Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2024 21:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3e902377470f2c5252ca4675c0a3fb831942b2c76956dc71c8e2ed62c4d8672f.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
3e902377470f2c5252ca4675c0a3fb831942b2c76956dc71c8e2ed62c4d8672f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
3e902377470f2c5252ca4675c0a3fb831942b2c76956dc71c8e2ed62c4d8672f.exe
-
Size
96KB
-
MD5
d639c63e15954cca35779da42693a937
-
SHA1
e1698e25885c6c3ffb9956666ca003f067441aa3
-
SHA256
3e902377470f2c5252ca4675c0a3fb831942b2c76956dc71c8e2ed62c4d8672f
-
SHA512
669c039af6cf6c4fe46cdffc51105b5b677ed172919057254ed10cbdfe189ad169555e3dbdc4bb672c57a18ca0882c41a51aed8d7bc44fdf73b75e3611f7c612
-
SSDEEP
1536:kvmTHwsno/ca4C37r74aVcdZ2JVQBKoC/CKniTCvVAva61hLDnePhVsWzRADTi4Z:qm0snoUCL4aVqZ2fQkbn1vVAva63HeP+
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogklelna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mifljdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Codhnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmeigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbbek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackigjmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjedffig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djcoai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdigadjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oanfen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeoblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oohgdhfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emphocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmadco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfpbmfdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ackigjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjpijpdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbqmiinl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igbalblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcbnnpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflfac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogklelna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blqllqqa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goglcahb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Medqcmki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedbahod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbbhqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdenmbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mblkhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgadgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjemflb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmgfedl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahfmpnql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiobceef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmgabcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nclikl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nclbpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlihle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqmeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhiajmod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najceeoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqbncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaoaic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llipehgk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngaionfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajeadd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhlgfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfcfmlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfeaopqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlklkgei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbkgfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Podmkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenggi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbjbp32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4664 Lflgmqhd.exe 3200 Llipehgk.exe 1608 Lfodbqfa.exe 2248 Leadnm32.exe 1612 Mlklkgei.exe 1780 Mpghkf32.exe 4752 Mbedga32.exe 4268 Medqcmki.exe 2440 Molelb32.exe 3680 Mhdjehhj.exe 724 Mbjnbqhp.exe 2928 Mehjol32.exe 3412 Mblkhq32.exe 4188 Mpqkad32.exe 468 Mbognp32.exe 3656 Npchgdcd.exe 4864 Nbadcpbh.exe 4988 Neppokal.exe 4320 Nhnlkfpp.exe 1088 Nlihle32.exe 2580 Npedmdab.exe 1564 Nbcqiope.exe 3448 Ngomin32.exe 1896 Nebmekoi.exe 2836 Nhpiafnm.exe 4128 Nlleaeff.exe 2368 Npgabc32.exe 3724 Ncfmno32.exe 2588 Ngaionfl.exe 3020 Nipekiep.exe 4796 Nlnbgddc.exe 3624 Nomncpcg.exe 3952 Nchjdo32.exe 2356 Neffpj32.exe 1312 Nibbqicm.exe 4364 Nlqomd32.exe 1096 Nplkmckj.exe 4780 Nookip32.exe 4720 Ogfcjm32.exe 3208 Oeicejia.exe 3992 Ohgoaehe.exe 3168 Olckbd32.exe 1496 Ooagno32.exe 432 Ocmconhk.exe 3564 Oekpkigo.exe 2912 Oigllh32.exe 2868 Olehhc32.exe 4896 Opadhb32.exe 4668 Oocddono.exe 4108 Ogklelna.exe 3184 Oenlqi32.exe 2760 Ohlimd32.exe 4600 Opcqnb32.exe 3272 Oofaiokl.exe 1668 Ocamjm32.exe 1316 Oepifi32.exe 1004 Oileggkb.exe 2284 Oljaccjf.exe 4856 Opemca32.exe 2972 Ocdjpmac.exe 4384 Ogpepl32.exe 1840 Oebflhaf.exe 4228 Ohqbhdpj.exe 1428 Ollnhb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oeicejia.exe Ogfcjm32.exe File created C:\Windows\SysWOW64\Bfendmoc.exe Bcfahbpo.exe File created C:\Windows\SysWOW64\Mdpmoppk.dll Ponfka32.exe File created C:\Windows\SysWOW64\Jpcapp32.exe Jmeede32.exe File created C:\Windows\SysWOW64\Mfgomdnj.dll Amjbbfgo.exe File created C:\Windows\SysWOW64\Gdodhh32.dll Oepifi32.exe File opened for modification C:\Windows\SysWOW64\Ddcqedkk.exe Daediilg.exe File created C:\Windows\SysWOW64\Ndlapjeg.dll Jgadgf32.exe File created C:\Windows\SysWOW64\Boeebnhp.exe Bhkmec32.exe File opened for modification C:\Windows\SysWOW64\Koodbl32.exe Knnhjcog.exe File created C:\Windows\SysWOW64\Ikaqhj32.dll Mlklkgei.exe File created C:\Windows\SysWOW64\Jbnnbmfj.dll Olbdhn32.exe File opened for modification C:\Windows\SysWOW64\Jcikgacl.exe Jdfjld32.exe File created C:\Windows\SysWOW64\Fpbflg32.exe Felbnn32.exe File created C:\Windows\SysWOW64\Pfnmog32.dll Gifkpknp.exe File created C:\Windows\SysWOW64\Qeidhb32.dll Indfca32.exe File created C:\Windows\SysWOW64\Plpqil32.exe Phedhmhi.exe File created C:\Windows\SysWOW64\Qlimed32.exe Qeodhjmo.exe File created C:\Windows\SysWOW64\Pialao32.dll Mpqkad32.exe File opened for modification C:\Windows\SysWOW64\Nhpiafnm.exe Nebmekoi.exe File created C:\Windows\SysWOW64\Bghakj32.dll Pfillg32.exe File created C:\Windows\SysWOW64\Gigheh32.exe Fpodlbng.exe File created C:\Windows\SysWOW64\Cmjemflb.exe Cimmggfl.exe File created C:\Windows\SysWOW64\Dbcmakpl.exe Dlieda32.exe File created C:\Windows\SysWOW64\Idcepgmg.exe Iphioh32.exe File created C:\Windows\SysWOW64\Lgcjdd32.exe Leenhhdn.exe File opened for modification C:\Windows\SysWOW64\Iplkpa32.exe Imnocf32.exe File opened for modification C:\Windows\SysWOW64\Hjjnae32.exe Hhiajmod.exe File created C:\Windows\SysWOW64\Aplhmakj.dll Dbndfl32.exe File opened for modification C:\Windows\SysWOW64\Kcbnnpka.exe Kmieae32.exe File opened for modification C:\Windows\SysWOW64\Aggpfkjj.exe Adhdjpjf.exe File created C:\Windows\SysWOW64\Qabjcina.dll Glldgljg.exe File created C:\Windows\SysWOW64\Cbgpnkdm.dll Nihipdhl.exe File opened for modification C:\Windows\SysWOW64\Aakebqbj.exe Ajpqnneo.exe File created C:\Windows\SysWOW64\Fiboaq32.dll Dmadco32.exe File created C:\Windows\SysWOW64\Ogpepl32.exe Ocdjpmac.exe File created C:\Windows\SysWOW64\Hgagmm32.dll Qgpogili.exe File created C:\Windows\SysWOW64\Bqfoamfj.exe Bfqkddfd.exe File opened for modification C:\Windows\SysWOW64\Ealkjh32.exe Ehcfaboo.exe File created C:\Windows\SysWOW64\Kjpijpdg.exe Kkmioc32.exe File created C:\Windows\SysWOW64\Dmcain32.exe Ddligq32.exe File created C:\Windows\SysWOW64\Fmjhedep.dll Lqbncb32.exe File opened for modification C:\Windows\SysWOW64\Jedccfqg.exe Jokkgl32.exe File opened for modification C:\Windows\SysWOW64\Pnfiplog.exe Pjkmomfn.exe File created C:\Windows\SysWOW64\Kbjpeo32.dll Nqmfdj32.exe File created C:\Windows\SysWOW64\Oigllh32.exe Oekpkigo.exe File created C:\Windows\SysWOW64\Qiginoqd.dll Aqmlknnd.exe File created C:\Windows\SysWOW64\Kninjc32.dll Ealkjh32.exe File opened for modification C:\Windows\SysWOW64\Ajdjin32.exe Aanbhp32.exe File created C:\Windows\SysWOW64\Dmohno32.exe Dfdpad32.exe File opened for modification C:\Windows\SysWOW64\Ngaionfl.exe Ncfmno32.exe File created C:\Windows\SysWOW64\Amjjnh32.dll Nimbkc32.exe File created C:\Windows\SysWOW64\Bheffh32.exe Bjbfklei.exe File opened for modification C:\Windows\SysWOW64\Cammjakm.exe Chdialdl.exe File opened for modification C:\Windows\SysWOW64\Ookjdn32.exe Ollnhb32.exe File created C:\Windows\SysWOW64\Jdnoplhh.exe Indfca32.exe File opened for modification C:\Windows\SysWOW64\Fpbmfn32.exe Eiieicml.exe File opened for modification C:\Windows\SysWOW64\Fdqfll32.exe Fmfnpa32.exe File created C:\Windows\SysWOW64\Ilcldb32.exe Ieidhh32.exe File created C:\Windows\SysWOW64\Cppnfc32.dll Gigheh32.exe File opened for modification C:\Windows\SysWOW64\Jdedak32.exe Jnkldqkc.exe File created C:\Windows\SysWOW64\Eciplm32.exe Emphocjj.exe File opened for modification C:\Windows\SysWOW64\Ikdcmpnl.exe Idkkpf32.exe File created C:\Windows\SysWOW64\Cbpajgmf.exe Ckeimm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5516 3536 WerFault.exe 862 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnihiio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjchaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aleckinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkblhfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmmqheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjaqpbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idbodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbqmiinl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkmec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknifq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqmeal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddadpdmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikejgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbcmakpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkpmdbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blnoga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmdnadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflibgil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldipha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqmop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inainbcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnoplhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbmqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogekbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogiap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchlbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplfkeob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggegh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbjkngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllkqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhcjqinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjiej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacoqnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoadlfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqkad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbpdblmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phedhmhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdokdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkqhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmqnobn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibbqicm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cimcan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miaboe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbcplpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcldb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adcjop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqbdldnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgabcge.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjjahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbdoof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhmofj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpcjgnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amlogfel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odnknc32.dll" Caienjfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijhjcchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nahgoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdoacabq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll" Apmhiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll" Adhdjpjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doogdl32.dll" Napjdpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofdmmgd.dll" Bojomm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekodjiol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpqldc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nclbpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acnemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijmiq32.dll" Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajeadd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcjff32.dll" Djhpgofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hloqml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nefped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akpoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkafmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjoiil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgdpni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chkobkod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglfodah.dll" Mbedga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjcmebie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjpijpdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nihipdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpecbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llhikacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqimikfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbadcpbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlqomd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acpbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acpbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqmeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micgbemj.dll" Clgbmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glipgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhonib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebiel32.dll" Nmigoagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbopqlen.dll" Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocamjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plndcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkpqkcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejoaandc.dll" Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqadgkdb.dll" Chqogq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gigheh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keqdmihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjodaqj.dll" Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hipmfjee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnoddcef.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 872 wrote to memory of 4664 872 3e902377470f2c5252ca4675c0a3fb831942b2c76956dc71c8e2ed62c4d8672f.exe 85 PID 872 wrote to memory of 4664 872 3e902377470f2c5252ca4675c0a3fb831942b2c76956dc71c8e2ed62c4d8672f.exe 85 PID 872 wrote to memory of 4664 872 3e902377470f2c5252ca4675c0a3fb831942b2c76956dc71c8e2ed62c4d8672f.exe 85 PID 4664 wrote to memory of 3200 4664 Lflgmqhd.exe 86 PID 4664 wrote to memory of 3200 4664 Lflgmqhd.exe 86 PID 4664 wrote to memory of 3200 4664 Lflgmqhd.exe 86 PID 3200 wrote to memory of 1608 3200 Llipehgk.exe 87 PID 3200 wrote to memory of 1608 3200 Llipehgk.exe 87 PID 3200 wrote to memory of 1608 3200 Llipehgk.exe 87 PID 1608 wrote to memory of 2248 1608 Lfodbqfa.exe 88 PID 1608 wrote to memory of 2248 1608 Lfodbqfa.exe 88 PID 1608 wrote to memory of 2248 1608 Lfodbqfa.exe 88 PID 2248 wrote to memory of 1612 2248 Leadnm32.exe 89 PID 2248 wrote to memory of 1612 2248 Leadnm32.exe 89 PID 2248 wrote to memory of 1612 2248 Leadnm32.exe 89 PID 1612 wrote to memory of 1780 1612 Mlklkgei.exe 90 PID 1612 wrote to memory of 1780 1612 Mlklkgei.exe 90 PID 1612 wrote to memory of 1780 1612 Mlklkgei.exe 90 PID 1780 wrote to memory of 4752 1780 Mpghkf32.exe 91 PID 1780 wrote to memory of 4752 1780 Mpghkf32.exe 91 PID 1780 wrote to memory of 4752 1780 Mpghkf32.exe 91 PID 4752 wrote to memory of 4268 4752 Mbedga32.exe 92 PID 4752 wrote to memory of 4268 4752 Mbedga32.exe 92 PID 4752 wrote to memory of 4268 4752 Mbedga32.exe 92 PID 4268 wrote to memory of 2440 4268 Medqcmki.exe 93 PID 4268 wrote to memory of 2440 4268 Medqcmki.exe 93 PID 4268 wrote to memory of 2440 4268 Medqcmki.exe 93 PID 2440 wrote to memory of 3680 2440 Molelb32.exe 94 PID 2440 wrote to memory of 3680 2440 Molelb32.exe 94 PID 2440 wrote to memory of 3680 2440 Molelb32.exe 94 PID 3680 wrote to memory of 724 3680 Mhdjehhj.exe 95 PID 3680 wrote to memory of 724 3680 Mhdjehhj.exe 95 PID 3680 wrote to memory of 724 3680 Mhdjehhj.exe 95 PID 724 wrote to memory of 2928 724 Mbjnbqhp.exe 96 PID 724 wrote to memory of 2928 724 Mbjnbqhp.exe 96 PID 724 wrote to memory of 2928 724 Mbjnbqhp.exe 96 PID 2928 wrote to memory of 3412 2928 Mehjol32.exe 97 PID 2928 wrote to memory of 3412 2928 Mehjol32.exe 97 PID 2928 wrote to memory of 3412 2928 Mehjol32.exe 97 PID 3412 wrote to memory of 4188 3412 Mblkhq32.exe 98 PID 3412 wrote to memory of 4188 3412 Mblkhq32.exe 98 PID 3412 wrote to memory of 4188 3412 Mblkhq32.exe 98 PID 4188 wrote to memory of 468 4188 Mpqkad32.exe 99 PID 4188 wrote to memory of 468 4188 Mpqkad32.exe 99 PID 4188 wrote to memory of 468 4188 Mpqkad32.exe 99 PID 468 wrote to memory of 3656 468 Mbognp32.exe 100 PID 468 wrote to memory of 3656 468 Mbognp32.exe 100 PID 468 wrote to memory of 3656 468 Mbognp32.exe 100 PID 3656 wrote to memory of 4864 3656 Npchgdcd.exe 101 PID 3656 wrote to memory of 4864 3656 Npchgdcd.exe 101 PID 3656 wrote to memory of 4864 3656 Npchgdcd.exe 101 PID 4864 wrote to memory of 4988 4864 Nbadcpbh.exe 102 PID 4864 wrote to memory of 4988 4864 Nbadcpbh.exe 102 PID 4864 wrote to memory of 4988 4864 Nbadcpbh.exe 102 PID 4988 wrote to memory of 4320 4988 Neppokal.exe 103 PID 4988 wrote to memory of 4320 4988 Neppokal.exe 103 PID 4988 wrote to memory of 4320 4988 Neppokal.exe 103 PID 4320 wrote to memory of 1088 4320 Nhnlkfpp.exe 104 PID 4320 wrote to memory of 1088 4320 Nhnlkfpp.exe 104 PID 4320 wrote to memory of 1088 4320 Nhnlkfpp.exe 104 PID 1088 wrote to memory of 2580 1088 Nlihle32.exe 105 PID 1088 wrote to memory of 2580 1088 Nlihle32.exe 105 PID 1088 wrote to memory of 2580 1088 Nlihle32.exe 105 PID 2580 wrote to memory of 1564 2580 Npedmdab.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e902377470f2c5252ca4675c0a3fb831942b2c76956dc71c8e2ed62c4d8672f.exe"C:\Users\Admin\AppData\Local\Temp\3e902377470f2c5252ca4675c0a3fb831942b2c76956dc71c8e2ed62c4d8672f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe23⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe24⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe26⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe27⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe28⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3724 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe31⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe32⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe33⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe34⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe35⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1312 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe38⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe39⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4720 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe41⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe42⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe43⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe44⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe45⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3564 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe47⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe48⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe49⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe50⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe52⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe53⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe54⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe55⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe58⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe59⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe60⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe62⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe63⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe64⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1428 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe66⤵PID:4136
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1224 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4608 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe69⤵PID:4912
-
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe70⤵PID:3652
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe71⤵PID:552
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe72⤵PID:3536
-
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe73⤵PID:4044
-
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4968 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe75⤵PID:3100
-
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe76⤵PID:3324
-
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe77⤵PID:4984
-
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe78⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe79⤵PID:4316
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe80⤵PID:3192
-
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe81⤵PID:2084
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe82⤵PID:4416
-
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe83⤵
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe84⤵PID:3024
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe85⤵PID:3372
-
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4328 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe87⤵PID:2408
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe88⤵PID:4528
-
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe89⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe90⤵PID:1100
-
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe91⤵PID:412
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe92⤵PID:1856
-
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe93⤵PID:2824
-
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4820 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe95⤵
- Modifies registry class
PID:3392 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe96⤵PID:3572
-
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe97⤵PID:3676
-
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe98⤵
- Drops file in System32 directory
PID:4216 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe99⤵PID:4748
-
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe100⤵PID:3948
-
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe101⤵PID:3596
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe102⤵PID:2584
-
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe103⤵PID:1292
-
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe104⤵PID:2544
-
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe105⤵
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1028 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe107⤵
- System Location Discovery: System Language Discovery
PID:4304 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe109⤵PID:3648
-
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe110⤵PID:632
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe111⤵
- Modifies registry class
PID:4544 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe112⤵PID:3492
-
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe113⤵PID:1764
-
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe114⤵PID:5136
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5188 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe116⤵PID:5240
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe117⤵PID:5284
-
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe118⤵PID:5328
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe119⤵
- Drops file in System32 directory
PID:5368 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe120⤵PID:5412
-
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe121⤵PID:5456
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-