Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-11-2024 23:18
Behavioral task
behavioral1
Sample
825b6250bfe4c14f8d072834ccc53c5a93b91f848ab203e598dd49f38d66450d.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
825b6250bfe4c14f8d072834ccc53c5a93b91f848ab203e598dd49f38d66450d.exe
-
Size
93KB
-
MD5
a37628ee325b1d38ad5efb9ff3820a2d
-
SHA1
9b2a6b24153db674b0ee2a050e0d7831ad89d23c
-
SHA256
825b6250bfe4c14f8d072834ccc53c5a93b91f848ab203e598dd49f38d66450d
-
SHA512
806ce5812c3e110752192fbc18f6f300bcc6280a2aa82cd3b080bf87bffa8cc45604a0d363e69b05b989d9a12ab66db839832ed3096ca92963b35a91180c83a4
-
SSDEEP
1536:T2LXghj7oHUhaRfK+myaK3IruA1DaYfMZRWuLsV+1J:WgRhaFKZ7K4yAgYfc0DV+1J
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baannc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggmmlamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omqmop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflfac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojcpdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaael32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnnjmbpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhjmdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhnojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjafok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombcji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgmeigd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmblagmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibjli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ompfej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnbeeiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lobjni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqbpojnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apodoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmphaaln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbeeiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfqnbjfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkkmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmojkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bajqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcgdhkem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jifecp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjepjkhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fechomko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gflhoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhblllfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibqnkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nclbpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagiji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhnojl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeodhjmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jllokajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhdgpii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljdkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmphaaln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncccnol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjdho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lplfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oodcdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpiplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhknodl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqklkbbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajhndkb.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 4372 Hkpqkcpd.exe 3924 Hlambk32.exe 3404 Hdhedh32.exe 4400 Hienlpel.exe 3708 Hlcjhkdp.exe 5056 Hginecde.exe 864 Higjaoci.exe 1772 Hdmoohbo.exe 2464 Hiiggoaf.exe 5104 Hpcodihc.exe 4032 Hgmgqc32.exe 1692 Ingpmmgm.exe 1368 Idahjg32.exe 2088 Iinqbn32.exe 4668 Idcepgmg.exe 4520 Iknmla32.exe 4956 Iloidijb.exe 2276 Ipjedh32.exe 2328 Ikpjbq32.exe 4172 Ipmbjgpi.exe 2644 Inqbclob.exe 1900 Ipoopgnf.exe 4272 Ikdcmpnl.exe 444 Jnelok32.exe 4780 Jkimho32.exe 4308 Jgpmmp32.exe 392 Jjafok32.exe 2596 Kkpbin32.exe 1432 Kclgmq32.exe 4388 Kjepjkhf.exe 4524 Kjhloj32.exe 4616 Kglmio32.exe 2264 Kqdaadln.exe 5028 Kkjeomld.exe 4632 Kmkbfeab.exe 488 Lcjcnoej.exe 5088 Ljclki32.exe 2616 Lmbhgd32.exe 2836 Ljfhqh32.exe 1956 Lmdemd32.exe 4900 Lkeekk32.exe 3056 Lndagg32.exe 3984 Lmgabcge.exe 1860 Mjkblhfo.exe 2304 Madjhb32.exe 4148 Mgobel32.exe 3088 Mmkkmc32.exe 2588 Mebcop32.exe 2560 Mjokgg32.exe 2956 Mnkggfkb.exe 3368 Mchppmij.exe 744 Mjahlgpf.exe 4596 Malpia32.exe 2528 Mcjmel32.exe 4052 Mgehfkop.exe 3332 Nclikl32.exe 1308 Njfagf32.exe 1516 Nmenca32.exe 4732 Nelfeo32.exe 4860 Nlfnaicd.exe 1212 Nenbjo32.exe 4436 Njkkbehl.exe 1464 Nmigoagp.exe 3420 Nccokk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Egilaj32.dll Qacameaj.exe File created C:\Windows\SysWOW64\Jojdlfeo.exe Jhplpl32.exe File created C:\Windows\SysWOW64\Glgcbf32.exe Gemkelcd.exe File created C:\Windows\SysWOW64\Kfpcoefj.exe Kcbfcigf.exe File created C:\Windows\SysWOW64\Mcbpjg32.exe Mmhgmmbf.exe File created C:\Windows\SysWOW64\Cnnbme32.dll Glgcbf32.exe File opened for modification C:\Windows\SysWOW64\Llcghg32.exe Ljdkll32.exe File opened for modification C:\Windows\SysWOW64\Fbgihaji.exe Flmqlg32.exe File created C:\Windows\SysWOW64\Kncaec32.exe Kflide32.exe File created C:\Windows\SysWOW64\Aepjgm32.dll Ngqagcag.exe File created C:\Windows\SysWOW64\Gdgiklme.dll Hlcjhkdp.exe File created C:\Windows\SysWOW64\Fkldkg32.dll Nlfnaicd.exe File created C:\Windows\SysWOW64\Leifdf32.dll Aajohjon.exe File opened for modification C:\Windows\SysWOW64\Odmbaj32.exe Oanfen32.exe File created C:\Windows\SysWOW64\Keifdpif.exe Kcjjhdjb.exe File created C:\Windows\SysWOW64\Nbenoa32.dll Cdpjlb32.exe File created C:\Windows\SysWOW64\Hidgai32.exe Hffken32.exe File created C:\Windows\SysWOW64\Ngqagcag.exe Nceefd32.exe File created C:\Windows\SysWOW64\Cdmfllhn.exe Caojpaij.exe File created C:\Windows\SysWOW64\Hifmmb32.exe Hejqldci.exe File created C:\Windows\SysWOW64\Cdbbdk32.dll Higjaoci.exe File opened for modification C:\Windows\SysWOW64\Qlgpod32.exe Qemhbj32.exe File created C:\Windows\SysWOW64\Anaomkdb.exe Akccap32.exe File created C:\Windows\SysWOW64\Ipkdek32.exe Ihdldn32.exe File created C:\Windows\SysWOW64\Jidinqpb.exe Ipkdek32.exe File opened for modification C:\Windows\SysWOW64\Dndgfpbo.exe Dgjoif32.exe File opened for modification C:\Windows\SysWOW64\Ebifmm32.exe Enmjlojd.exe File created C:\Windows\SysWOW64\Gegkpf32.exe Gbiockdj.exe File created C:\Windows\SysWOW64\Falmlm32.dll Jadgnb32.exe File created C:\Windows\SysWOW64\Noppeaed.exe Nmaciefp.exe File created C:\Windows\SysWOW64\Nbdfqocb.dll Hffken32.exe File created C:\Windows\SysWOW64\Eeccjdie.dll Klhnfo32.exe File created C:\Windows\SysWOW64\Dgcihgaj.exe Dddllkbf.exe File created C:\Windows\SysWOW64\Holpib32.dll Oqklkbbi.exe File created C:\Windows\SysWOW64\Fljhbbae.dll Omdieb32.exe File created C:\Windows\SysWOW64\Kcbfcigf.exe Klhnfo32.exe File opened for modification C:\Windows\SysWOW64\Ombcji32.exe Ofhknodl.exe File created C:\Windows\SysWOW64\Dnonkq32.exe Dgeenfog.exe File opened for modification C:\Windows\SysWOW64\Hnbeeiji.exe Hifmmb32.exe File created C:\Windows\SysWOW64\Gcmjja32.dll Jifecp32.exe File created C:\Windows\SysWOW64\Gehcdm32.dll Nenbjo32.exe File created C:\Windows\SysWOW64\Ilmjim32.dll Gppcmeem.exe File created C:\Windows\SysWOW64\Komhll32.exe Kpjgaoqm.exe File created C:\Windows\SysWOW64\Kbhmbdle.exe Khbiello.exe File opened for modification C:\Windows\SysWOW64\Jpaekqhh.exe Jleijb32.exe File opened for modification C:\Windows\SysWOW64\Mcbpjg32.exe Mmhgmmbf.exe File created C:\Windows\SysWOW64\Npepkf32.exe Nqbpojnp.exe File opened for modification C:\Windows\SysWOW64\Kjhloj32.exe Kjepjkhf.exe File created C:\Windows\SysWOW64\Ljclki32.exe Lcjcnoej.exe File opened for modification C:\Windows\SysWOW64\Qklmpalf.exe Qhmqdemc.exe File created C:\Windows\SysWOW64\Pmlmkn32.exe Omjpeo32.exe File opened for modification C:\Windows\SysWOW64\Gmojkj32.exe Gehbjm32.exe File created C:\Windows\SysWOW64\Jbblob32.dll Fkjmlaac.exe File created C:\Windows\SysWOW64\Cbpajgmf.exe Ckeimm32.exe File created C:\Windows\SysWOW64\Ghjnkpdc.dll Gpbpbecj.exe File created C:\Windows\SysWOW64\Ombcji32.exe Ofhknodl.exe File created C:\Windows\SysWOW64\Dkbnla32.dll Bahdob32.exe File opened for modification C:\Windows\SysWOW64\Cammjakm.exe Ckbemgcp.exe File created C:\Windows\SysWOW64\Njkkbehl.exe Nenbjo32.exe File created C:\Windows\SysWOW64\Mhpbkngk.dll Nmnqjp32.exe File opened for modification C:\Windows\SysWOW64\Ponfka32.exe Poliea32.exe File created C:\Windows\SysWOW64\Cimjkpjn.dll Ibqnkh32.exe File created C:\Windows\SysWOW64\Giecfejd.exe Ganldgib.exe File created C:\Windows\SysWOW64\Dgpamjnb.dll Ggmmlamj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12744 12664 WerFault.exe 639 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oloahhki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhnikc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlqqcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmfkhmdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgohf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepjkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnphoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oophlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbacd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfami32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjbhmad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbped32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahmfpap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmjlojd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojdlfeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjggal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhahaiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodcdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefgbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohqnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmbhgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnoaaaad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkeekk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplbickp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhbqbae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popbpqjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igfclkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjbbfgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cogddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkofga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbohpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qacameaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heegad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcodihc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmgqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjdho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feqeog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijfhbhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdldn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfagighf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknmla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jahqiaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeodhjmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jilfifme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnhjcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngeik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblmgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeapcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hginecde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imiehfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moipoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhloj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqdaadln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiokinbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiaael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljnlecmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgphpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpofl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikpjbq32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklbeh32.dll" Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccopc32.dll" Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbolagk.dll" Gaebef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll" Lepleocn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lllagh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikdcmpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmgabcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjefc32.dll" Amjillkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqklkbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iahgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiopca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfhllkp.dll" Holfoqcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhkafda.dll" Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qoelkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfegnkqm.dll" Dokgdkeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnpdegjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbjddh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gegkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gndick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahkpm32.dll" Jidinqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehenqf32.dll" Dhikci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhoahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omdieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokmqben.dll" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blqllqqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpmdfonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjpda32.dll" Kjlopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfof32.dll" Hihibbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koajmepf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lplfcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmgob32.dll" Eoideh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifomll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjpeo32.dll" Nnojho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampillfk.dll" Bkibgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doccpcja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnfmbmbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ookoaokf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdjaieh.dll" Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffchaq32.dll" Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldjcfk32.dll" Kjeiodek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enmjlojd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgbdnie.dll" Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmok32.dll" Qpcecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laiipofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgdojhec.dll" Ingpmmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjhloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneall32.dll" Pdjgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojpmiij.dll" Jojdlfeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgjmg32.dll" Hibjli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahfmpnql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbaffgag.dll" Hgmgqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cncijina.dll" Omqmop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qoelkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocohmc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3204 wrote to memory of 4372 3204 825b6250bfe4c14f8d072834ccc53c5a93b91f848ab203e598dd49f38d66450d.exe 82 PID 3204 wrote to memory of 4372 3204 825b6250bfe4c14f8d072834ccc53c5a93b91f848ab203e598dd49f38d66450d.exe 82 PID 3204 wrote to memory of 4372 3204 825b6250bfe4c14f8d072834ccc53c5a93b91f848ab203e598dd49f38d66450d.exe 82 PID 4372 wrote to memory of 3924 4372 Hkpqkcpd.exe 83 PID 4372 wrote to memory of 3924 4372 Hkpqkcpd.exe 83 PID 4372 wrote to memory of 3924 4372 Hkpqkcpd.exe 83 PID 3924 wrote to memory of 3404 3924 Hlambk32.exe 84 PID 3924 wrote to memory of 3404 3924 Hlambk32.exe 84 PID 3924 wrote to memory of 3404 3924 Hlambk32.exe 84 PID 3404 wrote to memory of 4400 3404 Hdhedh32.exe 85 PID 3404 wrote to memory of 4400 3404 Hdhedh32.exe 85 PID 3404 wrote to memory of 4400 3404 Hdhedh32.exe 85 PID 4400 wrote to memory of 3708 4400 Hienlpel.exe 86 PID 4400 wrote to memory of 3708 4400 Hienlpel.exe 86 PID 4400 wrote to memory of 3708 4400 Hienlpel.exe 86 PID 3708 wrote to memory of 5056 3708 Hlcjhkdp.exe 87 PID 3708 wrote to memory of 5056 3708 Hlcjhkdp.exe 87 PID 3708 wrote to memory of 5056 3708 Hlcjhkdp.exe 87 PID 5056 wrote to memory of 864 5056 Hginecde.exe 88 PID 5056 wrote to memory of 864 5056 Hginecde.exe 88 PID 5056 wrote to memory of 864 5056 Hginecde.exe 88 PID 864 wrote to memory of 1772 864 Higjaoci.exe 89 PID 864 wrote to memory of 1772 864 Higjaoci.exe 89 PID 864 wrote to memory of 1772 864 Higjaoci.exe 89 PID 1772 wrote to memory of 2464 1772 Hdmoohbo.exe 90 PID 1772 wrote to memory of 2464 1772 Hdmoohbo.exe 90 PID 1772 wrote to memory of 2464 1772 Hdmoohbo.exe 90 PID 2464 wrote to memory of 5104 2464 Hiiggoaf.exe 91 PID 2464 wrote to memory of 5104 2464 Hiiggoaf.exe 91 PID 2464 wrote to memory of 5104 2464 Hiiggoaf.exe 91 PID 5104 wrote to memory of 4032 5104 Hpcodihc.exe 92 PID 5104 wrote to memory of 4032 5104 Hpcodihc.exe 92 PID 5104 wrote to memory of 4032 5104 Hpcodihc.exe 92 PID 4032 wrote to memory of 1692 4032 Hgmgqc32.exe 93 PID 4032 wrote to memory of 1692 4032 Hgmgqc32.exe 93 PID 4032 wrote to memory of 1692 4032 Hgmgqc32.exe 93 PID 1692 wrote to memory of 1368 1692 Ingpmmgm.exe 94 PID 1692 wrote to memory of 1368 1692 Ingpmmgm.exe 94 PID 1692 wrote to memory of 1368 1692 Ingpmmgm.exe 94 PID 1368 wrote to memory of 2088 1368 Idahjg32.exe 95 PID 1368 wrote to memory of 2088 1368 Idahjg32.exe 95 PID 1368 wrote to memory of 2088 1368 Idahjg32.exe 95 PID 2088 wrote to memory of 4668 2088 Iinqbn32.exe 96 PID 2088 wrote to memory of 4668 2088 Iinqbn32.exe 96 PID 2088 wrote to memory of 4668 2088 Iinqbn32.exe 96 PID 4668 wrote to memory of 4520 4668 Idcepgmg.exe 97 PID 4668 wrote to memory of 4520 4668 Idcepgmg.exe 97 PID 4668 wrote to memory of 4520 4668 Idcepgmg.exe 97 PID 4520 wrote to memory of 4956 4520 Iknmla32.exe 98 PID 4520 wrote to memory of 4956 4520 Iknmla32.exe 98 PID 4520 wrote to memory of 4956 4520 Iknmla32.exe 98 PID 4956 wrote to memory of 2276 4956 Iloidijb.exe 99 PID 4956 wrote to memory of 2276 4956 Iloidijb.exe 99 PID 4956 wrote to memory of 2276 4956 Iloidijb.exe 99 PID 2276 wrote to memory of 2328 2276 Ipjedh32.exe 100 PID 2276 wrote to memory of 2328 2276 Ipjedh32.exe 100 PID 2276 wrote to memory of 2328 2276 Ipjedh32.exe 100 PID 2328 wrote to memory of 4172 2328 Ikpjbq32.exe 101 PID 2328 wrote to memory of 4172 2328 Ikpjbq32.exe 101 PID 2328 wrote to memory of 4172 2328 Ikpjbq32.exe 101 PID 4172 wrote to memory of 2644 4172 Ipmbjgpi.exe 102 PID 4172 wrote to memory of 2644 4172 Ipmbjgpi.exe 102 PID 4172 wrote to memory of 2644 4172 Ipmbjgpi.exe 102 PID 2644 wrote to memory of 1900 2644 Inqbclob.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\825b6250bfe4c14f8d072834ccc53c5a93b91f848ab203e598dd49f38d66450d.exe"C:\Users\Admin\AppData\Local\Temp\825b6250bfe4c14f8d072834ccc53c5a93b91f848ab203e598dd49f38d66450d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Higjaoci.exeC:\Windows\system32\Higjaoci.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Hdmoohbo.exeC:\Windows\system32\Hdmoohbo.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe23⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4272 -
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe25⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Jkimho32.exeC:\Windows\system32\Jkimho32.exe26⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4308 -
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe29⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Kclgmq32.exeC:\Windows\system32\Kclgmq32.exe30⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4388 -
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4524 -
C:\Windows\SysWOW64\Kglmio32.exeC:\Windows\system32\Kglmio32.exe33⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Kkjeomld.exeC:\Windows\system32\Kkjeomld.exe35⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe36⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:488 -
C:\Windows\SysWOW64\Ljclki32.exeC:\Windows\system32\Ljclki32.exe38⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Ljfhqh32.exeC:\Windows\system32\Ljfhqh32.exe40⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe41⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Lkeekk32.exeC:\Windows\system32\Lkeekk32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe43⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3984 -
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe45⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe46⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Mgobel32.exeC:\Windows\system32\Mgobel32.exe47⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe49⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe50⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Mnkggfkb.exeC:\Windows\system32\Mnkggfkb.exe51⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe52⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:744 -
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe54⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Mcjmel32.exeC:\Windows\system32\Mcjmel32.exe55⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe56⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe57⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe58⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Nmenca32.exeC:\Windows\system32\Nmenca32.exe59⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe60⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Nlfnaicd.exeC:\Windows\system32\Nlfnaicd.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4860 -
C:\Windows\SysWOW64\Nenbjo32.exeC:\Windows\system32\Nenbjo32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1212 -
C:\Windows\SysWOW64\Njkkbehl.exeC:\Windows\system32\Njkkbehl.exe63⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Nmigoagp.exeC:\Windows\system32\Nmigoagp.exe64⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe66⤵PID:4992
-
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe67⤵PID:4444
-
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe68⤵PID:1400
-
C:\Windows\SysWOW64\Nhahaiec.exeC:\Windows\system32\Nhahaiec.exe69⤵
- System Location Discovery: System Language Discovery
PID:3324 -
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe70⤵
- Drops file in System32 directory
PID:3716 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe71⤵PID:1528
-
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe72⤵
- System Location Discovery: System Language Discovery
PID:3960 -
C:\Windows\SysWOW64\Ojbacd32.exeC:\Windows\system32\Ojbacd32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3424 -
C:\Windows\SysWOW64\Ohfami32.exeC:\Windows\system32\Ohfami32.exe75⤵
- System Location Discovery: System Language Discovery
PID:4236 -
C:\Windows\SysWOW64\Omcjep32.exeC:\Windows\system32\Omcjep32.exe76⤵PID:4480
-
C:\Windows\SysWOW64\Oanfen32.exeC:\Windows\system32\Oanfen32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Odmbaj32.exeC:\Windows\system32\Odmbaj32.exe78⤵PID:4656
-
C:\Windows\SysWOW64\Oobfob32.exeC:\Windows\system32\Oobfob32.exe79⤵PID:3160
-
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:360 -
C:\Windows\SysWOW64\Omjpeo32.exeC:\Windows\system32\Omjpeo32.exe81⤵
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Pmlmkn32.exeC:\Windows\system32\Pmlmkn32.exe82⤵PID:3944
-
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe83⤵PID:4432
-
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe84⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe85⤵PID:4708
-
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe86⤵PID:1932
-
C:\Windows\SysWOW64\Popbpqjh.exeC:\Windows\system32\Popbpqjh.exe87⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe88⤵PID:3764
-
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe89⤵PID:3596
-
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe90⤵
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Qlgpod32.exeC:\Windows\system32\Qlgpod32.exe91⤵PID:3312
-
C:\Windows\SysWOW64\Qoelkp32.exeC:\Windows\system32\Qoelkp32.exe92⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Qhmqdemc.exeC:\Windows\system32\Qhmqdemc.exe94⤵
- Drops file in System32 directory
PID:5080 -
C:\Windows\SysWOW64\Qklmpalf.exeC:\Windows\system32\Qklmpalf.exe95⤵PID:2532
-
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe96⤵
- Modifies registry class
PID:3104 -
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe97⤵PID:3552
-
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe99⤵PID:1428
-
C:\Windows\SysWOW64\Ahbjoe32.exeC:\Windows\system32\Ahbjoe32.exe100⤵PID:2136
-
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe101⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe102⤵
- Drops file in System32 directory
PID:3864 -
C:\Windows\SysWOW64\Aefjii32.exeC:\Windows\system32\Aefjii32.exe103⤵PID:5072
-
C:\Windows\SysWOW64\Akccap32.exeC:\Windows\system32\Akccap32.exe104⤵
- Drops file in System32 directory
PID:4748 -
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe105⤵
- Modifies registry class
PID:5156 -
C:\Windows\SysWOW64\Adkgje32.exeC:\Windows\system32\Adkgje32.exe106⤵PID:5200
-
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe107⤵PID:5244
-
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe108⤵PID:5288
-
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe109⤵PID:5332
-
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe110⤵PID:5368
-
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe111⤵PID:5420
-
C:\Windows\SysWOW64\Baadiiif.exeC:\Windows\system32\Baadiiif.exe112⤵PID:5464
-
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe113⤵PID:5508
-
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe114⤵PID:5552
-
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe115⤵PID:5596
-
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe116⤵
- System Location Discovery: System Language Discovery
PID:5640 -
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe117⤵PID:5684
-
C:\Windows\SysWOW64\Bddjpd32.exeC:\Windows\system32\Bddjpd32.exe118⤵PID:5728
-
C:\Windows\SysWOW64\Bllbaa32.exeC:\Windows\system32\Bllbaa32.exe119⤵PID:5760
-
C:\Windows\SysWOW64\Bojomm32.exeC:\Windows\system32\Bojomm32.exe120⤵PID:5812
-
C:\Windows\SysWOW64\Bdgged32.exeC:\Windows\system32\Bdgged32.exe121⤵PID:5856
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-