Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25/12/2024, 17:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bb206a425f48258a0eb4e59b6151fcfe6ccafcc3259790861a5f46a90afb05ac.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
bb206a425f48258a0eb4e59b6151fcfe6ccafcc3259790861a5f46a90afb05ac.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
bb206a425f48258a0eb4e59b6151fcfe6ccafcc3259790861a5f46a90afb05ac.exe
-
Size
295KB
-
MD5
1ac30401f338976dd6a974c50a7826cf
-
SHA1
64628f532c952018f0a46ed01db0dda472a010d2
-
SHA256
bb206a425f48258a0eb4e59b6151fcfe6ccafcc3259790861a5f46a90afb05ac
-
SHA512
5f7bd86038480c819ce500ea1f9076281858a5f0f0fb0a772c1a582da30166aefe4e7d5ac4dfb11ffa82db901b5dbd276cd8dc0fd0c8263318f7f06a627a901c
-
SSDEEP
6144:fyREBBn46BoWKz61PY1PRe19V+tbFOLM77OLY:aR0ntRx6fe0tsNM
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjamia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chiigadc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnljkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihkjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfqmpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdodkebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdgged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekmhejao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmhgmmbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jldbpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkdibjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gppcmeem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcjjhdjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjkpoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfhad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcniglmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcidmkpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekljpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnjjfegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plbmokop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enhpao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcikejg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cofecami.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhnfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feenjgfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oophlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Famhmfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhiajmod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hffken32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeeobbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilfennic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkhmoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phfjcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nklbmllg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljpaqmgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkaiphj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkiaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iedjmioj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmkofa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecikjoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkpqkcpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjblje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapfiqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okchnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfheof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebimgcfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjoppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbgnemjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdnabjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpfcfmlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gacjadad.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 828 Filiii32.exe 1468 Fhmigagd.exe 816 Fphnlcdo.exe 3728 Fipbdikp.exe 836 Fdffbake.exe 436 Fgdbnmji.exe 1156 Fdhcgaic.exe 2800 Falcae32.exe 4492 Ggilil32.exe 2292 Gmcdffmq.exe 4396 Ghhhcomg.exe 2780 Gkgeoklj.exe 3352 Ghkeio32.exe 4032 Gkiaej32.exe 3228 Gilapgqb.exe 740 Gacjadad.exe 2224 Gdafnpqh.exe 4568 Ggpbjkpl.exe 3348 Gklnjj32.exe 3176 Gnjjfegi.exe 3456 Hhbkinel.exe 5036 Hpmpnp32.exe 368 Hammhcij.exe 2220 Hpbiip32.exe 3276 Hhiajmod.exe 4088 Hkjjlhle.exe 3260 Ihnkel32.exe 1784 Ijogmdqm.exe 2572 Iqipio32.exe 3112 Ikqqlgem.exe 4904 Ihdafkdg.exe 3000 Idkbkl32.exe 2352 Ibobdqid.exe 3500 Jdnoplhh.exe 4408 Jjjghcfp.exe 336 Jbaojpgb.exe 3392 Jgogbgei.exe 632 Jjmcnbdm.exe 4536 Jdbhkk32.exe 2308 Jhndljll.exe 3904 Jbfheo32.exe 2436 Jhpqaiji.exe 3060 Jjamia32.exe 2416 Jdgafjpn.exe 2500 Jgenbfoa.exe 4260 Jnpfop32.exe 1832 Kqnbkl32.exe 1236 Kkcfid32.exe 5088 Kbmoen32.exe 2288 Kiggbhda.exe 2336 Kjhcjq32.exe 4280 Kbpkkn32.exe 2036 Kgmcce32.exe 3712 Kjkpoq32.exe 3588 Kilpmh32.exe 4972 Kjmmepfj.exe 4692 Kbddfmgl.exe 3268 Kgamnded.exe 1764 Knkekn32.exe 3972 Liqihglg.exe 2344 Lnnbqnjn.exe 1528 Legjmh32.exe 4200 Ljdceo32.exe 4668 Lejgch32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gklnjj32.exe Ggpbjkpl.exe File opened for modification C:\Windows\SysWOW64\Ljobpiql.exe Lgqfdnah.exe File created C:\Windows\SysWOW64\Olekop32.dll Hbnaeh32.exe File created C:\Windows\SysWOW64\Iankhggi.dll Mapppn32.exe File created C:\Windows\SysWOW64\Gkcigjel.exe Gdiakp32.exe File created C:\Windows\SysWOW64\Gefchq32.dll Hckeoeno.exe File created C:\Windows\SysWOW64\Nagpeo32.exe Nnicid32.exe File created C:\Windows\SysWOW64\Dibkjmof.dll Gmfplibd.exe File opened for modification C:\Windows\SysWOW64\Ojhiogdd.exe Ocnabm32.exe File created C:\Windows\SysWOW64\Oifeab32.exe Oekiqccc.exe File opened for modification C:\Windows\SysWOW64\Bhcjqinf.exe Bbiado32.exe File created C:\Windows\SysWOW64\Agchinmk.dll Badanigc.exe File created C:\Windows\SysWOW64\Holfoqcm.exe Hlnjbedi.exe File created C:\Windows\SysWOW64\Pjmdlh32.dll Holfoqcm.exe File created C:\Windows\SysWOW64\Plikcm32.dll Bmeandma.exe File created C:\Windows\SysWOW64\Pghien32.dll Chiblk32.exe File opened for modification C:\Windows\SysWOW64\Piphgq32.exe Pahpfc32.exe File opened for modification C:\Windows\SysWOW64\Pkcadhgm.exe Phedhmhi.exe File opened for modification C:\Windows\SysWOW64\Popbpqjh.exe Phfjcf32.exe File created C:\Windows\SysWOW64\Ogakfe32.dll Pffgom32.exe File opened for modification C:\Windows\SysWOW64\Kgamnded.exe Kbddfmgl.exe File created C:\Windows\SysWOW64\Ffobhg32.exe Fdqfll32.exe File created C:\Windows\SysWOW64\Jpcapp32.exe Jmeede32.exe File opened for modification C:\Windows\SysWOW64\Kiggbhda.exe Kbmoen32.exe File created C:\Windows\SysWOW64\Plejdkmm.exe Pekbga32.exe File created C:\Windows\SysWOW64\Qdphngfl.exe Pkgcea32.exe File opened for modification C:\Windows\SysWOW64\Jekqmhia.exe Jcmdaljn.exe File opened for modification C:\Windows\SysWOW64\Coqncejg.exe Cgifbhid.exe File created C:\Windows\SysWOW64\Lhpapf32.dll Fgjhpcmo.exe File created C:\Windows\SysWOW64\Obafpg32.exe Olgncmim.exe File opened for modification C:\Windows\SysWOW64\Qikgco32.exe Qadoba32.exe File created C:\Windows\SysWOW64\Oihagaji.exe Oocmii32.exe File created C:\Windows\SysWOW64\Omjpeo32.exe Okkdic32.exe File opened for modification C:\Windows\SysWOW64\Ckeimm32.exe Clchbqoo.exe File created C:\Windows\SysWOW64\Ickglm32.exe Iplkpa32.exe File created C:\Windows\SysWOW64\Mnbepb32.dll Eqdpgk32.exe File created C:\Windows\SysWOW64\Ocnabm32.exe Omdieb32.exe File opened for modification C:\Windows\SysWOW64\Ihnkel32.exe Hkjjlhle.exe File created C:\Windows\SysWOW64\Mlbkap32.exe Mbighjdd.exe File opened for modification C:\Windows\SysWOW64\Amfobp32.exe Qbajeg32.exe File created C:\Windows\SysWOW64\Ocgjojai.dll Nbebbk32.exe File created C:\Windows\SysWOW64\Nhfjcpfb.dll Flpmagqi.exe File opened for modification C:\Windows\SysWOW64\Iajdgcab.exe Ipihpkkd.exe File created C:\Windows\SysWOW64\Pciqnk32.exe Pakdbp32.exe File created C:\Windows\SysWOW64\Efoope32.dll Cacmpj32.exe File opened for modification C:\Windows\SysWOW64\Eqkondfl.exe Enlcahgh.exe File opened for modification C:\Windows\SysWOW64\Mejpje32.exe Mlbkap32.exe File opened for modification C:\Windows\SysWOW64\Qljcoj32.exe Qikgco32.exe File opened for modification C:\Windows\SysWOW64\Qdphngfl.exe Pkgcea32.exe File created C:\Windows\SysWOW64\Ojmjcf32.dll Gnqfcbnj.exe File created C:\Windows\SysWOW64\Figfoijn.dll Mgbefe32.exe File opened for modification C:\Windows\SysWOW64\Qhhpop32.exe Ppahmb32.exe File created C:\Windows\SysWOW64\Hkhcdb32.dll Hhdcmp32.exe File created C:\Windows\SysWOW64\Ilfennic.exe Ihkjno32.exe File created C:\Windows\SysWOW64\Dmfeidbe.exe Dikihe32.exe File created C:\Windows\SysWOW64\Bfkegm32.dll Mgclpkac.exe File created C:\Windows\SysWOW64\Ldjcfk32.dll Kpoalo32.exe File opened for modification C:\Windows\SysWOW64\Legben32.exe Lomjicei.exe File created C:\Windows\SysWOW64\Afhfaddk.exe Aalmimfd.exe File created C:\Windows\SysWOW64\Iqipio32.exe Ijogmdqm.exe File opened for modification C:\Windows\SysWOW64\Fdepgkgj.exe Flngfn32.exe File created C:\Windows\SysWOW64\Adcjop32.exe Amjbbfgo.exe File created C:\Windows\SysWOW64\Jdnoplhh.exe Ibobdqid.exe File created C:\Windows\SysWOW64\Pemomqcn.exe Pocfpf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6264 7204 WerFault.exe 1089 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojefobm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekqmhia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgdcipq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplobcpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppahmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbaojpgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebimgcfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iliinc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boenhgdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekqckmfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilpmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfmqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdcbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgnjqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghkeio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipoopgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmhiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfnhfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ommceclc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhnikc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hicpgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpacqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmenca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caageq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqnjgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhgonidg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnhajba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlkfbocp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llflea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlegnjbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gppcmeem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qacameaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocacl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkcpql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdgdeppb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcadhgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coknoaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglmio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonoao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimcma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfjjpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmfplibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlnjbedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofkbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggejg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofckhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpjoloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbiado32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idahjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chlflabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcidmkpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johggfha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jldbpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejlnfjbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldopb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoana32.dll" Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll" Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laahglpp.dll" Gkiaej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liqihglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalhafbk.dll" Okchnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalbjhdj.dll" Pllgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqomgid.dll" Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpkgc32.dll" Hpcodihc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbnaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joqafgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amfobp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkbocbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpod32.dll" Ickglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbjnhape.dll" Hhimhobl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicchk32.dll" Llnnmhfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhekleo.dll" Afhfaddk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdapehop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iqipio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbddfmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofabneq.dll" Njghbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iomoenej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmcpoedn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbaahf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lafmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpochfji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdobnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcqjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bomfgoah.dll" Mnpabe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ponfka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqgnfcmm.dll" Eojiqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdjblf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgnbdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iajdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbcjnilj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akhcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkpqkcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefchq32.dll" Hckeoeno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njpdnedf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amjillkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokfdpdo.dll" Fdmaoahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjneln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhodk32.dll" Aednci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amqhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linhgilm.dll" Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll" Phajna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malhfo32.dll" Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agchinmk.dll" Badanigc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll" Dkkaiphj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leboon32.dll" Koajmepf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll" Cmpjoloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llflea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qljcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjjfgb32.dll" Bljlfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhcjqinf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3832 wrote to memory of 828 3832 bb206a425f48258a0eb4e59b6151fcfe6ccafcc3259790861a5f46a90afb05ac.exe 82 PID 3832 wrote to memory of 828 3832 bb206a425f48258a0eb4e59b6151fcfe6ccafcc3259790861a5f46a90afb05ac.exe 82 PID 3832 wrote to memory of 828 3832 bb206a425f48258a0eb4e59b6151fcfe6ccafcc3259790861a5f46a90afb05ac.exe 82 PID 828 wrote to memory of 1468 828 Filiii32.exe 83 PID 828 wrote to memory of 1468 828 Filiii32.exe 83 PID 828 wrote to memory of 1468 828 Filiii32.exe 83 PID 1468 wrote to memory of 816 1468 Fhmigagd.exe 84 PID 1468 wrote to memory of 816 1468 Fhmigagd.exe 84 PID 1468 wrote to memory of 816 1468 Fhmigagd.exe 84 PID 816 wrote to memory of 3728 816 Fphnlcdo.exe 85 PID 816 wrote to memory of 3728 816 Fphnlcdo.exe 85 PID 816 wrote to memory of 3728 816 Fphnlcdo.exe 85 PID 3728 wrote to memory of 836 3728 Fipbdikp.exe 86 PID 3728 wrote to memory of 836 3728 Fipbdikp.exe 86 PID 3728 wrote to memory of 836 3728 Fipbdikp.exe 86 PID 836 wrote to memory of 436 836 Fdffbake.exe 87 PID 836 wrote to memory of 436 836 Fdffbake.exe 87 PID 836 wrote to memory of 436 836 Fdffbake.exe 87 PID 436 wrote to memory of 1156 436 Fgdbnmji.exe 88 PID 436 wrote to memory of 1156 436 Fgdbnmji.exe 88 PID 436 wrote to memory of 1156 436 Fgdbnmji.exe 88 PID 1156 wrote to memory of 2800 1156 Fdhcgaic.exe 89 PID 1156 wrote to memory of 2800 1156 Fdhcgaic.exe 89 PID 1156 wrote to memory of 2800 1156 Fdhcgaic.exe 89 PID 2800 wrote to memory of 4492 2800 Falcae32.exe 90 PID 2800 wrote to memory of 4492 2800 Falcae32.exe 90 PID 2800 wrote to memory of 4492 2800 Falcae32.exe 90 PID 4492 wrote to memory of 2292 4492 Ggilil32.exe 91 PID 4492 wrote to memory of 2292 4492 Ggilil32.exe 91 PID 4492 wrote to memory of 2292 4492 Ggilil32.exe 91 PID 2292 wrote to memory of 4396 2292 Gmcdffmq.exe 92 PID 2292 wrote to memory of 4396 2292 Gmcdffmq.exe 92 PID 2292 wrote to memory of 4396 2292 Gmcdffmq.exe 92 PID 4396 wrote to memory of 2780 4396 Ghhhcomg.exe 93 PID 4396 wrote to memory of 2780 4396 Ghhhcomg.exe 93 PID 4396 wrote to memory of 2780 4396 Ghhhcomg.exe 93 PID 2780 wrote to memory of 3352 2780 Gkgeoklj.exe 94 PID 2780 wrote to memory of 3352 2780 Gkgeoklj.exe 94 PID 2780 wrote to memory of 3352 2780 Gkgeoklj.exe 94 PID 3352 wrote to memory of 4032 3352 Ghkeio32.exe 95 PID 3352 wrote to memory of 4032 3352 Ghkeio32.exe 95 PID 3352 wrote to memory of 4032 3352 Ghkeio32.exe 95 PID 4032 wrote to memory of 3228 4032 Gkiaej32.exe 96 PID 4032 wrote to memory of 3228 4032 Gkiaej32.exe 96 PID 4032 wrote to memory of 3228 4032 Gkiaej32.exe 96 PID 3228 wrote to memory of 740 3228 Gilapgqb.exe 97 PID 3228 wrote to memory of 740 3228 Gilapgqb.exe 97 PID 3228 wrote to memory of 740 3228 Gilapgqb.exe 97 PID 740 wrote to memory of 2224 740 Gacjadad.exe 98 PID 740 wrote to memory of 2224 740 Gacjadad.exe 98 PID 740 wrote to memory of 2224 740 Gacjadad.exe 98 PID 2224 wrote to memory of 4568 2224 Gdafnpqh.exe 99 PID 2224 wrote to memory of 4568 2224 Gdafnpqh.exe 99 PID 2224 wrote to memory of 4568 2224 Gdafnpqh.exe 99 PID 4568 wrote to memory of 3348 4568 Ggpbjkpl.exe 100 PID 4568 wrote to memory of 3348 4568 Ggpbjkpl.exe 100 PID 4568 wrote to memory of 3348 4568 Ggpbjkpl.exe 100 PID 3348 wrote to memory of 3176 3348 Gklnjj32.exe 101 PID 3348 wrote to memory of 3176 3348 Gklnjj32.exe 101 PID 3348 wrote to memory of 3176 3348 Gklnjj32.exe 101 PID 3176 wrote to memory of 3456 3176 Gnjjfegi.exe 102 PID 3176 wrote to memory of 3456 3176 Gnjjfegi.exe 102 PID 3176 wrote to memory of 3456 3176 Gnjjfegi.exe 102 PID 3456 wrote to memory of 5036 3456 Hhbkinel.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb206a425f48258a0eb4e59b6151fcfe6ccafcc3259790861a5f46a90afb05ac.exe"C:\Users\Admin\AppData\Local\Temp\bb206a425f48258a0eb4e59b6151fcfe6ccafcc3259790861a5f46a90afb05ac.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe23⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe24⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe25⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4088 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe28⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe31⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe32⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe33⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe35⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe36⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe38⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe39⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe40⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe41⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe42⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe43⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe45⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe46⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe47⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe48⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe49⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe51⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe52⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe53⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe54⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3588 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe57⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4692 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe59⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe60⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3972 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe62⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe63⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4200 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe65⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe66⤵
- System Location Discovery: System Language Discovery
PID:208 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe67⤵PID:1376
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe68⤵PID:3204
-
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe70⤵PID:3788
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe71⤵PID:1380
-
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe72⤵PID:2304
-
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe73⤵PID:1708
-
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe74⤵
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe75⤵PID:332
-
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe76⤵PID:1184
-
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe77⤵PID:1940
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe78⤵PID:4148
-
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe79⤵PID:4120
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe80⤵PID:3128
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe81⤵
- Drops file in System32 directory
PID:4128 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe82⤵
- Drops file in System32 directory
PID:3476 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe83⤵
- System Location Discovery: System Language Discovery
PID:4420 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe84⤵
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe85⤵PID:4988
-
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe86⤵PID:2052
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3772 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3088 -
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe89⤵
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe90⤵PID:2828
-
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe91⤵PID:956
-
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe92⤵PID:2348
-
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe93⤵PID:100
-
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe94⤵PID:2316
-
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe95⤵PID:1628
-
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3700 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe97⤵PID:3784
-
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe98⤵PID:2232
-
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe99⤵PID:3916
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe100⤵PID:2668
-
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe101⤵
- Drops file in System32 directory
PID:4676 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe102⤵PID:1980
-
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe103⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe104⤵
- Modifies registry class
PID:4700 -
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe105⤵
- Drops file in System32 directory
PID:3604 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe106⤵PID:3416
-
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe107⤵PID:1484
-
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe108⤵PID:4212
-
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe109⤵PID:4140
-
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe110⤵PID:3612
-
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe111⤵PID:4532
-
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe112⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe113⤵
- Drops file in System32 directory
PID:3652 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe114⤵PID:3872
-
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe115⤵PID:1012
-
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe116⤵PID:1436
-
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe117⤵PID:3840
-
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe118⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe119⤵
- System Location Discovery: System Language Discovery
PID:5176 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe120⤵PID:5220
-
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-