Analysis
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 29-09-2024 04:13

Static task: static1

Behavioral task: behavioral1
Sample: edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989.exe
Resource: win10v2004-20240802-en

General
Target: edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989.exe
Size: 63KB
MD5: c4dfb8b703271b2b012da7f9d71846aa
SHA1: 256892a1c7c03c561830a10f2ea1f2c02cccfc7d
SHA256: edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989
SHA512: e0a0134367c5a0435cb99935f97ca0c8fe793100c6b8121c9b80aef412e204aab088034d7c4318ad2a9e409df8955371c4512f798f75c53b420720d178ae7606
SSDEEP: 1536:COcEGNe8DpXocnAZHHaAxZ6dQffSNH1juIZo:6E+ercnAZHHXZwNH1juIZo
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989.exe (tree depth 1, PID 792)
Command line: "C:\Users\Admin\AppData\Local\Temp\edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cobjmq32.exe (tree depth 2, PID 2168)
Command line: C:\Windows\system32\Cobjmq32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Chmkkf32.exe (tree depth 3, PID 2800)
Command line: C:\Windows\system32\Chmkkf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cdfief32.exe (tree depth 4, PID 2956)
Command line: C:\Windows\system32\Cdfief32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dggbgadf.exe (tree depth 5, PID 2704)
Command line: C:\Windows\system32\Dggbgadf.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dgiomabc.exe (tree depth 6, PID 2724)
Command line: C:\Windows\system32\Dgiomabc.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dijgnm32.exe (tree depth 7, PID 2744)
Command line: C:\Windows\system32\Dijgnm32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Deahcneh.exe (tree depth 8, PID 1892)
Command line: C:\Windows\system32\Deahcneh.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Eagiho32.exe (tree depth 9, PID 2604)
Command line: C:\Windows\system32\Eagiho32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ekpmad32.exe (tree depth 10, PID 2316)
Command line: C:\Windows\system32\Ekpmad32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Edkopifk.exe (tree depth 11, PID 3016)
Command line: C:\Windows\system32\Edkopifk.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Eaooin32.exe (tree depth 12, PID 1984)
Command line: C:\Windows\system32\Eaooin32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Eaalom32.exe (tree depth 13, PID 2992)
Command line: C:\Windows\system32\Eaalom32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Egndgdai.exe (tree depth 14, PID 832)
Command line: C:\Windows\system32\Egndgdai.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Fnjiin32.exe (tree depth 15, PID 2452)
Command line: C:\Windows\system32\Fnjiin32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ffenmp32.exe (tree depth 16, PID 2136)
Command line: C:\Windows\system32\Ffenmp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Fkdckgpc.exe (tree depth 17, PID 972)
Command line: C:\Windows\system32\Fkdckgpc.exe
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Fmdpejgf.exe (tree depth 18, PID 1652)
Command line: C:\Windows\system32\Fmdpejgf.exe
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ggnqfgce.exe (tree depth 19, PID 1804)
Command line: C:\Windows\system32\Ggnqfgce.exe
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Gqfeom32.exe (tree depth 20, PID 1772)
Command line: C:\Windows\system32\Gqfeom32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Gimmpj32.exe (tree depth 21, PID 2408)
Command line: C:\Windows\system32\Gimmpj32.exe
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Gcgnphgf.exe (tree depth 22, PID 928)
Command line: C:\Windows\system32\Gcgnphgf.exe
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Gqknjlfp.exe (tree depth 23, PID 520)
Command line: C:\Windows\system32\Gqknjlfp.exe
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Gfggbcdg.exe (tree depth 24, PID 2576)
Command line: C:\Windows\system32\Gfggbcdg.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Gamkol32.exe (tree depth 25, PID 1340)
Command line: C:\Windows\system32\Gamkol32.exe
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Hmdldmja.exe (tree depth 26, PID 1736)
Command line: C:\Windows\system32\Hmdldmja.exe
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Hnjagdlj.exe (tree depth 27, PID 2100)
Command line: C:\Windows\system32\Hnjagdlj.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Hiofdmkq.exe (tree depth 28, PID 2984)
Command line: C:\Windows\system32\Hiofdmkq.exe
- Loads dropped DLL

C:\Windows\SysWOW64\Hiabjm32.exe (tree depth 29, PID 1888)
Command line: C:\Windows\system32\Hiabjm32.exe
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ihgpkinf.exe (tree depth 30, PID 2908)
Command line: C:\Windows\system32\Ihgpkinf.exe
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Iaoddodf.exe (tree depth 31, PID 2828)
Command line: C:\Windows\system32\Iaoddodf.exe
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Imfeip32.exe (tree depth 32, PID 940)
Command line: C:\Windows\system32\Imfeip32.exe
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Imhanp32.exe (tree depth 33, PID 2872)
Command line: C:\Windows\system32\Imhanp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ipfnjkgk.exe (tree depth 34, PID 2748)
Command line: C:\Windows\system32\Ipfnjkgk.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Iklbhdga.exe (tree depth 35, PID 968)
Command line: C:\Windows\system32\Iklbhdga.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Jgeobdkc.exe (tree depth 36, PID 2552)
Command line: C:\Windows\system32\Jgeobdkc.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Jhfljm32.exe (tree depth 37, PID 1368)
Command line: C:\Windows\system32\Jhfljm32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Kahciaog.exe (tree depth 38, PID 1480)
Command line: C:\Windows\system32\Kahciaog.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Knaqcabh.exe (tree depth 39, PID 3064)
Command line: C:\Windows\system32\Knaqcabh.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Kfobmc32.exe (tree depth 40, PID 1300)
Command line: C:\Windows\system32\Kfobmc32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Kccbgh32.exe (tree depth 41, PID 2852)
Command line: C:\Windows\system32\Kccbgh32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Lddoopbi.exe (tree depth 42, PID 2640)
Command line: C:\Windows\system32\Lddoopbi.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Lnambeed.exe (tree depth 43, PID 2384)
Command line: C:\Windows\system32\Lnambeed.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Ldkeoo32.exe (tree depth 44, PID 2368)
Command line: C:\Windows\system32\Ldkeoo32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Ljhngfkh.exe (tree depth 45, PID 540)
Command line: C:\Windows\system32\Ljhngfkh.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Lmfjcajl.exe (tree depth 46, PID 1764)
Command line: C:\Windows\system32\Lmfjcajl.exe
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Mfakbf32.exe (tree depth 47, PID 2500)
Command line: C:\Windows\system32\Mfakbf32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Mqfooonp.exe (tree depth 48, PID 1644)
Command line: C:\Windows\system32\Mqfooonp.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Mbhlgg32.exe (tree depth 49, PID 596)
Command line: C:\Windows\system32\Mbhlgg32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Mibdcakk.exe (tree depth 50, PID 604)
Command line: C:\Windows\system32\Mibdcakk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Mkpppmko.exe (tree depth 51, PID 1976)
Command line: C:\Windows\system32\Mkpppmko.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Meidib32.exe (tree depth 52, PID 2492)
Command line: C:\Windows\system32\Meidib32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Mlbmem32.exe (tree depth 53, PID 1604)
Command line: C:\Windows\system32\Mlbmem32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Mnaiah32.exe (tree depth 54, PID 2292)
Command line: C:\Windows\system32\Mnaiah32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Mekanbol.exe (tree depth 55, PID 2832)
Command line: C:\Windows\system32\Mekanbol.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Mlejkl32.exe (tree depth 56, PID 2108)
Command line: C:\Windows\system32\Mlejkl32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Memncbmj.exe (tree depth 57, PID 2812)
Command line: C:\Windows\system32\Memncbmj.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Nhljpmlm.exe (tree depth 58, PID 2848)
Command line: C:\Windows\system32\Nhljpmlm.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Nnfbmgcj.exe (tree depth 59, PID 3036)
Command line: C:\Windows\system32\Nnfbmgcj.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Njlcah32.exe (tree depth 60, PID 2608)
Command line: C:\Windows\system32\Njlcah32.exe
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Nafknbqk.exe (tree depth 61, PID 3020)
Command line: C:\Windows\system32\Nafknbqk.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Njopgh32.exe (tree depth 62, PID 3040)
Command line: C:\Windows\system32\Njopgh32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Naihdb32.exe (tree depth 63, PID 2864)
Command line: C:\Windows\system32\Naihdb32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Nhbqqlfe.exe (tree depth 64, PID 1400)
Command line: C:\Windows\system32\Nhbqqlfe.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Nidmhd32.exe (tree depth 65, PID 1864)
Command line: C:\Windows\system32\Nidmhd32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Npneeocq.exe (tree depth 66, PID 924)
Command line: C:\Windows\system32\Npneeocq.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Nfhmai32.exe (tree depth 67, PID 1900)
Command line: C:\Windows\system32\Nfhmai32.exe

C:\Windows\SysWOW64\Nlefjpid.exe (tree depth 68, PID 1404)
Command line: C:\Windows\system32\Nlefjpid.exe

C:\Windows\SysWOW64\Odlnkmjg.exe (tree depth 69, PID 1500)
Command line: C:\Windows\system32\Odlnkmjg.exe

C:\Windows\SysWOW64\Opbopn32.exe (tree depth 70, PID 1496)
Command line: C:\Windows\system32\Opbopn32.exe

C:\Windows\SysWOW64\Obakli32.exe (tree depth 71, PID 2460)
Command line: C:\Windows\system32\Obakli32.exe

C:\Windows\SysWOW64\Oepghe32.exe (tree depth 72, PID 660)
Command line: C:\Windows\system32\Oepghe32.exe
- Modifies registry class

C:\Windows\SysWOW64\Opekenmh.exe (tree depth 73, PID 2932)
Command line: C:\Windows\system32\Opekenmh.exe

C:\Windows\SysWOW64\Oebdndlp.exe (tree depth 74, PID 2420)
Command line: C:\Windows\system32\Oebdndlp.exe

C:\Windows\SysWOW64\Okolfkjg.exe (tree depth 75, PID 3060)
Command line: C:\Windows\system32\Okolfkjg.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Ohbmppia.exe (tree depth 76, PID 2248)
Command line: C:\Windows\system32\Ohbmppia.exe

C:\Windows\SysWOW64\Okailkhd.exe (tree depth 77, PID 1920)
Command line: C:\Windows\system32\Okailkhd.exe

C:\Windows\SysWOW64\Oefmid32.exe (tree depth 78, PID 1688)
Command line: C:\Windows\system32\Oefmid32.exe

C:\Windows\SysWOW64\Oheieo32.exe (tree depth 79, PID 2228)
Command line: C:\Windows\system32\Oheieo32.exe

C:\Windows\SysWOW64\Pooaaink.exe (tree depth 80, PID 300)
Command line: C:\Windows\system32\Pooaaink.exe

C:\Windows\SysWOW64\Pdljjplb.exe (tree depth 81, PID 2052)
Command line: C:\Windows\system32\Pdljjplb.exe

C:\Windows\SysWOW64\Pmdocf32.exe (tree depth 82, PID 2112)
Command line: C:\Windows\system32\Pmdocf32.exe

C:\Windows\SysWOW64\Ppbkoabf.exe (tree depth 83, PID 2348)
Command line: C:\Windows\system32\Ppbkoabf.exe

C:\Windows\SysWOW64\Plildb32.exe (tree depth 84, PID 1532)
Command line: C:\Windows\system32\Plildb32.exe

C:\Windows\SysWOW64\Pgopak32.exe (tree depth 85, PID 2808)
Command line: C:\Windows\system32\Pgopak32.exe

C:\Windows\SysWOW64\Ppgdjqna.exe (tree depth 86, PID 1876)
Command line: C:\Windows\system32\Ppgdjqna.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Pgamgken.exe (tree depth 87, PID 1100)
Command line: C:\Windows\system32\Pgamgken.exe

C:\Windows\SysWOW64\Phbinc32.exe (tree depth 88, PID 1512)
Command line: C:\Windows\system32\Phbinc32.exe

C:\Windows\SysWOW64\Polakmbi.exe (tree depth 89, PID 1732)
Command line: C:\Windows\system32\Polakmbi.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Qjbehfbo.exe (tree depth 90, PID 2412)
Command line: C:\Windows\system32\Qjbehfbo.exe

C:\Windows\SysWOW64\Qoonqmqf.exe (tree depth 91, PID 2972)
Command line: C:\Windows\system32\Qoonqmqf.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Qlbnja32.exe (tree depth 92, PID 1752)
Command line: C:\Windows\system32\Qlbnja32.exe
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Andkbien.exe (tree depth 93, PID 3044)
Command line: C:\Windows\system32\Andkbien.exe
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Ahllda32.exe (tree depth 94, PID 2140)
Command line: C:\Windows\system32\Ahllda32.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Anhdmh32.exe (tree depth 95, PID 2728)
Command line: C:\Windows\system32\Anhdmh32.exe

C:\Windows\SysWOW64\Aqgqid32.exe (tree depth 96, PID 3012)
Command line: C:\Windows\system32\Aqgqid32.exe

C:\Windows\SysWOW64\Acemeo32.exe (tree depth 97, PID 2300)
Command line: C:\Windows\system32\Acemeo32.exe

C:\Windows\SysWOW64\Ajoebigm.exe (tree depth 98, PID 2392)
Command line: C:\Windows\system32\Ajoebigm.exe

C:\Windows\SysWOW64\Aqimoc32.exe (tree depth 99, PID 2016)
Command line: C:\Windows\system32\Aqimoc32.exe

C:\Windows\SysWOW64\Anmnhhmd.exe (tree depth 100, PID 2464)
Command line: C:\Windows\system32\Anmnhhmd.exe

C:\Windows\SysWOW64\Aonjpp32.exe (tree depth 101, PID 2544)
Command line: C:\Windows\system32\Aonjpp32.exe

C:\Windows\SysWOW64\Agebam32.exe (tree depth 102, PID 2572)
Command line: C:\Windows\system32\Agebam32.exe
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Bmbkid32.exe (tree depth 103, PID 1192)
Command line: C:\Windows\system32\Bmbkid32.exe

C:\Windows\SysWOW64\Bbocak32.exe (tree depth 104, PID 1580)
Command line: C:\Windows\system32\Bbocak32.exe

C:\Windows\SysWOW64\Biikne32.exe (tree depth 105, PID 2924)
Command line: C:\Windows\system32\Biikne32.exe

C:\Windows\SysWOW64\Bocckoom.exe (tree depth 106, PID 2700)
Command line: C:\Windows\system32\Bocckoom.exe

C:\Windows\SysWOW64\Beplcfmd.exe (tree depth 107, PID 1924)
Command line: C:\Windows\system32\Beplcfmd.exe

C:\Windows\SysWOW64\Bnhqll32.exe (tree depth 108, PID 2272)
Command line: C:\Windows\system32\Bnhqll32.exe

C:\Windows\SysWOW64\Bgqeea32.exe (tree depth 109, PID 2896)
Command line: C:\Windows\system32\Bgqeea32.exe

C:\Windows\SysWOW64\Bgcbja32.exe (tree depth 110, PID 2600)
Command line: C:\Windows\system32\Bgcbja32.exe

C:\Windows\SysWOW64\Bjanfl32.exe (tree depth 111, PID 2732)
Command line: C:\Windows\system32\Bjanfl32.exe

C:\Windows\SysWOW64\Cakfcfoc.exe (tree depth 112, PID 2172)
Command line: C:\Windows\system32\Cakfcfoc.exe

C:\Windows\SysWOW64\Cgeopqfp.exe (tree depth 113, PID 944)
Command line: C:\Windows\system32\Cgeopqfp.exe

C:\Windows\SysWOW64\Cancif32.exe (tree depth 114, PID 1004)
Command line: C:\Windows\system32\Cancif32.exe

C:\Windows\SysWOW64\Cghkepdm.exe (tree depth 115, PID 2004)
Command line: C:\Windows\system32\Cghkepdm.exe

C:\Windows\SysWOW64\Cnacbj32.exe (tree depth 116, PID 2504)
Command line: C:\Windows\system32\Cnacbj32.exe

C:\Windows\SysWOW64\Cpcpjbah.exe (tree depth 117, PID 2712)
Command line: C:\Windows\system32\Cpcpjbah.exe

C:\Windows\SysWOW64\Cgjhkpbj.exe (tree depth 118, PID 1800)
Command line: C:\Windows\system32\Cgjhkpbj.exe

C:\Windows\SysWOW64\Cikdbhhi.exe (tree depth 119, PID 2680)
Command line: C:\Windows\system32\Cikdbhhi.exe

C:\Windows\SysWOW64\Domffn32.exe (tree depth 120, PID 2020)
Command line: C:\Windows\system32\Domffn32.exe

C:\Windows\SysWOW64\Dlqgob32.exe (tree depth 121, PID 2072)
Command line: C:\Windows\system32\Dlqgob32.exe

C:\Windows\SysWOW64\Dlcceboa.exe (tree depth 122, PID 2612)
Command line: C:\Windows\system32\Dlcceboa.exe