Analysis
-
max time kernel
95s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2024 20:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
-
Size
97KB
-
MD5
ffd4eddf1aa2dab5e508e7876cb2b2f0
-
SHA1
1a08d197e9f134d278a59bdee3ae143678753992
-
SHA256
dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291d
-
SHA512
85c18bca1f0d9becaa3c65fcd1d01e2e74271bced196ea8a3bb03c5b06d6f2584aca3a9c4695f865bae6b6930c31871938a128cd819a101553cd6bf0fd614609
-
SSDEEP
1536:KoOIQObpE3zvYilc1LhI5yEM7O74SgCkBXUwXfzwE57pvJXeYZE:nQObe3vg9aMKzgCkVPzwm7pJXeKE
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciafbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qemhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckeimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moipoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifnhpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqjpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqojclne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmgelf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbpaipl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhkjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghpbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfnoqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdimqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlggjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiobceef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfokoelp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gigaka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdehni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcclm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbfgkffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpdaepai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdala32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcngpjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jekqmhia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckkiccep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljaoeini.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbhjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knhakh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goglcahb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfcfmlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghghb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeddnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhacf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpahpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadleilm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfcipoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnqklgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emmkiclm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oejbfmpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkkhhmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppjbmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjkcadp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgbdbqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebommi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iciaqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbojee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pknqoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qemhbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fngcmcfe.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1792 Poomegpf.exe 732 Peieba32.exe 2208 Phganm32.exe 4972 Poajkgnc.exe 4668 Pifnhpmi.exe 5084 Plejdkmm.exe 3956 Pocfpf32.exe 4816 Pemomqcn.exe 996 Qlggjk32.exe 4212 Qofcff32.exe 1980 Qepkbpak.exe 5040 Qljcoj32.exe 532 Qcclld32.exe 2144 Qebhhp32.exe 4088 Aojlaeei.exe 3384 Aeddnp32.exe 4108 Alnmjjdb.exe 3196 Aomifecf.exe 3192 Afgacokc.exe 456 Ajbmdn32.exe 1600 Alqjpi32.exe 3544 Akcjkfij.exe 1612 Ackbmcjl.exe 4560 Ajdjin32.exe 3496 Akffafgg.exe 2028 Afkknogn.exe 3124 Ahjgjj32.exe 3548 Abbkcpma.exe 1604 Bkkple32.exe 3788 Bbdhiojo.exe 4220 Bljlfh32.exe 3136 Bhamkipi.exe 968 Bbiado32.exe 2412 Bhcjqinf.exe 4408 Bfgjjm32.exe 5028 Bckkca32.exe 2324 Cjecpkcg.exe 1944 Ckfphc32.exe 4304 Cbphdn32.exe 2708 Ckilmcgb.exe 4340 Cbbdjm32.exe 2584 Cfnqklgh.exe 4588 Cimmggfl.exe 2304 Ckkiccep.exe 4676 Cfqmpl32.exe 756 Cmjemflb.exe 4544 Ciafbg32.exe 1060 Cmmbbejp.exe 2896 Coknoaic.exe 3776 Diccgfpd.exe 4488 Dmoohe32.exe 5108 Dcigeooj.exe 3608 Dfgcakon.exe 3096 Dmalne32.exe 3708 Dpphjp32.exe 3008 Djelgied.exe 3560 Dihlbf32.exe 2444 Dcnqpo32.exe 2016 Djhimica.exe 4776 Dikihe32.exe 4480 Dpdaepai.exe 4984 Dbcmakpl.exe 3716 Dimenegi.exe 1824 Dlkbjqgm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Plbhknkl.dll Hmpjmn32.exe File opened for modification C:\Windows\SysWOW64\Kjblje32.exe Kcidmkpq.exe File created C:\Windows\SysWOW64\Bljlfh32.exe Bbdhiojo.exe File created C:\Windows\SysWOW64\Egqbff32.dll Cfqmpl32.exe File opened for modification C:\Windows\SysWOW64\Ngjbaj32.exe Napjdpcn.exe File opened for modification C:\Windows\SysWOW64\Geaepk32.exe Goglcahb.exe File created C:\Windows\SysWOW64\Ejphhm32.dll Amlogfel.exe File created C:\Windows\SysWOW64\Cgnomg32.exe Caageq32.exe File created C:\Windows\SysWOW64\Iliinc32.exe Iepaaico.exe File created C:\Windows\SysWOW64\Nmocfo32.dll Qhhpop32.exe File opened for modification C:\Windows\SysWOW64\Ahfmpnql.exe Apodoq32.exe File created C:\Windows\SysWOW64\Ffclcgfn.exe Fpjcgm32.exe File created C:\Windows\SysWOW64\Dbdplc32.dll Ljaoeini.exe File created C:\Windows\SysWOW64\Pneall32.dll Phfcipoo.exe File created C:\Windows\SysWOW64\Gimqajgh.exe Geaepk32.exe File created C:\Windows\SysWOW64\Knhakh32.exe Kjmfjj32.exe File created C:\Windows\SysWOW64\Nmiadaea.dll Njhgbp32.exe File created C:\Windows\SysWOW64\Cpfcfmlp.exe Cnhgjaml.exe File created C:\Windows\SysWOW64\Ofgjophm.dll Gmggfp32.exe File created C:\Windows\SysWOW64\Bkaobnio.exe Bhbcfbjk.exe File opened for modification C:\Windows\SysWOW64\Mfqlfb32.exe Mgnlkfal.exe File created C:\Windows\SysWOW64\Cpbjkn32.exe Coqncejg.exe File created C:\Windows\SysWOW64\Pjdhbppo.dll Jcanll32.exe File created C:\Windows\SysWOW64\Dnbdlf32.dll Ljceqb32.exe File created C:\Windows\SysWOW64\Ojnkocdc.dll Mgnlkfal.exe File opened for modification C:\Windows\SysWOW64\Ocjoadei.exe Ompfej32.exe File created C:\Windows\SysWOW64\Ppahmb32.exe Pmblagmf.exe File opened for modification C:\Windows\SysWOW64\Nnkpnclp.exe Nlmdbh32.exe File opened for modification C:\Windows\SysWOW64\Aednci32.exe Anmfbl32.exe File created C:\Windows\SysWOW64\Bacjdbch.exe Bkibgh32.exe File created C:\Windows\SysWOW64\Hikemehi.dll Ckbemgcp.exe File created C:\Windows\SysWOW64\Ekkkoj32.exe Emhkdmlg.exe File created C:\Windows\SysWOW64\Ibaeen32.exe Hmdlmg32.exe File created C:\Windows\SysWOW64\Kgffoo32.dll Iidphgcn.exe File created C:\Windows\SysWOW64\Fidhnlin.dll Pjmjdm32.exe File created C:\Windows\SysWOW64\Mnpofk32.dll Dddllkbf.exe File created C:\Windows\SysWOW64\Dahmfpap.exe Dkndie32.exe File created C:\Windows\SysWOW64\Fbociolq.dll Bkkple32.exe File created C:\Windows\SysWOW64\Kcpahpmd.exe Kqbdldnq.exe File opened for modification C:\Windows\SysWOW64\Dngjff32.exe Dodjjimm.exe File created C:\Windows\SysWOW64\Ffqhcq32.exe Flkdfh32.exe File created C:\Windows\SysWOW64\Qljcoj32.exe Qepkbpak.exe File opened for modification C:\Windows\SysWOW64\Hlhccj32.exe Hiiggoaf.exe File created C:\Windows\SysWOW64\Oddfcg32.dll Aednci32.exe File opened for modification C:\Windows\SysWOW64\Djhimica.exe Dcnqpo32.exe File created C:\Windows\SysWOW64\Hginecde.exe Hpofii32.exe File created C:\Windows\SysWOW64\Lkalplel.exe Lmpkadnm.exe File opened for modification C:\Windows\SysWOW64\Nmigoagp.exe Njkkbehl.exe File created C:\Windows\SysWOW64\Eglmfnhm.dll Bemqih32.exe File created C:\Windows\SysWOW64\Ofhknodl.exe Ocjoadei.exe File created C:\Windows\SysWOW64\Aogbfi32.exe Afpjel32.exe File opened for modification C:\Windows\SysWOW64\Paoollik.exe Pmcclm32.exe File opened for modification C:\Windows\SysWOW64\Boeebnhp.exe Blgifbil.exe File created C:\Windows\SysWOW64\Ipgijcij.dll Lcdciiec.exe File created C:\Windows\SysWOW64\Ifomef32.dll Ocjoadei.exe File opened for modification C:\Windows\SysWOW64\Pffgom32.exe Pplobcpp.exe File opened for modification C:\Windows\SysWOW64\Jpfepf32.exe Jgnqgqan.exe File opened for modification C:\Windows\SysWOW64\Lmpkadnm.exe Ljaoeini.exe File created C:\Windows\SysWOW64\Aoalgn32.exe Akepfpcl.exe File created C:\Windows\SysWOW64\Mfnoqc32.exe Modgdicm.exe File created C:\Windows\SysWOW64\Lfebfnqn.dll Gbeejp32.exe File created C:\Windows\SysWOW64\Ldjcfk32.dll Klcekpdo.exe File created C:\Windows\SysWOW64\Mjaabq32.exe Mfeeabda.exe File opened for modification C:\Windows\SysWOW64\Pemomqcn.exe Pocfpf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12652 12464 WerFault.exe 672 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcjkfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbkcpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebgpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnjojpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahaceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdpjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackbmcjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dngjff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ondljl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkndie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjmjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmbbejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejoomhmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgehfkop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpabe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnqpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejeiocj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmpqfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbfbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iidphgcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenmcggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfpkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bochmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glipgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpejlmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplpll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkchelci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkmmefl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imiehfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npiiffqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffhifdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmgqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqndhcdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aefjii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poomegpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdaociml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemqih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckclhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnindhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoaglhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpofl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggpfkjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkibgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocjiehd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciaqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmfjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndnpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkconn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplobcpp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjkjgbh.dll" Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhain32.dll" Ggahedjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glkmmefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfjdqmng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjinodke.dll" Akepfpcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eokqkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmdlmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onmfimga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcgpni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnclimck.dll" Qljcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nabfjpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmhgmmbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkibgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgnomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnhgjaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmmolepp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmaffnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll" Amlogfel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjfnedho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgmgqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amnlme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll" Cdmfllhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpaolmbc.dll" Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllbndih.dll" Hgdejd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlihmi32.dll" Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffchaq32.dll" Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnoddcef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbphdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glienb32.dll" Elbhjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll" Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igpdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpofii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpcjgnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alqjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmkgk32.dll" Ahbjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgijcij.dll" Lcdciiec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aknbkjfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginacp32.dll" Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khblgpag.dll" Dnmhpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chlcgfff.dll" Ojgjndno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll" Ahaceo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgbpaipl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnelok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malhfo32.dll" Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbicmh32.dll" Fibhpbea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmocfo32.dll" Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amlogfel.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2468 wrote to memory of 1792 2468 dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe 82 PID 2468 wrote to memory of 1792 2468 dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe 82 PID 2468 wrote to memory of 1792 2468 dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe 82 PID 1792 wrote to memory of 732 1792 Poomegpf.exe 83 PID 1792 wrote to memory of 732 1792 Poomegpf.exe 83 PID 1792 wrote to memory of 732 1792 Poomegpf.exe 83 PID 732 wrote to memory of 2208 732 Peieba32.exe 84 PID 732 wrote to memory of 2208 732 Peieba32.exe 84 PID 732 wrote to memory of 2208 732 Peieba32.exe 84 PID 2208 wrote to memory of 4972 2208 Phganm32.exe 85 PID 2208 wrote to memory of 4972 2208 Phganm32.exe 85 PID 2208 wrote to memory of 4972 2208 Phganm32.exe 85 PID 4972 wrote to memory of 4668 4972 Poajkgnc.exe 86 PID 4972 wrote to memory of 4668 4972 Poajkgnc.exe 86 PID 4972 wrote to memory of 4668 4972 Poajkgnc.exe 86 PID 4668 wrote to memory of 5084 4668 Pifnhpmi.exe 87 PID 4668 wrote to memory of 5084 4668 Pifnhpmi.exe 87 PID 4668 wrote to memory of 5084 4668 Pifnhpmi.exe 87 PID 5084 wrote to memory of 3956 5084 Plejdkmm.exe 88 PID 5084 wrote to memory of 3956 5084 Plejdkmm.exe 88 PID 5084 wrote to memory of 3956 5084 Plejdkmm.exe 88 PID 3956 wrote to memory of 4816 3956 Pocfpf32.exe 89 PID 3956 wrote to memory of 4816 3956 Pocfpf32.exe 89 PID 3956 wrote to memory of 4816 3956 Pocfpf32.exe 89 PID 4816 wrote to memory of 996 4816 Pemomqcn.exe 90 PID 4816 wrote to memory of 996 4816 Pemomqcn.exe 90 PID 4816 wrote to memory of 996 4816 Pemomqcn.exe 90 PID 996 wrote to memory of 4212 996 Qlggjk32.exe 91 PID 996 wrote to memory of 4212 996 Qlggjk32.exe 91 PID 996 wrote to memory of 4212 996 Qlggjk32.exe 91 PID 4212 wrote to memory of 1980 4212 Qofcff32.exe 92 PID 4212 wrote to memory of 1980 4212 Qofcff32.exe 92 PID 4212 wrote to memory of 1980 4212 Qofcff32.exe 92 PID 1980 wrote to memory of 5040 1980 Qepkbpak.exe 93 PID 1980 wrote to memory of 5040 1980 Qepkbpak.exe 93 PID 1980 wrote to memory of 5040 1980 Qepkbpak.exe 93 PID 5040 wrote to memory of 532 5040 Qljcoj32.exe 94 PID 5040 wrote to memory of 532 5040 Qljcoj32.exe 94 PID 5040 wrote to memory of 532 5040 Qljcoj32.exe 94 PID 532 wrote to memory of 2144 532 Qcclld32.exe 95 PID 532 wrote to memory of 2144 532 Qcclld32.exe 95 PID 532 wrote to memory of 2144 532 Qcclld32.exe 95 PID 2144 wrote to memory of 4088 2144 Qebhhp32.exe 96 PID 2144 wrote to memory of 4088 2144 Qebhhp32.exe 96 PID 2144 wrote to memory of 4088 2144 Qebhhp32.exe 96 PID 4088 wrote to memory of 3384 4088 Aojlaeei.exe 97 PID 4088 wrote to memory of 3384 4088 Aojlaeei.exe 97 PID 4088 wrote to memory of 3384 4088 Aojlaeei.exe 97 PID 3384 wrote to memory of 4108 3384 Aeddnp32.exe 98 PID 3384 wrote to memory of 4108 3384 Aeddnp32.exe 98 PID 3384 wrote to memory of 4108 3384 Aeddnp32.exe 98 PID 4108 wrote to memory of 3196 4108 Alnmjjdb.exe 99 PID 4108 wrote to memory of 3196 4108 Alnmjjdb.exe 99 PID 4108 wrote to memory of 3196 4108 Alnmjjdb.exe 99 PID 3196 wrote to memory of 3192 3196 Aomifecf.exe 100 PID 3196 wrote to memory of 3192 3196 Aomifecf.exe 100 PID 3196 wrote to memory of 3192 3196 Aomifecf.exe 100 PID 3192 wrote to memory of 456 3192 Afgacokc.exe 101 PID 3192 wrote to memory of 456 3192 Afgacokc.exe 101 PID 3192 wrote to memory of 456 3192 Afgacokc.exe 101 PID 456 wrote to memory of 1600 456 Ajbmdn32.exe 102 PID 456 wrote to memory of 1600 456 Ajbmdn32.exe 102 PID 456 wrote to memory of 1600 456 Ajbmdn32.exe 102 PID 1600 wrote to memory of 3544 1600 Alqjpi32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe"C:\Users\Admin\AppData\Local\Temp\dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3544 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe26⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe27⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe28⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3548 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3788 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe32⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe33⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe34⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe35⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe36⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe37⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe39⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4304 -
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe41⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe42⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe44⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4676 -
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe47⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe50⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe51⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe52⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe53⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe54⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe55⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe56⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe57⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe58⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe60⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe61⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe63⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe64⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe65⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe66⤵PID:2736
-
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe67⤵PID:2012
-
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:964 -
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe69⤵PID:2956
-
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe70⤵
- System Location Discovery: System Language Discovery
PID:864 -
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4316 -
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8 -
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe73⤵
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe74⤵PID:3276
-
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4944 -
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe76⤵PID:1424
-
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe78⤵PID:5012
-
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1432 -
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe80⤵PID:5100
-
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe81⤵PID:3636
-
C:\Windows\SysWOW64\Fbajbi32.exeC:\Windows\system32\Fbajbi32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104 -
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe84⤵
- System Location Discovery: System Language Discovery
PID:3792 -
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe85⤵PID:4760
-
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe86⤵PID:2400
-
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3516 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe88⤵PID:3248
-
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe89⤵
- Drops file in System32 directory
PID:3612 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe90⤵PID:3168
-
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe91⤵
- Modifies registry class
PID:3184 -
C:\Windows\SysWOW64\Fplpll32.exeC:\Windows\system32\Fplpll32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe93⤵PID:4368
-
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe94⤵
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe95⤵
- System Location Discovery: System Language Discovery
PID:3624 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe96⤵PID:5020
-
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe97⤵PID:1620
-
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe99⤵PID:232
-
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe100⤵PID:100
-
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe101⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe102⤵PID:3852
-
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe103⤵PID:1904
-
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe105⤵
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe106⤵
- System Location Discovery: System Language Discovery
PID:4716 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe110⤵
- Modifies registry class
PID:4956 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe111⤵PID:1216
-
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3220 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe113⤵
- Modifies registry class
PID:4432 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe114⤵PID:4600
-
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe115⤵PID:3356
-
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe116⤵PID:1184
-
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe117⤵
- Drops file in System32 directory
PID:4056 -
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:4328 -
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe119⤵PID:5152
-
C:\Windows\SysWOW64\Higjaoci.exeC:\Windows\system32\Higjaoci.exe120⤵PID:5196
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5232
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-