Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-10-2024 02:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b9fa47cb3627feb0332aaf5eef79c1c125d0f5ebaa7abb0bc71a8773771e9b67.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
b9fa47cb3627feb0332aaf5eef79c1c125d0f5ebaa7abb0bc71a8773771e9b67.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
b9fa47cb3627feb0332aaf5eef79c1c125d0f5ebaa7abb0bc71a8773771e9b67.exe
-
Size
96KB
-
MD5
d7c52264627457b07cba9358eaac64a5
-
SHA1
cad1120a5fce26ede2fe92cdf2ae6aa2aeb3ffcc
-
SHA256
b9fa47cb3627feb0332aaf5eef79c1c125d0f5ebaa7abb0bc71a8773771e9b67
-
SHA512
889164480b584e47fdcee9ed742410efa4b5381730984648fbd332a7355f75e41c4c7266cfd732b3089970e738ace6972093e0b33feb6e5958a1e99fa01e160b
-
SSDEEP
1536:qotJRaDFRnmXG62LmjPwIm3FQg2OLQBCsduV9jojTIvjr:qoLRaJRn/swIm3FpeBCsd69jc0v
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljilqnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Allpejfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohmhmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcclm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olgncmim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdmgfedl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmpkadnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnhkbfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiokinbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbflg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnhpoamf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aakebqbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djelgied.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mogcihaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelchgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adkgje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdidgjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahaceo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbkbpoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdglmkeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgcpokp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agimkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bokehc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkhnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fealin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oakbehfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqmhnko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alelqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpbflg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhdhon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaajed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iphioh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlbcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfchlbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghghb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdpbon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nliaao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhkjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmlfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkphhgfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haoimcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcmeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apodoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlhljhbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqikmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcelpggq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdmdnadc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcpahpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojgjndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpimlfke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gihgfk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2640 Gacjadad.exe 5072 Ghmbno32.exe 4372 Gklnjj32.exe 4576 Gnjjfegi.exe 4160 Ghpocngo.exe 452 Gknkpjfb.exe 3264 Gpkchqdj.exe 3296 Hgelek32.exe 4960 Hjchaf32.exe 4104 Hajpbckl.exe 3580 Hhdhon32.exe 660 Hjedffig.exe 4692 Hammhcij.exe 1844 Hdkidohn.exe 1608 Hgiepjga.exe 3756 Haoimcgg.exe 2432 Hdmein32.exe 1856 Hnfjbdmk.exe 1044 Hdpbon32.exe 2404 Hjlkge32.exe 3604 Idbodn32.exe 2488 Iddljmpc.exe 928 Iahlcaol.exe 4704 Igedlh32.exe 5068 Ijcahd32.exe 4352 Idieem32.exe 4204 Ikcmbfcj.exe 1728 Ibmeoq32.exe 392 Ikejgf32.exe 1116 Ibobdqid.exe 1284 Jhijqj32.exe 1112 Jnfcia32.exe 3664 Jdpkflfe.exe 2036 Jkjcbe32.exe 4992 Jnhpoamf.exe 1012 Jdbhkk32.exe 32 Jgadgf32.exe 3536 Jjopcb32.exe 4432 Jqiipljg.exe 3328 Jgcamf32.exe 3188 Jjamia32.exe 776 Jbiejoaj.exe 2484 Jibmgi32.exe 3656 Jkaicd32.exe 1880 Jbkbpoog.exe 2784 Kiejmi32.exe 2140 Kbmoen32.exe 224 Kelkaj32.exe 1900 Kkfcndce.exe 3124 Kijchhbo.exe 1152 Kjkpoq32.exe 4980 Kaehljpj.exe 4776 Kgopidgf.exe 4556 Kbddfmgl.exe 364 Kecabifp.exe 3436 Kjpijpdg.exe 4584 Liqihglg.exe 3108 Lbinam32.exe 2892 Legjmh32.exe 2888 Lkabjbih.exe 2180 Lnpofnhk.exe 2316 Lieccf32.exe 3764 Ljgpkonp.exe 2840 Lelchgne.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mgaokl32.exe Mebcop32.exe File created C:\Windows\SysWOW64\Aknhkd32.dll Fbjena32.exe File created C:\Windows\SysWOW64\Ldldehjm.dll Hedafk32.exe File created C:\Windows\SysWOW64\Ifomef32.dll Ocjoadei.exe File created C:\Windows\SysWOW64\Bkamodje.dll Bklomh32.exe File opened for modification C:\Windows\SysWOW64\Oaajed32.exe Okgaijaj.exe File created C:\Windows\SysWOW64\Fmpqfq32.exe Fffhifdk.exe File created C:\Windows\SysWOW64\Akccap32.exe Ahdged32.exe File opened for modification C:\Windows\SysWOW64\Cnkkjh32.exe Ckmonl32.exe File opened for modification C:\Windows\SysWOW64\Fnipbc32.exe Fmhdkknd.exe File created C:\Windows\SysWOW64\Fiodpl32.exe Ffqhcq32.exe File created C:\Windows\SysWOW64\Imgicgca.exe Ifmqfm32.exe File created C:\Windows\SysWOW64\Ooejohhq.exe Olgncmim.exe File created C:\Windows\SysWOW64\Kgnbdh32.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Gkoafbld.dll Lmaamn32.exe File created C:\Windows\SysWOW64\Aopemh32.exe Agimkk32.exe File created C:\Windows\SysWOW64\Chflphjh.dll Iefgbh32.exe File created C:\Windows\SysWOW64\Efpgoecp.dll Hbhijepa.exe File created C:\Windows\SysWOW64\Aajohjon.exe Aolblopj.exe File created C:\Windows\SysWOW64\Nbalhp32.dll Bkobmnka.exe File created C:\Windows\SysWOW64\Gbeejp32.exe Gpgind32.exe File opened for modification C:\Windows\SysWOW64\Bjnmpl32.exe Bcddcbab.exe File created C:\Windows\SysWOW64\Ogcnmc32.exe Oplfkeob.exe File created C:\Windows\SysWOW64\Dbdjofbi.dll Ppjbmc32.exe File created C:\Windows\SysWOW64\Dcgmfg32.dll Lqpamb32.exe File opened for modification C:\Windows\SysWOW64\Polppg32.exe Phbhcmjl.exe File created C:\Windows\SysWOW64\Lbekag32.dll Bbdhiojo.exe File created C:\Windows\SysWOW64\Dfgcakon.exe Dblgpl32.exe File opened for modification C:\Windows\SysWOW64\Ijqmhnko.exe Icfekc32.exe File created C:\Windows\SysWOW64\Mmmqhl32.exe Mfchlbfd.exe File created C:\Windows\SysWOW64\Dgeaknci.dll Aokkahlo.exe File opened for modification C:\Windows\SysWOW64\Hajpbckl.exe Hjchaf32.exe File created C:\Windows\SysWOW64\Cnkkjh32.exe Ckmonl32.exe File opened for modification C:\Windows\SysWOW64\Mfnoqc32.exe Mcpcdg32.exe File opened for modification C:\Windows\SysWOW64\Lacdmh32.exe Ljilqnlm.exe File opened for modification C:\Windows\SysWOW64\Lqhdbm32.exe Lnjgfb32.exe File created C:\Windows\SysWOW64\Hkjefc32.dll Aeaanjkl.exe File created C:\Windows\SysWOW64\Acpklg32.dll Cijpahho.exe File created C:\Windows\SysWOW64\Kmeddp32.dll Bochmn32.exe File created C:\Windows\SysWOW64\Pgpecj32.dll Kgiiiidd.exe File created C:\Windows\SysWOW64\Mnhdgpii.exe Mgnlkfal.exe File created C:\Windows\SysWOW64\Amqhbe32.exe Akblfj32.exe File opened for modification C:\Windows\SysWOW64\Dkndie32.exe Dddllkbf.exe File created C:\Windows\SysWOW64\Hjchaf32.exe Hgelek32.exe File created C:\Windows\SysWOW64\Qeodhjmo.exe Qkipkani.exe File created C:\Windows\SysWOW64\Iikikigb.dll Cfpffeaj.exe File opened for modification C:\Windows\SysWOW64\Mfhbga32.exe Mcifkf32.exe File opened for modification C:\Windows\SysWOW64\Alqjpi32.exe Aakebqbj.exe File opened for modification C:\Windows\SysWOW64\Ijcahd32.exe Igedlh32.exe File created C:\Windows\SysWOW64\Hkjmbk32.dll Qofcff32.exe File created C:\Windows\SysWOW64\Eifhdd32.exe Ejchhgid.exe File opened for modification C:\Windows\SysWOW64\Gfokoelp.exe Gbdoof32.exe File created C:\Windows\SysWOW64\Gbqcnc32.dll Gncchb32.exe File created C:\Windows\SysWOW64\Idieem32.exe Ijcahd32.exe File created C:\Windows\SysWOW64\Flcmfp32.dll Mbighjdd.exe File created C:\Windows\SysWOW64\Fkldkg32.dll Nmgjia32.exe File opened for modification C:\Windows\SysWOW64\Jgbchj32.exe Jokkgl32.exe File created C:\Windows\SysWOW64\Mfnoqc32.exe Mcpcdg32.exe File opened for modification C:\Windows\SysWOW64\Mbenmk32.exe Mlkepaam.exe File opened for modification C:\Windows\SysWOW64\Hlnjbedi.exe Hedafk32.exe File opened for modification C:\Windows\SysWOW64\Bhmbqm32.exe Bpfkpp32.exe File opened for modification C:\Windows\SysWOW64\Aeddnp32.exe Acfhad32.exe File created C:\Windows\SysWOW64\Pkcadhgm.exe Pibdmp32.exe File created C:\Windows\SysWOW64\Emmkiclm.exe Efccmidp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15484 15368 WerFault.exe 826 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfendmoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbceggm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nolgijpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knooej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkobmnka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmadco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okchnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coohhlpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhgbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfiplog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cogddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcepkfld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epikpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkkpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcanll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaagkcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclbpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkphhgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lieccf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbagk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddnfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbfdekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iidphgcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haoimcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnqklgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffhifdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkfkmmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddllkbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohpkmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhldpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coknoaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhkbfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgcpokp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjopcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpenfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koodbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgipd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akblfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpmjejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bokehc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfnpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfokoelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmgfedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdhkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjfecno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljilqnlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqknkedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkgmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogcihaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkifmjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piphgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nliaao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaajed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aleckinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqdlnde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhikb32.dll" Fmpqfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll" Aokkahlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbenmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqbdldnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apmhiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeichoo.dll" Cofecami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fajbad32.dll" Higjaoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idfaefkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gidnkkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niakfbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll" Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbddbhk.dll" Apmhiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaejbl32.dll" Kgopidgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahcajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbekag32.dll" Bbdhiojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgiepjga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnofdl32.dll" Dmfeidbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffmfchle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofpe32.dll" Nceefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcmeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbobfjdp.dll" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkafocc.dll" Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngjep32.dll" Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekkfckg.dll" Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pknqoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnfmhaj.dll" Nbqmiinl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhlkilba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplhmakj.dll" Dbndfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjccdkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfghnikc.dll" Lmmolepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneall32.dll" Phfcipoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cammjakm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgifbhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejjlbppk.dll" Jkjcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfeip32.dll" Cnkkjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjpijpdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jppadk32.dll" Objpoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbqaei32.dll" Dpbdopck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efccmidp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmifiap.dll" Fligqhga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baegibae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohghgodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqbpojnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdoacabq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll" Apjkcadp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjedffig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbcmakpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glgjlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jknfcofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nobdbkhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcikgacl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgaokl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1400 wrote to memory of 2640 1400 b9fa47cb3627feb0332aaf5eef79c1c125d0f5ebaa7abb0bc71a8773771e9b67.exe 84 PID 1400 wrote to memory of 2640 1400 b9fa47cb3627feb0332aaf5eef79c1c125d0f5ebaa7abb0bc71a8773771e9b67.exe 84 PID 1400 wrote to memory of 2640 1400 b9fa47cb3627feb0332aaf5eef79c1c125d0f5ebaa7abb0bc71a8773771e9b67.exe 84 PID 2640 wrote to memory of 5072 2640 Gacjadad.exe 85 PID 2640 wrote to memory of 5072 2640 Gacjadad.exe 85 PID 2640 wrote to memory of 5072 2640 Gacjadad.exe 85 PID 5072 wrote to memory of 4372 5072 Ghmbno32.exe 86 PID 5072 wrote to memory of 4372 5072 Ghmbno32.exe 86 PID 5072 wrote to memory of 4372 5072 Ghmbno32.exe 86 PID 4372 wrote to memory of 4576 4372 Gklnjj32.exe 87 PID 4372 wrote to memory of 4576 4372 Gklnjj32.exe 87 PID 4372 wrote to memory of 4576 4372 Gklnjj32.exe 87 PID 4576 wrote to memory of 4160 4576 Gnjjfegi.exe 89 PID 4576 wrote to memory of 4160 4576 Gnjjfegi.exe 89 PID 4576 wrote to memory of 4160 4576 Gnjjfegi.exe 89 PID 4160 wrote to memory of 452 4160 Ghpocngo.exe 90 PID 4160 wrote to memory of 452 4160 Ghpocngo.exe 90 PID 4160 wrote to memory of 452 4160 Ghpocngo.exe 90 PID 452 wrote to memory of 3264 452 Gknkpjfb.exe 91 PID 452 wrote to memory of 3264 452 Gknkpjfb.exe 91 PID 452 wrote to memory of 3264 452 Gknkpjfb.exe 91 PID 3264 wrote to memory of 3296 3264 Gpkchqdj.exe 92 PID 3264 wrote to memory of 3296 3264 Gpkchqdj.exe 92 PID 3264 wrote to memory of 3296 3264 Gpkchqdj.exe 92 PID 3296 wrote to memory of 4960 3296 Hgelek32.exe 93 PID 3296 wrote to memory of 4960 3296 Hgelek32.exe 93 PID 3296 wrote to memory of 4960 3296 Hgelek32.exe 93 PID 4960 wrote to memory of 4104 4960 Hjchaf32.exe 94 PID 4960 wrote to memory of 4104 4960 Hjchaf32.exe 94 PID 4960 wrote to memory of 4104 4960 Hjchaf32.exe 94 PID 4104 wrote to memory of 3580 4104 Hajpbckl.exe 95 PID 4104 wrote to memory of 3580 4104 Hajpbckl.exe 95 PID 4104 wrote to memory of 3580 4104 Hajpbckl.exe 95 PID 3580 wrote to memory of 660 3580 Hhdhon32.exe 96 PID 3580 wrote to memory of 660 3580 Hhdhon32.exe 96 PID 3580 wrote to memory of 660 3580 Hhdhon32.exe 96 PID 660 wrote to memory of 4692 660 Hjedffig.exe 97 PID 660 wrote to memory of 4692 660 Hjedffig.exe 97 PID 660 wrote to memory of 4692 660 Hjedffig.exe 97 PID 4692 wrote to memory of 1844 4692 Hammhcij.exe 98 PID 4692 wrote to memory of 1844 4692 Hammhcij.exe 98 PID 4692 wrote to memory of 1844 4692 Hammhcij.exe 98 PID 1844 wrote to memory of 1608 1844 Hdkidohn.exe 99 PID 1844 wrote to memory of 1608 1844 Hdkidohn.exe 99 PID 1844 wrote to memory of 1608 1844 Hdkidohn.exe 99 PID 1608 wrote to memory of 3756 1608 Hgiepjga.exe 100 PID 1608 wrote to memory of 3756 1608 Hgiepjga.exe 100 PID 1608 wrote to memory of 3756 1608 Hgiepjga.exe 100 PID 3756 wrote to memory of 2432 3756 Haoimcgg.exe 101 PID 3756 wrote to memory of 2432 3756 Haoimcgg.exe 101 PID 3756 wrote to memory of 2432 3756 Haoimcgg.exe 101 PID 2432 wrote to memory of 1856 2432 Hdmein32.exe 102 PID 2432 wrote to memory of 1856 2432 Hdmein32.exe 102 PID 2432 wrote to memory of 1856 2432 Hdmein32.exe 102 PID 1856 wrote to memory of 1044 1856 Hnfjbdmk.exe 103 PID 1856 wrote to memory of 1044 1856 Hnfjbdmk.exe 103 PID 1856 wrote to memory of 1044 1856 Hnfjbdmk.exe 103 PID 1044 wrote to memory of 2404 1044 Hdpbon32.exe 104 PID 1044 wrote to memory of 2404 1044 Hdpbon32.exe 104 PID 1044 wrote to memory of 2404 1044 Hdpbon32.exe 104 PID 2404 wrote to memory of 3604 2404 Hjlkge32.exe 105 PID 2404 wrote to memory of 3604 2404 Hjlkge32.exe 105 PID 2404 wrote to memory of 3604 2404 Hjlkge32.exe 105 PID 3604 wrote to memory of 2488 3604 Idbodn32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9fa47cb3627feb0332aaf5eef79c1c125d0f5ebaa7abb0bc71a8773771e9b67.exe"C:\Users\Admin\AppData\Local\Temp\b9fa47cb3627feb0332aaf5eef79c1c125d0f5ebaa7abb0bc71a8773771e9b67.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe23⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe24⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4704 -
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5068 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe27⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe28⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe29⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe30⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe31⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe32⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe33⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe34⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe37⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe38⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3536 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe40⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe41⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe42⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe43⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe44⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe45⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe47⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe48⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe49⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe50⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe51⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe52⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe53⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4776 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe55⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe56⤵
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3436 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe58⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe59⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe60⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe61⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe62⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe64⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe67⤵PID:3008
-
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe68⤵PID:1428
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe69⤵
- System Location Discovery: System Language Discovery
PID:5060 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe70⤵PID:3152
-
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe71⤵
- Drops file in System32 directory
PID:3728 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe72⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe73⤵PID:2680
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe74⤵
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe75⤵PID:4624
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe76⤵PID:4896
-
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe77⤵PID:4864
-
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe78⤵PID:4220
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe79⤵
- Modifies registry class
PID:3584 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe80⤵PID:4384
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe81⤵PID:2548
-
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe82⤵
- Modifies registry class
PID:3968 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4608 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe84⤵PID:3696
-
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe85⤵PID:2208
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe86⤵PID:4116
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe87⤵PID:2116
-
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe88⤵
- System Location Discovery: System Language Discovery
PID:4876 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe89⤵
- Modifies registry class
PID:4632 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe90⤵
- System Location Discovery: System Language Discovery
PID:4792 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe91⤵
- Modifies registry class
PID:4156 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe92⤵PID:2392
-
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe93⤵
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe94⤵PID:1560
-
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe95⤵PID:2560
-
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe96⤵PID:3088
-
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe97⤵PID:4176
-
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe98⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4284 -
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4020 -
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe101⤵PID:2896
-
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe102⤵PID:4908
-
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe103⤵PID:64
-
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe104⤵PID:3432
-
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3400 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe106⤵PID:716
-
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe107⤵
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe108⤵PID:772
-
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe109⤵
- System Location Discovery: System Language Discovery
PID:4540 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe111⤵
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe112⤵PID:5132
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe113⤵
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe114⤵
- Drops file in System32 directory
PID:5224 -
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe115⤵PID:5268
-
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe116⤵PID:5312
-
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe117⤵PID:5356
-
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe118⤵PID:5400
-
C:\Windows\SysWOW64\Pcmeke32.exeC:\Windows\system32\Pcmeke32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5444 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe120⤵PID:5488
-
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe121⤵PID:5532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-