Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2024 23:28
Static task: static1
Behavioral task: behavioral1
Sample: 6a0311375ae9d59a50b588fb799d6e8ceceb3de7016af5afcc9c8ba238530456.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 6a0311375ae9d59a50b588fb799d6e8ceceb3de7016af5afcc9c8ba238530456.exe
Resource: win10v2004-20241007-en
General
Target: 6a0311375ae9d59a50b588fb799d6e8ceceb3de7016af5afcc9c8ba238530456.exe
Size: 92KB
MD5: a228b7bd8e8dd2bacc846bc0498780fa
SHA1: ac3b775aa0a389012e348adaaa88b3dc17b63bc0
SHA256: 6a0311375ae9d59a50b588fb799d6e8ceceb3de7016af5afcc9c8ba238530456
SHA512: 262ce2078516b2b0b1fecb0422b8b984bd43386c0e261d0c39dbf6790784dcadb557c5b4f2012f85b6ccf7b965cb244f33a6393440da7a985abe416ee3af0e39
SSDEEP: 1536:BqI7ZWurXsEiGP1OQFGsiqRQq9nIfqitYNQQgyoORXnKQrUoR24HsUc:BmurXviaPTiFzfqitYWKoH6THsB
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2032 wrote to memory of 2716 2032 6a0311375ae9d59a50b588fb799d6e8ceceb3de7016af5afcc9c8ba238530456.exe 30
PID 2032 wrote to memory of 2716 2032 6a0311375ae9d59a50b588fb799d6e8ceceb3de7016af5afcc9c8ba238530456.exe 30
PID 2032 wrote to memory of 2716 2032 6a0311375ae9d59a50b588fb799d6e8ceceb3de7016af5afcc9c8ba238530456.exe 30
PID 2032 wrote to memory of 2716 2032 6a0311375ae9d59a50b588fb799d6e8ceceb3de7016af5afcc9c8ba238530456.exe 30
PID 2716 wrote to memory of 2728 2716 Iifghk32.exe 31
PID 2716 wrote to memory of 2728 2716 Iifghk32.exe 31
PID 2716 wrote to memory of 2728 2716 Iifghk32.exe 31
PID 2716 wrote to memory of 2728 2716 Iifghk32.exe 31
PID 2728 wrote to memory of 2612 2728 Jkdcdf32.exe 32
PID 2728 wrote to memory of 2612 2728 Jkdcdf32.exe 32
PID 2728 wrote to memory of 2612 2728 Jkdcdf32.exe 32
PID 2728 wrote to memory of 2612 2728 Jkdcdf32.exe 32
PID 2612 wrote to memory of 2632 2612 Jfjhbo32.exe 33
PID 2612 wrote to memory of 2632 2612 Jfjhbo32.exe 33
PID 2612 wrote to memory of 2632 2612 Jfjhbo32.exe 33
PID 2612 wrote to memory of 2632 2612 Jfjhbo32.exe 33
PID 2632 wrote to memory of 1632 2632 Jnemfa32.exe 34
PID 2632 wrote to memory of 1632 2632 Jnemfa32.exe 34
PID 2632 wrote to memory of 1632 2632 Jnemfa32.exe 34
PID 2632 wrote to memory of 1632 2632 Jnemfa32.exe 34
PID 1632 wrote to memory of 3048 1632 Jbphgpfg.exe 35
PID 1632 wrote to memory of 3048 1632 Jbphgpfg.exe 35
PID 1632 wrote to memory of 3048 1632 Jbphgpfg.exe 35
PID 1632 wrote to memory of 3048 1632 Jbphgpfg.exe 35
PID 3048 wrote to memory of 448 3048 Jkimpfmg.exe 36
PID 3048 wrote to memory of 448 3048 Jkimpfmg.exe 36
PID 3048 wrote to memory of 448 3048 Jkimpfmg.exe 36
PID 3048 wrote to memory of 448 3048 Jkimpfmg.exe 36
PID 448 wrote to memory of 2880 448 Jngilalk.exe 37
PID 448 wrote to memory of 2880 448 Jngilalk.exe 37
PID 448 wrote to memory of 2880 448 Jngilalk.exe 37
PID 448 wrote to memory of 2880 448 Jngilalk.exe 37
PID 2880 wrote to memory of 2672 2880 Jgpndg32.exe 38
PID 2880 wrote to memory of 2672 2880 Jgpndg32.exe 38
PID 2880 wrote to memory of 2672 2880 Jgpndg32.exe 38
PID 2880 wrote to memory of 2672 2880 Jgpndg32.exe 38
PID 2672 wrote to memory of 2900 2672 Jkkjeeke.exe 39
PID 2672 wrote to memory of 2900 2672 Jkkjeeke.exe 39
PID 2672 wrote to memory of 2900 2672 Jkkjeeke.exe 39
PID 2672 wrote to memory of 2900 2672 Jkkjeeke.exe 39
PID 2900 wrote to memory of 668 2900 Jecnnk32.exe 40
PID 2900 wrote to memory of 668 2900 Jecnnk32.exe 40
PID 2900 wrote to memory of 668 2900 Jecnnk32.exe 40
PID 2900 wrote to memory of 668 2900 Jecnnk32.exe 40
PID 668 wrote to memory of 2068 668 Jgbjjf32.exe 41
PID 668 wrote to memory of 2068 668 Jgbjjf32.exe 41
PID 668 wrote to memory of 2068 668 Jgbjjf32.exe 41
PID 668 wrote to memory of 2068 668 Jgbjjf32.exe 41
PID 2068 wrote to memory of 2132 2068 Jpmooind.exe 42
PID 2068 wrote to memory of 2132 2068 Jpmooind.exe 42
PID 2068 wrote to memory of 2132 2068 Jpmooind.exe 42
PID 2068 wrote to memory of 2132 2068 Jpmooind.exe 42
PID 2132 wrote to memory of 2196 2132 Kfggkc32.exe 43
PID 2132 wrote to memory of 2196 2132 Kfggkc32.exe 43
PID 2132 wrote to memory of 2196 2132 Kfggkc32.exe 43
PID 2132 wrote to memory of 2196 2132 Kfggkc32.exe 43
PID 2196 wrote to memory of 2364 2196 Kmaphmln.exe 44
PID 2196 wrote to memory of 2364 2196 Kmaphmln.exe 44
PID 2196 wrote to memory of 2364 2196 Kmaphmln.exe 44
PID 2196 wrote to memory of 2364 2196 Kmaphmln.exe 44
PID 2364 wrote to memory of 1156 2364 Kppldhla.exe 45
PID 2364 wrote to memory of 1156 2364 Kppldhla.exe 45
PID 2364 wrote to memory of 1156 2364 Kppldhla.exe 45
PID 2364 wrote to memory of 1156 2364 Kppldhla.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a0311375ae9d59a50b588fb799d6e8ceceb3de7016af5afcc9c8ba238530456.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6a0311375ae9d59a50b588fb799d6e8ceceb3de7016af5afcc9c8ba238530456.exe"; tree level 1)
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Iifghk32.exe (command line: C:\Windows\system32\Iifghk32.exe; tree level 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Jkdcdf32.exe (command line: C:\Windows\system32\Jkdcdf32.exe; tree level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Jfjhbo32.exe (command line: C:\Windows\system32\Jfjhbo32.exe; tree level 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Jnemfa32.exe (command line: C:\Windows\system32\Jnemfa32.exe; tree level 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Jbphgpfg.exe (command line: C:\Windows\system32\Jbphgpfg.exe; tree level 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Jkimpfmg.exe (command line: C:\Windows\system32\Jkimpfmg.exe; tree level 7)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Jngilalk.exe (command line: C:\Windows\system32\Jngilalk.exe; tree level 8)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Jgpndg32.exe (command line: C:\Windows\system32\Jgpndg32.exe; tree level 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Jkkjeeke.exe (command line: C:\Windows\system32\Jkkjeeke.exe; tree level 10)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Jecnnk32.exe (command line: C:\Windows\system32\Jecnnk32.exe; tree level 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Jgbjjf32.exe (command line: C:\Windows\system32\Jgbjjf32.exe; tree level 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Jpmooind.exe (command line: C:\Windows\system32\Jpmooind.exe; tree level 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Kfggkc32.exe (command line: C:\Windows\system32\Kfggkc32.exe; tree level 14)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Kmaphmln.exe (command line: C:\Windows\system32\Kmaphmln.exe; tree level 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Kppldhla.exe (command line: C:\Windows\system32\Kppldhla.exe; tree level 16)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Kihpmnbb.exe (command line: C:\Windows\system32\Kihpmnbb.exe; tree level 17)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Kmclmm32.exe (command line: C:\Windows\system32\Kmclmm32.exe; tree level 18)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Kijmbnpo.exe (command line: C:\Windows\system32\Kijmbnpo.exe; tree level 19)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Kmficl32.exe (command line: C:\Windows\system32\Kmficl32.exe; tree level 20)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Kfnnlboi.exe (command line: C:\Windows\system32\Kfnnlboi.exe; tree level 21)
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Klkfdi32.exe (command line: C:\Windows\system32\Klkfdi32.exe; tree level 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Kiofnm32.exe (command line: C:\Windows\system32\Kiofnm32.exe; tree level 23)
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Khagijcd.exe (command line: C:\Windows\system32\Khagijcd.exe; tree level 24)
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Kjpceebh.exe (command line: C:\Windows\system32\Kjpceebh.exe; tree level 25)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Leegbnan.exe (command line: C:\Windows\system32\Leegbnan.exe; tree level 26)
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Lmalgq32.exe (command line: C:\Windows\system32\Lmalgq32.exe; tree level 27)
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Lalhgogb.exe (command line: C:\Windows\system32\Lalhgogb.exe; tree level 28)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Lophacfl.exe (command line: C:\Windows\system32\Lophacfl.exe; tree level 29)
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Lmcilp32.exe (command line: C:\Windows\system32\Lmcilp32.exe; tree level 30)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Ldmaijdc.exe (command line: C:\Windows\system32\Ldmaijdc.exe; tree level 31)
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Lijiaabk.exe (command line: C:\Windows\system32\Lijiaabk.exe; tree level 32)
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Ldpnoj32.exe (command line: C:\Windows\system32\Ldpnoj32.exe; tree level 33)
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Lkifkdjm.exe (command line: C:\Windows\system32\Lkifkdjm.exe; tree level 34)
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Lgpfpe32.exe (command line: C:\Windows\system32\Lgpfpe32.exe; tree level 35)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Miocmq32.exe (command line: C:\Windows\system32\Miocmq32.exe; tree level 36)
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Mlmoilni.exe (command line: C:\Windows\system32\Mlmoilni.exe; tree level 37)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Meecaa32.exe (command line: C:\Windows\system32\Meecaa32.exe; tree level 38)
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Mehpga32.exe (command line: C:\Windows\system32\Mehpga32.exe; tree level 39)
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Miclhpjp.exe (command line: C:\Windows\system32\Miclhpjp.exe; tree level 40)
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Mopdpg32.exe (command line: C:\Windows\system32\Mopdpg32.exe; tree level 41)
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Mldeik32.exe (command line: C:\Windows\system32\Mldeik32.exe; tree level 42)
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Mkgeehnl.exe (command line: C:\Windows\system32\Mkgeehnl.exe; tree level 43)
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Mobaef32.exe (command line: C:\Windows\system32\Mobaef32.exe; tree level 44)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:280 -
C:\Windows\SysWOW64\Maanab32.exe (command line: C:\Windows\system32\Maanab32.exe; tree level 45)
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Mdojnm32.exe (command line: C:\Windows\system32\Mdojnm32.exe; tree level 46)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Mhkfnlme.exe (command line: C:\Windows\system32\Mhkfnlme.exe; tree level 47)
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Mkibjgli.exe (command line: C:\Windows\system32\Mkibjgli.exe; tree level 48)
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Moenkf32.exe (command line: C:\Windows\system32\Moenkf32.exe; tree level 49)
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Macjgadf.exe (command line: C:\Windows\system32\Macjgadf.exe; tree level 50)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Npfjbn32.exe (command line: C:\Windows\system32\Npfjbn32.exe; tree level 51)
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Nhmbdl32.exe (command line: C:\Windows\system32\Nhmbdl32.exe; tree level 52)
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ngpcohbm.exe (command line: C:\Windows\system32\Ngpcohbm.exe; tree level 53)
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Nnjklb32.exe (command line: C:\Windows\system32\Nnjklb32.exe; tree level 54)
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Naegmabc.exe (command line: C:\Windows\system32\Naegmabc.exe; tree level 55)
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Nddcimag.exe (command line: C:\Windows\system32\Nddcimag.exe; tree level 56)
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Ncgcdi32.exe (command line: C:\Windows\system32\Ncgcdi32.exe; tree level 57)
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Nknkeg32.exe (command line: C:\Windows\system32\Nknkeg32.exe; tree level 58)
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Njalacon.exe (command line: C:\Windows\system32\Njalacon.exe; tree level 59)
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Nlohmonb.exe (command line: C:\Windows\system32\Nlohmonb.exe; tree level 60)
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Ncipjieo.exe (command line: C:\Windows\system32\Ncipjieo.exe; tree level 61)
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Nfglfdeb.exe (command line: C:\Windows\system32\Nfglfdeb.exe; tree level 62)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Nnodgbed.exe (command line: C:\Windows\system32\Nnodgbed.exe; tree level 63)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:960 -
C:\Windows\SysWOW64\Nqmqcmdh.exe (command line: C:\Windows\system32\Nqmqcmdh.exe; tree level 64)
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Nopaoj32.exe (command line: C:\Windows\system32\Nopaoj32.exe; tree level 65)
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Nggipg32.exe (command line: C:\Windows\system32\Nggipg32.exe; tree level 66)
PID:572 -
C:\Windows\SysWOW64\Njeelc32.exe (command line: C:\Windows\system32\Njeelc32.exe; tree level 67)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:948 -
C:\Windows\SysWOW64\Nldahn32.exe (command line: C:\Windows\system32\Nldahn32.exe; tree level 68)
PID:1048 -
C:\Windows\SysWOW64\Nqpmimbe.exe (command line: C:\Windows\system32\Nqpmimbe.exe; tree level 69)
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Nbqjqehd.exe (command line: C:\Windows\system32\Nbqjqehd.exe; tree level 70)
PID:2960 -
C:\Windows\SysWOW64\Njhbabif.exe (command line: C:\Windows\system32\Njhbabif.exe; tree level 71)
PID:2688 -
C:\Windows\SysWOW64\Omfnnnhj.exe (command line: C:\Windows\system32\Omfnnnhj.exe; tree level 72)
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Okinik32.exe (command line: C:\Windows\system32\Okinik32.exe; tree level 73)
PID:900 -
C:\Windows\SysWOW64\Ocpfkh32.exe (command line: C:\Windows\system32\Ocpfkh32.exe; tree level 74)
PID:2908 -
C:\Windows\SysWOW64\Ohmoco32.exe (command line: C:\Windows\system32\Ohmoco32.exe; tree level 75)
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Okkkoj32.exe (command line: C:\Windows\system32\Okkkoj32.exe; tree level 76)
PID:1692 -
C:\Windows\SysWOW64\Obecld32.exe (command line: C:\Windows\system32\Obecld32.exe; tree level 77)
PID:1960 -
C:\Windows\SysWOW64\Oddphp32.exe (command line: C:\Windows\system32\Oddphp32.exe; tree level 78)
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Ogbldk32.exe (command line: C:\Windows\system32\Ogbldk32.exe; tree level 79)
PID:1812 -
C:\Windows\SysWOW64\Onldqejb.exe (command line: C:\Windows\system32\Onldqejb.exe; tree level 80)
PID:2040 -
C:\Windows\SysWOW64\Odflmp32.exe (command line: C:\Windows\system32\Odflmp32.exe; tree level 81)
- System Location Discovery: System Language Discovery
PID:628 -
C:\Windows\SysWOW64\Ogdhik32.exe (command line: C:\Windows\system32\Ogdhik32.exe; tree level 82)
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\Ojceef32.exe (command line: C:\Windows\system32\Ojceef32.exe; tree level 83)
PID:1464 -
C:\Windows\SysWOW64\Objmgd32.exe (command line: C:\Windows\system32\Objmgd32.exe; tree level 84)
PID:332 -
C:\Windows\SysWOW64\Ockinl32.exe (command line: C:\Windows\system32\Ockinl32.exe; tree level 85)
PID:1744 -
C:\Windows\SysWOW64\Okbapi32.exe (command line: C:\Windows\system32\Okbapi32.exe; tree level 86)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:896 -
C:\Windows\SysWOW64\Omcngamh.exe (command line: C:\Windows\system32\Omcngamh.exe; tree level 87)
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Pcnfdl32.exe (command line: C:\Windows\system32\Pcnfdl32.exe; tree level 88)
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Pjhnqfla.exe (command line: C:\Windows\system32\Pjhnqfla.exe; tree level 89)
PID:3028 -
C:\Windows\SysWOW64\Ppdfimji.exe (command line: C:\Windows\system32\Ppdfimji.exe; tree level 90)
PID:1848 -
C:\Windows\SysWOW64\Pcpbik32.exe (command line: C:\Windows\system32\Pcpbik32.exe; tree level 91)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Pimkbbpi.exe (command line: C:\Windows\system32\Pimkbbpi.exe; tree level 92)
PID:2904 -
C:\Windows\SysWOW64\Pmhgba32.exe (command line: C:\Windows\system32\Pmhgba32.exe; tree level 93)
PID:2128 -
C:\Windows\SysWOW64\Pcbookpp.exe (command line: C:\Windows\system32\Pcbookpp.exe; tree level 94)
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Pbepkh32.exe (command line: C:\Windows\system32\Pbepkh32.exe; tree level 95)
PID:1776 -
C:\Windows\SysWOW64\Piohgbng.exe (command line: C:\Windows\system32\Piohgbng.exe; tree level 96)
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Plndcmmj.exe (command line: C:\Windows\system32\Plndcmmj.exe; tree level 97)
PID:1104 -
C:\Windows\SysWOW64\Pbglpg32.exe (command line: C:\Windows\system32\Pbglpg32.exe; tree level 98)
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Pefhlcdk.exe (command line: C:\Windows\system32\Pefhlcdk.exe; tree level 99)
PID:340 -
C:\Windows\SysWOW64\Ppkmjlca.exe (command line: C:\Windows\system32\Ppkmjlca.exe; tree level 100)
PID:2724 -
C:\Windows\SysWOW64\Pbjifgcd.exe (command line: C:\Windows\system32\Pbjifgcd.exe; tree level 101)
PID:2680 -
C:\Windows\SysWOW64\Pehebbbh.exe (command line: C:\Windows\system32\Pehebbbh.exe; tree level 102)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Qpniokan.exe (command line: C:\Windows\system32\Qpniokan.exe; tree level 103)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1340 -
C:\Windows\SysWOW64\Qblfkgqb.exe (command line: C:\Windows\system32\Qblfkgqb.exe; tree level 104)
PID:3012 -
C:\Windows\SysWOW64\Qifnhaho.exe (command line: C:\Windows\system32\Qifnhaho.exe; tree level 105)
PID:2752 -
C:\Windows\SysWOW64\Qjgjpi32.exe (command line: C:\Windows\system32\Qjgjpi32.exe; tree level 106)
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Qaablcej.exe (command line: C:\Windows\system32\Qaablcej.exe; tree level 107)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Qdpohodn.exe (command line: C:\Windows\system32\Qdpohodn.exe; tree level 108)
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Windows\SysWOW64\Qlggjlep.exe (command line: C:\Windows\system32\Qlggjlep.exe; tree level 109)
PID:2088 -
C:\Windows\SysWOW64\Aadobccg.exe (command line: C:\Windows\system32\Aadobccg.exe; tree level 110)
PID:536 -
C:\Windows\SysWOW64\Adblnnbk.exe (command line: C:\Windows\system32\Adblnnbk.exe; tree level 111)
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Ajldkhjh.exe (command line: C:\Windows\system32\Ajldkhjh.exe; tree level 112)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Amjpgdik.exe (command line: C:\Windows\system32\Amjpgdik.exe; tree level 113)
PID:2584 -
C:\Windows\SysWOW64\Apilcoho.exe (command line: C:\Windows\system32\Apilcoho.exe; tree level 114)
PID:2572 -
C:\Windows\SysWOW64\Afcdpi32.exe (command line: C:\Windows\system32\Afcdpi32.exe; tree level 115)
PID:1276 -
C:\Windows\SysWOW64\Aiaqle32.exe (command line: C:\Windows\system32\Aiaqle32.exe; tree level 116)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1492 -
C:\Windows\SysWOW64\Apkihofl.exe (command line: C:\Windows\system32\Apkihofl.exe; tree level 117)
PID:2916 -
C:\Windows\SysWOW64\Afeaei32.exe (command line: C:\Windows\system32\Afeaei32.exe; tree level 118)
PID:568 -
C:\Windows\SysWOW64\Apnfno32.exe (command line: C:\Windows\system32\Apnfno32.exe; tree level 119)
PID:2208 -
C:\Windows\SysWOW64\Ablbjj32.exe (command line: C:\Windows\system32\Ablbjj32.exe; tree level 120)
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Aejnfe32.exe (command line: C:\Windows\system32\Aejnfe32.exe; tree level 121)
PID:1268 -
C:\Windows\SysWOW64\Aldfcpjn.exe (command line: C:\Windows\system32\Aldfcpjn.exe; tree level 122)
PID:1244 -