Analysis
-
max time kernel
94s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2024 23:36
Static task
static1
Behavioral task
behavioral1
Sample
92dfb97006d38b7092ffe770660b5f31f21035abdcd202f626d67c453c49a5ec.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
92dfb97006d38b7092ffe770660b5f31f21035abdcd202f626d67c453c49a5ec.exe
Resource
win10v2004-20241007-en
General
-
Target
92dfb97006d38b7092ffe770660b5f31f21035abdcd202f626d67c453c49a5ec.exe
-
Size
92KB
-
MD5
1360fefdc0b9b44d7972400ccb5488b3
-
SHA1
2eb687b5130b67bc6aacfb61503114a172bedf9a
-
SHA256
92dfb97006d38b7092ffe770660b5f31f21035abdcd202f626d67c453c49a5ec
-
SHA512
97dd5149dcd18d04305033aa74a583ad54a47b2f6cb92f395b51aced8896bd8fe3db8f6b8dc065ccddb8913795c5fe2a32a755a5ce0a5239c205cfcbfc1a8eb9
-
SSDEEP
1536:BIkAT06VRb8qeurQT1ezIPAC2LvJ9VqDlzVxyh+CbxMQgn:5AT06v8PozlPvJ9IDlRxyhTbhgn
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oepifi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhfkopc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpbin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjnmpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meepdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajcdnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhilfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffclcgfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgamnded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfjcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnfpcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lohqnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohlimd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nflkbanj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnohn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmflbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdehlip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foapaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jahqiaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fipbdikp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omqmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmqlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhmqdemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhqefjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naaqofgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafcqcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgjejhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlambk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Monjjgkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhpgofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnbakghm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnfge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdoihpbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npepkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgoakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Damfao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihibbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkhpdcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffobhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plpjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogjdmbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhlgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjafok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdpmbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekaapi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njjdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipkdek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epokedmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimkbaed.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3780 Oocddono.exe 3160 Ohlimd32.exe 824 Oofaiokl.exe 2092 Oepifi32.exe 1044 Oljaccjf.exe 3220 Ocdjpmac.exe 3292 Ojnblg32.exe 624 Ophjiaql.exe 1968 Ookjdn32.exe 544 Pjpobg32.exe 1744 Ppjgoaoj.exe 4400 Pfgogh32.exe 2332 Pckppl32.exe 2652 Ppopjp32.exe 1100 Phjenbhp.exe 2160 Podmkm32.exe 4296 Pjjahe32.exe 4940 Pofjpl32.exe 2912 Qfpbmfdf.exe 4192 Qqffjo32.exe 1720 Qfbobf32.exe 880 Qhakoa32.exe 4148 Aokcklid.exe 612 Agbkmijg.exe 1328 Ahchda32.exe 876 Amodep32.exe 3176 Acilajpk.exe 3100 Ajcdnd32.exe 3728 Ahfdjanb.exe 2232 Amaqjp32.exe 1064 Ackigjmh.exe 3256 Afjeceml.exe 3832 Ajeadd32.exe 4048 Amcmpodi.exe 2536 Acnemi32.exe 636 Aflaie32.exe 4440 Amfjeobf.exe 740 Acpbbi32.exe 912 Ajjjocap.exe 5036 Amhfkopc.exe 2196 Bgnkhg32.exe 1524 Boipmj32.exe 2164 Bjodjb32.exe 1484 Bjaqpbkh.exe 3988 Bciehh32.exe 1748 Bmbiamhi.exe 4752 Bppfmigl.exe 3312 Bfjnjcni.exe 1888 Bjfjka32.exe 1124 Cpbbch32.exe 2848 Cflkpblf.exe 2448 Cmfclm32.exe 1204 Ccqkigkp.exe 3744 Cjjcfabm.exe 760 Cimcan32.exe 4220 Cpglnhad.exe 1936 Cfadkb32.exe 3836 Cjmpkqqj.exe 4736 Caghhk32.exe 4024 Cgqqdeod.exe 364 Cjomap32.exe 2552 Cpleig32.exe 4176 Cffmfadl.exe 1728 Dakacjdb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jcoaglhk.exe Jleijb32.exe File opened for modification C:\Windows\SysWOW64\Filapfbo.exe Fqeioiam.exe File created C:\Windows\SysWOW64\Gcnobqph.dll Jnfcia32.exe File created C:\Windows\SysWOW64\Kdohflaf.dll Lplfcf32.exe File created C:\Windows\SysWOW64\Elnoopdj.exe Ejlbhh32.exe File opened for modification C:\Windows\SysWOW64\Ejchhgid.exe Efhlhh32.exe File created C:\Windows\SysWOW64\Kideagnd.dll Hkbmqb32.exe File opened for modification C:\Windows\SysWOW64\Fimhjl32.exe Ffnknafg.exe File created C:\Windows\SysWOW64\Ablmdkdf.dll Kefiopki.exe File created C:\Windows\SysWOW64\Kabcopmg.exe Kocgbend.exe File opened for modification C:\Windows\SysWOW64\Haoimcgg.exe Hkeaqi32.exe File created C:\Windows\SysWOW64\Cgdojhec.dll Iljpij32.exe File opened for modification C:\Windows\SysWOW64\Iogopi32.exe Ihmfco32.exe File created C:\Windows\SysWOW64\Cnhgjaml.exe Ckjknfnh.exe File created C:\Windows\SysWOW64\Hgeqca32.dll Fqppci32.exe File opened for modification C:\Windows\SysWOW64\Lhgkgijg.exe Lfiokmkc.exe File created C:\Windows\SysWOW64\Pjjahe32.exe Podmkm32.exe File created C:\Windows\SysWOW64\Oihgmo32.dll Fdqfll32.exe File created C:\Windows\SysWOW64\Ojidbohn.dll Ekonpckp.exe File created C:\Windows\SysWOW64\Addaif32.exe Amjillkj.exe File created C:\Windows\SysWOW64\Enigke32.exe Ekkkoj32.exe File opened for modification C:\Windows\SysWOW64\Mfnhfm32.exe Process not Found File created C:\Windows\SysWOW64\Ggbook32.exe Gphgbafl.exe File created C:\Windows\SysWOW64\Jcemmf32.dll Ggbook32.exe File created C:\Windows\SysWOW64\Mjneln32.exe Mlkepaam.exe File created C:\Windows\SysWOW64\Cqichhmn.dll Poliea32.exe File created C:\Windows\SysWOW64\Gikkfqmf.exe Gfmojenc.exe File created C:\Windows\SysWOW64\Ejhfdb32.dll Kakmna32.exe File created C:\Windows\SysWOW64\Nagfjh32.dll Dhjckcgi.exe File created C:\Windows\SysWOW64\Edopabqn.exe Epcdqd32.exe File opened for modification C:\Windows\SysWOW64\Jhndljll.exe Jdbhkk32.exe File opened for modification C:\Windows\SysWOW64\Pidlqb32.exe Process not Found File created C:\Windows\SysWOW64\Aedkdf32.dll Kbmoen32.exe File created C:\Windows\SysWOW64\Epllglpf.dll Ebejfk32.exe File opened for modification C:\Windows\SysWOW64\Ckilmcgb.exe Cmflbf32.exe File created C:\Windows\SysWOW64\Bdlhkf32.dll Cocacl32.exe File opened for modification C:\Windows\SysWOW64\Cdhffg32.exe Process not Found File created C:\Windows\SysWOW64\Mkfepj32.dll Ackigjmh.exe File created C:\Windows\SysWOW64\Kocgbend.exe Klekfinp.exe File opened for modification C:\Windows\SysWOW64\Lbpdblmo.exe Ljilqnlm.exe File created C:\Windows\SysWOW64\Meepdp32.exe Maiccajf.exe File created C:\Windows\SysWOW64\Gkaclqkk.exe Gicgpelg.exe File created C:\Windows\SysWOW64\Pemomqcn.exe Pabblb32.exe File created C:\Windows\SysWOW64\Plpodked.dll Process not Found File created C:\Windows\SysWOW64\Oifppdpd.exe Process not Found File created C:\Windows\SysWOW64\Oefmflff.dll Mlkepaam.exe File created C:\Windows\SysWOW64\Gdobnj32.exe Glgjlm32.exe File created C:\Windows\SysWOW64\Pfepdg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gaebef32.exe Gpdennml.exe File created C:\Windows\SysWOW64\Licfngjd.exe Lbinam32.exe File opened for modification C:\Windows\SysWOW64\Nefped32.exe Nolgijpk.exe File created C:\Windows\SysWOW64\Gpbkpm32.dll Dkbocbog.exe File opened for modification C:\Windows\SysWOW64\Iebngial.exe Ipeeobbe.exe File opened for modification C:\Windows\SysWOW64\Hdkidohn.exe Hpomcp32.exe File opened for modification C:\Windows\SysWOW64\Abcgjg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gojiiafp.exe Gimqajgh.exe File created C:\Windows\SysWOW64\Chflphjh.dll Ibhkfm32.exe File opened for modification C:\Windows\SysWOW64\Lplfcf32.exe Lhenai32.exe File created C:\Windows\SysWOW64\Eagaoh32.exe Eipinkib.exe File created C:\Windows\SysWOW64\Gpnmbl32.exe Fideeaco.exe File opened for modification C:\Windows\SysWOW64\Igigla32.exe Ipoopgnf.exe File created C:\Windows\SysWOW64\Kjjiej32.exe Kglmio32.exe File opened for modification C:\Windows\SysWOW64\Kiphjo32.exe Jahqiaeb.exe File created C:\Windows\SysWOW64\Jiooia32.dll Mngegmbc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10200 8660 Process not Found 1307 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afinioip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdjbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmjlojd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipbdikp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhndljll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiejmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccfdmmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjedffig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miofjepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmeke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coiaiakf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poimpapp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdehlip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miaboe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chglab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmhpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgamnded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkgcea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqfpckhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkpnclp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkdof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbjggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoelkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkijdci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaohcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boldhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakacjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmmepfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingpmmgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgninn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojomm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halhfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgjejhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbocbog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhlhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigaka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efpomccg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmeigg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknlbhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofecami.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehngkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chqogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbnigjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmmjbkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncabfkqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqopkcbn.dll" Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibhkfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bphgeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkcaoef.dll" Nmdgikhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefchq32.dll" Hplicjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlhccj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chfegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lohqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oafcqcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fplpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plpodked.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnidqf32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejchhgid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eehicoel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmfgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agdcpkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eplnpeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcgpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhikci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plkpcfal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdaia32.dll" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnebjidl.dll" Lohqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjodjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjnifbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjnafk32.dll" Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gojiiafp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpcapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijhjcchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cofecami.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mebcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdabnm32.dll" Oeheqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbackgod.dll" Cffmfadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlkdj32.dll" Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbpchb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apmhiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll" Cklhcfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjjlc32.dll" Fbpchb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaebef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kabcopmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmpdfl32.dll" Ccqkigkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdqfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclbolkk.dll" Jgogbgei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pffgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjokgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmeq32.dll" Gghdaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmbbhkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjomap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nahgoe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2920 wrote to memory of 3780 2920 92dfb97006d38b7092ffe770660b5f31f21035abdcd202f626d67c453c49a5ec.exe 83 PID 2920 wrote to memory of 3780 2920 92dfb97006d38b7092ffe770660b5f31f21035abdcd202f626d67c453c49a5ec.exe 83 PID 2920 wrote to memory of 3780 2920 92dfb97006d38b7092ffe770660b5f31f21035abdcd202f626d67c453c49a5ec.exe 83 PID 3780 wrote to memory of 3160 3780 Oocddono.exe 84 PID 3780 wrote to memory of 3160 3780 Oocddono.exe 84 PID 3780 wrote to memory of 3160 3780 Oocddono.exe 84 PID 3160 wrote to memory of 824 3160 Ohlimd32.exe 85 PID 3160 wrote to memory of 824 3160 Ohlimd32.exe 85 PID 3160 wrote to memory of 824 3160 Ohlimd32.exe 85 PID 824 wrote to memory of 2092 824 Oofaiokl.exe 86 PID 824 wrote to memory of 2092 824 Oofaiokl.exe 86 PID 824 wrote to memory of 2092 824 Oofaiokl.exe 86 PID 2092 wrote to memory of 1044 2092 Oepifi32.exe 87 PID 2092 wrote to memory of 1044 2092 Oepifi32.exe 87 PID 2092 wrote to memory of 1044 2092 Oepifi32.exe 87 PID 1044 wrote to memory of 3220 1044 Oljaccjf.exe 88 PID 1044 wrote to memory of 3220 1044 Oljaccjf.exe 88 PID 1044 wrote to memory of 3220 1044 Oljaccjf.exe 88 PID 3220 wrote to memory of 3292 3220 Ocdjpmac.exe 89 PID 3220 wrote to memory of 3292 3220 Ocdjpmac.exe 89 PID 3220 wrote to memory of 3292 3220 Ocdjpmac.exe 89 PID 3292 wrote to memory of 624 3292 Ojnblg32.exe 90 PID 3292 wrote to memory of 624 3292 Ojnblg32.exe 90 PID 3292 wrote to memory of 624 3292 Ojnblg32.exe 90 PID 624 wrote to memory of 1968 624 Ophjiaql.exe 91 PID 624 wrote to memory of 1968 624 Ophjiaql.exe 91 PID 624 wrote to memory of 1968 624 Ophjiaql.exe 91 PID 1968 wrote to memory of 544 1968 Ookjdn32.exe 92 PID 1968 wrote to memory of 544 1968 Ookjdn32.exe 92 PID 1968 wrote to memory of 544 1968 Ookjdn32.exe 92 PID 544 wrote to memory of 1744 544 Pjpobg32.exe 93 PID 544 wrote to memory of 1744 544 Pjpobg32.exe 93 PID 544 wrote to memory of 1744 544 Pjpobg32.exe 93 PID 1744 wrote to memory of 4400 1744 Ppjgoaoj.exe 94 PID 1744 wrote to memory of 4400 1744 Ppjgoaoj.exe 94 PID 1744 wrote to memory of 4400 1744 Ppjgoaoj.exe 94 PID 4400 wrote to memory of 2332 4400 Pfgogh32.exe 95 PID 4400 wrote to memory of 2332 4400 Pfgogh32.exe 95 PID 4400 wrote to memory of 2332 4400 Pfgogh32.exe 95 PID 2332 wrote to memory of 2652 2332 Pckppl32.exe 96 PID 2332 wrote to memory of 2652 2332 Pckppl32.exe 96 PID 2332 wrote to memory of 2652 2332 Pckppl32.exe 96 PID 2652 wrote to memory of 1100 2652 Ppopjp32.exe 97 PID 2652 wrote to memory of 1100 2652 Ppopjp32.exe 97 PID 2652 wrote to memory of 1100 2652 Ppopjp32.exe 97 PID 1100 wrote to memory of 2160 1100 Phjenbhp.exe 98 PID 1100 wrote to memory of 2160 1100 Phjenbhp.exe 98 PID 1100 wrote to memory of 2160 1100 Phjenbhp.exe 98 PID 2160 wrote to memory of 4296 2160 Podmkm32.exe 99 PID 2160 wrote to memory of 4296 2160 Podmkm32.exe 99 PID 2160 wrote to memory of 4296 2160 Podmkm32.exe 99 PID 4296 wrote to memory of 4940 4296 Pjjahe32.exe 100 PID 4296 wrote to memory of 4940 4296 Pjjahe32.exe 100 PID 4296 wrote to memory of 4940 4296 Pjjahe32.exe 100 PID 4940 wrote to memory of 2912 4940 Pofjpl32.exe 101 PID 4940 wrote to memory of 2912 4940 Pofjpl32.exe 101 PID 4940 wrote to memory of 2912 4940 Pofjpl32.exe 101 PID 2912 wrote to memory of 4192 2912 Qfpbmfdf.exe 102 PID 2912 wrote to memory of 4192 2912 Qfpbmfdf.exe 102 PID 2912 wrote to memory of 4192 2912 Qfpbmfdf.exe 102 PID 4192 wrote to memory of 1720 4192 Qqffjo32.exe 103 PID 4192 wrote to memory of 1720 4192 Qqffjo32.exe 103 PID 4192 wrote to memory of 1720 4192 Qqffjo32.exe 103 PID 1720 wrote to memory of 880 1720 Qfbobf32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\92dfb97006d38b7092ffe770660b5f31f21035abdcd202f626d67c453c49a5ec.exe"C:\Users\Admin\AppData\Local\Temp\92dfb97006d38b7092ffe770660b5f31f21035abdcd202f626d67c453c49a5ec.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe23⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe24⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe25⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe26⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe27⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe28⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe30⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe31⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe33⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe34⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe35⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe36⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe37⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe38⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe39⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe40⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe42⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe43⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe45⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe46⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe47⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe48⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe49⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe50⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe51⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe52⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe53⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe55⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe56⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe57⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe58⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe59⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe60⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe61⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:364 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe63⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4176 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe66⤵PID:1580
-
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe67⤵PID:1584
-
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe68⤵
- Modifies registry class
PID:4432 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe69⤵PID:3732
-
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe70⤵PID:2024
-
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe71⤵PID:3952
-
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe72⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2492 -
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe74⤵PID:3660
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe75⤵PID:3188
-
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe76⤵PID:3212
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe77⤵PID:3080
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe78⤵PID:4032
-
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe79⤵
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe80⤵PID:2648
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe81⤵PID:4884
-
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe82⤵PID:3916
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe83⤵
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe84⤵PID:1776
-
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4360 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe86⤵PID:4604
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe87⤵PID:4648
-
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe88⤵PID:4788
-
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe89⤵PID:404
-
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe90⤵
- Drops file in System32 directory
PID:4968 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe91⤵PID:2008
-
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe92⤵PID:4820
-
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe93⤵PID:2908
-
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe94⤵PID:2716
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe95⤵PID:1340
-
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe96⤵PID:2604
-
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe97⤵PID:2020
-
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe98⤵PID:4128
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe100⤵PID:3252
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe101⤵PID:440
-
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe102⤵PID:4064
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe103⤵PID:2804
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe104⤵PID:2812
-
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe105⤵PID:1396
-
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe106⤵PID:2548
-
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe107⤵PID:2300
-
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe108⤵PID:1148
-
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe109⤵PID:4152
-
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe110⤵PID:800
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe111⤵PID:2644
-
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe112⤵PID:3172
-
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe113⤵PID:3664
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe114⤵PID:4216
-
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4792 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe116⤵PID:1984
-
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe117⤵PID:5144
-
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe118⤵PID:5188
-
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe119⤵PID:5232
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe120⤵PID:5276
-
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe121⤵PID:5320
-
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe122⤵
- Drops file in System32 directory
PID:5364
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-