Analysis

max time kernel: 148s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 03-08-2024 01:57
Static task: static1
Behavioral task: behavioral1
Sample: b47a3c2d4ba2e47b217d57322458710fa0d07192d59c6771f9112dbd66e5275d.exe
Resource: win7-20240704-en

General

Target: b47a3c2d4ba2e47b217d57322458710fa0d07192d59c6771f9112dbd66e5275d.exe
Size: 163KB
MD5: e2514715cd1b41ade12cf4c8f0843d0e
SHA1: 8005a2b927c178ccd770fec78dd0406b160a6802
SHA256: b47a3c2d4ba2e47b217d57322458710fa0d07192d59c6771f9112dbd66e5275d
SHA512: f66d71cb03deb635444421fd6e6177c3e8506cb624d01e2226160f4249a44a93709189dc46ba84f7c6f91db64bc226061f0b5ea077dbb3b4f8c641136b02eba7
SSDEEP: 1536:PvJSp5xLudO4Be4XV9wobY1Y3HlWlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:nJSp5aQWV9wo81yoltOrWKDBr+yJb

Malware Config

Extracted: gozi
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every value under ShellServiceObjectDelayLoad (SSODL) names a CLSID that explorer.exe instantiates in-process when the shell starts, so the "Web Event Logger" value below is a logon persistence point; the DLL behind CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} is registered under the "Modifies registry class" signature further down. All paths sit in the Wow6432Node view because the sample runs as 32-bit code on this x64 image and WOW64 redirects its registry writes there.

description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pconjjql.exe, Makhlkel.exe, Enmbeehg.exe, Camlpldf.exe, Ndclpb32.exe, Hafdbmjp.exe, Jlckoh32.exe, Ihmcelkk.exe, Lpiqel32.exe, Pbqbioeb.exe, Afebpmal.exe, Qbiamm32.exe, Gfadeaho.exe, Abpjgekf.exe, Aihjpman.exe, Oijbkpqm.exe, Pmefidoj.exe, Onipbl32.exe, Fidmniqa.exe, Jodmdboj.exe, Jkpfcnoe.exe, Hegdinpd.exe, Nlibhhme.exe, Dfcigk32.exe, Ddbbod32.exe, Gmqlgppo.exe, Hjgnhf32.exe, Ehaleg32.exe (39 rows in the report; 11 of them carry no process name)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndaaclac.exe, Bdcmjg32.exe, Abqlpn32.exe, Ajhkka32.exe, Kfcmcckn.exe, Oijlpjma.exe, Ehnieaoj.exe, Gpncdfkl.exe, Oekaab32.exe, Eepakc32.exe, Jbnogjqj.exe, Cnoamj32.exe, Bkkiab32.exe, Igqjfb32.exe, Bngicb32.exe, Akdedkfl.exe, Ndcqbdge.exe, Kopldl32.exe (25 rows in the report; 7 of them carry no process name)
Executes dropped EXE (64 IoCs)

Each generation writes the next 8-character binary into SysWOW64 and then runs it, so the list below is one propagation chain rather than a set of independent payloads (the first letters of the names advance through the alphabet in execution order). The "Drops file in System32 directory" rows line up with it: Gcfioj32.exe (pid 1804) modifies Gkancm32.exe, which runs next as pid 1828; Hchbcmlh.exe (1276) creates Ioochn32.exe (1160); Nhalag32.exe (2572) creates Oifelfni.exe (2800).

pid | process
1956 Dfpcdh32.exe, 1936 Eaegaaah.exe, 2616 Eiplecnc.exe, 2732 Ebhani32.exe, 2772 Elaego32.exe, 2984 Ebmjihqn.exe, 2640 Ehjbaooe.exe, 2988 Fijolbfh.exe,
2504 Fbbcdh32.exe, 1964 Foidii32.exe, 844 Flmecm32.exe, 1312 Feeilbhg.exe, 840 Faljqcmk.exe, 1692 Fmbkfd32.exe, 320 Gmegkd32.exe, 2196 Geplpfnh.exe,
1220 Ggphji32.exe, 1804 Gcfioj32.exe, 1828 Gkancm32.exe, 1528 Hkdkhl32.exe, 1712 Hkfgnldd.exe, 2204 Hhjhgpcn.exe, 3068 Hngppgae.exe, 3024 Hgbanlfc.exe,
2972 Hmojfcdk.exe, 1276 Hchbcmlh.exe, 1160 Ioochn32.exe, 2728 Imccab32.exe, 2660 Ibplji32.exe, 2548 Ikhqbo32.exe, 2532 Ifndph32.exe, 2508 Iionacad.exe,
1096 Jnlfjjpl.exe, 1460 Jkpfcnoe.exe, 2512 Jfigdl32.exe, 568 Jaolad32.exe, 2836 Jijqeg32.exe, 2356 Jcodcp32.exe, 1380 Jlkigbef.exe, 2180 Jecnpg32.exe,
1200 Kfbjjjci.exe, 1784 Kononm32.exe, 1164 Kiccle32.exe, 972 Kopldl32.exe, 2044 Kkglim32.exe, 2384 Kelqff32.exe, 2964 Koeeoljm.exe, 2020 Lgpjcnhh.exe,
2376 Lmjbphod.exe, 2768 Lphnlcnh.exe, 2300 Llooad32.exe, 2572 Nhalag32.exe, 2800 Oifelfni.exe, 2664 Okdahbmm.exe, 2908 Oemfahcn.exe, 1396 Ojjnioae.exe,
1116 Oqcffi32.exe, 2336 Ognobcqo.exe, 1204 Omjgkjof.exe, 276 Ojnhdn32.exe, 1544 Opkpme32.exe, 1548 Ofehiocd.exe, 2860 Pmoqfi32.exe, 2432 Pfgeoo32.exe
Loads dropped DLL (64 IoCs)

The report lists each of the following 32 processes twice (two dropped-DLL loads per process); the submitted sample is the first entry.

pid | process
1568 b47a3c2d4ba2e47b217d57322458710fa0d07192d59c6771f9112dbd66e5275d.exe, 1956 Dfpcdh32.exe, 1936 Eaegaaah.exe, 2616 Eiplecnc.exe, 2732 Ebhani32.exe, 2772 Elaego32.exe, 2984 Ebmjihqn.exe, 2640 Ehjbaooe.exe,
2988 Fijolbfh.exe, 2504 Fbbcdh32.exe, 1964 Foidii32.exe, 844 Flmecm32.exe, 1312 Feeilbhg.exe, 840 Faljqcmk.exe, 1692 Fmbkfd32.exe, 320 Gmegkd32.exe,
2196 Geplpfnh.exe, 1220 Ggphji32.exe, 1804 Gcfioj32.exe, 1828 Gkancm32.exe, 1528 Hkdkhl32.exe, 1712 Hkfgnldd.exe, 2204 Hhjhgpcn.exe, 3068 Hngppgae.exe,
3024 Hgbanlfc.exe, 2972 Hmojfcdk.exe, 1276 Hchbcmlh.exe, 1160 Ioochn32.exe, 2728 Imccab32.exe, 2660 Ibplji32.exe, 2548 Ikhqbo32.exe, 2532 Ifndph32.exe
Drops file in System32 directory (64 IoCs)

SysWOW64 is where a 32-bit process lands when it writes to System32 under file-system redirection. The .exe files are further generations of the execution chain; the .dll files use the same 8-character naming and directory as the InProcServer32 paths registered in "Modifies registry class" (both tables are capped at 64 rows, so the specific pairs do not line up on this page). Rows with no process name are shown with "-".

description | ioc | process
File opened for modification  C:\Windows\SysWOW64\Pmqkellk.exe  Pdhflg32.exe
File created  C:\Windows\SysWOW64\Depgeiag.exe  Djkcgpaa.exe
File created  C:\Windows\SysWOW64\Aohoja32.dll  Fedinobh.exe
File created  C:\Windows\SysWOW64\Dbgjbo32.exe  Choejien.exe
File opened for modification  C:\Windows\SysWOW64\Pgnmjokn.exe  Pobhfl32.exe
File created  C:\Windows\SysWOW64\Fjlaod32.exe  Fadmenpg.exe
File opened for modification  C:\Windows\SysWOW64\Kkechk32.exe  Kamooe32.exe
File opened for modification  C:\Windows\SysWOW64\Chcdqj32.exe  -
File created  C:\Windows\SysWOW64\Kgegnglk.dll  Pjmnck32.exe
File created  C:\Windows\SysWOW64\Cfhapbkg.dll  Efmchp32.exe
File created  C:\Windows\SysWOW64\Dcnmddbf.dll  -
File created  C:\Windows\SysWOW64\Hkebokco.exe  -
File created  C:\Windows\SysWOW64\Dgbgbmnl.dll  Dddodd32.exe
File opened for modification  C:\Windows\SysWOW64\Dgkkdnkb.exe  Dopfpkng.exe
File created  C:\Windows\SysWOW64\Bpqgcq32.exe  -
File opened for modification  C:\Windows\SysWOW64\Djkepi32.exe  -
File created  C:\Windows\SysWOW64\Kdimaeid.dll  -
File created  C:\Windows\SysWOW64\Ohpgbe32.dll  -
File opened for modification  C:\Windows\SysWOW64\Idkpfn32.exe  -
File created  C:\Windows\SysWOW64\Fhonegbd.exe  Faefim32.exe
File created  C:\Windows\SysWOW64\Kkkgnmqb.exe  Jngfei32.exe
File created  C:\Windows\SysWOW64\Jcffhn32.dll  Oicfpkci.exe
File created  C:\Windows\SysWOW64\Bqnhll32.dll  Klkmkoce.exe
File opened for modification  C:\Windows\SysWOW64\Lheilofe.exe  Lkahbkgk.exe
File created  C:\Windows\SysWOW64\Nahhfoij.exe  Neagan32.exe
File opened for modification  C:\Windows\SysWOW64\Aogqihcm.exe  Abcppcdc.exe
File opened for modification  C:\Windows\SysWOW64\Cpabgb32.exe  Celnjj32.exe
File created  C:\Windows\SysWOW64\Bkiopock.exe  Bbakgjmj.exe
File opened for modification  C:\Windows\SysWOW64\Gkancm32.exe  Gcfioj32.exe
File created  C:\Windows\SysWOW64\Ioochn32.exe  Hchbcmlh.exe
File created  C:\Windows\SysWOW64\Ijekcf32.dll  Lfanep32.exe
File opened for modification  C:\Windows\SysWOW64\Amgggm32.exe  Ajhkka32.exe
File created  C:\Windows\SysWOW64\Jmnpkp32.exe  Jfdgnf32.exe
File opened for modification  C:\Windows\SysWOW64\Ikibkhla.exe  Ilcfjkgj.exe
File opened for modification  C:\Windows\SysWOW64\Dnkhcnfe.exe  Debcjiod.exe
File created  C:\Windows\SysWOW64\Hkkmploq.dll  -
File created  C:\Windows\SysWOW64\Ajhkka32.exe  Acncngpl.exe
File opened for modification  C:\Windows\SysWOW64\Ajkjij32.exe  Ahlnpg32.exe
File created  C:\Windows\SysWOW64\Iodnncol.exe  -
File opened for modification  C:\Windows\SysWOW64\Mfqgnj32.exe  -
File created  C:\Windows\SysWOW64\Inofameg.dll  Hngppgae.exe
File created  C:\Windows\SysWOW64\Ajnlqgfo.exe  Abpjgekf.exe
File opened for modification  C:\Windows\SysWOW64\Mdqclpgd.exe  Mmgkoe32.exe
File created  C:\Windows\SysWOW64\Pqlmam32.dll  Iobdopna.exe
File created  C:\Windows\SysWOW64\Fdapqgom.exe  Fikkcnog.exe
File created  C:\Windows\SysWOW64\Cmggkmfg.exe  -
File created  C:\Windows\SysWOW64\Jahnpd32.dll  Kmnnblmj.exe
File opened for modification  C:\Windows\SysWOW64\Pconjjql.exe  Pkdiehca.exe
File created  C:\Windows\SysWOW64\Jcfgfe32.dll  Qloiqcbn.exe
File created  C:\Windows\SysWOW64\Lbkmanki.dll  Angafl32.exe
File opened for modification  C:\Windows\SysWOW64\Hhklibbf.exe  Hjglpncm.exe
File created  C:\Windows\SysWOW64\Edpnfjap.exe  Eobenc32.exe
File created  C:\Windows\SysWOW64\Oifelfni.exe  Nhalag32.exe
File created  C:\Windows\SysWOW64\Iicbdnjn.dll  Dcijmhdj.exe
File created  C:\Windows\SysWOW64\Dqmefm32.dll  Ohljcnlh.exe
File created  C:\Windows\SysWOW64\Pikcdj32.dll  -
File created  C:\Windows\SysWOW64\Nppemgjd.exe  Nifmqm32.exe
File created  C:\Windows\SysWOW64\Eppbgh32.dll  Jbfpcl32.exe
File opened for modification  C:\Windows\SysWOW64\Beoekl32.exe  Bnemnbmm.exe
File created  C:\Windows\SysWOW64\Ifgpaqpb.dll  Dgdfocge.exe
File created  C:\Windows\SysWOW64\Apakdmpp.exe  -
File opened for modification  C:\Windows\SysWOW64\Jlckoh32.exe  Jcjffc32.exe
File created  C:\Windows\SysWOW64\Hmlfcjfd.dll  Pqcncnpe.exe
File opened for modification  C:\Windows\SysWOW64\Jigmeagl.exe  Jbmdig32.exe
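Hunting the drop location on a live host, as an added example that is not part of the sandbox report and not code from the malware author: this PowerShell lists unsigned .exe/.dll files in System32 and SysWOW64 whose names match the 8-character shape seen in the rows above and that were written recently. The function name Find-DroppedSystemBinary, the 30-day window and the name regex are my assumptions derived from this page, so widen the window when the incident timeline is unknown. Run in an elevated Windows PowerShell 5.1 or later.

```powershell
# Added example, not part of the sandbox report: hunt for the dropped binaries on a live host.
# The report shows 8-character, pseudo-random .exe/.dll names written to SysWOW64 (the sample is
# 32-bit, so its writes to System32 are redirected there). Microsoft's own binaries in these
# directories are signed, so an unsigned file that also matches the observed name shape and was
# written recently is a strong lead.

# Observed shape (assumption generalised from the rows above): one capital letter plus seven
# lowercase letters (Pconjjql.exe), or a capital letter, five lowercase letters and "32"
# (Dfpcdh32.exe, Aohoja32.dll). Matched case-sensitively with -cmatch.
$NamePattern = '^[A-Z][a-z]{7}\.(exe|dll)$|^[A-Z][a-z]{5}32\.(exe|dll)$'

function Find-DroppedSystemBinary {
    param(
        [string[]]$Directories = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
        [datetime]$WrittenSince = (Get-Date).AddDays(-30),   # assumption: tune to the incident window
        [string]$Pattern = $NamePattern
    )
    foreach ($dir in $Directories) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.Extension -in '.exe', '.dll') -and
                ($_.LastWriteTime -ge $WrittenSince) -and
                ($_.Name -cmatch $Pattern)
            } |
            ForEach-Object {
                # Anything Microsoft ships here carries a valid signature; the dropped files do not.
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Written   = $_.LastWriteTime
                        SizeKB    = [math]::Round($_.Length / 1KB)
                        SigStatus = $sig.Status
                        # Hash for comparison with the report header and for sharing.
                        SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

Find-DroppedSystemBinary | Sort-Object Written -Descending | Format-Table -AutoSize
```

Because the chain renames itself on every generation, the hash in the report header will rarely match what is on a victim host; the directory, the name shape and the missing signature are the durable indicators, and the hashes this script emits are what to pivot on across the fleet.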
Program crash (1 IoC)

pid | pid_target
3228 | 3896 (process names not recorded in the report)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

On its own this is a weak signal: reading the NLS\Language key is routine for legitimate software, so treat it as corroboration for the persistence and drop behaviour above rather than as a detection in itself.

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glckehfp.exe, Ibehna32.exe, Kgienc32.exe, Ljadqn32.exe, Nlieqa32.exe, Oigokj32.exe, Emhbop32.exe, Cfmceomm.exe, Ghcdpjqj.exe, Hfmcapna.exe, Gfnpek32.exe, Gpncdfkl.exe, Hhpjfoji.exe, Pcmadj32.exe, Qcdinbdk.exe, Fanjil32.exe, Occgce32.exe, Pkjkdfjk.exe, Qhoeqide.exe, Ekiaac32.exe, Gndgmq32.exe, Ndclpb32.exe, Pejnpe32.exe, Bdbfpafn.exe, Kgcbpemp.exe, Mnnecoah.exe, Jcdaah32.exe, Cbebjpaa.exe, Elahkl32.exe, Gfkagc32.exe, Idncdgai.exe, Ioeaeolo.exe, Ieglfd32.exe, Ccoplcii.exe, Dgphpi32.exe, Fphqehda.exe, Obllai32.exe, Agpdfmfc.exe, Gigjch32.exe, Ajhkka32.exe, Clcghk32.exe, Akadmnlg.exe, Lohlcoid.exe (64 rows in the report; 21 of them carry no process name)
Modifies registry class (64 IoCs)

These rows complete the SSODL persistence: CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} is given an InProcServer32 subkey whose default value points at an 8-character DLL under C:\Windows\SysWow64, with ThreadingModel = "Apartment", the usual setting for an in-process shell object. Each generation registers a different DLL name, so the on-disk indicator is the directory and naming shape rather than a fixed filename. Caveat for 64-bit hosts: the server is written by a 32-bit process into the Wow6432Node view, and a 32-bit DLL (assuming the dropped DLL matches the sample's bitness) cannot be loaded in-process by the 64-bit explorer.exe of this image, so the entry as registered would only be loaded by a 32-bit shell. The signature fires on the registry write itself and does not show that Explorer loaded the DLL; the entry should still be removed on any host where it is found.

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odhjmc32.exe, Fahdja32.exe, Fjmdgmnl.exe, Nmlekj32.exe, Gdimlllq.exe, Dcmkciap.exe, Jckiolgm.exe, Lkahbkgk.exe, Ffdgef32.exe, Jnlkkkod.exe, Jcodcp32.exe, Pcbmhb32.exe, Amaiklki.exe, Jmplqp32.exe, Ddbbod32.exe, Hmiicj32.exe, Fnkchahn.exe (25 rows in the report; 8 of them carry no process name)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eempcfbi.exe, Lgpkobnb.exe, Lmkgajnm.exe, Mefiog32.exe, Qibjjgag.exe, Cnoamj32.exe, Beoekl32.exe, Afebpmal.exe, Jecnpg32.exe, Agpdfmfc.exe, Fpliec32.exe, Dnkhcnfe.exe, Fmbkfd32.exe (16 rows in the report; 3 of them carry no process name)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\(default) = "<dll path>" | 23 rows, one per registered DLL (rows with no process name shown with "-"):
  C:\Windows\SysWow64\Gipahplk.dll  Jcjffc32.exe
  C:\Windows\SysWow64\Nlkdim32.dll  Odhjmc32.exe
  C:\Windows\SysWow64\Hhljef32.dll  -
  C:\Windows\SysWow64\Jhhgqnio.dll  Qajiek32.exe
  C:\Windows\SysWow64\Igcopdgo.dll  Lbmknipc.exe
  C:\Windows\SysWow64\Lccmiked.dll  -
  C:\Windows\SysWow64\Ekgfbh32.dll  Mphfji32.exe
  C:\Windows\SysWow64\Qjfebqec.dll  Ghdfhc32.exe
  C:\Windows\SysWow64\Aopndi32.dll  -
  C:\Windows\SysWow64\Jijnlnha.dll  -
  C:\Windows\SysWow64\Mimilgnj.dll  Idhplaoe.exe
  C:\Windows\SysWow64\Kglhbijp.dll  Pconjjql.exe
  C:\Windows\SysWow64\Hhijhdjn.dll  -
  C:\Windows\SysWow64\Ceeaqa32.dll  -
  C:\Windows\SysWow64\Gfembi32.dll  Lmbmbi32.exe
  C:\Windows\SysWow64\Akgjlqfp.dll  -
  C:\Windows\SysWow64\Eecapl32.dll  Oqcffi32.exe
  C:\Windows\SysWow64\Dngkjalh.dll  -
  C:\Windows\SysWow64\Caegea32.dll  -
  C:\Windows\SysWow64\Ibjnpail.dll  Afjncabj.exe
  C:\Windows\SysWow64\Pfnbfp32.dll  Hopibdfd.exe
  C:\Windows\SysWow64\Mlbpogem.dll  -
  C:\Windows\SysWow64\Qbllgblj.dll  Pahpcd32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Process tree (each process is spawned by the one listed before it; the leading number is its depth in the tree):

1. C:\Users\Admin\AppData\Local\Temp\b47a3c2d4ba2e47b217d57322458710fa0d07192d59c6771f9112dbd66e5275d.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b47a3c2d4ba2e47b217d57322458710fa0d07192d59c6771f9112dbd66e5275d.exe", PID 1568)
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Dfpcdh32.exe (command line: C:\Windows\system32\Dfpcdh32.exe, PID 1956)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Eaegaaah.exe (command line: C:\Windows\system32\Eaegaaah.exe, PID 1936)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Eiplecnc.exe (command line: C:\Windows\system32\Eiplecnc.exe, PID 2616)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ebhani32.exe (command line: C:\Windows\system32\Ebhani32.exe, PID 2732)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Elaego32.exe (command line: C:\Windows\system32\Elaego32.exe, PID 2772)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ebmjihqn.exe (command line: C:\Windows\system32\Ebmjihqn.exe, PID 2984)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Ehjbaooe.exe (command line: C:\Windows\system32\Ehjbaooe.exe, PID 2640)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Fijolbfh.exe (command line: C:\Windows\system32\Fijolbfh.exe, PID 2988)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Fbbcdh32.exe (command line: C:\Windows\system32\Fbbcdh32.exe, PID 2504)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Foidii32.exe (command line: C:\Windows\system32\Foidii32.exe, PID 1964)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Flmecm32.exe (command line: C:\Windows\system32\Flmecm32.exe, PID 844)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Feeilbhg.exe (command line: C:\Windows\system32\Feeilbhg.exe, PID 1312)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Faljqcmk.exe (command line: C:\Windows\system32\Faljqcmk.exe, PID 840)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Fmbkfd32.exe (command line: C:\Windows\system32\Fmbkfd32.exe, PID 1692)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Gmegkd32.exe (command line: C:\Windows\system32\Gmegkd32.exe, PID 320)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Geplpfnh.exe (command line: C:\Windows\system32\Geplpfnh.exe, PID 2196)
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Ggphji32.exe (command line: C:\Windows\system32\Ggphji32.exe, PID 1220)
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Gcfioj32.exe (command line: C:\Windows\system32\Gcfioj32.exe, PID 1804)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
20. C:\Windows\SysWOW64\Gkancm32.exe (command line: C:\Windows\system32\Gkancm32.exe, PID 1828)
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Hkdkhl32.exe (command line: C:\Windows\system32\Hkdkhl32.exe, PID 1528)
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Hkfgnldd.exe (command line: C:\Windows\system32\Hkfgnldd.exe, PID 1712)
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Hhjhgpcn.exe (command line: C:\Windows\system32\Hhjhgpcn.exe, PID 2204)
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Hngppgae.exe (command line: C:\Windows\system32\Hngppgae.exe, PID 3068)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
25. C:\Windows\SysWOW64\Hgbanlfc.exe (command line: C:\Windows\system32\Hgbanlfc.exe, PID 3024)
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Hmojfcdk.exe (command line: C:\Windows\system32\Hmojfcdk.exe, PID 2972)
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Hchbcmlh.exe (command line: C:\Windows\system32\Hchbcmlh.exe, PID 1276)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
28. C:\Windows\SysWOW64\Ioochn32.exe (command line: C:\Windows\system32\Ioochn32.exe, PID 1160)
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Imccab32.exe (command line: C:\Windows\system32\Imccab32.exe, PID 2728)
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Ibplji32.exe (command line: C:\Windows\system32\Ibplji32.exe, PID 2660)
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Ikhqbo32.exe (command line: C:\Windows\system32\Ikhqbo32.exe, PID 2548)
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Ifndph32.exe (command line: C:\Windows\system32\Ifndph32.exe, PID 2532)
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Iionacad.exe (command line: C:\Windows\system32\Iionacad.exe, PID 2508)
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Jnlfjjpl.exe (command line: C:\Windows\system32\Jnlfjjpl.exe, PID 1096)
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Jkpfcnoe.exe (command line: C:\Windows\system32\Jkpfcnoe.exe, PID 1460)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Jfigdl32.exe (command line: C:\Windows\system32\Jfigdl32.exe, PID 2512)
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Jaolad32.exe (command line: C:\Windows\system32\Jaolad32.exe, PID 568)
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Jijqeg32.exe (command line: C:\Windows\system32\Jijqeg32.exe, PID 2836)
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Jcodcp32.exe (command line: C:\Windows\system32\Jcodcp32.exe, PID 2356)
   - Executes dropped EXE
   - Modifies registry class
40. C:\Windows\SysWOW64\Jlkigbef.exe (command line: C:\Windows\system32\Jlkigbef.exe, PID 1380)
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Jecnpg32.exe (command line: C:\Windows\system32\Jecnpg32.exe, PID 2180)
   - Executes dropped EXE
   - Modifies registry class
42. C:\Windows\SysWOW64\Kfbjjjci.exe (command line: C:\Windows\system32\Kfbjjjci.exe, PID 1200)
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Kononm32.exe (command line: C:\Windows\system32\Kononm32.exe, PID 1784)
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Kiccle32.exe (command line: C:\Windows\system32\Kiccle32.exe, PID 1164)
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Kopldl32.exe (command line: C:\Windows\system32\Kopldl32.exe, PID 972)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Kkglim32.exe (command line: C:\Windows\system32\Kkglim32.exe, PID 2044)
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Kelqff32.exe (command line: C:\Windows\system32\Kelqff32.exe, PID 2384)
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Koeeoljm.exe (command line: C:\Windows\system32\Koeeoljm.exe, PID 2964)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Lgpjcnhh.exe (command line: C:\Windows\system32\Lgpjcnhh.exe, PID 2020)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Lmjbphod.exe (command line: C:\Windows\system32\Lmjbphod.exe, PID 2376)
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Lphnlcnh.exe (command line: C:\Windows\system32\Lphnlcnh.exe, PID 2768)
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Llooad32.exe (command line: C:\Windows\system32\Llooad32.exe, PID 2300)
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Nhalag32.exe (command line: C:\Windows\system32\Nhalag32.exe, PID 2572)
   - Executes dropped EXE
   - Drops file in System32 directory
54. C:\Windows\SysWOW64\Oifelfni.exe (command line: C:\Windows\system32\Oifelfni.exe, PID 2800)
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Okdahbmm.exe (command line: C:\Windows\system32\Okdahbmm.exe, PID 2664)
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Oemfahcn.exe (command line: C:\Windows\system32\Oemfahcn.exe, PID 2908)
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Ojjnioae.exe (command line: C:\Windows\system32\Ojjnioae.exe, PID 1396)
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Oqcffi32.exe (command line: C:\Windows\system32\Oqcffi32.exe, PID 1116)
   - Executes dropped EXE
   - Modifies registry class
59. C:\Windows\SysWOW64\Ognobcqo.exe (command line: C:\Windows\system32\Ognobcqo.exe, PID 2336)
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Omjgkjof.exe (command line: C:\Windows\system32\Omjgkjof.exe, PID 1204)
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Ojnhdn32.exe (command line: C:\Windows\system32\Ojnhdn32.exe, PID 276)
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Opkpme32.exe (command line: C:\Windows\system32\Opkpme32.exe, PID 1544)
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Ofehiocd.exe (command line: C:\Windows\system32\Ofehiocd.exe, PID 1548)
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Pmoqfi32.exe (command line: C:\Windows\system32\Pmoqfi32.exe, PID 2860)
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Pfgeoo32.exe (command line: C:\Windows\system32\Pfgeoo32.exe, PID 2432)
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Pldnge32.exe (command line: C:\Windows\system32\Pldnge32.exe, PID 2232)
67. C:\Windows\SysWOW64\Pembpkfi.exe (command line: C:\Windows\system32\Pembpkfi.exe, PID 1848)
68. C:\Windows\SysWOW64\Plfjme32.exe (command line: C:\Windows\system32\Plfjme32.exe, PID 2052)
69. C:\Windows\SysWOW64\Pbqbioeb.exe (command line: C:\Windows\system32\Pbqbioeb.exe, PID 2784)
   - Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Pjlgna32.exe (command line: C:\Windows\system32\Pjlgna32.exe, PID 1388)
71. C:\Windows\SysWOW64\Pafpjljk.exe (command line: C:\Windows\system32\Pafpjljk.exe, PID 2188)
72. C:\Windows\SysWOW64\Plkchdiq.exe (command line: C:\Windows\system32\Plkchdiq.exe, PID 2680)
73. C:\Windows\SysWOW64\Qechqj32.exe (command line: C:\Windows\system32\Qechqj32.exe, PID 3000)
74. C:\Windows\SysWOW64\Qjqqianh.exe (command line: C:\Windows\system32\Qjqqianh.exe, PID 1504)
75. C:\Windows\SysWOW64\Qajiek32.exe (command line: C:\Windows\system32\Qajiek32.exe, PID 2756)
   - Modifies registry class
76. C:\Windows\SysWOW64\Qhdabemb.exe (command line: C:\Windows\system32\Qhdabemb.exe, PID 2492)
77. C:\Windows\SysWOW64\Amaiklki.exe (command line: C:\Windows\system32\Amaiklki.exe, PID 2556)
   - Modifies registry class
78. C:\Windows\SysWOW64\Afjncabj.exe (command line: C:\Windows\system32\Afjncabj.exe, PID 2348)
   - Modifies registry class
79. C:\Windows\SysWOW64\Aihjpman.exe (command line: C:\Windows\system32\Aihjpman.exe, PID 2104)
   - Adds autorun key to be loaded by Explorer.exe on startup
80. C:\Windows\SysWOW64\Aflkiapg.exe (command line: C:\Windows\system32\Aflkiapg.exe, PID 592)
81. C:\Windows\SysWOW64\Aijgemok.exe (command line: C:\Windows\system32\Aijgemok.exe, PID 2236)
82. C:\Windows\SysWOW64\Abbknb32.exe (command line: C:\Windows\system32\Abbknb32.exe, PID 2452)
83. C:\Windows\SysWOW64\Ahpdficc.exe (command line: C:\Windows\system32\Ahpdficc.exe, PID 812)
84. C:\Windows\SysWOW64\Aioppl32.exe (command line: C:\Windows\system32\Aioppl32.exe, PID 1960)
85. C:\Windows\SysWOW64\Akpmhdqd.exe (command line: C:\Windows\system32\Akpmhdqd.exe, PID 2444)
86. C:\Windows\SysWOW64\Aajedn32.exe (command line: C:\Windows\system32\Aajedn32.exe, PID 1668)
87. C:\Windows\SysWOW64\Bonenbgj.exe (command line: C:\Windows\system32\Bonenbgj.exe, PID 2600)
88. C:\Windows\SysWOW64\Behnkm32.exe (command line: C:\Windows\system32\Behnkm32.exe, PID 572)
89. C:\Windows\SysWOW64\Bkefcc32.exe (command line: C:\Windows\system32\Bkefcc32.exe, PID 1616)
90. C:\Windows\SysWOW64\Bpbokj32.exe (command line: C:\Windows\system32\Bpbokj32.exe, PID 1700)
91. C:\Windows\SysWOW64\Bkgchckl.exe (command line: C:\Windows\system32\Bkgchckl.exe, PID 1676)
92. C:\Windows\SysWOW64\Baakem32.exe (command line: C:\Windows\system32\Baakem32.exe, PID 1084)
93. C:\Windows\SysWOW64\Bgndnd32.exe (command line: C:\Windows\system32\Bgndnd32.exe, PID 2520)
94. C:\Windows\SysWOW64\Blklfk32.exe (command line: C:\Windows\system32\Blklfk32.exe, PID 2892)
95. C:\Windows\SysWOW64\Bfcqoqeh.exe (command line: C:\Windows\system32\Bfcqoqeh.exe, PID 1612)
96. C:\Windows\SysWOW64\Ccgahe32.exe (command line: C:\Windows\system32\Ccgahe32.exe, PID 2176)
97. C:\Windows\SysWOW64\Chdjpl32.exe (command line: C:\Windows\system32\Chdjpl32.exe, PID 2304)
98. C:\Windows\SysWOW64\Cblniaii.exe (command line: C:\Windows\system32\Cblniaii.exe, PID 2924)
99. C:\Windows\SysWOW64\Clbbfj32.exe (command line: C:\Windows\system32\Clbbfj32.exe, PID 2724)
100. C:\Windows\SysWOW64\Cdmgkl32.exe (command line: C:\Windows\system32\Cdmgkl32.exe, PID 1464)
101. C:\Windows\SysWOW64\Ckgogfmg.exe (command line: C:\Windows\system32\Ckgogfmg.exe, PID 2624)
102. C:\Windows\SysWOW64\Cfmceomm.exe (command line: C:\Windows\system32\Cfmceomm.exe, PID 2476)
   - System Location Discovery: System Language Discovery
103. C:\Windows\SysWOW64\Chkpakla.exe (command line: C:\Windows\system32\Chkpakla.exe, PID 704)
104. C:\Windows\SysWOW64\Cqfdem32.exe (command line: C:\Windows\system32\Cqfdem32.exe, PID 2060)
105. C:\Windows\SysWOW64\Dklibf32.exe (command line: C:\Windows\system32\Dklibf32.exe, PID 236)
106. C:\Windows\SysWOW64\Dcgmgh32.exe (command line: C:\Windows\system32\Dcgmgh32.exe, PID 2084)
107. C:\Windows\SysWOW64\Dmobpn32.exe (command line: C:\Windows\system32\Dmobpn32.exe, PID 924)
108. C:\Windows\SysWOW64\Dcijmhdj.exe (command line: C:\Windows\system32\Dcijmhdj.exe, PID 1436)
   - Drops file in System32 directory
109. C:\Windows\SysWOW64\Djcbib32.exe (command line: C:\Windows\system32\Djcbib32.exe, PID 768)
110. C:\Windows\SysWOW64\Dqmkflcd.exe (command line: C:\Windows\system32\Dqmkflcd.exe, PID 2448)
111. C:\Windows\SysWOW64\Dclgbgbh.exe (command line: C:\Windows\system32\Dclgbgbh.exe, PID 1592)
112. C:\Windows\SysWOW64\Djfooa32.exe (command line: C:\Windows\system32\Djfooa32.exe, PID 1652)
113. C:\Windows\SysWOW64\Dpbgghhl.exe (command line: C:\Windows\system32\Dpbgghhl.exe, PID 2932)
114. C:\Windows\SysWOW64\Dbadcdgp.exe (command line: C:\Windows\system32\Dbadcdgp.exe, PID 3020)
115. C:\Windows\SysWOW64\Dpedmhfi.exe (command line: C:\Windows\system32\Dpedmhfi.exe, PID 2240)
116. C:\Windows\SysWOW64\Eeameodq.exe (command line: C:\Windows\system32\Eeameodq.exe, PID 2588)
117. C:\Windows\SysWOW64\Enjand32.exe (command line: C:\Windows\system32\Enjand32.exe, PID 2568)
118. C:\Windows\SysWOW64\Eipekmjg.exe (command line: C:\Windows\system32\Eipekmjg.exe, PID 3052)
119. C:\Windows\SysWOW64\Enlncdio.exe (command line: C:\Windows\system32\Enlncdio.exe, PID 1688)
120. C:\Windows\SysWOW64\Eeffpn32.exe (command line: C:\Windows\system32\Eeffpn32.exe, PID 2644)
121. C:\Windows\SysWOW64\Elpnmhgh.exe (command line: C:\Windows\system32\Elpnmhgh.exe, PID 2716)
122. C:\Windows\SysWOW64\Eeicenni.exe (command line: C:\Windows\system32\Eeicenni.exe, PID 1664)
123. C:\Windows\SysWOW64\Enagnc32.exe (command line: C:\Windows\system32\Enagnc32.exe, PID 2164)
124. C:\Windows\SysWOW64\Eekpknlf.exe (command line: C:\Windows\system32\Eekpknlf.exe, PID 1572)
125. C:\Windows\SysWOW64\Fncddc32.exe (command line: C:\Windows\system32\Fncddc32.exe, PID 1564)
126. C:\Windows\SysWOW64\Fpdqlkhe.exe (command line: C:\Windows\system32\Fpdqlkhe.exe, PID 1760)
127. C:\Windows\SysWOW64\Ffoihepa.exe (command line: C:\Windows\system32\Ffoihepa.exe, PID 964)
128. C:\Windows\SysWOW64\Fadmenpg.exe (command line: C:\Windows\system32\Fadmenpg.exe, PID 2352)
   - Drops file in System32 directory
129. C:\Windows\SysWOW64\Fjlaod32.exe (command line: C:\Windows\system32\Fjlaod32.exe, PID 1884)
130. C:\Windows\SysWOW64\Flnnfllf.exe (command line: C:\Windows\system32\Flnnfllf.exe, PID 2528)
131. C:\Windows\SysWOW64\Fmmjpoci.exe (command line: C:\Windows\system32\Fmmjpoci.exe, PID 1496)
132. C:\Windows\SysWOW64\Ffeoid32.exe (command line: C:\Windows\system32\Ffeoid32.exe, PID 2116)
133. C:\Windows\SysWOW64\Flbgak32.exe (command line: C:\Windows\system32\Flbgak32.exe, PID 1032)
134. C:\Windows\SysWOW64\Hjhaob32.exe (command line: C:\Windows\system32\Hjhaob32.exe, PID 1608)
135. C:\Windows\SysWOW64\Hcaehhnd.exe (command line: C:\Windows\system32\Hcaehhnd.exe, PID 2488)
136. C:\Windows\SysWOW64\Hhnnpolk.exe (command line: C:\Windows\system32\Hhnnpolk.exe, PID 2652)
137. C:\Windows\SysWOW64\Hhpjfoji.exe (command line: C:\Windows\system32\Hhpjfoji.exe, PID 2032)
   - System Location Discovery: System Language Discovery
138. C:\Windows\SysWOW64\Ikembicd.exe (command line: C:\Windows\system32\Ikembicd.exe, PID 980)
139. C:\Windows\SysWOW64\Imgija32.exe (command line: C:\Windows\system32\Imgija32.exe, PID 3040)
140. C:\Windows\SysWOW64\Idnako32.exe (command line: C:\Windows\system32\Idnako32.exe, PID 2024)
141. C:\Windows\SysWOW64\Ijkjde32.exe (command line: C:\Windows\system32\Ijkjde32.exe, PID 2008)
142. C:\Windows\SysWOW64\Iqdbqp32.exe (command line: C:\Windows\system32\Iqdbqp32.exe, PID 2544)
143. C:\Windows\SysWOW64\Ifajif32.exe (command line: C:\Windows\system32\Ifajif32.exe, PID 1152)
144. C:\Windows\SysWOW64\Iipgeb32.exe (command line: C:\Windows\system32\Iipgeb32.exe, PID 2320)
145. C:\Windows\SysWOW64\Iojoalda.exe (command line: C:\Windows\system32\Iojoalda.exe, PID 2324)
146. C:\Windows\SysWOW64\Jfdgnf32.exe (command line: C:\Windows\system32\Jfdgnf32.exe, PID 396)
   - Drops file in System32 directory
147. C:\Windows\SysWOW64\Jmnpkp32.exe (command line: C:\Windows\system32\Jmnpkp32.exe, PID 2076)
148. C:\Windows\SysWOW64\Jbkhcg32.exe (command line: C:\Windows\system32\Jbkhcg32.exe, PID 3004)
149. C:\Windows\SysWOW64\Jmplqp32.exe (command line: C:\Windows\system32\Jmplqp32.exe, PID 1328)
   - Modifies registry class
150. C:\Windows\SysWOW64\Jbmdig32.exe (command line: C:\Windows\system32\Jbmdig32.exe, PID 1296)
   - Drops file in System32 directory
151. C:\Windows\SysWOW64\Jigmeagl.exe (command line: C:\Windows\system32\Jigmeagl.exe, PID 764)
152. C:\Windows\SysWOW64\Jkeialfp.exe (command line: C:\Windows\system32\Jkeialfp.exe, PID 1632)
153. C:\Windows\SysWOW64\Jabajc32.exe (command line: C:\Windows\system32\Jabajc32.exe, PID 2220)
154. C:\Windows\SysWOW64\Jkgfgl32.exe (command line: C:\Windows\system32\Jkgfgl32.exe, PID 2696)
155. C:\Windows\SysWOW64\Jbandfkj.exe (command line: C:\Windows\system32\Jbandfkj.exe, PID 1808)
156. C:\Windows\SysWOW64\Jccjln32.exe (command line: C:\Windows\system32\Jccjln32.exe, PID 596)
157. C:\Windows\SysWOW64\Knhoig32.exe (command line: C:\Windows\system32\Knhoig32.exe, PID 1404)
158. C:\Windows\SysWOW64\Kceganoe.exe (command line: C:\Windows\system32\Kceganoe.exe, PID 2128)
159. C:\Windows\SysWOW64\Kmnljc32.exe (command line: C:\Windows\system32\Kmnljc32.exe, PID 2424)
160. C:\Windows\SysWOW64\Kplhfo32.exe (command line: C:\Windows\system32\Kplhfo32.exe, PID 1336)
161. C:\Windows\SysWOW64\Kjalch32.exe (command line: C:\Windows\system32\Kjalch32.exe, PID 1736)
162. C:\Windows\SysWOW64\Kpndlobg.exe (command line: C:\Windows\system32\Kpndlobg.exe, PID 1256)
163. C:\Windows\SysWOW64\Kjdiigbm.exe (command line: C:\Windows\system32\Kjdiigbm.exe, PID 3032)
164. C:\Windows\SysWOW64\Kleeqp32.exe (command line: C:\Windows\system32\Kleeqp32.exe, PID 2852)
165. C:\Windows\SysWOW64\Kemjieol.exe (command line: C:\Windows\system32\Kemjieol.exe, PID 2796)
166. C:\Windows\SysWOW64\Kpcngnob.exe (command line: C:\Windows\system32\Kpcngnob.exe, PID 2108)
167. C:\Windows\SysWOW64\Lepfoe32.exe (command line: C:\Windows\system32\Lepfoe32.exe, PID 2580)
168. C:\Windows\SysWOW64\Lljolodf.exe (command line: C:\Windows\system32\Lljolodf.exe, PID 872)
169. C:\Windows\SysWOW64\Lafgdfbm.exe (command line: C:\Windows\system32\Lafgdfbm.exe, PID 2708)
170. C:\Windows\SysWOW64\Lkolmk32.exe (command line: C:\Windows\system32\Lkolmk32.exe, PID 2112)
171. C:\Windows\SysWOW64\Ledpjdid.exe (command line: C:\Windows\system32\Ledpjdid.exe, PID 284)
172. C:\Windows\SysWOW64\Lkahbkgk.exe (command line: C:\Windows\system32\Lkahbkgk.exe, PID 1976)
   - Drops file in System32 directory
   - Modifies registry class
173. C:\Windows\SysWOW64\Lheilofe.exe (command line: C:\Windows\system32\Lheilofe.exe, PID 880)
174. C:\Windows\SysWOW64\Lmbadfdl.exe (command line: C:\Windows\system32\Lmbadfdl.exe, PID 1260)
175. C:\Windows\SysWOW64\Ldljqpli.exe (command line: C:\Windows\system32\Ldljqpli.exe, PID 1364)
176. C:\Windows\SysWOW64\Lkfbmj32.exe (command line: C:\Windows\system32\Lkfbmj32.exe, PID 1272)
177. C:\Windows\SysWOW64\Mapjjdjb.exe (command line: C:\Windows\system32\Mapjjdjb.exe, PID 1488)
178. C:\Windows\SysWOW64\Mgmbbkij.exe (command line: C:\Windows\system32\Mgmbbkij.exe, PID 2896)
179. C:\Windows\SysWOW64\Mmgkoe32.exe (command line: C:\Windows\system32\Mmgkoe32.exe, PID 584)
   - Drops file in System32 directory
180. C:\Windows\SysWOW64\Mdqclpgd.exe (command line: C:\Windows\system32\Mdqclpgd.exe, PID 3044)
181. C:\Windows\SysWOW64\Minldf32.exe (command line: C:\Windows\system32\Minldf32.exe, PID 2168)
182. C:\Windows\SysWOW64\Mpgdaqmh.exe (command line: C:\Windows\system32\Mpgdaqmh.exe, PID 2916)
183. C:\Windows\SysWOW64\Mgalnk32.exe (command line: C:\Windows\system32\Mgalnk32.exe, PID 2464)
184. C:\Windows\SysWOW64\Mhbhecjc.exe (command line: C:\Windows\system32\Mhbhecjc.exe, PID 3096)
185. C:\Windows\SysWOW64\Mlndfa32.exe (command line: C:\Windows\system32\Mlndfa32.exe, PID 3136)
186. C:\Windows\SysWOW64\Mefiog32.exe (command line: C:\Windows\system32\Mefiog32.exe, PID 3176)
   - Modifies registry class
187. C:\Windows\SysWOW64\Mamjchoa.exe (command line: C:\Windows\system32\Mamjchoa.exe, PID 3220)
188. C:\Windows\SysWOW64\Mhgbpb32.exe (command line: C:\Windows\system32\Mhgbpb32.exe, PID 3260)
189. C:\Windows\SysWOW64\Nndjhi32.exe (command line: C:\Windows\system32\Nndjhi32.exe, PID 3300)
190. C:\Windows\SysWOW64\Nhjofbdk.exe (command line: C:\Windows\system32\Nhjofbdk.exe, PID 3340)
191. C:\Windows\SysWOW64\Nnfgnibb.exe (command line: C:\Windows\system32\Nnfgnibb.exe, PID 3380)
192. C:\Windows\SysWOW64\Ndqokc32.exe (command line: C:\Windows\system32\Ndqokc32.exe, PID 3420)
193. C:\Windows\SysWOW64\Nkjggmal.exe (command line: C:\Windows\system32\Nkjggmal.exe, PID 3460)
194. C:\Windows\SysWOW64\Nadpdg32.exe (command line: C:\Windows\system32\Nadpdg32.exe, PID 3500)
195. C:\Windows\SysWOW64\Ndclpb32.exe (command line: C:\Windows\system32\Ndclpb32.exe, PID 3540)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
196. C:\Windows\SysWOW64\Nkmdmm32.exe (command line: C:\Windows\system32\Nkmdmm32.exe, PID 3580)
197. C:\Windows\SysWOW64\Nqjmec32.exe (command line: C:\Windows\system32\Nqjmec32.exe, PID 3620)
198. C:\Windows\SysWOW64\Ngcebnen.exe (command line: C:\Windows\system32\Ngcebnen.exe, PID 3660)
199. C:\Windows\SysWOW64\Njbanida.exe (command line: C:\Windows\system32\Njbanida.exe, PID 3700)
200. C:\Windows\SysWOW64\Nlpmjdce.exe (command line: C:\Windows\system32\Nlpmjdce.exe, PID 3740)
201. C:\Windows\SysWOW64\Ocjfgo32.exe (command line: C:\Windows\system32\Ocjfgo32.exe, PID 3780)
202. C:\Windows\SysWOW64\Ojdndi32.exe (command line: C:\Windows\system32\Ojdndi32.exe, PID 3820)
203. C:\Windows\SysWOW64\Oqnfqcjk.exe (command line: C:\Windows\system32\Oqnfqcjk.exe, PID 3860)
204. C:\Windows\SysWOW64\Obpbhk32.exe (command line: C:\Windows\system32\Obpbhk32.exe, PID 3900)
205. C:\Windows\SysWOW64\Okhgaqfj.exe (command line: C:\Windows\system32\Okhgaqfj.exe, PID 3940)
206. C:\Windows\SysWOW64\Obbonk32.exe (command line: C:\Windows\system32\Obbonk32.exe, PID 3980)
207. C:\Windows\SysWOW64\Oilgje32.exe (command line: C:\Windows\system32\Oilgje32.exe, PID 4020)
208. C:\Windows\SysWOW64\Onipbl32.exe (command line: C:\Windows\system32\Onipbl32.exe, PID 4060)
   - Adds autorun key to be loaded by Explorer.exe on startup
209. C:\Windows\SysWOW64\Ogadkajl.exe (command line: C:\Windows\system32\Ogadkajl.exe, PID 2440)
210. C:\Windows\SysWOW64\Oohmmojn.exe (command line: C:\Windows\system32\Oohmmojn.exe, PID 3124)
211. C:\Windows\SysWOW64\Obfiijia.exe (command line: C:\Windows\system32\Obfiijia.exe, PID 3160)
212. C:\Windows\SysWOW64\Oeeeeehe.exe (command line: C:\Windows\system32\Oeeeeehe.exe, PID 3236)
213. C:\Windows\SysWOW64\Pnminkof.exe (command line: C:\Windows\system32\Pnminkof.exe, PID 3292)
214. C:\Windows\SysWOW64\Pqlfjfni.exe (command line: C:\Windows\system32\Pqlfjfni.exe, PID 3348)
215. C:\Windows\SysWOW64\Pgfnfq32.exe (command line: C:\Windows\system32\Pgfnfq32.exe, PID 3396)
216. C:\Windows\SysWOW64\Pnpfckmc.exe (command line: C:\Windows\system32\Pnpfckmc.exe, PID 3452)
217. C:\Windows\SysWOW64\Pejnpe32.exe (command line: C:\Windows\system32\Pejnpe32.exe, PID 3488)
   - System Location Discovery: System Language Discovery
218. C:\Windows\SysWOW64\Pnbcij32.exe (command line: C:\Windows\system32\Pnbcij32.exe, PID 3552)
219. C:\Windows\SysWOW64\Ppcoqbao.exe (command line: C:\Windows\system32\Ppcoqbao.exe, PID 3600)
220. C:\Windows\SysWOW64\Pfmgmm32.exe (command line: C:\Windows\system32\Pfmgmm32.exe, PID 3656)
221. C:\Windows\SysWOW64\Ppelfbol.exe (command line: C:\Windows\system32\Ppelfbol.exe, PID 3712)
222. C:\Windows\SysWOW64\Pbdhbnnp.exe (command line: C:\Windows\system32\Pbdhbnnp.exe, PID 3764)
223. C:\Windows\SysWOW64\Pmimpf32.exe (command line: C:\Windows\system32\Pmimpf32.exe, PID 3808)
224. C:\Windows\SysWOW64\Pccelqeb.exe (command line: C:\Windows\system32\Pccelqeb.exe, PID 3856)
225. C:\Windows\SysWOW64\Qeeadi32.exe (command line: C:\Windows\system32\Qeeadi32.exe, PID 3916)
226. C:\Windows\SysWOW64\Qloiqcbn.exe (command line: C:\Windows\system32\Qloiqcbn.exe, PID 3956)
   - Drops file in System32 directory
227. C:\Windows\SysWOW64\Qbiamm32.exe (command line: C:\Windows\system32\Qbiamm32.exe, PID 4004)
   - Adds autorun key to be loaded by Explorer.exe on startup
228. C:\Windows\SysWOW64\Qibjjgag.exe (command line: C:\Windows\system32\Qibjjgag.exe, PID 4048)
   - Modifies registry class
229. C:\Windows\SysWOW64\Qlaffbqk.exe (command line: C:\Windows\system32\Qlaffbqk.exe, PID 3092)
230. C:\Windows\SysWOW64\Abkncmhh.exe (command line: C:\Windows\system32\Abkncmhh.exe, PID 3152)
231. C:\Windows\SysWOW64\Aiegpg32.exe (command line: C:\Windows\system32\Aiegpg32.exe, PID 3212)
232. C:\Windows\SysWOW64\Ajfcgoec.exe (command line: C:\Windows\system32\Ajfcgoec.exe, PID 1952)
233. C:\Windows\SysWOW64\Bmpooiji.exe (command line: C:\Windows\system32\Bmpooiji.exe, PID 3376)
234. C:\Windows\SysWOW64\Bpokkdim.exe (command line: C:\Windows\system32\Bpokkdim.exe, PID 3448)
235. C:\Windows\SysWOW64\Bigpdjpm.exe (command line: C:\Windows\system32\Bigpdjpm.exe, PID 3280)
236. C:\Windows\SysWOW64\Bodhlane.exe (command line: C:\Windows\system32\Bodhlane.exe, PID 3240)
237. C:\Windows\SysWOW64\Benpik32.exe (command line: C:\Windows\system32\Benpik32.exe, PID 3616)
238. C:\Windows\SysWOW64\Bkkiab32.exe (command line: C:\Windows\system32\Bkkiab32.exe, PID 3684)
   - Adds autorun key to be loaded by Explorer.exe on startup
239. C:\Windows\SysWOW64\Baeanl32.exe (command line: C:\Windows\system32\Baeanl32.exe, PID 3732)
240. C:\Windows\SysWOW64\Bdcmjg32.exe (command line: C:\Windows\system32\Bdcmjg32.exe, PID 3812)
   - Adds autorun key to be loaded by Explorer.exe on startup
241. C:\Windows\SysWOW64\Boiagp32.exe (command line: C:\Windows\system32\Boiagp32.exe, PID 3872)
242. C:\Windows\SysWOW64\Bebjdjal.exe (command line: C:\Windows\system32\Bebjdjal.exe, PID 3936)