Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
05/03/2025, 13:00
Behavioral task
behavioral1
Sample
f6fb48bd2e52682b24cf14839a3538bd055c000aab1949abeadb4b949bf7a623.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
f6fb48bd2e52682b24cf14839a3538bd055c000aab1949abeadb4b949bf7a623.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
f6fb48bd2e52682b24cf14839a3538bd055c000aab1949abeadb4b949bf7a623.exe
-
Size
187KB
-
MD5
a81eaae6c4caef7ae52d2a86675fcf17
-
SHA1
303a11ff2fea1ea71293d172d101021da24c2606
-
SHA256
f6fb48bd2e52682b24cf14839a3538bd055c000aab1949abeadb4b949bf7a623
-
SHA512
db205be2357aa5cbcc4595663eb0b1818af2c77ffe834182adbabce8f0e5941e309f54860248dc04bd09cf94664fe0bee6536573b12814866e675d9a4cded879
-
SSDEEP
3072:5KC4SRQWIfQOkZTTgr/feXZl2NkzwH5GJks8WYlOWe7VsayDZVZev1N:5L4YTrp9zwZ9s8SZq/svL
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feenjgfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnhoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inidkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmfkhmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khiofk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcnjijoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbfmgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdiakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edeeci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kedlip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahfkimd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggmmlamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpmhdmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mljmhflh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbnjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chfegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilphdlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Figgdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmjaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpegkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dinael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncchae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paeelgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apaadpng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khlklj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amlogfel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egohdegl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomjicei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lokdnjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Finnef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpedjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Modpib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnaecedp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eoepebho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbiockdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hemmac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbphglbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oflmnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbeeiji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiogf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfmgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekgqennl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njjdho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aimogakj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckebcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqghqpnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfaemp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpaihooo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlmchoan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaabq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogddd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpolbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcoccc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooibkpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcgpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfqlfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keifdpif.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2088 Komhll32.exe 3352 Knnhjcog.exe 5056 Kckqbj32.exe 1096 Knqepc32.exe 2432 Kcmmhj32.exe 4480 Kflide32.exe 4884 Kncaec32.exe 2820 Kpanan32.exe 940 Kcpjnjii.exe 2572 Kfnfjehl.exe 2272 Kjjbjd32.exe 4752 Klhnfo32.exe 232 Kpcjgnhb.exe 4848 Kgnbdh32.exe 2424 Kjlopc32.exe 4872 Kngkqbgl.exe 5116 Lljklo32.exe 2672 Loighj32.exe 1592 Lcdciiec.exe 1424 Lfbped32.exe 4720 Lnjgfb32.exe 1908 Llmhaold.exe 4836 Lokdnjkg.exe 4960 Lcgpni32.exe 3436 Lfeljd32.exe 4788 Ljqhkckn.exe 1992 Lnldla32.exe 2236 Lqkqhm32.exe 1556 Lcimdh32.exe 2768 Lfgipd32.exe 4260 Lmaamn32.exe 5104 Lqmmmmph.exe 4344 Lckiihok.exe 3064 Lfjfecno.exe 1692 Ljeafb32.exe 3356 Lmdnbn32.exe 1912 Lobjni32.exe 2224 Lgibpf32.exe 4180 Ljhnlb32.exe 1712 Lncjlq32.exe 100 Mmfkhmdi.exe 5012 Modgdicm.exe 2472 Mcpcdg32.exe 2456 Mgloefco.exe 4972 Mnegbp32.exe 2244 Mqdcnl32.exe 4912 Mcbpjg32.exe 3900 Mfqlfb32.exe 4288 Mnhdgpii.exe 1616 Mqfpckhm.exe 1528 Moipoh32.exe 3944 Mgphpe32.exe 4076 Mfchlbfd.exe 4536 Mnjqmpgg.exe 1704 Mqimikfj.exe 2020 Mokmdh32.exe 2348 Mgbefe32.exe 708 Mjaabq32.exe 1792 Mnmmboed.exe 2560 Mqkiok32.exe 2544 Monjjgkb.exe 1648 Mgeakekd.exe 5144 Mjcngpjh.exe 5184 Nnojho32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aopemh32.exe Agimkk32.exe File created C:\Windows\SysWOW64\Ccegpn32.dll Eqncnj32.exe File opened for modification C:\Windows\SysWOW64\Pnmopk32.exe Pffgom32.exe File opened for modification C:\Windows\SysWOW64\Qmgelf32.exe Qjiipk32.exe File opened for modification C:\Windows\SysWOW64\Jbepme32.exe Jpgdai32.exe File created C:\Windows\SysWOW64\Bbhildae.exe Bipecnkd.exe File opened for modification C:\Windows\SysWOW64\Edaaccbj.exe Eaceghcg.exe File opened for modification C:\Windows\SysWOW64\Ehlhih32.exe Edplhjhi.exe File opened for modification C:\Windows\SysWOW64\Cmnnimak.exe Bbhildae.exe File opened for modification C:\Windows\SysWOW64\Nceefd32.exe Nagiji32.exe File created C:\Windows\SysWOW64\Kibohd32.dll Ofkgcobj.exe File created C:\Windows\SysWOW64\Pghien32.dll Cglbhhga.exe File opened for modification C:\Windows\SysWOW64\Ibjqaf32.exe Ipkdek32.exe File created C:\Windows\SysWOW64\Pekihfdc.dll Jimldogg.exe File created C:\Windows\SysWOW64\Fpnkah32.dll Ncpeaoih.exe File opened for modification C:\Windows\SysWOW64\Kpcjgnhb.exe Klhnfo32.exe File created C:\Windows\SysWOW64\Ijikdfig.dll Akpoaj32.exe File created C:\Windows\SysWOW64\Jlkidpke.dll Ckebcg32.exe File created C:\Windows\SysWOW64\Doojec32.exe Dhdbhifj.exe File created C:\Windows\SysWOW64\Ebfign32.exe Enkmfolf.exe File created C:\Windows\SysWOW64\Aobmce32.dll Fgoakc32.exe File created C:\Windows\SysWOW64\Falmlm32.dll Jeocna32.exe File created C:\Windows\SysWOW64\Jafdcbge.exe Johggfha.exe File opened for modification C:\Windows\SysWOW64\Nfjola32.exe Nclbpf32.exe File created C:\Windows\SysWOW64\Ckebcg32.exe Chfegk32.exe File opened for modification C:\Windows\SysWOW64\Egcaod32.exe Edeeci32.exe File created C:\Windows\SysWOW64\Fqeioiam.exe Fnfmbmbi.exe File created C:\Windows\SysWOW64\Fgcodk32.dll Khiofk32.exe File created C:\Windows\SysWOW64\Nohjfifo.dll Paihlpfi.exe File created C:\Windows\SysWOW64\Fhcbhh32.dll Qcnjijoe.exe File opened for modification C:\Windows\SysWOW64\Kbnlim32.exe Klbgfc32.exe File opened for modification C:\Windows\SysWOW64\Ocaebc32.exe Oabhfg32.exe File created C:\Windows\SysWOW64\Apaadpng.exe Amcehdod.exe File created C:\Windows\SysWOW64\Cldaec32.dll Aimogakj.exe File created C:\Windows\SysWOW64\Famkjfqd.dll Lqmmmmph.exe File created C:\Windows\SysWOW64\Cklgfgfg.dll Apaadpng.exe File created C:\Windows\SysWOW64\Hajkqfoe.exe Hnlodjpa.exe File created C:\Windows\SysWOW64\Nlhego32.dll Njjmni32.exe File created C:\Windows\SysWOW64\Dkedonpo.exe Dgihop32.exe File created C:\Windows\SysWOW64\Enemaimp.exe Ekgqennl.exe File created C:\Windows\SysWOW64\Hnbnjc32.exe Hnpaec32.exe File created C:\Windows\SysWOW64\Ldnemdgd.dll Jnnnfalp.exe File opened for modification C:\Windows\SysWOW64\Lfbped32.exe Lcdciiec.exe File created C:\Windows\SysWOW64\Jgqjbf32.dll Mqfpckhm.exe File created C:\Windows\SysWOW64\Cpfoag32.dll Caageq32.exe File opened for modification C:\Windows\SysWOW64\Ihpcinld.exe Ieagmcmq.exe File created C:\Windows\SysWOW64\Pfojdh32.exe Pbcncibp.exe File created C:\Windows\SysWOW64\Lgahlk32.dll Hnbnjc32.exe File opened for modification C:\Windows\SysWOW64\Ilmedf32.exe Inidkb32.exe File created C:\Windows\SysWOW64\Lqmmmmph.exe Lmaamn32.exe File created C:\Windows\SysWOW64\Phajna32.exe Pdenmbkk.exe File created C:\Windows\SysWOW64\Ahofoogd.exe Aaenbd32.exe File created C:\Windows\SysWOW64\Hbldphde.exe Hpmhdmea.exe File created C:\Windows\SysWOW64\Ibegfglj.exe Ipgkjlmg.exe File created C:\Windows\SysWOW64\Aglmllpq.dll Ipgkjlmg.exe File created C:\Windows\SysWOW64\Ilphdlqh.exe Iefphb32.exe File opened for modification C:\Windows\SysWOW64\Bbfmgd32.exe Bfolacnc.exe File created C:\Windows\SysWOW64\Fihgkk32.dll Lmdnbn32.exe File created C:\Windows\SysWOW64\Ocohmc32.exe Oaplqh32.exe File created C:\Windows\SysWOW64\Ekajec32.exe Egened32.exe File created C:\Windows\SysWOW64\Fpmfmgnc.dll Enpfan32.exe File opened for modification C:\Windows\SysWOW64\Ibcjqgnm.exe Ipdndloi.exe File created C:\Windows\SysWOW64\Nnojho32.exe Mjcngpjh.exe File created C:\Windows\SysWOW64\Nqmfdj32.exe Nnojho32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11600 3604 WerFault.exe 591 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmaamn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdenmbkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogcnmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paeelgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feenjgfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmmlamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekajec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocnabm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdoacabq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edplhjhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbfmgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdciiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfdjinjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfojdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caqpkjcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apaadpng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhphmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcjjhdjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqbala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offnhpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkqgaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipgkjlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmfdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcgcqab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caageq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdehlip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibegfglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbgmjgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjkmomfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmeigg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocjiehd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfcfmlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lafmjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panhbfep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmgelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Finnef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnhajba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckiihok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqkiok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgeakekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmiikh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calfpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahfkimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcphdqmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeaiij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kajfdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljklo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmapodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doagjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jppnpjel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khgbqkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofkgcobj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajhndkb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Moipoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkeajoj.dll" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phfcipoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll" Ckebcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Khbiello.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddklbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll" Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekonpckp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbkkik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpqggh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ampaho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgihop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badjai32.dll" Foapaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdcakkc.dll" Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Falmlm32.dll" Jeocna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kapfiqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcoccc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljloomi.dll" Hqghqpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ledoegkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfjfecno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenpmnno.dll" Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpqlc32.dll" Fbplml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qikbaaml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejojljqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gndbie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figmglee.dll" Ofhknodl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qdoacabq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagdgfkf.dll" Ibegfglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foniaq32.dll" Lepleocn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oikjkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nceefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcknij32.dll" Ddgibkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnckgmik.dll" Fecadghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnkah32.dll" Ncpeaoih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Biklho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdglhf32.dll" Njmqnobn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pagbaglh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aaldccip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlnnc32.dll" Hnbeeiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnbeeiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmenm32.dll" Iahgad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mokfja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node f6fb48bd2e52682b24cf14839a3538bd055c000aab1949abeadb4b949bf7a623.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfqikef.dll" Panhbfep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emamkgpg.dll" Eiekog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehdpem.dll" Hlblcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnbeeiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfenigce.dll" Mcaipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll" Fcbnpnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelche32.dll" Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll" Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afbgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnebjidl.dll" Lohqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlcd32.dll" Ibbcfa32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4380 wrote to memory of 2088 4380 f6fb48bd2e52682b24cf14839a3538bd055c000aab1949abeadb4b949bf7a623.exe 88 PID 4380 wrote to memory of 2088 4380 f6fb48bd2e52682b24cf14839a3538bd055c000aab1949abeadb4b949bf7a623.exe 88 PID 4380 wrote to memory of 2088 4380 f6fb48bd2e52682b24cf14839a3538bd055c000aab1949abeadb4b949bf7a623.exe 88 PID 2088 wrote to memory of 3352 2088 Komhll32.exe 89 PID 2088 wrote to memory of 3352 2088 Komhll32.exe 89 PID 2088 wrote to memory of 3352 2088 Komhll32.exe 89 PID 3352 wrote to memory of 5056 3352 Knnhjcog.exe 90 PID 3352 wrote to memory of 5056 3352 Knnhjcog.exe 90 PID 3352 wrote to memory of 5056 3352 Knnhjcog.exe 90 PID 5056 wrote to memory of 1096 5056 Kckqbj32.exe 91 PID 5056 wrote to memory of 1096 5056 Kckqbj32.exe 91 PID 5056 wrote to memory of 1096 5056 Kckqbj32.exe 91 PID 1096 wrote to memory of 2432 1096 Knqepc32.exe 92 PID 1096 wrote to memory of 2432 1096 Knqepc32.exe 92 PID 1096 wrote to memory of 2432 1096 Knqepc32.exe 92 PID 2432 wrote to memory of 4480 2432 Kcmmhj32.exe 93 PID 2432 wrote to memory of 4480 2432 Kcmmhj32.exe 93 PID 2432 wrote to memory of 4480 2432 Kcmmhj32.exe 93 PID 4480 wrote to memory of 4884 4480 Kflide32.exe 94 PID 4480 wrote to memory of 4884 4480 Kflide32.exe 94 PID 4480 wrote to memory of 4884 4480 Kflide32.exe 94 PID 4884 wrote to memory of 2820 4884 Kncaec32.exe 95 PID 4884 wrote to memory of 2820 4884 Kncaec32.exe 95 PID 4884 wrote to memory of 2820 4884 Kncaec32.exe 95 PID 2820 wrote to memory of 940 2820 Kpanan32.exe 96 PID 2820 wrote to memory of 940 2820 Kpanan32.exe 96 PID 2820 wrote to memory of 940 2820 Kpanan32.exe 96 PID 940 wrote to memory of 2572 940 Kcpjnjii.exe 97 PID 940 wrote to memory of 2572 940 Kcpjnjii.exe 97 PID 940 wrote to memory of 2572 940 Kcpjnjii.exe 97 PID 2572 wrote to memory of 2272 2572 Kfnfjehl.exe 98 PID 2572 wrote to memory of 2272 2572 Kfnfjehl.exe 98 PID 2572 wrote to memory of 2272 2572 Kfnfjehl.exe 98 PID 2272 wrote to memory of 4752 2272 Kjjbjd32.exe 99 PID 2272 wrote to memory of 4752 2272 Kjjbjd32.exe 99 PID 2272 wrote to memory of 4752 2272 Kjjbjd32.exe 99 PID 4752 wrote to memory of 232 4752 Klhnfo32.exe 100 PID 4752 wrote to memory of 232 4752 Klhnfo32.exe 100 PID 4752 wrote to memory of 232 4752 Klhnfo32.exe 100 PID 232 wrote to memory of 4848 232 Kpcjgnhb.exe 101 PID 232 wrote to memory of 4848 232 Kpcjgnhb.exe 101 PID 232 wrote to memory of 4848 232 Kpcjgnhb.exe 101 PID 4848 wrote to memory of 2424 4848 Kgnbdh32.exe 102 PID 4848 wrote to memory of 2424 4848 Kgnbdh32.exe 102 PID 4848 wrote to memory of 2424 4848 Kgnbdh32.exe 102 PID 2424 wrote to memory of 4872 2424 Kjlopc32.exe 103 PID 2424 wrote to memory of 4872 2424 Kjlopc32.exe 103 PID 2424 wrote to memory of 4872 2424 Kjlopc32.exe 103 PID 4872 wrote to memory of 5116 4872 Kngkqbgl.exe 104 PID 4872 wrote to memory of 5116 4872 Kngkqbgl.exe 104 PID 4872 wrote to memory of 5116 4872 Kngkqbgl.exe 104 PID 5116 wrote to memory of 2672 5116 Lljklo32.exe 105 PID 5116 wrote to memory of 2672 5116 Lljklo32.exe 105 PID 5116 wrote to memory of 2672 5116 Lljklo32.exe 105 PID 2672 wrote to memory of 1592 2672 Loighj32.exe 106 PID 2672 wrote to memory of 1592 2672 Loighj32.exe 106 PID 2672 wrote to memory of 1592 2672 Loighj32.exe 106 PID 1592 wrote to memory of 1424 1592 Lcdciiec.exe 107 PID 1592 wrote to memory of 1424 1592 Lcdciiec.exe 107 PID 1592 wrote to memory of 1424 1592 Lcdciiec.exe 107 PID 1424 wrote to memory of 4720 1424 Lfbped32.exe 108 PID 1424 wrote to memory of 4720 1424 Lfbped32.exe 108 PID 1424 wrote to memory of 4720 1424 Lfbped32.exe 108 PID 4720 wrote to memory of 1908 4720 Lnjgfb32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6fb48bd2e52682b24cf14839a3538bd055c000aab1949abeadb4b949bf7a623.exe"C:\Users\Admin\AppData\Local\Temp\f6fb48bd2e52682b24cf14839a3538bd055c000aab1949abeadb4b949bf7a623.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Komhll32.exeC:\Windows\system32\Komhll32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Knqepc32.exeC:\Windows\system32\Knqepc32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Kcmmhj32.exeC:\Windows\system32\Kcmmhj32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Kflide32.exeC:\Windows\system32\Kflide32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Kncaec32.exeC:\Windows\system32\Kncaec32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Kpanan32.exeC:\Windows\system32\Kpanan32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Kcpjnjii.exeC:\Windows\system32\Kcpjnjii.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Kfnfjehl.exeC:\Windows\system32\Kfnfjehl.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Kjjbjd32.exeC:\Windows\system32\Kjjbjd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Klhnfo32.exeC:\Windows\system32\Klhnfo32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Kpcjgnhb.exeC:\Windows\system32\Kpcjgnhb.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Kgnbdh32.exeC:\Windows\system32\Kgnbdh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Kngkqbgl.exeC:\Windows\system32\Kngkqbgl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Lljklo32.exeC:\Windows\system32\Lljklo32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Loighj32.exeC:\Windows\system32\Loighj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Lcdciiec.exeC:\Windows\system32\Lcdciiec.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Lfbped32.exeC:\Windows\system32\Lfbped32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Lnjgfb32.exeC:\Windows\system32\Lnjgfb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Llmhaold.exeC:\Windows\system32\Llmhaold.exe23⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Lokdnjkg.exeC:\Windows\system32\Lokdnjkg.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Lcgpni32.exeC:\Windows\system32\Lcgpni32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Lfeljd32.exeC:\Windows\system32\Lfeljd32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3436 -
C:\Windows\SysWOW64\Ljqhkckn.exeC:\Windows\system32\Ljqhkckn.exe27⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Lnldla32.exeC:\Windows\system32\Lnldla32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Lqkqhm32.exeC:\Windows\system32\Lqkqhm32.exe29⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Lcimdh32.exeC:\Windows\system32\Lcimdh32.exe30⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Lfgipd32.exeC:\Windows\system32\Lfgipd32.exe31⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Lmaamn32.exeC:\Windows\system32\Lmaamn32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4260 -
C:\Windows\SysWOW64\Lqmmmmph.exeC:\Windows\system32\Lqmmmmph.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5104 -
C:\Windows\SysWOW64\Lckiihok.exeC:\Windows\system32\Lckiihok.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4344 -
C:\Windows\SysWOW64\Lfjfecno.exeC:\Windows\system32\Lfjfecno.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Ljeafb32.exeC:\Windows\system32\Ljeafb32.exe36⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Lmdnbn32.exeC:\Windows\system32\Lmdnbn32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3356 -
C:\Windows\SysWOW64\Lobjni32.exeC:\Windows\system32\Lobjni32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Lgibpf32.exeC:\Windows\system32\Lgibpf32.exe39⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ljhnlb32.exeC:\Windows\system32\Ljhnlb32.exe40⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Lncjlq32.exeC:\Windows\system32\Lncjlq32.exe41⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Mmfkhmdi.exeC:\Windows\system32\Mmfkhmdi.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Modgdicm.exeC:\Windows\system32\Modgdicm.exe43⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Mcpcdg32.exeC:\Windows\system32\Mcpcdg32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Mgloefco.exeC:\Windows\system32\Mgloefco.exe45⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Mnegbp32.exeC:\Windows\system32\Mnegbp32.exe46⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Mqdcnl32.exeC:\Windows\system32\Mqdcnl32.exe47⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Mcbpjg32.exeC:\Windows\system32\Mcbpjg32.exe48⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Mfqlfb32.exeC:\Windows\system32\Mfqlfb32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Mnhdgpii.exeC:\Windows\system32\Mnhdgpii.exe50⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Mqfpckhm.exeC:\Windows\system32\Mqfpckhm.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Mgphpe32.exeC:\Windows\system32\Mgphpe32.exe53⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Mfchlbfd.exeC:\Windows\system32\Mfchlbfd.exe54⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Mnjqmpgg.exeC:\Windows\system32\Mnjqmpgg.exe55⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Mqimikfj.exeC:\Windows\system32\Mqimikfj.exe56⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Mokmdh32.exeC:\Windows\system32\Mokmdh32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Mgbefe32.exeC:\Windows\system32\Mgbefe32.exe58⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Mjaabq32.exeC:\Windows\system32\Mjaabq32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Mnmmboed.exeC:\Windows\system32\Mnmmboed.exe60⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Mqkiok32.exeC:\Windows\system32\Mqkiok32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Monjjgkb.exeC:\Windows\system32\Monjjgkb.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Mgeakekd.exeC:\Windows\system32\Mgeakekd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Mjcngpjh.exeC:\Windows\system32\Mjcngpjh.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5144 -
C:\Windows\SysWOW64\Nnojho32.exeC:\Windows\system32\Nnojho32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5184 -
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe66⤵
- System Location Discovery: System Language Discovery
PID:5224 -
C:\Windows\SysWOW64\Nopfpgip.exeC:\Windows\system32\Nopfpgip.exe67⤵PID:5264
-
C:\Windows\SysWOW64\Nclbpf32.exeC:\Windows\system32\Nclbpf32.exe68⤵
- Drops file in System32 directory
PID:5304 -
C:\Windows\SysWOW64\Nfjola32.exeC:\Windows\system32\Nfjola32.exe69⤵PID:5344
-
C:\Windows\SysWOW64\Nnafno32.exeC:\Windows\system32\Nnafno32.exe70⤵PID:5384
-
C:\Windows\SysWOW64\Nmdgikhi.exeC:\Windows\system32\Nmdgikhi.exe71⤵PID:5424
-
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe72⤵PID:5464
-
C:\Windows\SysWOW64\Ncnofeof.exeC:\Windows\system32\Ncnofeof.exe73⤵
- Modifies registry class
PID:5504 -
C:\Windows\SysWOW64\Nflkbanj.exeC:\Windows\system32\Nflkbanj.exe74⤵PID:5552
-
C:\Windows\SysWOW64\Ncqlkemc.exeC:\Windows\system32\Ncqlkemc.exe75⤵PID:5584
-
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe76⤵PID:5624
-
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5664 -
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe78⤵PID:5704
-
C:\Windows\SysWOW64\Npgmpf32.exeC:\Windows\system32\Npgmpf32.exe79⤵PID:5744
-
C:\Windows\SysWOW64\Ncchae32.exeC:\Windows\system32\Ncchae32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5784 -
C:\Windows\SysWOW64\Nfaemp32.exeC:\Windows\system32\Nfaemp32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5824 -
C:\Windows\SysWOW64\Njmqnobn.exeC:\Windows\system32\Njmqnobn.exe82⤵
- Modifies registry class
PID:5864 -
C:\Windows\SysWOW64\Nmkmjjaa.exeC:\Windows\system32\Nmkmjjaa.exe83⤵PID:5904
-
C:\Windows\SysWOW64\Nagiji32.exeC:\Windows\system32\Nagiji32.exe84⤵
- Drops file in System32 directory
PID:5944 -
C:\Windows\SysWOW64\Nceefd32.exeC:\Windows\system32\Nceefd32.exe85⤵
- Modifies registry class
PID:5984 -
C:\Windows\SysWOW64\Nfcabp32.exeC:\Windows\system32\Nfcabp32.exe86⤵
- System Location Discovery: System Language Discovery
PID:6024 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe87⤵PID:6064
-
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe88⤵PID:6104
-
C:\Windows\SysWOW64\Oplfkeob.exeC:\Windows\system32\Oplfkeob.exe89⤵PID:3180
-
C:\Windows\SysWOW64\Ogcnmc32.exeC:\Windows\system32\Ogcnmc32.exe90⤵
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Windows\SysWOW64\Offnhpfo.exeC:\Windows\system32\Offnhpfo.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe92⤵PID:3716
-
C:\Windows\SysWOW64\Oakbehfe.exeC:\Windows\system32\Oakbehfe.exe93⤵PID:4944
-
C:\Windows\SysWOW64\Opnbae32.exeC:\Windows\system32\Opnbae32.exe94⤵
- System Location Discovery: System Language Discovery
PID:3448 -
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe95⤵
- Modifies registry class
PID:4328 -
C:\Windows\SysWOW64\Ofhknodl.exeC:\Windows\system32\Ofhknodl.exe96⤵
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Onocomdo.exeC:\Windows\system32\Onocomdo.exe97⤵PID:5152
-
C:\Windows\SysWOW64\Oanokhdb.exeC:\Windows\system32\Oanokhdb.exe98⤵PID:5220
-
C:\Windows\SysWOW64\Opqofe32.exeC:\Windows\system32\Opqofe32.exe99⤵PID:5288
-
C:\Windows\SysWOW64\Oghghb32.exeC:\Windows\system32\Oghghb32.exe100⤵
- System Location Discovery: System Language Discovery
PID:5336 -
C:\Windows\SysWOW64\Ofkgcobj.exeC:\Windows\system32\Ofkgcobj.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3928 -
C:\Windows\SysWOW64\Onapdl32.exeC:\Windows\system32\Onapdl32.exe102⤵PID:2216
-
C:\Windows\SysWOW64\Oaplqh32.exeC:\Windows\system32\Oaplqh32.exe103⤵
- Drops file in System32 directory
PID:5540 -
C:\Windows\SysWOW64\Ocohmc32.exeC:\Windows\system32\Ocohmc32.exe104⤵PID:5580
-
C:\Windows\SysWOW64\Ofmdio32.exeC:\Windows\system32\Ofmdio32.exe105⤵PID:5648
-
C:\Windows\SysWOW64\Ondljl32.exeC:\Windows\system32\Ondljl32.exe106⤵PID:5712
-
C:\Windows\SysWOW64\Oabhfg32.exeC:\Windows\system32\Oabhfg32.exe107⤵
- Drops file in System32 directory
PID:5752 -
C:\Windows\SysWOW64\Ocaebc32.exeC:\Windows\system32\Ocaebc32.exe108⤵PID:5808
-
C:\Windows\SysWOW64\Pjkmomfn.exeC:\Windows\system32\Pjkmomfn.exe109⤵
- System Location Discovery: System Language Discovery
PID:5900 -
C:\Windows\SysWOW64\Pmiikh32.exeC:\Windows\system32\Pmiikh32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5316 -
C:\Windows\SysWOW64\Paeelgnj.exeC:\Windows\system32\Paeelgnj.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6016 -
C:\Windows\SysWOW64\Pccahbmn.exeC:\Windows\system32\Pccahbmn.exe112⤵PID:6088
-
C:\Windows\SysWOW64\Pfandnla.exeC:\Windows\system32\Pfandnla.exe113⤵PID:6132
-
C:\Windows\SysWOW64\Pnifekmd.exeC:\Windows\system32\Pnifekmd.exe114⤵PID:2912
-
C:\Windows\SysWOW64\Pagbaglh.exeC:\Windows\system32\Pagbaglh.exe115⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Pdenmbkk.exeC:\Windows\system32\Pdenmbkk.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3856 -
C:\Windows\SysWOW64\Phajna32.exeC:\Windows\system32\Phajna32.exe117⤵PID:4452
-
C:\Windows\SysWOW64\Pfdjinjo.exeC:\Windows\system32\Pfdjinjo.exe118⤵
- System Location Discovery: System Language Discovery
PID:5208 -
C:\Windows\SysWOW64\Pnkbkk32.exeC:\Windows\system32\Pnkbkk32.exe119⤵PID:324
-
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5376 -
C:\Windows\SysWOW64\Pdhkcb32.exeC:\Windows\system32\Pdhkcb32.exe121⤵
- Modifies registry class
PID:3144
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-