Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2024 10:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3842909d6e085d7cef61bb352a003467aeb9b6e318d641b542e10aab0052380d.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
3842909d6e085d7cef61bb352a003467aeb9b6e318d641b542e10aab0052380d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
3842909d6e085d7cef61bb352a003467aeb9b6e318d641b542e10aab0052380d.exe
-
Size
242KB
-
MD5
0d1fc368eb2eb79b99118ac32819f4d9
-
SHA1
4e331a054f13df133ff60cf29e1aa2211c00fdec
-
SHA256
3842909d6e085d7cef61bb352a003467aeb9b6e318d641b542e10aab0052380d
-
SHA512
02f9f6db5c56962e16b904b1bd410780befb86104328c98c43aa4745fdfd35b1ef82f9a4963c937f18db5512e7b2218449e1ed301f5426c81a7a7b2f9b3c5909
-
SSDEEP
3072:uOgsZiwvKd0lV6V8ZLB6V16VKcWmjRrzKbKcWmjRrzK8VHkdYaM88KCb:XZiwK0lV66LB6X62UyHEYa0b
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phincl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdkoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnoknihb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifcgion.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoplpla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjffdalb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbchdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdbfab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljdceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkpqkcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neqopnhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbloglj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgeakekd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plagcbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knhakh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjnifbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmonl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpeahb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nebmekoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acokhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aknbkjfh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihnkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpoalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgibpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loglacfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leadnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eleepoob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hildmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddnfmqng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncchb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbfff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piijno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpiecd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkmdecbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glbjggof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnhjcog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhdohp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkimho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagpeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kppici32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnohn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdfoio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaajed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dikpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nliaao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjgpfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahfmpnql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocddono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cobkhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljdceo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mngegmbc.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 456 Ikfabm32.exe 4444 Ifleoe32.exe 3304 Jkhngl32.exe 3172 Jilnqqbj.exe 672 Jkkjmlan.exe 2788 Jecofa32.exe 2424 Joiccj32.exe 3712 Jbgoof32.exe 2488 Jgdhgmep.exe 2308 Jpkphjeb.exe 652 Jehhaaci.exe 3964 Jgfdmlcm.exe 4688 Jfgdkd32.exe 1772 Kppici32.exe 2844 Kelalp32.exe 5008 Kpbfii32.exe 5068 Kijjbofj.exe 2208 Kbbokdlk.exe 5116 Keakgpko.exe 776 Kpgodhkd.exe 4952 Kbekqdjh.exe 876 Kiodmn32.exe 2752 Kpiljh32.exe 4204 Kefdbo32.exe 3924 Lpkiph32.exe 1144 Lidmhmnp.exe 2848 Lhfmdj32.exe 3628 Lpneegel.exe 332 Lblaabdp.exe 1544 Lldfjh32.exe 1520 Locbfd32.exe 1196 Lfjjga32.exe 1392 Llgcph32.exe 2312 Loeolc32.exe 64 Lbqklb32.exe 2608 Leoghn32.exe 4388 Likcilhh.exe 1340 Loglacfo.exe 4384 Leadnm32.exe 4372 Mhppji32.exe 4772 Mojhgbdl.exe 3688 Mfaqhp32.exe 868 Mhbmphjm.exe 4816 Mlnipg32.exe 2616 Mpieqeko.exe 832 Mhdjehhj.exe 3516 Mbjnbqhp.exe 2736 Mffjcopi.exe 4076 Moaogand.exe 636 Mleoafmn.exe 1344 Mbognp32.exe 372 Nemcjk32.exe 1696 Npchgdcd.exe 1044 Neppokal.exe 2012 Nlihle32.exe 3840 Nebmekoi.exe 4464 Nhpiafnm.exe 2932 Ncfmno32.exe 2688 Nhbfff32.exe 2976 Nchjdo32.exe 1640 Nibbqicm.exe 3816 Nplkmckj.exe 2588 Ogfcjm32.exe 4524 Oidofh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Llgcph32.exe Lfjjga32.exe File created C:\Windows\SysWOW64\Dfoplpla.exe Ddadpdmn.exe File opened for modification C:\Windows\SysWOW64\Kageaj32.exe Kniieo32.exe File created C:\Windows\SysWOW64\Ffclcgfn.exe Fdepgkgj.exe File opened for modification C:\Windows\SysWOW64\Hpofii32.exe Hmpjmn32.exe File created C:\Windows\SysWOW64\Pgihfj32.exe Plcdiabk.exe File created C:\Windows\SysWOW64\Fabibb32.dll Cjliajmo.exe File created C:\Windows\SysWOW64\Dclkee32.exe Dannij32.exe File created C:\Windows\SysWOW64\Fmjaphek.exe Fkkeclfh.exe File created C:\Windows\SysWOW64\Fmqgpgoc.exe Fhdohp32.exe File created C:\Windows\SysWOW64\Ijadbdoj.exe Igchfiof.exe File created C:\Windows\SysWOW64\Lehhlb32.dll Iahlcaol.exe File opened for modification C:\Windows\SysWOW64\Neoieenp.exe Nbqmiinl.exe File created C:\Windows\SysWOW64\Dpifba32.dll Pkcadhgm.exe File created C:\Windows\SysWOW64\Aobbbd32.dll Idahjg32.exe File created C:\Windows\SysWOW64\Adkgje32.exe Aamknj32.exe File opened for modification C:\Windows\SysWOW64\Ekdnei32.exe Eifaim32.exe File created C:\Windows\SysWOW64\Nagbfo32.dll Ogmijllo.exe File created C:\Windows\SysWOW64\Obonfmck.dll Kgamnded.exe File created C:\Windows\SysWOW64\Hkjmbk32.dll Qcaofebg.exe File created C:\Windows\SysWOW64\Qhmqdemc.exe Qeodhjmo.exe File created C:\Windows\SysWOW64\Hmkigh32.exe Hedafk32.exe File created C:\Windows\SysWOW64\Joiccj32.exe Jecofa32.exe File opened for modification C:\Windows\SysWOW64\Kkhpdcab.exe Kgmcce32.exe File created C:\Windows\SysWOW64\Mldhfpib.exe Mifljdjo.exe File created C:\Windows\SysWOW64\Nlphbnoe.exe Nefped32.exe File opened for modification C:\Windows\SysWOW64\Jgkdbacp.exe Jdmgfedl.exe File created C:\Windows\SysWOW64\Bcbbjj32.dll Deqcbpld.exe File created C:\Windows\SysWOW64\Lfipab32.dll Eiokinbk.exe File opened for modification C:\Windows\SysWOW64\Chkobkod.exe Cpdgqmnb.exe File opened for modification C:\Windows\SysWOW64\Ipgbdbqb.exe Illfdc32.exe File created C:\Windows\SysWOW64\Algpao32.dll Jpkphjeb.exe File created C:\Windows\SysWOW64\Qeocld32.dll Bqmeal32.exe File opened for modification C:\Windows\SysWOW64\Ccgjopal.exe Coknoaic.exe File created C:\Windows\SysWOW64\Djfoankj.dll Dkbocbog.exe File created C:\Windows\SysWOW64\Jcoong32.dll Elbhjp32.exe File created C:\Windows\SysWOW64\Dnbokg32.dll Hcmbee32.exe File opened for modification C:\Windows\SysWOW64\Mgehfkop.exe Malpia32.exe File created C:\Windows\SysWOW64\Kghlhg32.dll Ikfabm32.exe File created C:\Windows\SysWOW64\Dhhfedil.exe Dclkee32.exe File created C:\Windows\SysWOW64\Fknbil32.exe Fhofmq32.exe File created C:\Windows\SysWOW64\Indfca32.exe Igjngh32.exe File created C:\Windows\SysWOW64\Mieced32.dll Mehcdfch.exe File created C:\Windows\SysWOW64\Jcikgacl.exe Jlobkg32.exe File created C:\Windows\SysWOW64\Loglacfo.exe Likcilhh.exe File opened for modification C:\Windows\SysWOW64\Hgnoki32.exe Hpdfnolo.exe File created C:\Windows\SysWOW64\Ngbjmd32.dll Pahilmoc.exe File created C:\Windows\SysWOW64\Epmmqheb.exe Ekaapi32.exe File created C:\Windows\SysWOW64\Ookjdn32.exe Ollnhb32.exe File created C:\Windows\SysWOW64\Jqlefl32.exe Jnmijq32.exe File created C:\Windows\SysWOW64\Efjikc32.dll Majjng32.exe File opened for modification C:\Windows\SysWOW64\Oifeab32.exe Oaompd32.exe File created C:\Windows\SysWOW64\Fealin32.exe Fngcmcfe.exe File opened for modification C:\Windows\SysWOW64\Imnocf32.exe Ibhkfm32.exe File created C:\Windows\SysWOW64\Jcfggkac.exe Jphkkpbp.exe File opened for modification C:\Windows\SysWOW64\Mpieqeko.exe Mlnipg32.exe File created C:\Windows\SysWOW64\Dpckjfgg.exe Dapkni32.exe File created C:\Windows\SysWOW64\Glcaambb.exe Fideeaco.exe File created C:\Windows\SysWOW64\Pdhkcb32.exe Paiogf32.exe File created C:\Windows\SysWOW64\Ifaohg32.dll Aaoaic32.exe File opened for modification C:\Windows\SysWOW64\Chnlgjlb.exe Cdbpgl32.exe File opened for modification C:\Windows\SysWOW64\Ddgibkpc.exe Dpkmal32.exe File created C:\Windows\SysWOW64\Fhoaad32.dll Ncfmno32.exe File created C:\Windows\SysWOW64\Qfmjef32.dll Pibdmp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1420 17484 WerFault.exe 1106 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkchelci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkekn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnjejjgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjeljhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcigeooj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hckeoeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpoalo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakbehfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfoann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmipblaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empoiimf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdciiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagiji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpcecb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgqmnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epagkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjpfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmafajfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geohklaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggejg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackigjmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injcmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhknodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnklbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhokljge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlobkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfaemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpool32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdohp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcgnbaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlepcdoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflkbanj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcndbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paoollik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlihle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknmla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhndpol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhmnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpjnjii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnlgjlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdcjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjghcfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkegpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklmpalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffken32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniood32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbped32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cflkpblf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqphfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpqjglii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgnqgqan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgffic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejlbhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnlmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifljdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigaka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglnbhal.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angdnk32.dll" Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knqepc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooagno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcblpdgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knooej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjokgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klhnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nihipdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlihle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfedoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edjgfcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmoin32.dll" Hdilnojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algheg32.dll" Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefeek32.dll" Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnhmnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Locbfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnnnnod.dll" Jbaojpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olojcl32.dll" Lldopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leopnglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Papfgbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accimdgp.dll" Jekqmhia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlgepanl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhfmdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cceddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhkgijk.dll" Mjdebfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffiipfmi.dll" Ekdnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpcnkaj.dll" Gmafajfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqkqhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmlfqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kidiae32.dll" Amfjeobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iklgah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akhcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhhpop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ollnhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgiebei.dll" Fpjjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elgaeolp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflbkcll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbekqdjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccledea.dll" Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnidao32.dll" Ilmmni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ephccnmj.dll" Bcfahbpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjffdalb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nondlbmd.dll" Blhpqhlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghhhcomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffpicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdepb32.dll" Fmqgpgoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkbdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iddljmpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lippqp32.dll" Ffceip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdhao32.dll" 3842909d6e085d7cef61bb352a003467aeb9b6e318d641b542e10aab0052380d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhqnncg.dll" Cgcmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecbfdd32.dll" Lieccf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhldpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fllkqn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4028 wrote to memory of 456 4028 3842909d6e085d7cef61bb352a003467aeb9b6e318d641b542e10aab0052380d.exe 84 PID 4028 wrote to memory of 456 4028 3842909d6e085d7cef61bb352a003467aeb9b6e318d641b542e10aab0052380d.exe 84 PID 4028 wrote to memory of 456 4028 3842909d6e085d7cef61bb352a003467aeb9b6e318d641b542e10aab0052380d.exe 84 PID 456 wrote to memory of 4444 456 Ikfabm32.exe 85 PID 456 wrote to memory of 4444 456 Ikfabm32.exe 85 PID 456 wrote to memory of 4444 456 Ikfabm32.exe 85 PID 4444 wrote to memory of 3304 4444 Ifleoe32.exe 86 PID 4444 wrote to memory of 3304 4444 Ifleoe32.exe 86 PID 4444 wrote to memory of 3304 4444 Ifleoe32.exe 86 PID 3304 wrote to memory of 3172 3304 Jkhngl32.exe 87 PID 3304 wrote to memory of 3172 3304 Jkhngl32.exe 87 PID 3304 wrote to memory of 3172 3304 Jkhngl32.exe 87 PID 3172 wrote to memory of 672 3172 Jilnqqbj.exe 88 PID 3172 wrote to memory of 672 3172 Jilnqqbj.exe 88 PID 3172 wrote to memory of 672 3172 Jilnqqbj.exe 88 PID 672 wrote to memory of 2788 672 Jkkjmlan.exe 89 PID 672 wrote to memory of 2788 672 Jkkjmlan.exe 89 PID 672 wrote to memory of 2788 672 Jkkjmlan.exe 89 PID 2788 wrote to memory of 2424 2788 Jecofa32.exe 90 PID 2788 wrote to memory of 2424 2788 Jecofa32.exe 90 PID 2788 wrote to memory of 2424 2788 Jecofa32.exe 90 PID 2424 wrote to memory of 3712 2424 Joiccj32.exe 91 PID 2424 wrote to memory of 3712 2424 Joiccj32.exe 91 PID 2424 wrote to memory of 3712 2424 Joiccj32.exe 91 PID 3712 wrote to memory of 2488 3712 Jbgoof32.exe 92 PID 3712 wrote to memory of 2488 3712 Jbgoof32.exe 92 PID 3712 wrote to memory of 2488 3712 Jbgoof32.exe 92 PID 2488 wrote to memory of 2308 2488 Jgdhgmep.exe 93 PID 2488 wrote to memory of 2308 2488 Jgdhgmep.exe 93 PID 2488 wrote to memory of 2308 2488 Jgdhgmep.exe 93 PID 2308 wrote to memory of 652 2308 Jpkphjeb.exe 94 PID 2308 wrote to memory of 652 2308 Jpkphjeb.exe 94 PID 2308 wrote to memory of 652 2308 Jpkphjeb.exe 94 PID 652 wrote to memory of 3964 652 Jehhaaci.exe 95 PID 652 wrote to memory of 3964 652 Jehhaaci.exe 95 PID 652 wrote to memory of 3964 652 Jehhaaci.exe 95 PID 3964 wrote to memory of 4688 3964 Jgfdmlcm.exe 96 PID 3964 wrote to memory of 4688 3964 Jgfdmlcm.exe 96 PID 3964 wrote to memory of 4688 3964 Jgfdmlcm.exe 96 PID 4688 wrote to memory of 1772 4688 Jfgdkd32.exe 97 PID 4688 wrote to memory of 1772 4688 Jfgdkd32.exe 97 PID 4688 wrote to memory of 1772 4688 Jfgdkd32.exe 97 PID 1772 wrote to memory of 2844 1772 Kppici32.exe 98 PID 1772 wrote to memory of 2844 1772 Kppici32.exe 98 PID 1772 wrote to memory of 2844 1772 Kppici32.exe 98 PID 2844 wrote to memory of 5008 2844 Kelalp32.exe 99 PID 2844 wrote to memory of 5008 2844 Kelalp32.exe 99 PID 2844 wrote to memory of 5008 2844 Kelalp32.exe 99 PID 5008 wrote to memory of 5068 5008 Kpbfii32.exe 100 PID 5008 wrote to memory of 5068 5008 Kpbfii32.exe 100 PID 5008 wrote to memory of 5068 5008 Kpbfii32.exe 100 PID 5068 wrote to memory of 2208 5068 Kijjbofj.exe 101 PID 5068 wrote to memory of 2208 5068 Kijjbofj.exe 101 PID 5068 wrote to memory of 2208 5068 Kijjbofj.exe 101 PID 2208 wrote to memory of 5116 2208 Kbbokdlk.exe 102 PID 2208 wrote to memory of 5116 2208 Kbbokdlk.exe 102 PID 2208 wrote to memory of 5116 2208 Kbbokdlk.exe 102 PID 5116 wrote to memory of 776 5116 Keakgpko.exe 103 PID 5116 wrote to memory of 776 5116 Keakgpko.exe 103 PID 5116 wrote to memory of 776 5116 Keakgpko.exe 103 PID 776 wrote to memory of 4952 776 Kpgodhkd.exe 104 PID 776 wrote to memory of 4952 776 Kpgodhkd.exe 104 PID 776 wrote to memory of 4952 776 Kpgodhkd.exe 104 PID 4952 wrote to memory of 876 4952 Kbekqdjh.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\3842909d6e085d7cef61bb352a003467aeb9b6e318d641b542e10aab0052380d.exe"C:\Users\Admin\AppData\Local\Temp\3842909d6e085d7cef61bb352a003467aeb9b6e318d641b542e10aab0052380d.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe23⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe24⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe25⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe26⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe27⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe29⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe30⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe31⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1196 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe34⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe35⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe36⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe37⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4388 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe41⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe42⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe43⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe44⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4816 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe46⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe47⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe48⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe49⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe50⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe51⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe52⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe53⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe54⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe55⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe58⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe61⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe62⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe63⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe64⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe65⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe66⤵PID:4292
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe67⤵
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe68⤵PID:3936
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe70⤵PID:2540
-
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe71⤵PID:2416
-
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe72⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe73⤵PID:3276
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe74⤵PID:1860
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe76⤵PID:2796
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe77⤵PID:1216
-
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe78⤵PID:752
-
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe79⤵PID:2204
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4236 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe81⤵PID:4168
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe82⤵PID:3432
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe83⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe84⤵PID:1916
-
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe85⤵PID:2244
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe86⤵PID:5060
-
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe87⤵PID:116
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe88⤵PID:4200
-
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe89⤵PID:3828
-
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe90⤵PID:3012
-
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe91⤵PID:3868
-
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe92⤵PID:4652
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe93⤵
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe94⤵PID:4312
-
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe95⤵PID:388
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe96⤵PID:2960
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe97⤵PID:3492
-
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe98⤵PID:5112
-
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe99⤵
- Modifies registry class
PID:4288 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe100⤵PID:3640
-
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe101⤵
- System Location Discovery: System Language Discovery
PID:4708 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe102⤵PID:1028
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe103⤵PID:2036
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe104⤵PID:3268
-
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe105⤵PID:4568
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe106⤵PID:2604
-
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe107⤵PID:2228
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe108⤵PID:3168
-
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe109⤵PID:5044
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe110⤵PID:2368
-
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe111⤵PID:2920
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe112⤵PID:2900
-
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe113⤵
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe114⤵PID:3972
-
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe115⤵PID:1212
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe116⤵PID:5136
-
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe117⤵PID:5184
-
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe118⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe119⤵PID:5272
-
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe120⤵PID:5316
-
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe121⤵PID:5360
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-