Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 00:53
Static task
static1
Behavioral task
behavioral1
Sample
03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe
Resource
win10v2004-20241007-en
General
-
Target
03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe
-
Size
93KB
-
MD5
ccbdae47bee0cf4825bdf28244e1b980
-
SHA1
f3d0892a63447a67c19e6f02ca4e86af1f96bf54
-
SHA256
03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0
-
SHA512
4d0fe17084cabd42e0f1257e115af591362eb497cd0c23cab148a836105590751542861787aea99d5901b33ee518dfa49c2218979ede791e4c6b641caf310838
-
SSDEEP
1536:+3rvZUmN3myAX8oKL6LXxYwxB7SaDMjTZjiwg58:8GDzcwnPotY58
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Bfbaonae.exeJmbhoeid.exeKmieae32.exeCaageq32.exeEibfck32.exeAnclbkbp.exeKaehljpj.exeOacoqnci.exeHmbphg32.exeEbifmm32.exeOdmbaj32.exeAcqgojmb.exeIcdheded.exeKjjiej32.exeFcniglmb.exeCflkpblf.exeLelchgne.exeGflhoo32.exeLafmjp32.exeJgkmgk32.exePdmdnadc.exePhodcg32.exeNjjdho32.exeOnapdl32.exeAonoao32.exeLplfcf32.exeNggnadib.exeFelbnn32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfbaonae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmieae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eibfck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anclbkbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaehljpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oacoqnci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbphg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebifmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odmbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acqgojmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjjiej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcniglmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmbphg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cflkpblf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelchgne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gflhoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lafmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkmgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdmdnadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njjdho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onapdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonoao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nggnadib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onapdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Felbnn32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Cmdfgm32.exeCpbbch32.exeCflkpblf.exeCmfclm32.exeCpeohh32.exeCfogeb32.exeCmipblaq.exeCpglnhad.exeCfadkb32.exeCaghhk32.exeCfcqpa32.exeCaienjfd.exeCgcmjd32.exeDmpfbk32.exeDpnbog32.exeDjdflp32.exeDmbbhkjf.exeDhhfedil.exeDiicml32.exeDapkni32.exeDcogje32.exeDikpbl32.exeDpehof32.exeDfoplpla.exeDaediilg.exeDhomfc32.exeDjmibn32.exeEagaoh32.exeEfdjgo32.exeEibfck32.exeEplnpeol.exeEdhjqc32.exeEfffmo32.exeEmpoiimf.exeEpokedmj.exeEhfcfb32.exeEigonjcj.exeEangpgcl.exeEdmclccp.exeEjflhm32.exeEaqdegaj.exeEhjlaaig.exeFkihnmhj.exeFiliii32.exeFpeafcfa.exeFhmigagd.exeFfpicn32.exeFmjaphek.exeFdcjlb32.exeFknbil32.exeFmlneg32.exeFdffbake.exeFibojhim.exeFdhcgaic.exeFkbkdkpp.exeFalcae32.exeFhflnpoi.exeGkdhjknm.exeGaopfe32.exeGhhhcomg.exeGgkiol32.exeGaamlecg.exeGdoihpbk.exeGgnedlao.exepid process 4356 Cmdfgm32.exe 4320 Cpbbch32.exe 528 Cflkpblf.exe 2316 Cmfclm32.exe 684 Cpeohh32.exe 3568 Cfogeb32.exe 4288 Cmipblaq.exe 4784 Cpglnhad.exe 3652 Cfadkb32.exe 740 Caghhk32.exe 888 Cfcqpa32.exe 608 Caienjfd.exe 4468 Cgcmjd32.exe 3844 Dmpfbk32.exe 2240 Dpnbog32.exe 1076 Djdflp32.exe 884 Dmbbhkjf.exe 2980 Dhhfedil.exe 2684 Diicml32.exe 2140 Dapkni32.exe 3640 Dcogje32.exe 5116 Dikpbl32.exe 3136 Dpehof32.exe 1468 Dfoplpla.exe 3200 Daediilg.exe 3196 Dhomfc32.exe 2392 Djmibn32.exe 4236 Eagaoh32.exe 2936 Efdjgo32.exe 2368 Eibfck32.exe 1444 Eplnpeol.exe 4344 Edhjqc32.exe 5004 Efffmo32.exe 3648 Empoiimf.exe 1844 Epokedmj.exe 5076 Ehfcfb32.exe 4808 Eigonjcj.exe 4012 Eangpgcl.exe 4652 Edmclccp.exe 2860 Ejflhm32.exe 3212 Eaqdegaj.exe 4888 Ehjlaaig.exe 1608 Fkihnmhj.exe 4864 Filiii32.exe 2992 Fpeafcfa.exe 5104 Fhmigagd.exe 404 Ffpicn32.exe 2720 Fmjaphek.exe 1984 Fdcjlb32.exe 3428 Fknbil32.exe 908 Fmlneg32.exe 1840 Fdffbake.exe 4764 Fibojhim.exe 4000 Fdhcgaic.exe 1736 Fkbkdkpp.exe 2628 Falcae32.exe 100 Fhflnpoi.exe 1008 Gkdhjknm.exe 1584 Gaopfe32.exe 2216 Ghhhcomg.exe 3392 Ggkiol32.exe 1044 Gaamlecg.exe 3364 Gdoihpbk.exe 3124 Ggnedlao.exe -
Drops file in System32 directory 64 IoCs
Processes:
Eaqdegaj.exeMicoed32.exeKmkbfeab.exeLepleocn.exeOikjkc32.exeLancko32.exeHhiajmod.exeJkjcbe32.exeGgmmlamj.exeApmhiq32.exeKpnjah32.exeOqmhqapg.exeGphphj32.exeJcbdgb32.exeKjccdkki.exeDdgplado.exeGpnfge32.exeFgoakc32.exeHnibokbd.exeOnkidm32.exeNhbolp32.exeDmalne32.exeEfafgifc.exeDoaneiop.exeFikbocki.exeDbnmke32.exeOpeiadfg.exeQcnjijoe.exeFbbpmb32.exeFligqhga.exeAfpjel32.exeCaojpaij.exedescription ioc process File created C:\Windows\SysWOW64\Gqpapacd.exe File created C:\Windows\SysWOW64\Jhgadmdk.dll File created C:\Windows\SysWOW64\Mhoind32.exe File created C:\Windows\SysWOW64\Qnopjfgi.exe File opened for modification C:\Windows\SysWOW64\Ehjlaaig.exe Eaqdegaj.exe File opened for modification C:\Windows\SysWOW64\Mblcnj32.exe Micoed32.exe File created C:\Windows\SysWOW64\Amlkko32.dll Kmkbfeab.exe File opened for modification C:\Windows\SysWOW64\Lhnhajba.exe Lepleocn.exe File created C:\Windows\SysWOW64\Hpkdfd32.dll Oikjkc32.exe File opened for modification C:\Windows\SysWOW64\Janghmia.exe File created C:\Windows\SysWOW64\Dcmnee32.dll File opened for modification C:\Windows\SysWOW64\Hcflch32.exe File created C:\Windows\SysWOW64\Enedio32.exe File created C:\Windows\SysWOW64\Jmepcj32.exe File created C:\Windows\SysWOW64\Nmdkcj32.dll Lancko32.exe File created C:\Windows\SysWOW64\Lnedgk32.dll File created C:\Windows\SysWOW64\Nlcidopb.exe File created C:\Windows\SysWOW64\Ecidpiad.exe File created C:\Windows\SysWOW64\Hnfjbdmk.exe Hhiajmod.exe File created C:\Windows\SysWOW64\Jnhpoamf.exe Jkjcbe32.exe File opened for modification C:\Windows\SysWOW64\Gpdennml.exe Ggmmlamj.exe File created C:\Windows\SysWOW64\Fodbhbhk.dll File created C:\Windows\SysWOW64\Ahdpjn32.exe Apmhiq32.exe File opened for modification C:\Windows\SysWOW64\Kapfiqoj.exe Kpnjah32.exe File created C:\Windows\SysWOW64\Ebdpoomj.dll Oqmhqapg.exe File opened for modification C:\Windows\SysWOW64\Klpjad32.exe File created C:\Windows\SysWOW64\Gdcliikj.exe Gphphj32.exe File created C:\Windows\SysWOW64\Jnhidk32.exe Jcbdgb32.exe File created C:\Windows\SysWOW64\Hdjgko32.dll Kjccdkki.exe File created C:\Windows\SysWOW64\Dkahilkl.exe Ddgplado.exe File created C:\Windows\SysWOW64\Mociol32.exe File created C:\Windows\SysWOW64\Pnfdnnbo.exe File created C:\Windows\SysWOW64\Fpdggeba.dll File created C:\Windows\SysWOW64\Laeojd32.dll File created C:\Windows\SysWOW64\Ocoaob32.dll Gpnfge32.exe File created C:\Windows\SysWOW64\Fbdehlip.exe Fgoakc32.exe File created C:\Windows\SysWOW64\Hecjke32.exe Hnibokbd.exe File opened for modification C:\Windows\SysWOW64\Gdmcki32.exe File created C:\Windows\SysWOW64\Oaifpi32.exe Onkidm32.exe File opened for modification C:\Windows\SysWOW64\Abgjkpll.exe File created C:\Windows\SysWOW64\Dmplkd32.exe File created C:\Windows\SysWOW64\Hladlc32.exe File opened for modification C:\Windows\SysWOW64\Nkqkhk32.exe Nhbolp32.exe File opened for modification C:\Windows\SysWOW64\Dbndfl32.exe Dmalne32.exe File opened for modification C:\Windows\SysWOW64\Eiobceef.exe Efafgifc.exe File opened for modification C:\Windows\SysWOW64\Dijbno32.exe Doaneiop.exe File created C:\Windows\SysWOW64\Llpofd32.exe File created C:\Windows\SysWOW64\Iloajfml.exe File created C:\Windows\SysWOW64\Cifdjg32.exe File created C:\Windows\SysWOW64\Mkkfal32.dll File created C:\Windows\SysWOW64\Flinkojm.exe Fikbocki.exe File created C:\Windows\SysWOW64\Dmcain32.exe Dbnmke32.exe File created C:\Windows\SysWOW64\Pnpkdp32.dll Opeiadfg.exe File opened for modification C:\Windows\SysWOW64\Qfmfefni.exe Qcnjijoe.exe File opened for modification C:\Windows\SysWOW64\Pljpbhin.dll File created C:\Windows\SysWOW64\Hhbdko32.exe File created C:\Windows\SysWOW64\Fimhbfpl.dll Fbbpmb32.exe File opened for modification C:\Windows\SysWOW64\Kdpiqehp.exe File opened for modification C:\Windows\SysWOW64\Nejgbn32.exe File created C:\Windows\SysWOW64\Hlhaee32.exe File created C:\Windows\SysWOW64\Nfmifiap.dll Fligqhga.exe File opened for modification C:\Windows\SysWOW64\Aogbfi32.exe Afpjel32.exe File created C:\Windows\SysWOW64\Chiblk32.exe Caojpaij.exe File created C:\Windows\SysWOW64\Ibdplaho.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 3736 3056 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Dnpdegjp.exeMmpmnl32.exeBllbaa32.exeMbighjdd.exeIinqbn32.exeGbchdp32.exeMqimikfj.exeIqklon32.exeMblcnj32.exeHefnkkkj.exeIdkbkl32.exeCnahdi32.exeKjmfjj32.exeLindkm32.exeFdhcgaic.exeFbjmhh32.exeHdilnojp.exeDmadco32.exeMgaokl32.exeCgnomg32.exeMfnhfm32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpdegjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpmnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbighjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinqbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbchdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqimikfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqklon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblcnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hefnkkkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnahdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmfjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lindkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhcgaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjmhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdilnojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmadco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnomg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfnhfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Ojdnid32.exeAbjmkf32.exeOblhcj32.exeLankbigo.exeDafppp32.exeNmjfodne.exeIggaah32.exeKnenkbio.exeLfeljd32.exeOjnfihmo.exeFmlneg32.exeGahcmd32.exeAogbfi32.exeHgghjjid.exeHaafcb32.exeIiopca32.exeBfbaonae.exeQlimed32.exeGbnoiqdq.exeGikdkj32.exePdjgha32.exeBoenhgdd.exeLggldm32.exeNcabfkqo.exeQobhkjdi.exeJimldogg.exeBiiobo32.exePoliea32.exeHffken32.exeKlfaapbl.exeAcqgojmb.exeKjccdkki.exeOobfob32.exeFibhpbea.exeKglmio32.exeKmieae32.exeGnblnlhl.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghldkkkk.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpefo32.dll" Ojdnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abjmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oblhcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdmqp32.dll" Lankbigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmjfodne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iggaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edngom32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qemgmmip.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmplqd32.dll" Lfeljd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojnfihmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odehaccj.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmlneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gahcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkock32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncgmcgd.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnoeha32.dll" Hgghjjid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Haafcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckggdbo.dll" Iiopca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepdmhnd.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfapoa32.dll" Bfbaonae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfcalbj.dll" Qlimed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmjim32.dll" Gbnoiqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dibkjmof.dll" Gikdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneall32.dll" Pdjgha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boenhgdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lggldm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkemhh.dll" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jimldogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biiobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijaekjb.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfdefo32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdgmickl.dll" Poliea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgeaiknl.dll" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acqgojmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmfqgao.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjgko32.dll" Kjccdkki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oobfob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fibhpbea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpfbb32.dll" Kmieae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnblnlhl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exeCmdfgm32.exeCpbbch32.exeCflkpblf.exeCmfclm32.exeCpeohh32.exeCfogeb32.exeCmipblaq.exeCpglnhad.exeCfadkb32.exeCaghhk32.exeCfcqpa32.exeCaienjfd.exeCgcmjd32.exeDmpfbk32.exeDpnbog32.exeDjdflp32.exeDmbbhkjf.exeDhhfedil.exeDiicml32.exeDapkni32.exeDcogje32.exedescription pid process target process PID 3492 wrote to memory of 4356 3492 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe Cmdfgm32.exe PID 3492 wrote to memory of 4356 3492 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe Cmdfgm32.exe PID 3492 wrote to memory of 4356 3492 03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe Cmdfgm32.exe PID 4356 wrote to memory of 4320 4356 Cmdfgm32.exe Cpbbch32.exe PID 4356 wrote to memory of 4320 4356 Cmdfgm32.exe Cpbbch32.exe PID 4356 wrote to memory of 4320 4356 Cmdfgm32.exe Cpbbch32.exe PID 4320 wrote to memory of 528 4320 Cpbbch32.exe Cflkpblf.exe PID 4320 wrote to memory of 528 4320 Cpbbch32.exe Cflkpblf.exe PID 4320 wrote to memory of 528 4320 Cpbbch32.exe Cflkpblf.exe PID 528 wrote to memory of 2316 528 Cflkpblf.exe Cmfclm32.exe PID 528 wrote to memory of 2316 528 Cflkpblf.exe Cmfclm32.exe PID 528 wrote to memory of 2316 528 Cflkpblf.exe Cmfclm32.exe PID 2316 wrote to memory of 684 2316 Cmfclm32.exe Cpeohh32.exe PID 2316 wrote to memory of 684 2316 Cmfclm32.exe Cpeohh32.exe PID 2316 wrote to memory of 684 2316 Cmfclm32.exe Cpeohh32.exe PID 684 wrote to memory of 3568 684 Cpeohh32.exe Cfogeb32.exe PID 684 wrote to memory of 3568 684 Cpeohh32.exe Cfogeb32.exe PID 684 wrote to memory of 3568 684 Cpeohh32.exe Cfogeb32.exe PID 3568 wrote to memory of 4288 3568 Cfogeb32.exe Cmipblaq.exe PID 3568 wrote to memory of 4288 3568 Cfogeb32.exe Cmipblaq.exe PID 3568 wrote to memory of 4288 3568 Cfogeb32.exe Cmipblaq.exe PID 4288 wrote to memory of 4784 4288 Cmipblaq.exe Cpglnhad.exe PID 4288 wrote to memory of 4784 4288 Cmipblaq.exe Cpglnhad.exe PID 4288 wrote to memory of 4784 4288 Cmipblaq.exe Cpglnhad.exe PID 4784 wrote to memory of 3652 4784 Cpglnhad.exe Cfadkb32.exe PID 4784 wrote to memory of 3652 4784 Cpglnhad.exe Cfadkb32.exe PID 4784 wrote to memory of 3652 4784 Cpglnhad.exe Cfadkb32.exe PID 3652 wrote to memory of 740 3652 Cfadkb32.exe Caghhk32.exe PID 3652 wrote to memory of 740 3652 Cfadkb32.exe Caghhk32.exe PID 3652 wrote to memory of 740 3652 Cfadkb32.exe Caghhk32.exe PID 740 wrote to memory of 888 740 Caghhk32.exe Cfcqpa32.exe PID 740 wrote to memory of 888 740 Caghhk32.exe Cfcqpa32.exe PID 740 wrote to memory of 888 740 Caghhk32.exe Cfcqpa32.exe PID 888 wrote to memory of 608 888 Cfcqpa32.exe Caienjfd.exe PID 888 wrote to memory of 608 888 Cfcqpa32.exe Caienjfd.exe PID 888 wrote to memory of 608 888 Cfcqpa32.exe Caienjfd.exe PID 608 wrote to memory of 4468 608 Caienjfd.exe Cgcmjd32.exe PID 608 wrote to memory of 4468 608 Caienjfd.exe Cgcmjd32.exe PID 608 wrote to memory of 4468 608 Caienjfd.exe Cgcmjd32.exe PID 4468 wrote to memory of 3844 4468 Cgcmjd32.exe Dmpfbk32.exe PID 4468 wrote to memory of 3844 4468 Cgcmjd32.exe Dmpfbk32.exe PID 4468 wrote to memory of 3844 4468 Cgcmjd32.exe Dmpfbk32.exe PID 3844 wrote to memory of 2240 3844 Dmpfbk32.exe Dpnbog32.exe PID 3844 wrote to memory of 2240 3844 Dmpfbk32.exe Dpnbog32.exe PID 3844 wrote to memory of 2240 3844 Dmpfbk32.exe Dpnbog32.exe PID 2240 wrote to memory of 1076 2240 Dpnbog32.exe Djdflp32.exe PID 2240 wrote to memory of 1076 2240 Dpnbog32.exe Djdflp32.exe PID 2240 wrote to memory of 1076 2240 Dpnbog32.exe Djdflp32.exe PID 1076 wrote to memory of 884 1076 Djdflp32.exe Dmbbhkjf.exe PID 1076 wrote to memory of 884 1076 Djdflp32.exe Dmbbhkjf.exe PID 1076 wrote to memory of 884 1076 Djdflp32.exe Dmbbhkjf.exe PID 884 wrote to memory of 2980 884 Dmbbhkjf.exe Dhhfedil.exe PID 884 wrote to memory of 2980 884 Dmbbhkjf.exe Dhhfedil.exe PID 884 wrote to memory of 2980 884 Dmbbhkjf.exe Dhhfedil.exe PID 2980 wrote to memory of 2684 2980 Dhhfedil.exe Diicml32.exe PID 2980 wrote to memory of 2684 2980 Dhhfedil.exe Diicml32.exe PID 2980 wrote to memory of 2684 2980 Dhhfedil.exe Diicml32.exe PID 2684 wrote to memory of 2140 2684 Diicml32.exe Dapkni32.exe PID 2684 wrote to memory of 2140 2684 Diicml32.exe Dapkni32.exe PID 2684 wrote to memory of 2140 2684 Diicml32.exe Dapkni32.exe PID 2140 wrote to memory of 3640 2140 Dapkni32.exe Dcogje32.exe PID 2140 wrote to memory of 3640 2140 Dapkni32.exe Dcogje32.exe PID 2140 wrote to memory of 3640 2140 Dapkni32.exe Dcogje32.exe PID 3640 wrote to memory of 5116 3640 Dcogje32.exe Dikpbl32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe"C:\Users\Admin\AppData\Local\Temp\03064632d313f5fab27c434447580b676e58075349d0f5b591faa980edaf8ff0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe23⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe24⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe25⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe26⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe27⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe28⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe29⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe30⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe32⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe33⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe34⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe35⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe36⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe37⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe38⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe39⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe40⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe41⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe43⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe44⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe45⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe46⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe47⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe48⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe49⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe50⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe51⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe53⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe54⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4000 -
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe56⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe57⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe58⤵
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe59⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe60⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe61⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe62⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe63⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe64⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe65⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe66⤵PID:1900
-
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe67⤵PID:2204
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe68⤵PID:5096
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe69⤵PID:1956
-
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe70⤵PID:1392
-
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe71⤵
- Modifies registry class
PID:8 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe72⤵PID:1680
-
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe73⤵PID:3300
-
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe74⤵
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe75⤵
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe76⤵PID:4932
-
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe77⤵PID:4696
-
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe78⤵PID:3532
-
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe79⤵PID:4312
-
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe80⤵PID:1860
-
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe81⤵
- Drops file in System32 directory
PID:3444 -
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe82⤵PID:4648
-
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe83⤵
- Modifies registry class
PID:3084 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe84⤵PID:5040
-
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe85⤵PID:1516
-
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe86⤵PID:2976
-
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe87⤵
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe88⤵PID:780
-
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe89⤵PID:4712
-
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe90⤵PID:1300
-
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe91⤵
- Modifies registry class
PID:4636 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe92⤵PID:2220
-
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe93⤵PID:744
-
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe94⤵
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe95⤵PID:2528
-
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe96⤵PID:452
-
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe97⤵PID:5196
-
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe98⤵PID:5240
-
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe99⤵PID:5288
-
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe100⤵PID:5332
-
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe101⤵PID:5376
-
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe102⤵PID:5420
-
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe103⤵PID:5464
-
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe104⤵
- Drops file in System32 directory
PID:5508 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe105⤵PID:5556
-
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe106⤵PID:5600
-
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe107⤵PID:5656
-
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe108⤵PID:5696
-
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe109⤵PID:5736
-
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe110⤵PID:5776
-
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe111⤵PID:5820
-
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe112⤵PID:5864
-
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe113⤵PID:5912
-
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe114⤵PID:5956
-
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe115⤵PID:6000
-
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe116⤵PID:6036
-
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe117⤵PID:6092
-
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe118⤵PID:6132
-
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe119⤵PID:5204
-
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe120⤵PID:5272
-
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe121⤵PID:5348
-
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe122⤵PID:5412
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-