Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 16:46
Static task
static1
Behavioral task
behavioral1
Sample
804c965d367ac52f14c32155ff5a7617091165bb2b4ae9d962345c804bc35db7.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
804c965d367ac52f14c32155ff5a7617091165bb2b4ae9d962345c804bc35db7.exe
Resource
win10v2004-20241007-en
General
-
Target
804c965d367ac52f14c32155ff5a7617091165bb2b4ae9d962345c804bc35db7.exe
-
Size
89KB
-
MD5
a09d1b978872c276bff088615102465d
-
SHA1
799dacce742ddd21ae7b1efac55e1fb35f50ad43
-
SHA256
804c965d367ac52f14c32155ff5a7617091165bb2b4ae9d962345c804bc35db7
-
SHA512
782c004fecab4483f1f9bf79ae11fd75b34439b0d59ccf45229d2382e056c39fc8064b01cccda94b958de4a0ceb7758c4434c614cb6e5e56300dc2ccfebc0bef
-
SSDEEP
1536:Agc/l50QbMlHQ1LxTDBMHs/YAglVjhjSVq+QLoBlSoV0s2RQwD68a+VMKKTRVGFL:AgEfbMpmLxTDBAMY9lxhj6q+1QoKs2ek
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Plbmokop.exeBhamkipi.exeOjdnid32.exeJgkmgk32.exeOgekbb32.exePjpobg32.exeGhkeio32.exeFbhpch32.exeOmqmop32.exePhfcipoo.exeCaojpaij.exeChiblk32.exeOhghgodi.exeFjjnifbl.exeCkeimm32.exeGnqfcbnj.exeDhikci32.exeKkhpdcab.exePakllc32.exeAeddnp32.exeNgjbaj32.exeBfngdn32.exeEcefqnel.exeQodeajbg.exeGaebef32.exeCmdfgm32.exeCpeohh32.exeGjfnedho.exeApmhiq32.exeIcfekc32.exePhodcg32.exeGlfmgp32.exeHpioin32.exeKofkbk32.exeInebjihf.exeEjbbmnnb.exeLgkpdcmi.exeCioilg32.exeNmgjia32.exeDmpfbk32.exeIphioh32.exeFnipbc32.exeKlahfp32.exeFacqkg32.exeMjneln32.exeCbphdn32.exeBnoddcef.exeNcchae32.exeCocjiehd.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plbmokop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhamkipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgkmgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogekbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghkeio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omqmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phfcipoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chiblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohghgodi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjnifbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckeimm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhikci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkhpdcab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pakllc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeddnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngjbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfngdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecefqnel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gaebef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmdfgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpeohh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjfnedho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apmhiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icfekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glfmgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kofkbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inebjihf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejbbmnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgkpdcmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cioilg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmgjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmpfbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fnipbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Facqkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjneln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbphdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnoddcef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncchae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocjiehd.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Jfgdkd32.exeJieagojp.exeKppici32.exeKbnepe32.exeKihnmohm.exeKlfjijgq.exeKpbfii32.exeKflnfcgg.exeKlifnj32.exeKngcje32.exeKhpgckkb.exeKpgodhkd.exeKbekqdjh.exeKhbdikip.exeKpiljh32.exeKbghfc32.exeKefdbo32.exeLhdqnj32.exeLpkiph32.exeLpneegel.exeLejnmncd.exeLocbfd32.exeLfjjga32.exeLhkgoiqe.exeLbqklb32.exeLeoghn32.exeLlipehgk.exeLbchba32.exeLfodbqfa.exeMpghkf32.exeMojhgbdl.exeMedqcmki.exeMlnipg32.exeMbhamajc.exeMefmimif.exeMplafeil.exeMbjnbqhp.exeMhgfkg32.exeMlbbkfoq.exeMblkhq32.exeMfhfhong.exeMbognp32.exeNemcjk32.exeNhlpfgbb.exeNeppokal.exeNlihle32.exeNohehq32.exeNbcqiope.exeNiniei32.exeNhpiafnm.exeNojanpej.exeNedjjj32.exeNlnbgddc.exeNchjdo32.exeNibbqicm.exeNlqomd32.exeOgfcjm32.exeOlckbd32.exeOpogbbig.exeOoagno32.exeOghppm32.exeOekpkigo.exeOhjlgefb.exeOlehhc32.exepid Process 4984 Jfgdkd32.exe 1204 Jieagojp.exe 2136 Kppici32.exe 4584 Kbnepe32.exe 4992 Kihnmohm.exe 4652 Klfjijgq.exe 2860 Kpbfii32.exe 1016 Kflnfcgg.exe 1668 Klifnj32.exe 3200 Kngcje32.exe 2832 Khpgckkb.exe 4444 Kpgodhkd.exe 4544 Kbekqdjh.exe 2012 Khbdikip.exe 4988 Kpiljh32.exe 592 Kbghfc32.exe 4812 Kefdbo32.exe 736 Lhdqnj32.exe 4704 Lpkiph32.exe 3224 Lpneegel.exe 3280 Lejnmncd.exe 3952 Locbfd32.exe 2712 Lfjjga32.exe 3096 Lhkgoiqe.exe 3044 Lbqklb32.exe 2024 Leoghn32.exe 2228 Llipehgk.exe 1816 Lbchba32.exe 3356 Lfodbqfa.exe 1756 Mpghkf32.exe 3756 Mojhgbdl.exe 1212 Medqcmki.exe 2348 Mlnipg32.exe 2896 Mbhamajc.exe 2844 Mefmimif.exe 5032 Mplafeil.exe 3896 Mbjnbqhp.exe 3172 Mhgfkg32.exe 1620 Mlbbkfoq.exe 1076 Mblkhq32.exe 3156 Mfhfhong.exe 2512 Mbognp32.exe 3452 Nemcjk32.exe 2224 Nhlpfgbb.exe 708 Neppokal.exe 4844 Nlihle32.exe 5012 Nohehq32.exe 3604 Nbcqiope.exe 3128 Niniei32.exe 3012 Nhpiafnm.exe 4176 Nojanpej.exe 4940 Nedjjj32.exe 1320 Nlnbgddc.exe 3828 Nchjdo32.exe 1904 Nibbqicm.exe 1468 Nlqomd32.exe 1144 Ogfcjm32.exe 452 Olckbd32.exe 4676 Opogbbig.exe 3484 Ooagno32.exe 3592 Oghppm32.exe 1064 Oekpkigo.exe 3652 Ohjlgefb.exe 4236 Olehhc32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Dfnbgc32.exeGmafajfi.exeFajbjh32.exeBphgeo32.exeLeoghn32.exeKkcfid32.exeNiooqcad.exeAlqjpi32.exeEiloco32.exeAdndoe32.exeEnmjlojd.exeQqffjo32.exeHpmpnp32.exeEokqkh32.exeHjchaf32.exeLbinam32.exeMeamcg32.exeNmnqjp32.exeHaoimcgg.exeMhdckaeo.exeLgcjdd32.exeBokehc32.exeKfpcoefj.exeGphphj32.exeCglgjeci.exeNhpbfpka.exeOpogbbig.exeIhnkel32.exeDpphjp32.exeKjepjkhf.exeLfodbqfa.exeMhafeb32.exeCmflbf32.exeKqnbkl32.exeFnipbc32.exeKlhnfo32.exeGnpphljo.exeNgndaccj.exeBkibgh32.exeKinmcg32.exeMbgjbkfg.exePcmeke32.exeCfkmkf32.exeFijkdmhn.exeNojanpej.exeCgqlcg32.exedescription ioc Process File created C:\Windows\SysWOW64\Npdpachh.dll Dfnbgc32.exe File opened for modification C:\Windows\SysWOW64\Gppcmeem.exe Gmafajfi.exe File opened for modification C:\Windows\SysWOW64\Feenjgfq.exe Fajbjh32.exe File opened for modification C:\Windows\SysWOW64\Bddcenpi.exe Bphgeo32.exe File created C:\Windows\SysWOW64\Llipehgk.exe Leoghn32.exe File opened for modification C:\Windows\SysWOW64\Knbbep32.exe Kkcfid32.exe File created C:\Windows\SysWOW64\Hpopgneq.dll Niooqcad.exe File opened for modification C:\Windows\SysWOW64\Aanbhp32.exe Alqjpi32.exe File created C:\Windows\SysWOW64\Bjqlnnkp.dll Eiloco32.exe File created C:\Windows\SysWOW64\Icajjnkn.dll File created C:\Windows\SysWOW64\Lpamfo32.dll Adndoe32.exe File created C:\Windows\SysWOW64\Edgbii32.exe Enmjlojd.exe File opened for modification C:\Windows\SysWOW64\Hnmeodjc.exe File created C:\Windows\SysWOW64\Emekpbca.dll Qqffjo32.exe File created C:\Windows\SysWOW64\Hgghjjid.exe Hpmpnp32.exe File created C:\Windows\SysWOW64\Nkopekaa.dll Eokqkh32.exe File created C:\Windows\SysWOW64\Jjfaml32.dll File opened for modification C:\Windows\SysWOW64\Hpmpnp32.exe Hjchaf32.exe File opened for modification C:\Windows\SysWOW64\Lalnmiia.exe Lbinam32.exe File created C:\Windows\SysWOW64\Mjneln32.exe Meamcg32.exe File created C:\Windows\SysWOW64\Mlmadjhb.dll File created C:\Windows\SysWOW64\Aldjigql.dll File created C:\Windows\SysWOW64\Cdbijb32.dll Nmnqjp32.exe File opened for modification C:\Windows\SysWOW64\Fglnkm32.exe File opened for modification C:\Windows\SysWOW64\Hdmein32.exe Haoimcgg.exe File opened for modification C:\Windows\SysWOW64\Mnnkgl32.exe Mhdckaeo.exe File created C:\Windows\SysWOW64\Hqdkkp32.exe File created C:\Windows\SysWOW64\Hpmpnp32.exe Hjchaf32.exe File opened for modification C:\Windows\SysWOW64\Ljbfpo32.exe Lgcjdd32.exe File created C:\Windows\SysWOW64\Ihaidhgf.exe File created C:\Windows\SysWOW64\Inbhocbm.dll Bokehc32.exe File opened for modification C:\Windows\SysWOW64\Kjlopc32.exe Kfpcoefj.exe File opened for modification C:\Windows\SysWOW64\Hqdkkp32.exe File opened for modification C:\Windows\SysWOW64\Pfppoa32.exe File created C:\Windows\SysWOW64\Qgklej32.dll Haoimcgg.exe File opened for modification C:\Windows\SysWOW64\Gbfldf32.exe Gphphj32.exe File created C:\Windows\SysWOW64\Nijmbbnl.dll File opened for modification C:\Windows\SysWOW64\Cjjcfabm.exe Cglgjeci.exe File created C:\Windows\SysWOW64\Nknobkje.exe Nhpbfpka.exe File created C:\Windows\SysWOW64\Aafjpc32.dll File created C:\Windows\SysWOW64\Hmimkinm.dll Opogbbig.exe File created C:\Windows\SysWOW64\Iklgah32.exe Ihnkel32.exe File created C:\Windows\SysWOW64\Dfjpfj32.exe Dpphjp32.exe File created C:\Windows\SysWOW64\Inmabofh.dll Kjepjkhf.exe File opened for modification C:\Windows\SysWOW64\Apeknk32.exe File created C:\Windows\SysWOW64\Jdaaqg32.dll File created C:\Windows\SysWOW64\Ikaqhj32.dll Lfodbqfa.exe File opened for modification C:\Windows\SysWOW64\Mbgjbkfg.exe Mhafeb32.exe File opened for modification C:\Windows\SysWOW64\Ckilmcgb.exe Cmflbf32.exe File opened for modification C:\Windows\SysWOW64\Mkocol32.exe File created C:\Windows\SysWOW64\Logooemi.dll Kqnbkl32.exe File created C:\Windows\SysWOW64\Ffqhcq32.exe Fnipbc32.exe File created C:\Windows\SysWOW64\Kofkbk32.exe Klhnfo32.exe File opened for modification C:\Windows\SysWOW64\Ganldgib.exe Gnpphljo.exe File created C:\Windows\SysWOW64\Njmqnobn.exe Ngndaccj.exe File created C:\Windows\SysWOW64\Bmhocd32.exe Bkibgh32.exe File created C:\Windows\SysWOW64\Feenjgfq.exe Fajbjh32.exe File created C:\Windows\SysWOW64\Hijjli32.dll Kinmcg32.exe File created C:\Windows\SysWOW64\Mhdckaeo.exe Mbgjbkfg.exe File created C:\Windows\SysWOW64\Pekbga32.exe Pcmeke32.exe File opened for modification C:\Windows\SysWOW64\Cleegp32.exe Cfkmkf32.exe File created C:\Windows\SysWOW64\Fligqhga.exe Fijkdmhn.exe File created C:\Windows\SysWOW64\Menbeg32.dll Nojanpej.exe File created C:\Windows\SysWOW64\Oblknjim.dll Cgqlcg32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Pdfehh32.exeEbfign32.exeLjgpkonp.exeHiipmhmk.exeLeoghn32.exeKofkbk32.exeCpfcfmlp.exeFkkeclfh.exeKlcekpdo.exeMcelpggq.exeMbhamajc.exePhelcc32.exeAqmlknnd.exeGnhnaf32.exeKageaj32.exeMcpcdg32.exeEgohdegl.exeFeqeog32.exeHpiecd32.exeIlnbicff.exeKfpcoefj.exeCnindhpg.exeEofgpikj.exeEhndnh32.exeHiacacpg.exeMojhgbdl.exeHifcgion.exeJleijb32.exeModgdicm.exeAhfmpnql.exeKppici32.exePpamophb.exeOohgdhfn.exePakllc32.exeBlnoga32.exePjdpelnc.exeLfjjga32.exeJcgnbaeo.exeOpqofe32.exeOeoblb32.exeMqkiok32.exeIdfaefkd.exeQmhlgmmm.exeQlimed32.exeMfnoqc32.exeApjkcadp.exeCfcqpa32.exeGgilil32.exeGphphj32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljgpkonp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiipmhmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leoghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofkbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfcfmlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkeclfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcekpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcelpggq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhamajc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phelcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqmlknnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnhnaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kageaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egohdegl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feqeog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpiecd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnbicff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpcoefj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnindhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eofgpikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehndnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiacacpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mojhgbdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifcgion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jleijb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modgdicm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfmpnql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppici32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppamophb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oohgdhfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pakllc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blnoga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdpelnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcgnbaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeoblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqkiok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idfaefkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhlgmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlimed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfnoqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjkcadp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcqpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggilil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphphj32.exe -
Modifies registry class 64 IoCs
Processes:
Bjcmebie.exeAhqddk32.exeJgbchj32.exeMbighjdd.exeOdoogi32.exeAonoao32.exeKbghfc32.exeOenlqi32.exeAfnnnd32.exeLjgpkonp.exePolppg32.exePajeam32.exeImgicgca.exeJphkkpbp.exeDpphjp32.exeBffcpg32.exeFbbicl32.exeDhikci32.exeJifecp32.exeKppici32.exeOpogbbig.exeOhnohn32.exeHfjdqmng.exeNqmfdj32.exeNcqlkemc.exeBfqkddfd.exeBhoqeibl.exeAkepfpcl.exeGojiiafp.exeOpqofe32.exeHjchaf32.exeFpkibf32.exeKjepjkhf.exeMnkggfkb.exeOmqmop32.exeEbdcld32.exeEiekog32.exeOebflhaf.exeAmodep32.exeJjamia32.exeEiieicml.exeIphioh32.exeLjhefhha.exe804c965d367ac52f14c32155ff5a7617091165bb2b4ae9d962345c804bc35db7.exeOaompd32.exeHdokdg32.exeMadjhb32.exeGehbjm32.exeIlphdlqh.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjcmebie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfinqm32.dll" Ahqddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgbchj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgaff32.dll" Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbghfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajdegod.dll" Oenlqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afnnnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpkgebb.dll" Ljgpkonp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Polppg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgfga32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pajeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Imgicgca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jphkkpbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpphjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paoinm32.dll" Fbbicl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkdeeod.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhikci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiacog32.dll" Jifecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kppici32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmimkinm.dll" Opogbbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohnohn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfjdqmng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjpeo32.dll" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncqlkemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bfqkddfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfcnkn32.dll" Bhoqeibl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akepfpcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Opqofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjchaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Akepfpcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fpkibf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnqimah.dll" Omqmop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebdcld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiekog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oebflhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgdlndji.dll" Amodep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapmipen.dll" Jjamia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eiieicml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljhefhha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} 804c965d367ac52f14c32155ff5a7617091165bb2b4ae9d962345c804bc35db7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oaompd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgpqgeo.dll" Madjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gehbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pboglh32.dll" Ilphdlqh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
804c965d367ac52f14c32155ff5a7617091165bb2b4ae9d962345c804bc35db7.exeJfgdkd32.exeJieagojp.exeKppici32.exeKbnepe32.exeKihnmohm.exeKlfjijgq.exeKpbfii32.exeKflnfcgg.exeKlifnj32.exeKngcje32.exeKhpgckkb.exeKpgodhkd.exeKbekqdjh.exeKhbdikip.exeKpiljh32.exeKbghfc32.exeKefdbo32.exeLhdqnj32.exeLpkiph32.exeLpneegel.exeLejnmncd.exedescription pid Process procid_target PID 5108 wrote to memory of 4984 5108 804c965d367ac52f14c32155ff5a7617091165bb2b4ae9d962345c804bc35db7.exe 83 PID 5108 wrote to memory of 4984 5108 804c965d367ac52f14c32155ff5a7617091165bb2b4ae9d962345c804bc35db7.exe 83 PID 5108 wrote to memory of 4984 5108 804c965d367ac52f14c32155ff5a7617091165bb2b4ae9d962345c804bc35db7.exe 83 PID 4984 wrote to memory of 1204 4984 Jfgdkd32.exe 84 PID 4984 wrote to memory of 1204 4984 Jfgdkd32.exe 84 PID 4984 wrote to memory of 1204 4984 Jfgdkd32.exe 84 PID 1204 wrote to memory of 2136 1204 Jieagojp.exe 85 PID 1204 wrote to memory of 2136 1204 Jieagojp.exe 85 PID 1204 wrote to memory of 2136 1204 Jieagojp.exe 85 PID 2136 wrote to memory of 4584 2136 Kppici32.exe 86 PID 2136 wrote to memory of 4584 2136 Kppici32.exe 86 PID 2136 wrote to memory of 4584 2136 Kppici32.exe 86 PID 4584 wrote to memory of 4992 4584 Kbnepe32.exe 87 PID 4584 wrote to memory of 4992 4584 Kbnepe32.exe 87 PID 4584 wrote to memory of 4992 4584 Kbnepe32.exe 87 PID 4992 wrote to memory of 4652 4992 Kihnmohm.exe 88 PID 4992 wrote to memory of 4652 4992 Kihnmohm.exe 88 PID 4992 wrote to memory of 4652 4992 Kihnmohm.exe 88 PID 4652 wrote to memory of 2860 4652 Klfjijgq.exe 89 PID 4652 wrote to memory of 2860 4652 Klfjijgq.exe 89 PID 4652 wrote to memory of 2860 4652 Klfjijgq.exe 89 PID 2860 wrote to memory of 1016 2860 Kpbfii32.exe 90 PID 2860 wrote to memory of 1016 2860 Kpbfii32.exe 90 PID 2860 wrote to memory of 1016 2860 Kpbfii32.exe 90 PID 1016 wrote to memory of 1668 1016 Kflnfcgg.exe 91 PID 1016 wrote to memory of 1668 1016 Kflnfcgg.exe 91 PID 1016 wrote to memory of 1668 1016 Kflnfcgg.exe 91 PID 1668 wrote to memory of 3200 1668 Klifnj32.exe 92 PID 1668 wrote to memory of 3200 1668 Klifnj32.exe 92 PID 1668 wrote to memory of 3200 1668 Klifnj32.exe 92 PID 3200 wrote to memory of 2832 3200 Kngcje32.exe 93 PID 3200 wrote to memory of 2832 3200 Kngcje32.exe 93 PID 3200 wrote to memory of 2832 3200 Kngcje32.exe 93 PID 2832 wrote to memory of 4444 2832 Khpgckkb.exe 94 PID 2832 wrote to memory of 4444 2832 Khpgckkb.exe 94 PID 2832 wrote to memory of 4444 2832 Khpgckkb.exe 94 PID 4444 wrote to memory of 4544 4444 Kpgodhkd.exe 96 PID 4444 wrote to memory of 4544 4444 Kpgodhkd.exe 96 PID 4444 wrote to memory of 4544 4444 Kpgodhkd.exe 96 PID 4544 wrote to memory of 2012 4544 Kbekqdjh.exe 97 PID 4544 wrote to memory of 2012 4544 Kbekqdjh.exe 97 PID 4544 wrote to memory of 2012 4544 Kbekqdjh.exe 97 PID 2012 wrote to memory of 4988 2012 Khbdikip.exe 98 PID 2012 wrote to memory of 4988 2012 Khbdikip.exe 98 PID 2012 wrote to memory of 4988 2012 Khbdikip.exe 98 PID 4988 wrote to memory of 592 4988 Kpiljh32.exe 99 PID 4988 wrote to memory of 592 4988 Kpiljh32.exe 99 PID 4988 wrote to memory of 592 4988 Kpiljh32.exe 99 PID 592 wrote to memory of 4812 592 Kbghfc32.exe 100 PID 592 wrote to memory of 4812 592 Kbghfc32.exe 100 PID 592 wrote to memory of 4812 592 Kbghfc32.exe 100 PID 4812 wrote to memory of 736 4812 Kefdbo32.exe 101 PID 4812 wrote to memory of 736 4812 Kefdbo32.exe 101 PID 4812 wrote to memory of 736 4812 Kefdbo32.exe 101 PID 736 wrote to memory of 4704 736 Lhdqnj32.exe 102 PID 736 wrote to memory of 4704 736 Lhdqnj32.exe 102 PID 736 wrote to memory of 4704 736 Lhdqnj32.exe 102 PID 4704 wrote to memory of 3224 4704 Lpkiph32.exe 105 PID 4704 wrote to memory of 3224 4704 Lpkiph32.exe 105 PID 4704 wrote to memory of 3224 4704 Lpkiph32.exe 105 PID 3224 wrote to memory of 3280 3224 Lpneegel.exe 106 PID 3224 wrote to memory of 3280 3224 Lpneegel.exe 106 PID 3224 wrote to memory of 3280 3224 Lpneegel.exe 106 PID 3280 wrote to memory of 3952 3280 Lejnmncd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\804c965d367ac52f14c32155ff5a7617091165bb2b4ae9d962345c804bc35db7.exe"C:\Users\Admin\AppData\Local\Temp\804c965d367ac52f14c32155ff5a7617091165bb2b4ae9d962345c804bc35db7.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe23⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe25⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe26⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe28⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe29⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3356 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe31⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe33⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe34⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe36⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe37⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe38⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe39⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe40⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe41⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe42⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe43⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe44⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe45⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe46⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe47⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe48⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe49⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe50⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe51⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4176 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe53⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe54⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe55⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe56⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe57⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe58⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe59⤵PID:1280
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe60⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4676 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe62⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe63⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe64⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe65⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe66⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe67⤵PID:4024
-
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe68⤵PID:2560
-
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe69⤵PID:3108
-
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe70⤵
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe71⤵PID:1940
-
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe72⤵PID:4052
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe73⤵PID:5008
-
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe74⤵PID:2904
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe75⤵PID:2424
-
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe76⤵PID:4064
-
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe77⤵PID:848
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe78⤵PID:2744
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe79⤵PID:4948
-
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe80⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe81⤵PID:856
-
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe82⤵PID:1588
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe83⤵PID:3708
-
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe84⤵PID:1644
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4160 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe86⤵PID:2664
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe87⤵PID:3628
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe88⤵PID:3516
-
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe89⤵
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe90⤵PID:2760
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe91⤵PID:1368
-
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe92⤵PID:4464
-
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe93⤵PID:4952
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe94⤵PID:4076
-
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe95⤵PID:1192
-
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe96⤵PID:3320
-
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe97⤵
- System Location Discovery: System Language Discovery
PID:3684 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe98⤵PID:2040
-
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe99⤵PID:5156
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe100⤵
- Drops file in System32 directory
PID:5200 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe101⤵PID:5248
-
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe102⤵PID:5292
-
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe103⤵PID:5336
-
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe104⤵PID:5380
-
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe105⤵
- Modifies registry class
PID:5424 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe106⤵PID:5472
-
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe107⤵PID:5516
-
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe108⤵
- System Location Discovery: System Language Discovery
PID:5564 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe109⤵PID:5608
-
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe110⤵PID:5660
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe111⤵PID:5712
-
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe112⤵PID:5764
-
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe113⤵PID:5816
-
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe114⤵PID:5864
-
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe115⤵PID:5928
-
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe116⤵PID:5988
-
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe117⤵PID:6036
-
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe118⤵
- Modifies registry class
PID:6080 -
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe119⤵PID:5140
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe120⤵PID:5264
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe121⤵PID:5344
-
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe122⤵PID:5412
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-