 45 PID 928 wrote to memory of 2060 928 Jcikog32.exe 45 PID 928 wrote to memory of 2060 928 Jcikog32.exe 45 PID 928 wrote to memory of 2060 928 Jcikog32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\92cbb1f5bb999eea5bc30d5e0ee327a63e3d4563092edc9b9130b9ae5019ff54.exe"C:\Users\Admin\AppData\Local\Temp\92cbb1f5bb999eea5bc30d5e0ee327a63e3d4563092edc9b9130b9ae5019ff54.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Jfjhbo32.exeC:\Windows\system32\Jfjhbo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Jkfpjf32.exeC:\Windows\system32\Jkfpjf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Jjlmkb32.exeC:\Windows\system32\Jjlmkb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Jeaahk32.exeC:\Windows\system32\Jeaahk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Jgpndg32.exeC:\Windows\system32\Jgpndg32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Jahbmlil.exeC:\Windows\system32\Jahbmlil.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Jgbjjf32.exeC:\Windows\system32\Jgbjjf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Jcikog32.exeC:\Windows\system32\Jcikog32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Kfggkc32.exeC:\Windows\system32\Kfggkc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Kiecgo32.exeC:\Windows\system32\Kiecgo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Kamlhl32.exeC:\Windows\system32\Kamlhl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Kbnhpdke.exeC:\Windows\system32\Kbnhpdke.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Kjepaa32.exeC:\Windows\system32\Kjepaa32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Klfmijae.exeC:\Windows\system32\Klfmijae.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Windows\SysWOW64\Kcmdjgbh.exeC:\Windows\system32\Kcmdjgbh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Kflafbak.exeC:\Windows\system32\Kflafbak.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Keoabo32.exeC:\Windows\system32\Keoabo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Kpdeoh32.exeC:\Windows\system32\Kpdeoh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Kpfbegei.exeC:\Windows\system32\Kpfbegei.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Koibpd32.exeC:\Windows\system32\Koibpd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Kbenacdm.exeC:\Windows\system32\Kbenacdm.exe33⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Kiofnm32.exeC:\Windows\system32\Kiofnm32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Lolofd32.exeC:\Windows\system32\Lolofd32.exe35⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Lhdcojaa.exeC:\Windows\system32\Lhdcojaa.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe39⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Lfippfej.exeC:\Windows\system32\Lfippfej.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Lkelpd32.exeC:\Windows\system32\Lkelpd32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe42⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Laodmoep.exeC:\Windows\system32\Laodmoep.exe43⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Lglmefcg.exeC:\Windows\system32\Lglmefcg.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Lijiaabk.exeC:\Windows\system32\Lijiaabk.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe46⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Lpdankjg.exeC:\Windows\system32\Lpdankjg.exe47⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ldpnoj32.exeC:\Windows\system32\Ldpnoj32.exe48⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Lgnjke32.exeC:\Windows\system32\Lgnjke32.exe49⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Lkifkdjm.exeC:\Windows\system32\Lkifkdjm.exe50⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe51⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Llkbcl32.exeC:\Windows\system32\Llkbcl32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\Lpfnckhe.exeC:\Windows\system32\Lpfnckhe.exe53⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Ldbjdj32.exeC:\Windows\system32\Ldbjdj32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe55⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Mecglbfl.exeC:\Windows\system32\Mecglbfl.exe56⤵PID:2724
-
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe57⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Mpikik32.exeC:\Windows\system32\Mpikik32.exe59⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe61⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Meecaa32.exeC:\Windows\system32\Meecaa32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Mlolnllf.exeC:\Windows\system32\Mlolnllf.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Mpkhoj32.exeC:\Windows\system32\Mpkhoj32.exe65⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Monhjgkj.exeC:\Windows\system32\Monhjgkj.exe66⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe67⤵PID:2840
-
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe68⤵PID:2796
-
C:\Windows\SysWOW64\Mlahdkjc.exeC:\Windows\system32\Mlahdkjc.exe69⤵
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe70⤵
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Mclqqeaq.exeC:\Windows\system32\Mclqqeaq.exe71⤵PID:1112
-
C:\Windows\SysWOW64\Maoalb32.exeC:\Windows\system32\Maoalb32.exe72⤵PID:2376
-
C:\Windows\SysWOW64\Mdmmhn32.exeC:\Windows\system32\Mdmmhn32.exe73⤵PID:2056
-
C:\Windows\SysWOW64\Mhhiiloh.exeC:\Windows\system32\Mhhiiloh.exe74⤵PID:2368
-
C:\Windows\SysWOW64\Mkgeehnl.exeC:\Windows\system32\Mkgeehnl.exe75⤵PID:2480
-
C:\Windows\SysWOW64\Mobaef32.exeC:\Windows\system32\Mobaef32.exe76⤵PID:588
-
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe77⤵PID:1012
-
C:\Windows\SysWOW64\Meljbqna.exeC:\Windows\system32\Meljbqna.exe78⤵
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe79⤵PID:592
-
C:\Windows\SysWOW64\Mhkfnlme.exeC:\Windows\system32\Mhkfnlme.exe80⤵
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe81⤵PID:1540
-
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe82⤵PID:2028
-
C:\Windows\SysWOW64\Npfjbn32.exeC:\Windows\system32\Npfjbn32.exe83⤵PID:2500
-
C:\Windows\SysWOW64\Ngpcohbm.exeC:\Windows\system32\Ngpcohbm.exe84⤵PID:2400
-
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe85⤵PID:2868
-
C:\Windows\SysWOW64\Nphghn32.exeC:\Windows\system32\Nphghn32.exe86⤵PID:2696
-
C:\Windows\SysWOW64\Nddcimag.exeC:\Windows\system32\Nddcimag.exe87⤵PID:1564
-
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe88⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe89⤵PID:2188
-
C:\Windows\SysWOW64\Nfglfdeb.exeC:\Windows\system32\Nfglfdeb.exe90⤵PID:2096
-
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe91⤵PID:2164
-
C:\Windows\SysWOW64\Nopaoj32.exeC:\Windows\system32\Nopaoj32.exe92⤵PID:2944
-
C:\Windows\SysWOW64\Nckmpicl.exeC:\Windows\system32\Nckmpicl.exe93⤵
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe94⤵PID:2564
-
C:\Windows\SysWOW64\Nhhehpbc.exeC:\Windows\system32\Nhhehpbc.exe95⤵PID:2692
-
C:\Windows\SysWOW64\Nqpmimbe.exeC:\Windows\system32\Nqpmimbe.exe96⤵PID:2848
-
C:\Windows\SysWOW64\Nbqjqehd.exeC:\Windows\system32\Nbqjqehd.exe97⤵PID:1132
-
C:\Windows\SysWOW64\Nhkbmo32.exeC:\Windows\system32\Nhkbmo32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Okinik32.exeC:\Windows\system32\Okinik32.exe99⤵PID:2132
-
C:\Windows\SysWOW64\Obcffefa.exeC:\Windows\system32\Obcffefa.exe100⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Ofobgc32.exeC:\Windows\system32\Ofobgc32.exe101⤵PID:2580
-
C:\Windows\SysWOW64\Ohmoco32.exeC:\Windows\system32\Ohmoco32.exe102⤵PID:1308
-
C:\Windows\SysWOW64\Okkkoj32.exeC:\Windows\system32\Okkkoj32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:568 -
C:\Windows\SysWOW64\Ofaolcmh.exeC:\Windows\system32\Ofaolcmh.exe104⤵PID:1156
-
C:\Windows\SysWOW64\Oddphp32.exeC:\Windows\system32\Oddphp32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Oknhdjko.exeC:\Windows\system32\Oknhdjko.exe106⤵PID:1952
-
C:\Windows\SysWOW64\Ooidei32.exeC:\Windows\system32\Ooidei32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe108⤵PID:2080
-
C:\Windows\SysWOW64\Okpdjjil.exeC:\Windows\system32\Okpdjjil.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe110⤵PID:2980
-
C:\Windows\SysWOW64\Oqmmbqgd.exeC:\Windows\system32\Oqmmbqgd.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Oggeokoq.exeC:\Windows\system32\Oggeokoq.exe112⤵PID:608
-
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe113⤵PID:2852
-
C:\Windows\SysWOW64\Omcngamh.exeC:\Windows\system32\Omcngamh.exe114⤵PID:448
-
C:\Windows\SysWOW64\Oekehomj.exeC:\Windows\system32\Oekehomj.exe115⤵PID:3008
-
C:\Windows\SysWOW64\Pflbpg32.exeC:\Windows\system32\Pflbpg32.exe116⤵PID:2900
-
C:\Windows\SysWOW64\Pjhnqfla.exeC:\Windows\system32\Pjhnqfla.exe117⤵
- System Location Discovery: System Language Discovery
PID:576 -
C:\Windows\SysWOW64\Paafmp32.exeC:\Windows\system32\Paafmp32.exe118⤵PID:1664
-
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe119⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Pfnoegaf.exeC:\Windows\system32\Pfnoegaf.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Pjjkfe32.exeC:\Windows\system32\Pjjkfe32.exe121⤵
- Modifies registry class
PID:2524
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-