Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:45
Static task: static1
Behavioral task: behavioral1
Sample: 28032d876050069a0df2705e1e2e6e0419a6b49321a2c73f1bc815663e6efc21N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 28032d876050069a0df2705e1e2e6e0419a6b49321a2c73f1bc815663e6efc21N.exe
Resource: win10v2004-20241007-en
General
Target: 28032d876050069a0df2705e1e2e6e0419a6b49321a2c73f1bc815663e6efc21N.exe
Size: 72KB
MD5: 74aff1573014439d46e29af61e9437f0
SHA1: 2939cf4f5badbd8fc510f49dcf5afcce39ae1012
SHA256: 28032d876050069a0df2705e1e2e6e0419a6b49321a2c73f1bc815663e6efc21
SHA512: da7e209ce0b23a1f67afd8c791c54fa02edb9d1e2b61b7f6d9ac43c89ff5fb06e6db31f8391af75bb3e7c4665c2b214dd5b03b541e25d4f67bcab84eea62a998
SSDEEP: 1536:1NG/96qMGvC886L9j8fjUwFVM3gSiKzSMsO2SP8Wsgv4S2k/6+4AbK6Q9LVo:1NGF6AP5j8fjlG1v2+4o6G
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjdkhmcd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojecok32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obphcm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qadnna32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbhqbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qpgoinaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajalaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Amdbiahp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckkhocgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mfkkmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ppkonp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfgdpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pamhmb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Moacqdbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nfbanm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qcbjjm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpbjbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mhbaijod.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nomclbho.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpcglj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dckfnd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jicija32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Laacka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nmjmeg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pifple32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmidknfh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjpamn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qcbjjm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aiaphc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Apkhdn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbkfap32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjbnbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nhldoifj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfpehmec.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lidbao32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhioblgo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mohpjejf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhpeckqg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oqlofeoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afcclh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afjjlg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Apbnemgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kpbjbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lhioblgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ooalga32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Piagafda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Abjdqi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amdbiahp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Baiqpo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmopgdjh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qimfmdjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qadnna32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qmkobbpk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qafkca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qbggkiob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aiaphc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apbnemgd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcqgnfbe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncailbfp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omjfle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pifple32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccfmcedp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdeimhkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bpggpl32.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | Process
3336 | Jicija32.exe
868 | Jpnagl32.exe
1968 | Kblmcg32.exe
228 | Kejipb32.exe
3756 | Khifln32.exe
4824 | Kppnmk32.exe
3612 | Kbnjig32.exe
2344 | Khkban32.exe
440 | Kpbjbk32.exe
4964 | Kcqgnfbe.exe
2900 | Keocjbai.exe
4024 | Khmogmal.exe
1520 | Kpdghkao.exe
2480 | Kafcpc32.exe
372 | Kimlqp32.exe
4436 | Kpgdmjpl.exe
3208 | Kahpebej.exe
4548 | Kedlea32.exe
4760 | Klndbkep.exe
1580 | Lajmkbcg.exe
1312 | Lhdegl32.exe
1152 | Llpahkcm.exe
880 | Lonndfba.exe
4040 | Lamjpbae.exe
4200 | Lidbao32.exe
4600 | Lpnjniid.exe
2392 | Laoffa32.exe
2324 | Ljfogo32.exe
5056 | Lhioblgo.exe
2680 | Laacka32.exe
4844 | Loeceeli.exe
3236 | Ladpaakm.exe
1888 | Ljkhbnlo.exe
3580 | Lhnhnk32.exe
1324 | Mohpjejf.exe
4392 | Mafmfqij.exe
2348 | Mfbigo32.exe
4032 | Mhpeckqg.exe
1896 | Mpgmdhai.exe
4256 | Mcfipcpm.exe
4100 | Mbhilp32.exe
4444 | Mjpamn32.exe
2544 | Mhbaijod.exe
1080 | Mpjijhof.exe
2984 | Mchffcnj.exe
4580 | Mbkfap32.exe
2740 | Mjbnbm32.exe
3816 | Mplfog32.exe
2700 | Moofkddo.exe
4472 | Mbmcgpcb.exe
756 | Mjdkhmcd.exe
3904 | Mhgkdj32.exe
336 | Moacqdbl.exe
3424 | Mbppmoap.exe
2024 | Mfkkmn32.exe
4616 | Mhihii32.exe
2976 | Nqqpjgio.exe
2384 | Nocpfc32.exe
3340 | Nfnhbngf.exe
4876 | Nhldoifj.exe
4084 | Nqclpfgl.exe
212 | Ncailbfp.exe
696 | Nfpehmec.exe
3144 | Nmjmeg32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Kdgfml32.dll | Cgjbcebq.exe
File opened for modification | C:\Windows\SysWOW64\Mchffcnj.exe | Mpjijhof.exe
File opened for modification | C:\Windows\SysWOW64\Oqlofeoa.exe | Nfgkilok.exe
File opened for modification | C:\Windows\SysWOW64\Ajalaf32.exe | Abjdqi32.exe
File created | C:\Windows\SysWOW64\Liggem32.dll | Aidlmcdl.exe
File created | C:\Windows\SysWOW64\Afbmdp32.dll | Mhpeckqg.exe
File opened for modification | C:\Windows\SysWOW64\Obphcm32.exe | Ooalga32.exe
File opened for modification | C:\Windows\SysWOW64\Qcbjjm32.exe | Qpgoinaa.exe
File opened for modification | C:\Windows\SysWOW64\Afjjlg32.exe | Aamadpbl.exe
File created | C:\Windows\SysWOW64\Edlagnqg.dll | Loeceeli.exe
File created | C:\Windows\SysWOW64\Agbghi32.dll | Nfbanm32.exe
File opened for modification | C:\Windows\SysWOW64\Omhifeqp.exe | Ojimjjal.exe
File created | C:\Windows\SysWOW64\Mmoifl32.dll | Pjgikh32.exe
File opened for modification | C:\Windows\SysWOW64\Kimlqp32.exe | Kafcpc32.exe
File created | C:\Windows\SysWOW64\Mchffcnj.exe | Mpjijhof.exe
File created | C:\Windows\SysWOW64\Ddmnpj32.dll | Ppkonp32.exe
File created | C:\Windows\SysWOW64\Dhheiima.dll | Cmdkpo32.exe
File opened for modification | C:\Windows\SysWOW64\Dckfnd32.exe | Cibaeoij.exe
File opened for modification | C:\Windows\SysWOW64\Kpbjbk32.exe | Khkban32.exe
File created | C:\Windows\SysWOW64\Kafcpc32.exe | Kpdghkao.exe
File opened for modification | C:\Windows\SysWOW64\Nqclpfgl.exe | Nhldoifj.exe
File opened for modification | C:\Windows\SysWOW64\Adiqjlcb.exe | Aidlmcdl.exe
File opened for modification | C:\Windows\SysWOW64\Bimocbla.exe | Abcgghde.exe
File created | C:\Windows\SysWOW64\Liahpe32.dll | Llpahkcm.exe
File created | C:\Windows\SysWOW64\Ffnfml32.dll | Nfgkilok.exe
File created | C:\Windows\SysWOW64\Pckdin32.exe | Pamhmb32.exe
File created | C:\Windows\SysWOW64\Keoeidjd.dll | Ofbjdken.exe
File created | C:\Windows\SysWOW64\Mbhilp32.exe | Mcfipcpm.exe
File created | C:\Windows\SysWOW64\Mjbnbm32.exe | Mbkfap32.exe
File opened for modification | C:\Windows\SysWOW64\Qimfmdjd.exe | Pfnjqikq.exe
File created | C:\Windows\SysWOW64\Cpedajgo.exe | Ckhkic32.exe
File created | C:\Windows\SysWOW64\Jedbjneh.dll | Cibaeoij.exe
File opened for modification | C:\Windows\SysWOW64\Kblmcg32.exe | Jpnagl32.exe
File created | C:\Windows\SysWOW64\Klndbkep.exe | Kedlea32.exe
File created | C:\Windows\SysWOW64\Aeinaj32.dll | Klndbkep.exe
File created | C:\Windows\SysWOW64\Qhpboedn.dll | Obnlnm32.exe
File opened for modification | C:\Windows\SysWOW64\Amfooafm.exe | Abajahfg.exe
File created | C:\Windows\SysWOW64\Baiqpo32.exe | Bbhqbg32.exe
File opened for modification | C:\Windows\SysWOW64\Ocpemp32.exe | Oqaiad32.exe
File opened for modification | C:\Windows\SysWOW64\Pfgdpj32.exe | Pblhokip.exe
File created | C:\Windows\SysWOW64\Oedgpbbf.dll | Bipliajo.exe
File created | C:\Windows\SysWOW64\Cmidknfh.exe | Ckkhocgd.exe
File created | C:\Windows\SysWOW64\Cginjcme.dll | Dckfnd32.exe
File created | C:\Windows\SysWOW64\Aikcfk32.dll | Kimlqp32.exe
File created | C:\Windows\SysWOW64\Kedlea32.exe | Kahpebej.exe
File created | C:\Windows\SysWOW64\Mhihii32.exe | Mfkkmn32.exe
File created | C:\Windows\SysWOW64\Dnbgamnm.exe | Dghodc32.exe
File created | C:\Windows\SysWOW64\Qfqgfh32.exe | Qcbjjm32.exe
File opened for modification | C:\Windows\SysWOW64\Aamadpbl.exe | Afhmggcf.exe
File created | C:\Windows\SysWOW64\Dmpjlm32.exe | Dkanob32.exe
File opened for modification | C:\Windows\SysWOW64\Loeceeli.exe | Laacka32.exe
File created | C:\Windows\SysWOW64\Nomclbho.exe | Njpjdkig.exe
File created | C:\Windows\SysWOW64\Ofbjdken.exe | Opibhq32.exe
File created | C:\Windows\SysWOW64\Dckfnd32.exe | Cibaeoij.exe
File created | C:\Windows\SysWOW64\Igalkpeb.dll | Pamhmb32.exe
File created | C:\Windows\SysWOW64\Dokimi32.dll | Abjdqi32.exe
File created | C:\Windows\SysWOW64\Aidlmcdl.exe | Ajalaf32.exe
File created | C:\Windows\SysWOW64\Mfickphb.dll | Bideda32.exe
File opened for modification | C:\Windows\SysWOW64\Ckhkic32.exe | Cpcglj32.exe
File created | C:\Windows\SysWOW64\Cdeimhkb.exe | Ckmedbeb.exe
File opened for modification | C:\Windows\SysWOW64\Lajmkbcg.exe | Klndbkep.exe
File opened for modification | C:\Windows\SysWOW64\Nohiacld.exe | Nmjmeg32.exe
File created | C:\Windows\SysWOW64\Ddnfhcjq.dll | Njpjdkig.exe
File created | C:\Windows\SysWOW64\Ppmlcpil.exe | Pajkgc32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
6620 | 6536 | WerFault.exe | 256
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nomclbho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpqjfk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmdkpo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llpahkcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mchffcnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aidlmcdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abcgghde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpedajgo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dckfnd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lonndfba.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfegjjck.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbibcnie.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jicija32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Loeceeli.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfpehmec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apbnemgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbkfap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncailbfp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhnhnk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmjmeg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pajkgc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pamhmb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qfqgfh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afjjlg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 28032d876050069a0df2705e1e2e6e0419a6b49321a2c73f1bc815663e6efc21N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khifln32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckkhocgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amdbiahp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckhkic32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opibhq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Piagafda.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kimlqp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Laacka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Moacqdbl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obnlnm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdeimhkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khmogmal.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpdghkao.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjgikh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qpgoinaa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Keocjbai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opfebqpd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbjmggnm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njpjdkig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcfknodh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mohpjejf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mplfog32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbppmoap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nqhfkf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qimfmdjd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qadnna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lajmkbcg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ladpaakm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmpjlm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omcpkf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pifple32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afcclh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhihii32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nocpfc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kejipb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbhqbg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oijqpg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfgdpj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfapmfkk.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckoega32.dll" | Apekklea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ckkhocgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pjgikh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lpnjniid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqpbc32.dll" | Mcfipcpm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nohiacld.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ablafi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pmfegc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bideda32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 28032d876050069a0df2705e1e2e6e0419a6b49321a2c73f1bc815663e6efc21N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abigbemk.dll" | Njnnnllj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cphfbgja.dll" | Aahhia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kpgdmjpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbepla32.dll" | Pifple32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nbibcnie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkjco32.dll" | Lamjpbae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difbepij.dll" | Mjpamn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Omhifeqp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ablafi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kahpebej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Klndbkep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mhihii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pamhmb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pfnjqikq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcgabjo.dll" | Qjlcfgag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdebhm32.dll" | Bbhqbg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Khifln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopehnkn.dll" | Laacka32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bpqjfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dkanob32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Moacqdbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mfkkmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ofbjdken.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ckmedbeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dmpjlm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmaahjld.dll" | Dghodc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofamgchd.dll" | Ladpaakm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Moofkddo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liahpe32.dll" | Llpahkcm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aahhia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmejibbn.dll" | Dkanob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckbob32.dll" | Kbnjig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaalppbq.dll" | Keocjbai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lonndfba.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mohpjejf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mfbigo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Omhifeqp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mjdkhmcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nqqpjgio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Moacqdbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Obnlnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmomhoc.dll" | Piagafda.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kpdghkao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mbkfap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Baiqpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Njnnnllj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ojecok32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ppkonp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aidlmcdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokalh32.dll" | Ckkhocgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mpgmdhai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Opibhq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Laoffa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foljjfdj.dll" | Afhmggcf.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2648 wrote to memory of 3336 2648 28032d876050069a0df2705e1e2e6e0419a6b49321a2c73f1bc815663e6efc21N.exe 83
PID 2648 wrote to memory of 3336 2648 28032d876050069a0df2705e1e2e6e0419a6b49321a2c73f1bc815663e6efc21N.exe 83
PID 2648 wrote to memory of 3336 2648 28032d876050069a0df2705e1e2e6e0419a6b49321a2c73f1bc815663e6efc21N.exe 83
PID 3336 wrote to memory of 868 3336 Jicija32.exe 84
PID 3336 wrote to memory of 868 3336 Jicija32.exe 84
PID 3336 wrote to memory of 868 3336 Jicija32.exe 84
PID 868 wrote to memory of 1968 868 Jpnagl32.exe 85
PID 868 wrote to memory of 1968 868 Jpnagl32.exe 85
PID 868 wrote to memory of 1968 868 Jpnagl32.exe 85
PID 1968 wrote to memory of 228 1968 Kblmcg32.exe 87
PID 1968 wrote to memory of 228 1968 Kblmcg32.exe 87
PID 1968 wrote to memory of 228 1968 Kblmcg32.exe 87
PID 228 wrote to memory of 3756 228 Kejipb32.exe 88
PID 228 wrote to memory of 3756 228 Kejipb32.exe 88
PID 228 wrote to memory of 3756 228 Kejipb32.exe 88
PID 3756 wrote to memory of 4824 3756 Khifln32.exe 89
PID 3756 wrote to memory of 4824 3756 Khifln32.exe 89
PID 3756 wrote to memory of 4824 3756 Khifln32.exe 89
PID 4824 wrote to memory of 3612 4824 Kppnmk32.exe 90
PID 4824 wrote to memory of 3612 4824 Kppnmk32.exe 90
PID 4824 wrote to memory of 3612 4824 Kppnmk32.exe 90
PID 3612 wrote to memory of 2344 3612 Kbnjig32.exe 91
PID 3612 wrote to memory of 2344 3612 Kbnjig32.exe 91
PID 3612 wrote to memory of 2344 3612 Kbnjig32.exe 91
PID 2344 wrote to memory of 440 2344 Khkban32.exe 93
PID 2344 wrote to memory of 440 2344 Khkban32.exe 93
PID 2344 wrote to memory of 440 2344 Khkban32.exe 93
PID 440 wrote to memory of 4964 440 Kpbjbk32.exe 94
PID 440 wrote to memory of 4964 440 Kpbjbk32.exe 94
PID 440 wrote to memory of 4964 440 Kpbjbk32.exe 94
PID 4964 wrote to memory of 2900 4964 Kcqgnfbe.exe 95
PID 4964 wrote to memory of 2900 4964 Kcqgnfbe.exe 95
PID 4964 wrote to memory of 2900 4964 Kcqgnfbe.exe 95
PID 2900 wrote to memory of 4024 2900 Keocjbai.exe 96
PID 2900 wrote to memory of 4024 2900 Keocjbai.exe 96
PID 2900 wrote to memory of 4024 2900 Keocjbai.exe 96
PID 4024 wrote to memory of 1520 4024 Khmogmal.exe 97
PID 4024 wrote to memory of 1520 4024 Khmogmal.exe 97
PID 4024 wrote to memory of 1520 4024 Khmogmal.exe 97
PID 1520 wrote to memory of 2480 1520 Kpdghkao.exe 98
PID 1520 wrote to memory of 2480 1520 Kpdghkao.exe 98
PID 1520 wrote to memory of 2480 1520 Kpdghkao.exe 98
PID 2480 wrote to memory of 372 2480 Kafcpc32.exe 99
PID 2480 wrote to memory of 372 2480 Kafcpc32.exe 99
PID 2480 wrote to memory of 372 2480 Kafcpc32.exe 99
PID 372 wrote to memory of 4436 372 Kimlqp32.exe 100
PID 372 wrote to memory of 4436 372 Kimlqp32.exe 100
PID 372 wrote to memory of 4436 372 Kimlqp32.exe 100
PID 4436 wrote to memory of 3208 4436 Kpgdmjpl.exe 102
PID 4436 wrote to memory of 3208 4436 Kpgdmjpl.exe 102
PID 4436 wrote to memory of 3208 4436 Kpgdmjpl.exe 102
PID 3208 wrote to memory of 4548 3208 Kahpebej.exe 103
PID 3208 wrote to memory of 4548 3208 Kahpebej.exe 103
PID 3208 wrote to memory of 4548 3208 Kahpebej.exe 103
PID 4548 wrote to memory of 4760 4548 Kedlea32.exe 104
PID 4548 wrote to memory of 4760 4548 Kedlea32.exe 104
PID 4548 wrote to memory of 4760 4548 Kedlea32.exe 104
PID 4760 wrote to memory of 1580 4760 Klndbkep.exe 105
PID 4760 wrote to memory of 1580 4760 Klndbkep.exe 105
PID 4760 wrote to memory of 1580 4760 Klndbkep.exe 105
PID 1580 wrote to memory of 1312 1580 Lajmkbcg.exe 106
PID 1580 wrote to memory of 1312 1580 Lajmkbcg.exe 106
PID 1580 wrote to memory of 1312 1580 Lajmkbcg.exe 106
PID 1312 wrote to memory of 1152 1312 Lhdegl32.exe 107
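The table above is one linear injection chain: each process writes into exactly one child, and the sandbox records three WriteProcessMemory calls per child, so every parent/child pair appears three times. The Python below is an added example, not code from the report: it parses rows in the flattened form shown on this page, deduplicates them, rebuilds the chain from the root writer (the PID nobody wrote into) and lists the dropped images in execution order. The sample rows are the first few from this table, run together as constructed input; the six-letters-plus-"32.exe" naming check is a heuristic drawn from the names on this page, not a rule from the report.

```python
"""Rebuild the process-injection chain from flattened
'Suspicious use of WriteProcessMemory' rows of a sandbox report.

Added example, not code from the report. Each row reads
'PID <src> wrote to memory of <dst> <src> <image> <index>'; the sandbox emits
one row per WriteProcessMemory call, so rows are deduplicated on (src, dst)
before the chain is followed from the root writer.
"""
import re
from typing import Dict, List, Tuple

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Heuristic from the names in this report: one capital, five lowercase letters,
# then '32.exe'. Not a rule from the report, just the pattern visible on the page.
DROP_NAME_RE = re.compile(r"[A-Z][a-z]{5}32\.exe")

# Constructed sample: the first rows of this report's table, run together the
# way the page flattens them (duplicates included on purpose).
SAMPLE_NAME = "28032d876050069a0df2705e1e2e6e0419a6b49321a2c73f1bc815663e6efc21N.exe"
SAMPLE_ROWS = (
    f"PID 2648 wrote to memory of 3336 2648 {SAMPLE_NAME} 83 "
    f"PID 2648 wrote to memory of 3336 2648 {SAMPLE_NAME} 83 "
    f"PID 2648 wrote to memory of 3336 2648 {SAMPLE_NAME} 83 "
    "PID 3336 wrote to memory of 868 3336 Jicija32.exe 84 "
    "PID 3336 wrote to memory of 868 3336 Jicija32.exe 84 "
    "PID 868 wrote to memory of 1968 868 Jpnagl32.exe 85 "
    "PID 1968 wrote to memory of 228 1968 Kblmcg32.exe 87"
)


def parse_rows(text: str) -> List[Tuple[int, int, str]]:
    """Return unique (writer_pid, target_pid, writer_image) triples in first-seen order."""
    seen = set()
    rows: List[Tuple[int, int, str]] = []
    for match in ROW_RE.finditer(text):
        src, dst, image = int(match.group(1)), int(match.group(2)), match.group(3)
        if (src, dst) not in seen:
            seen.add((src, dst))
            rows.append((src, dst, image))
    return rows


def build_chain(rows: List[Tuple[int, int, str]]) -> Tuple[List[Tuple[int, str]], int]:
    """Follow writer -> target links from the root writer.

    Returns ([(pid, image), ...] for every writer, last_target_pid). The last
    target's own image is not in these rows (it wrote into nobody). Raises if
    the rows do not form a single linear chain, since that is the shape this
    report shows and a branch would mean the parser or the sample changed.
    """
    children: Dict[int, List[int]] = {}
    image: Dict[int, str] = {}
    targets = set()
    for src, dst, img in rows:
        children.setdefault(src, []).append(dst)
        image[src] = img
        targets.add(dst)
    roots = [pid for pid in children if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected a single root writer, found {roots}")
    chain: List[Tuple[int, str]] = []
    pid = roots[0]
    while pid in children:
        kids = children[pid]
        if len(kids) != 1:
            raise ValueError(f"PID {pid} wrote into {len(kids)} processes; not a linear chain")
        chain.append((pid, image[pid]))
        pid = kids[0]
    return chain, pid


def dropped_images(chain: List[Tuple[int, str]]) -> List[str]:
    """Image names after the original sample: the binaries it dropped and ran."""
    return [img for _, img in chain[1:]]


def all_match_drop_pattern(names: List[str]) -> bool:
    """True when every name fits the six-letters-plus-32.exe pattern seen here."""
    return all(DROP_NAME_RE.fullmatch(name) is not None for name in names)


if __name__ == "__main__":
    chain, last_pid = build_chain(parse_rows(SAMPLE_ROWS))
    for pid, img in chain:
        print(f"{pid:>5}  {img}")
    print(f"{last_pid:>5}  (last target; image not in these rows)")
    print("dropped:", dropped_images(chain), "pattern:", all_match_drop_pattern(dropped_images(chain)))
```

Feeding the full 64-row table from this page through `parse_rows` yields 22 unique links and a 22-hop chain ending at PID 1152; the list `dropped_images` returns is the set of file names to search for on other hosts, and the name check gives a quick way to notice when a later sample of the family changes its naming scheme.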
Processes
-
Each entry gives the nesting depth (every process is the child of the one above it), the image path, the PID and the signatures it triggered. From depth 2 down every image is dropped into C:\Windows\SysWOW64\ and launched with the command line C:\Windows\system32\<name>; the system32 reference resolves to SysWOW64 because these are 32-bit processes subject to WOW64 file-system redirection.
1. C:\Users\Admin\AppData\Local\Temp\28032d876050069a0df2705e1e2e6e0419a6b49321a2c73f1bc815663e6efc21N.exe (PID 2648), command line "C:\Users\Admin\AppData\Local\Temp\28032d876050069a0df2705e1e2e6e0419a6b49321a2c73f1bc815663e6efc21N.exe": System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Jicija32.exe (PID 3336): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Jpnagl32.exe (PID 868): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Kblmcg32.exe (PID 1968): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kejipb32.exe (PID 228): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Khifln32.exe (PID 3756): Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kppnmk32.exe (PID 4824): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Kbnjig32.exe (PID 3612): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Khkban32.exe (PID 2344): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Kpbjbk32.exe (PID 440): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Kcqgnfbe.exe (PID 4964): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Keocjbai.exe (PID 2900): Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Khmogmal.exe (PID 4024): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Kpdghkao.exe (PID 1520): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Kafcpc32.exe (PID 2480): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Kimlqp32.exe (PID 372): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Kpgdmjpl.exe (PID 4436): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Kahpebej.exe (PID 3208): Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Kedlea32.exe (PID 4548): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Klndbkep.exe (PID 4760): Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Lajmkbcg.exe (PID 1580): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Lhdegl32.exe (PID 1312): Executes dropped EXE; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Llpahkcm.exe (PID 1152): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
24. C:\Windows\SysWOW64\Lonndfba.exe (PID 880): Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
25. C:\Windows\SysWOW64\Lamjpbae.exe (PID 4040): Executes dropped EXE; Modifies registry class
26. C:\Windows\SysWOW64\Lidbao32.exe (PID 4200): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
27. C:\Windows\SysWOW64\Lpnjniid.exe (PID 4600): Executes dropped EXE; Modifies registry class
28. C:\Windows\SysWOW64\Laoffa32.exe (PID 2392): Executes dropped EXE; Modifies registry class
29. C:\Windows\SysWOW64\Ljfogo32.exe (PID 2324): Executes dropped EXE
30. C:\Windows\SysWOW64\Lhioblgo.exe (PID 5056): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
31. C:\Windows\SysWOW64\Laacka32.exe (PID 2680): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
32. C:\Windows\SysWOW64\Loeceeli.exe (PID 4844): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
33. C:\Windows\SysWOW64\Ladpaakm.exe (PID 3236): Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
34. C:\Windows\SysWOW64\Ljkhbnlo.exe (PID 1888): Executes dropped EXE
35. C:\Windows\SysWOW64\Lhnhnk32.exe (PID 3580): Executes dropped EXE; System Location Discovery: System Language Discovery
36. C:\Windows\SysWOW64\Mohpjejf.exe (PID 1324): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
37. C:\Windows\SysWOW64\Mafmfqij.exe (PID 4392): Executes dropped EXE
38. C:\Windows\SysWOW64\Mfbigo32.exe (PID 2348): Executes dropped EXE; Modifies registry class
39. C:\Windows\SysWOW64\Mhpeckqg.exe (PID 4032): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
40. C:\Windows\SysWOW64\Mpgmdhai.exe (PID 1896): Executes dropped EXE; Modifies registry class
41. C:\Windows\SysWOW64\Mcfipcpm.exe (PID 4256): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
42. C:\Windows\SysWOW64\Mbhilp32.exe (PID 4100): Executes dropped EXE
43. C:\Windows\SysWOW64\Mjpamn32.exe (PID 4444): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
44. C:\Windows\SysWOW64\Mhbaijod.exe (PID 2544): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
45. C:\Windows\SysWOW64\Mpjijhof.exe (PID 1080): Executes dropped EXE; Drops file in System32 directory
46. C:\Windows\SysWOW64\Mchffcnj.exe (PID 2984): Executes dropped EXE; System Location Discovery: System Language Discovery
47. C:\Windows\SysWOW64\Mbkfap32.exe (PID 4580): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
48. C:\Windows\SysWOW64\Mjbnbm32.exe (PID 2740): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
49. C:\Windows\SysWOW64\Mplfog32.exe (PID 3816): Executes dropped EXE; System Location Discovery: System Language Discovery
50. C:\Windows\SysWOW64\Moofkddo.exe (PID 2700): Executes dropped EXE; Modifies registry class
51. C:\Windows\SysWOW64\Mbmcgpcb.exe (PID 4472): Executes dropped EXE
52. C:\Windows\SysWOW64\Mjdkhmcd.exe (PID 756): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
53. C:\Windows\SysWOW64\Mhgkdj32.exe (PID 3904): Executes dropped EXE
54. C:\Windows\SysWOW64\Moacqdbl.exe (PID 336): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
55. C:\Windows\SysWOW64\Mbppmoap.exe (PID 3424): Executes dropped EXE; System Location Discovery: System Language Discovery
56. C:\Windows\SysWOW64\Mfkkmn32.exe (PID 2024): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
57. C:\Windows\SysWOW64\Mhihii32.exe (PID 4616): Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
58. C:\Windows\SysWOW64\Nqqpjgio.exe (PID 2976): Executes dropped EXE; Modifies registry class
59. C:\Windows\SysWOW64\Nocpfc32.exe (PID 2384): Executes dropped EXE; System Location Discovery: System Language Discovery
60. C:\Windows\SysWOW64\Nfnhbngf.exe (PID 3340): Executes dropped EXE
61. C:\Windows\SysWOW64\Nhldoifj.exe (PID 4876): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
62. C:\Windows\SysWOW64\Nqclpfgl.exe (PID 4084): Executes dropped EXE
63. C:\Windows\SysWOW64\Ncailbfp.exe (PID 212): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
64. C:\Windows\SysWOW64\Nfpehmec.exe (PID 696): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
65. C:\Windows\SysWOW64\Nmjmeg32.exe (PID 3144): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
66. C:\Windows\SysWOW64\Nohiacld.exe (PID 1468): Modifies registry class
67. C:\Windows\SysWOW64\Nfbanm32.exe (PID 2028): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
68. C:\Windows\SysWOW64\Njnnnllj.exe (PID 2160): Modifies registry class
69. C:\Windows\SysWOW64\Nqhfkf32.exe (PID 4336): System Location Discovery: System Language Discovery
70. C:\Windows\SysWOW64\Nbibcnie.exe (PID 4900): System Location Discovery: System Language Discovery; Modifies registry class
71. C:\Windows\SysWOW64\Njpjdkig.exe (PID 4492): Drops file in System32 directory; System Location Discovery: System Language Discovery
72. C:\Windows\SysWOW64\Nomclbho.exe (PID 4700): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
73. C:\Windows\SysWOW64\Nfgkilok.exe (PID 4704): Drops file in System32 directory
74. C:\Windows\SysWOW64\Oqlofeoa.exe (PID 4564): Adds autorun key to be loaded by Explorer.exe on startup
75. C:\Windows\SysWOW64\Obnlnm32.exe (PID 5048): Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
76. C:\Windows\SysWOW64\Ojecok32.exe (PID 2356): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
77. C:\Windows\SysWOW64\Omcpkf32.exe (PID 3940): System Location Discovery: System Language Discovery
78. C:\Windows\SysWOW64\Ooalga32.exe (PID 1064): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
79. C:\Windows\SysWOW64\Obphcm32.exe (PID 220): Adds autorun key to be loaded by Explorer.exe on startup
80. C:\Windows\SysWOW64\Oijqpg32.exe (PID 1696): System Location Discovery: System Language Discovery
81. C:\Windows\SysWOW64\Oqaiad32.exe (PID 4328): Drops file in System32 directory
82. C:\Windows\SysWOW64\Ocpemp32.exe (PID 5064): no signatures triggered
83. C:\Windows\SysWOW64\Ojimjjal.exe (PID 408): Drops file in System32 directory
84. C:\Windows\SysWOW64\Omhifeqp.exe (PID 1380): Modifies registry class
85. C:\Windows\SysWOW64\Opfebqpd.exe (PID 1240): System Location Discovery: System Language Discovery
86. C:\Windows\SysWOW64\Ojljpi32.exe (PID 3624): no signatures triggered
87. C:\Windows\SysWOW64\Omjfle32.exe (PID 4968): Adds autorun key to be loaded by Explorer.exe on startup
88. C:\Windows\SysWOW64\Opibhq32.exe (PID 4296): Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
89. C:\Windows\SysWOW64\Ofbjdken.exe (PID 432): Drops file in System32 directory; Modifies registry class
90. C:\Windows\SysWOW64\Piagafda.exe (PID 3132): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery; Modifies registry class
91. C:\Windows\SysWOW64\Pmmcad32.exe (PID 2472): no signatures triggered
92. C:\Windows\SysWOW64\Ppkonp32.exe (PID 912): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
93. C:\Windows\SysWOW64\Pcfknodh.exe (PID 4280): System Location Discovery: System Language Discovery
94. C:\Windows\SysWOW64\Pfegjjck.exe (PID 2000): System Location Discovery: System Language Discovery
95. C:\Windows\SysWOW64\Pjqckikd.exe (PID 844): no signatures triggered
96. C:\Windows\SysWOW64\Pmopgdjh.exe (PID 4384): Adds autorun key to be loaded by Explorer.exe on startup
97. C:\Windows\SysWOW64\Pajkgc32.exe (PID 612): Drops file in System32 directory; System Location Discovery: System Language Discovery
98. C:\Windows\SysWOW64\Ppmlcpil.exe (PID 1444): no signatures triggered
99. C:\Windows\SysWOW64\Pblhokip.exe (PID 1252): Drops file in System32 directory
100. C:\Windows\SysWOW64\Pfgdpj32.exe (PID 5032): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
101. C:\Windows\SysWOW64\Pifple32.exe (PID 3412): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery; Modifies registry class
102. C:\Windows\SysWOW64\Pamhmb32.exe (PID 1620): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
103. C:\Windows\SysWOW64\Pckdin32.exe (PID 996): no signatures triggered
104. C:\Windows\SysWOW64\Pihmae32.exe (PID 2540): no signatures triggered
105. C:\Windows\SysWOW64\Pcnaonnp.exe (PID 4796): no signatures triggered
106. C:\Windows\SysWOW64\Pjgikh32.exe (PID 3776): Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
107. C:\Windows\SysWOW64\Pmfegc32.exe (PID 5156): Modifies registry class
108. C:\Windows\SysWOW64\Ppdbdo32.exe (PID 5212): no signatures triggered
109. C:\Windows\SysWOW64\Pfnjqikq.exe (PID 5272): Drops file in System32 directory; Modifies registry class
110. C:\Windows\SysWOW64\Qimfmdjd.exe (PID 5328): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
111. C:\Windows\SysWOW64\Qadnna32.exe (PID 5392): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
112. C:\Windows\SysWOW64\Qpgoinaa.exe (PID 5436): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
113. C:\Windows\SysWOW64\Qcbjjm32.exe (PID 5480): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
114. C:\Windows\SysWOW64\Qfqgfh32.exe (PID 5524): System Location Discovery: System Language Discovery
115. C:\Windows\SysWOW64\Qjlcfgag.exe (PID 5600): Modifies registry class
116. C:\Windows\SysWOW64\Qmkobbpk.exe (PID 5684): Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Qafkca32.exe (PID 5736): Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Qpikonoo.exe (PID 5780): no signatures triggered
119. C:\Windows\SysWOW64\Qbggkiob.exe (PID 5812): Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Afcclh32.exe (PID 5868): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
121. C:\Windows\SysWOW64\Aiaphc32.exe (PID 5912): Adds autorun key to be loaded by Explorer.exe on startup
122. C:\Windows\SysWOW64\Aahhia32.exe (PID 5956): Modifies registry class