Analysis
max time kernel: 93s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2024 02:44
Static task: static1
Behavioral task: behavioral1
  Sample: b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe
  Resource: win10v2004-20241007-en
General
Target: b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe
Size: 640KB
MD5: d6aa77d1a2930a6282309045ed950b38
SHA1: 749c014d59f1de7f7654c610071bda68b3c260b3
SHA256: b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f
SHA512: e7309b22a0e560fd0aa76595427a0ad33631b6cf6a833850aaa87215c7b7752291c9bbb8f076e1b530007adf7eb128e5db97325e688e4bfdecdf476efcd7b334
SSDEEP: 12288:pOibdvV6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lMuk:pOOtaSHFaZRBEYyqmaf2qwiHPKgRC4gI
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikamfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcbmcf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oljgboed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npipeoem.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hicnqb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hogljhng.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgbphp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qojjjenl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajianleg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igkakpld.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcmkai32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eiffmc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhnmliii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glngldmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Caegoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kiijgaff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcclbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Coflbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nadjnhdq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fagaeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olcabpkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgofhq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngkokm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njjkgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egpglm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Poejeo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhbapabo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpeloo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdipacgl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkieec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfgifjfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncmfen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oknnhb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peehadjb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adjninqg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phdbblpm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnjccjok.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hikklg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdfgkjhg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfimdlcg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgfepmnj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjhpod32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggjgfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afpbcm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Panfke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Panfke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcenfd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oahgelgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aejkcahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcnmodgj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfaihp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idobedjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkpbgdlj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oaqqdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njokmnho.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpgemjkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhpgqboa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oogncajf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejgibo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gikbej32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahqjdgij.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejelmp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipkboj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mqhchdjb.exe
Berbew family
Executes dropped EXE 64 IoCs
pid | Process
952 | Cjcdeo32.exe
4400 | Canlbi32.exe
3124 | Ddnedd32.exe
2984 | Dabemhfm.exe
1348 | Dmifbi32.exe
2828 | Dohcllbd.exe
2276 | Ddekdc32.exe
4568 | Dgdgqo32.exe
3204 | Deehofho.exe
3756 | Eghalnlj.exe
1280 | Edlaebkd.exe
4500 | Emefng32.exe
3560 | Ehjjkp32.exe
3016 | Egpglm32.exe
932 | Eogonj32.exe
472 | Fecdpd32.exe
4340 | Fajeeeac.exe
3948 | Foneni32.exe
3128 | Fhfjgogm.exe
3752 | Fannpd32.exe
4136 | Faqkedkk.exe
4992 | Geoclb32.exe
1636 | Geapabpo.exe
2960 | Gnleedmj.exe
1924 | Golapg32.exe
2844 | Gggfdiag.exe
4056 | Hhfbnl32.exe
1156 | Hboggbok.exe
4556 | Hnehlceo.exe
1472 | Hnhdabcl.exe
1776 | Hhmiokbb.exe
4808 | Hogakejo.exe
1988 | Hfaihp32.exe
2800 | Hhpedk32.exe
4448 | Ioljfe32.exe
3088 | Ioogld32.exe
3596 | Ifhoiokd.exe
2244 | Ioadadbd.exe
1368 | Ifklnn32.exe
3280 | Iiihjj32.exe
4608 | Ifmidn32.exe
4216 | Inhnhp32.exe
4248 | Jfpeinel.exe
3704 | Jgqbaf32.exe
1100 | Jnkjnpbg.exe
3476 | Jedbjj32.exe
4480 | Jkokgdaq.exe
2180 | Jfdodm32.exe
2064 | Jkagmd32.exe
760 | Jbkpingk.exe
888 | Jiehfh32.exe
1288 | Jkcdbc32.exe
1500 | Jbmloneh.exe
3584 | Jelhki32.exe
2304 | Jleahcki.exe
1868 | Kndmdojl.exe
2812 | Keneqi32.exe
4124 | Kijaagjb.exe
5040 | Kpcina32.exe
1580 | Kilngg32.exe
920 | Kpffcapl.exe
3764 | Kbdbpmop.exe
544 | Kphcianj.exe
2212 | Knmpjmba.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Ijchgmap.exe | Igdlkaal.exe
File created | C:\Windows\SysWOW64\Jpeloo32.exe | Jljpoqdm.exe
File created | C:\Windows\SysWOW64\Dophhc32.dll | Kkilnfpl.exe
File opened for modification | C:\Windows\SysWOW64\Gpimbm32.exe | Giodecjm.exe
File created | C:\Windows\SysWOW64\Paomfkao.exe | Popqjpbk.exe
File created | C:\Windows\SysWOW64\Anccadgg.exe | Alafjl32.exe
File created | C:\Windows\SysWOW64\Mgpoondb.exe | Mohgnacp.exe
File created | C:\Windows\SysWOW64\Bpjkjh32.exe | Bkmbaa32.exe
File opened for modification | C:\Windows\SysWOW64\Golapg32.exe | Gnleedmj.exe
File created | C:\Windows\SysWOW64\Nhdiko32.exe | Ngcmcfha.exe
File created | C:\Windows\SysWOW64\Pimobp32.dll | Fplnfk32.exe
File opened for modification | C:\Windows\SysWOW64\Oeafpk32.exe | Oogncajf.exe
File opened for modification | C:\Windows\SysWOW64\Fqdpnbfe.exe | Foccfj32.exe
File created | C:\Windows\SysWOW64\Lglciloo.exe | Lengmppk.exe
File created | C:\Windows\SysWOW64\Ljccjaqo.exe | Lcikmh32.exe
File created | C:\Windows\SysWOW64\Dnhnko32.exe | Dmgacfqo.exe
File opened for modification | C:\Windows\SysWOW64\Hegkem32.exe | Hbioia32.exe
File opened for modification | C:\Windows\SysWOW64\Jkagmd32.exe | Jfdodm32.exe
File created | C:\Windows\SysWOW64\Cpiaobqf.dll | Nmfahj32.exe
File opened for modification | C:\Windows\SysWOW64\Lqadbk32.exe | Ljglea32.exe
File created | C:\Windows\SysWOW64\Ppdbpl32.dll | Neniig32.exe
File created | C:\Windows\SysWOW64\Jandfpae.dll | Hbnoog32.exe
File created | C:\Windows\SysWOW64\Ebchgpne.dll | Jkagmd32.exe
File opened for modification | C:\Windows\SysWOW64\Opgahjed.exe | Ohpigm32.exe
File opened for modification | C:\Windows\SysWOW64\Fkoend32.exe | Fhqiai32.exe
File created | C:\Windows\SysWOW64\Nljefh32.exe | Neqminpe.exe
File created | C:\Windows\SysWOW64\Npiilqfn.dll | Eigenf32.exe
File opened for modification | C:\Windows\SysWOW64\Jllfjjoo.exe | Jmienm32.exe
File opened for modification | C:\Windows\SysWOW64\Kpgkafie.exe | Kfbfdmio.exe
File created | C:\Windows\SysWOW64\Cagdeieg.exe | Coigim32.exe
File created | C:\Windows\SysWOW64\Ihfejdgl.exe | Iqomiffj.exe
File created | C:\Windows\SysWOW64\Neqminpe.exe | Nofemc32.exe
File created | C:\Windows\SysWOW64\Hiddkh32.exe | Hdglca32.exe
File created | C:\Windows\SysWOW64\Iphhjddi.dll | Kjqfdbca.exe
File created | C:\Windows\SysWOW64\Oaknboap.dll | Gbginh32.exe
File created | C:\Windows\SysWOW64\Ihmhdjgl.dll | Epbkpm32.exe
File opened for modification | C:\Windows\SysWOW64\Oahgelgg.exe | Oknnhb32.exe
File opened for modification | C:\Windows\SysWOW64\Lmcllm32.exe | Ljeppa32.exe
File created | C:\Windows\SysWOW64\Mapjmdij.dll | Cochbdpg.exe
File created | C:\Windows\SysWOW64\Jkfkpo32.dll | Fmohei32.exe
File created | C:\Windows\SysWOW64\Gbhpiodj.exe | Glngldmm.exe
File created | C:\Windows\SysWOW64\Dhglghlk.exe | Dbmdjn32.exe
File opened for modification | C:\Windows\SysWOW64\Pjkemn32.exe | Pgmiqb32.exe
File opened for modification | C:\Windows\SysWOW64\Popqjpbk.exe | Phfhmeko.exe
File opened for modification | C:\Windows\SysWOW64\Odliqbkj.exe | Oanmdglf.exe
File opened for modification | C:\Windows\SysWOW64\Hijdaapp.exe | Hflhefql.exe
File opened for modification | C:\Windows\SysWOW64\Opglfmim.exe | Omhpjaji.exe
File created | C:\Windows\SysWOW64\Fgjljj32.dll | Pnapjcia.exe
File opened for modification | C:\Windows\SysWOW64\Mhdqdamb.exe | Mbghljok.exe
File opened for modification | C:\Windows\SysWOW64\Poeaoe32.exe | Phlibkje.exe
File created | C:\Windows\SysWOW64\Emilfa32.dll | Jhbdfbmo.exe
File opened for modification | C:\Windows\SysWOW64\Bbkehg32.exe | Blnmpp32.exe
File opened for modification | C:\Windows\SysWOW64\Pgjlkc32.exe | Plehnjdq.exe
File created | C:\Windows\SysWOW64\Cijpih32.dll | Bcclbk32.exe
File opened for modification | C:\Windows\SysWOW64\Nmfjndjo.exe | Njgnahkk.exe
File created | C:\Windows\SysWOW64\Jglkoipg.dll | Bohpalnq.exe
File opened for modification | C:\Windows\SysWOW64\Dmhimmdj.exe | Dbbdpddd.exe
File created | C:\Windows\SysWOW64\Fbggbabl.exe | Fmjnjjde.exe
File opened for modification | C:\Windows\SysWOW64\Ebkpllin.exe | Eiblcgbm.exe
File created | C:\Windows\SysWOW64\Qnfjfnhe.dll | Fecdpd32.exe
File created | C:\Windows\SysWOW64\Edngpkee.exe | Epbkpm32.exe
File created | C:\Windows\SysWOW64\Jcdoqn32.dll | Hgkidbjf.exe
File created | C:\Windows\SysWOW64\Gjefeo32.dll | Oioofi32.exe
File created | C:\Windows\SysWOW64\Jchklcdi.exe | Jcenfd32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
7904 | 6596 | WerFault.exe | 1090
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgpcbp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aaiommpj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mflgcg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Camehbfg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dimcgdpm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljhcpgpe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahhgomgm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhogia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Diopmdnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihakod32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejgibo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chkmkjfh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qhnmnhkl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Baenhkem.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fqiiia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Necqicao.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cilcfpjd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmmmla32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhpgqboa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnnagh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eijbcfle.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqafldpd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlakgfaj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Baigck32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehgfkj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Keneqi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjhjijog.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flpkkfim.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnhecaep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phjdch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkagmd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kgofhq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlaijo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofohng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfpeinel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdelgabo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qlhcdm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhdgkkmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgdgqo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amcdoh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgijjlla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmnbjp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfpdodim.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gplpbccc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imkimodd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnkfccdi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oockch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnldahil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mefcihdd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqjpke32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Malnbp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmpifphe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjgcnckl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Goiphjjg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jqkleell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hegkem32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jeoagpid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkphnn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oflkhg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eiccmm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hpbfcb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phgogl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oielpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glngldmm.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
760 | Jbkpingk.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cfdnjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hdglca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbadopok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hckmekoo.dll" | Kpcafgmj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aapeml32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdmmkemf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ainnoi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjlgjieb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Caqndjkp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chjfad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fdkmgc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Loaanb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhijmlh.dll" | Egpglm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fkflncpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iqjcng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kiijgaff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjnfk32.dll" | Coflbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdcffoc.dll" | Cfpdodim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfennfld.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eggbjmcj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ahqjdgij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aokbqa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkdoo32.dll" | Ocemdfdh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bcmohj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceplddm.dll" | Dbbdpddd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapjmdij.dll" | Cochbdpg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jliidjqa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncmfen32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Edapmbjn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midllmkh.dll" | Gpfpmm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cpklhpag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cocomk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjehfoqi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eembac32.dll" | Bfhgdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmmhnfaq.dll" | Chkmkjfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncliaj32.dll" | Dhglghlk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afkihnoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkpodbhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbongepd.dll" | Mbfaad32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmjgodpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcbjc32.dll" | Mnnagh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qofiebel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfmia32.dll" | Gkpodbhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnmbfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blffpabb.dll" | Bjpqde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgjjkl32.dll" | Ncbfjdcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fikhoofg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeqien32.dll" | Iiljljjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pegefdho.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qaelld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphbeihm.dll" | Olihblon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qfbfao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bqjpke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Okiembdp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmhjkh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jkkpmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcenfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Locnca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Njgnahkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfhkb32.dll" | Ahqjdgij.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Baldij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feihhdlp.dll" | Mmokgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaddkpgo.dll" | Gflonh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cdcckd32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2216 wrote to memory of 952  2216  b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe  83
PID 2216 wrote to memory of 952  2216  b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe  83
PID 2216 wrote to memory of 952  2216  b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe  83
PID 952 wrote to memory of 4400  952  Cjcdeo32.exe  84
PID 952 wrote to memory of 4400  952  Cjcdeo32.exe  84
PID 952 wrote to memory of 4400  952  Cjcdeo32.exe  84
PID 4400 wrote to memory of 3124  4400  Canlbi32.exe  85
PID 4400 wrote to memory of 3124  4400  Canlbi32.exe  85
PID 4400 wrote to memory of 3124  4400  Canlbi32.exe  85
PID 3124 wrote to memory of 2984  3124  Ddnedd32.exe  86
PID 3124 wrote to memory of 2984  3124  Ddnedd32.exe  86
PID 3124 wrote to memory of 2984  3124  Ddnedd32.exe  86
PID 2984 wrote to memory of 1348  2984  Dabemhfm.exe  87
PID 2984 wrote to memory of 1348  2984  Dabemhfm.exe  87
PID 2984 wrote to memory of 1348  2984  Dabemhfm.exe  87
PID 1348 wrote to memory of 2828  1348  Dmifbi32.exe  88
PID 1348 wrote to memory of 2828  1348  Dmifbi32.exe  88
PID 1348 wrote to memory of 2828  1348  Dmifbi32.exe  88
PID 2828 wrote to memory of 2276  2828  Dohcllbd.exe  89
PID 2828 wrote to memory of 2276  2828  Dohcllbd.exe  89
PID 2828 wrote to memory of 2276  2828  Dohcllbd.exe  89
PID 2276 wrote to memory of 4568  2276  Ddekdc32.exe  90
PID 2276 wrote to memory of 4568  2276  Ddekdc32.exe  90
PID 2276 wrote to memory of 4568  2276  Ddekdc32.exe  90
PID 4568 wrote to memory of 3204  4568  Dgdgqo32.exe  91
PID 4568 wrote to memory of 3204  4568  Dgdgqo32.exe  91
PID 4568 wrote to memory of 3204  4568  Dgdgqo32.exe  91
PID 3204 wrote to memory of 3756  3204  Deehofho.exe  92
PID 3204 wrote to memory of 3756  3204  Deehofho.exe  92
PID 3204 wrote to memory of 3756  3204  Deehofho.exe  92
PID 3756 wrote to memory of 1280  3756  Eghalnlj.exe  93
PID 3756 wrote to memory of 1280  3756  Eghalnlj.exe  93
PID 3756 wrote to memory of 1280  3756  Eghalnlj.exe  93
PID 1280 wrote to memory of 4500  1280  Edlaebkd.exe  94
PID 1280 wrote to memory of 4500  1280  Edlaebkd.exe  94
PID 1280 wrote to memory of 4500  1280  Edlaebkd.exe  94
PID 4500 wrote to memory of 3560  4500  Emefng32.exe  95
PID 4500 wrote to memory of 3560  4500  Emefng32.exe  95
PID 4500 wrote to memory of 3560  4500  Emefng32.exe  95
PID 3560 wrote to memory of 3016  3560  Ehjjkp32.exe  96
PID 3560 wrote to memory of 3016  3560  Ehjjkp32.exe  96
PID 3560 wrote to memory of 3016  3560  Ehjjkp32.exe  96
PID 3016 wrote to memory of 932  3016  Egpglm32.exe  97
PID 3016 wrote to memory of 932  3016  Egpglm32.exe  97
PID 3016 wrote to memory of 932  3016  Egpglm32.exe  97
PID 932 wrote to memory of 472  932  Eogonj32.exe  98
PID 932 wrote to memory of 472  932  Eogonj32.exe  98
PID 932 wrote to memory of 472  932  Eogonj32.exe  98
PID 472 wrote to memory of 4340  472  Fecdpd32.exe  99
PID 472 wrote to memory of 4340  472  Fecdpd32.exe  99
PID 472 wrote to memory of 4340  472  Fecdpd32.exe  99
PID 4340 wrote to memory of 3948  4340  Fajeeeac.exe  100
PID 4340 wrote to memory of 3948  4340  Fajeeeac.exe  100
PID 4340 wrote to memory of 3948  4340  Fajeeeac.exe  100
PID 3948 wrote to memory of 3128  3948  Foneni32.exe  101
PID 3948 wrote to memory of 3128  3948  Foneni32.exe  101
PID 3948 wrote to memory of 3128  3948  Foneni32.exe  101
PID 3128 wrote to memory of 3752  3128  Fhfjgogm.exe  102
PID 3128 wrote to memory of 3752  3128  Fhfjgogm.exe  102
PID 3128 wrote to memory of 3752  3128  Fhfjgogm.exe  102
PID 3752 wrote to memory of 4136  3752  Fannpd32.exe  103
PID 3752 wrote to memory of 4136  3752  Fannpd32.exe  103
PID 3752 wrote to memory of 4136  3752  Fannpd32.exe  103
PID 4136 wrote to memory of 4992  4136  Faqkedkk.exe  104
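The two event lists above are easier to reason about once parsed: the WriteProcessMemory records give the parent-to-child spawn chain (each child is logged three times, one line per WriteProcessMemory call), and the registry records show the same CLSID's InProcServer32 default value being rewritten by one dropped process after another, each time to a fresh DLL under SysWow64. The Python below is an added example written for this page; it is not part of the Triage report or of the sample. Its input strings are constructed from lines copied off this report (the first registry line is given with its "Set value (str)" prefix, which the page breaks across lines), and every function and variable name is the example's own.

```python
"""Rebuild the spawn chain and the COM InProcServer32 IoCs from this report's
event lines. Added example for this page; not sandbox or sample code."""
import re

# Constructed sample: WriteProcessMemory records as the report prints them
# (columns: description, pid, Process, procid_target). Three records per child
# are genuine sandbox output, one per WriteProcessMemory call.
WPM_LINES = """
PID 2216 wrote to memory of 952 2216 b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe 83
PID 2216 wrote to memory of 952 2216 b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe 83
PID 2216 wrote to memory of 952 2216 b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe 83
PID 952 wrote to memory of 4400 952 Cjcdeo32.exe 84
PID 4400 wrote to memory of 3124 4400 Canlbi32.exe 85
PID 3124 wrote to memory of 2984 3124 Ddnedd32.exe 86
"""

# Constructed sample: registry records from the "Modifies registry class"
# section. REG_SZ values appear with doubled backslashes, exactly as on the page.
REG_LINES = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbongepd.dll" Mbfaad32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmjgodpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qofiebel.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcbjc32.dll" Mnnagh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphbeihm.dll" Olihblon.exe
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
SET_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+)$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_wpm(text):
    """Return (edges, names): edges is an ordered, de-duplicated list of
    (parent_pid, child_pid); names maps a PID to the image the report prints
    for it. Only PIDs that act as writers get a name from these records."""
    edges, names = [], {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        parent, child, pid, image, _target = m.groups()
        parent, child = int(parent), int(child)
        if int(pid) != parent:
            raise ValueError(f"pid column {pid} disagrees with writer {parent}")
        names[parent] = image
        if (parent, child) not in edges:
            edges.append((parent, child))
    return edges, names


def execution_chain(text):
    """Walk parent->child edges from the root (the one PID never written to)
    and return [(pid, image_or_None), ...]. The last process has image None
    because it never writes to a child within the given records."""
    edges, names = parse_wpm(text)
    children = {}
    for parent, child in edges:
        if parent in children:
            raise ValueError(f"PID {parent} spawned more than one child; not a linear chain")
        children[parent] = child
    targets = {child for _, child in edges}
    roots = [parent for parent, _ in edges if parent not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append((pid, names.get(pid)))
        pid = children.get(pid)
    return chain


def com_hijack_iocs(text):
    """Extract writes to a CLSID's InProcServer32 default value: the DLL that
    any COM client instantiating that CLSID (Explorer, per the report's autorun
    signature) will load. ThreadingModel writes and bare key creations are skipped."""
    hits = []
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        _kind, path, value, writer = m.groups()
        if not path.endswith("\\InProcServer32\\"):
            continue
        clsid = CLSID_RE.search(path)
        hits.append({
            "clsid": clsid.group(0) if clsid else None,
            "dll": value.replace("\\\\", "\\"),   # undo the page's doubled backslashes
            "writer": writer,
        })
    return hits


def summarize(wpm_text, reg_text):
    """Triage view: chain length, hijacked CLSIDs, the DLLs they now resolve to,
    and how many distinct processes rewrote each CLSID (the re-registration
    pattern visible in the report)."""
    chain = execution_chain(wpm_text)
    hits = com_hijack_iocs(reg_text)
    by_clsid = {}
    for h in hits:
        by_clsid.setdefault(h["clsid"], set()).add(h["writer"])
    return {
        "chain_length": len(chain),
        "clsids": sorted(c for c in by_clsid if c),
        "dlls": sorted({h["dll"] for h in hits}),
        "writers_per_clsid": {c: len(w) for c, w in by_clsid.items()},
    }


if __name__ == "__main__":
    for pid, image in execution_chain(WPM_LINES):
        print(f"{pid:>5}  {image or '(no child write in these records)'}")
    for h in com_hijack_iocs(REG_LINES):
        print(f"{h['writer']} set {h['clsid']} InProcServer32 -> {h['dll']}")
    print(summarize(WPM_LINES, REG_LINES))
```

Feeding the full event lists from this page through the same functions gives the complete 23-process chain behind the 64 WriteProcessMemory IoCs and the list of SysWow64 DLLs the CLSID was pointed at in turn; a host-side check is then simply comparing the live InProcServer32 default value of that CLSID against that list.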
Processes
depth  image  command line  PID
1  C:\Users\Admin\AppData\Local\Temp\b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe  "C:\Users\Admin\AppData\Local\Temp\b5d76945b821090553b5eefad0ef437c86c282ec35aee67ada10392ab80dfd6f.exe"  PID 2216
  - Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\Cjcdeo32.exe  C:\Windows\system32\Cjcdeo32.exe  PID 952
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\Canlbi32.exe  C:\Windows\system32\Canlbi32.exe  PID 4400
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\Ddnedd32.exe  C:\Windows\system32\Ddnedd32.exe  PID 3124
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\Dabemhfm.exe  C:\Windows\system32\Dabemhfm.exe  PID 2984
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\Dmifbi32.exe  C:\Windows\system32\Dmifbi32.exe  PID 1348
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\Dohcllbd.exe  C:\Windows\system32\Dohcllbd.exe  PID 2828
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\Ddekdc32.exe  C:\Windows\system32\Ddekdc32.exe  PID 2276
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\Dgdgqo32.exe  C:\Windows\system32\Dgdgqo32.exe  PID 4568
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\Deehofho.exe  C:\Windows\system32\Deehofho.exe  PID 3204
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\Eghalnlj.exe  C:\Windows\system32\Eghalnlj.exe  PID 3756
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\Edlaebkd.exe  C:\Windows\system32\Edlaebkd.exe  PID 1280
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\Emefng32.exe  C:\Windows\system32\Emefng32.exe  PID 4500
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\Ehjjkp32.exe  C:\Windows\system32\Ehjjkp32.exe  PID 3560
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\Egpglm32.exe  C:\Windows\system32\Egpglm32.exe  PID 3016
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\Eogonj32.exe  C:\Windows\system32\Eogonj32.exe  PID 932
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\Fecdpd32.exe  C:\Windows\system32\Fecdpd32.exe  PID 472
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
18  C:\Windows\SysWOW64\Fajeeeac.exe  C:\Windows\system32\Fajeeeac.exe  PID 4340
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
19  C:\Windows\SysWOW64\Foneni32.exe  C:\Windows\system32\Foneni32.exe  PID 3948
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
20  C:\Windows\SysWOW64\Fhfjgogm.exe  C:\Windows\system32\Fhfjgogm.exe  PID 3128
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
21  C:\Windows\SysWOW64\Fannpd32.exe  C:\Windows\system32\Fannpd32.exe  PID 3752
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
22  C:\Windows\SysWOW64\Faqkedkk.exe  C:\Windows\system32\Faqkedkk.exe  PID 4136
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
23  C:\Windows\SysWOW64\Geoclb32.exe  C:\Windows\system32\Geoclb32.exe  PID 4992
  - Executes dropped EXE
24  C:\Windows\SysWOW64\Geapabpo.exe  C:\Windows\system32\Geapabpo.exe  PID 1636
  - Executes dropped EXE
25  C:\Windows\SysWOW64\Gnleedmj.exe  C:\Windows\system32\Gnleedmj.exe  PID 2960
  - Executes dropped EXE
  - Drops file in System32 directory
26  C:\Windows\SysWOW64\Golapg32.exe  C:\Windows\system32\Golapg32.exe  PID 1924
  - Executes dropped EXE
27  C:\Windows\SysWOW64\Gggfdiag.exe  C:\Windows\system32\Gggfdiag.exe  PID 2844
  - Executes dropped EXE
28  C:\Windows\SysWOW64\Hhfbnl32.exe  C:\Windows\system32\Hhfbnl32.exe  PID 4056
  - Executes dropped EXE
29  C:\Windows\SysWOW64\Hboggbok.exe  C:\Windows\system32\Hboggbok.exe  PID 1156
  - Executes dropped EXE
30  C:\Windows\SysWOW64\Hnehlceo.exe  C:\Windows\system32\Hnehlceo.exe  PID 4556
  - Executes dropped EXE
31  C:\Windows\SysWOW64\Hnhdabcl.exe  C:\Windows\system32\Hnhdabcl.exe  PID 1472
  - Executes dropped EXE
32  C:\Windows\SysWOW64\Hhmiokbb.exe  C:\Windows\system32\Hhmiokbb.exe  PID 1776
  - Executes dropped EXE
33  C:\Windows\SysWOW64\Hogakejo.exe  C:\Windows\system32\Hogakejo.exe  PID 4808
  - Executes dropped EXE
34  C:\Windows\SysWOW64\Hfaihp32.exe  C:\Windows\system32\Hfaihp32.exe  PID 1988
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
35  C:\Windows\SysWOW64\Hhpedk32.exe  C:\Windows\system32\Hhpedk32.exe  PID 2800
  - Executes dropped EXE
36  C:\Windows\SysWOW64\Ioljfe32.exe  C:\Windows\system32\Ioljfe32.exe  PID 4448
  - Executes dropped EXE
37  C:\Windows\SysWOW64\Ioogld32.exe  C:\Windows\system32\Ioogld32.exe  PID 3088
  - Executes dropped EXE
38  C:\Windows\SysWOW64\Ifhoiokd.exe  C:\Windows\system32\Ifhoiokd.exe  PID 3596
  - Executes dropped EXE
39  C:\Windows\SysWOW64\Ioadadbd.exe  C:\Windows\system32\Ioadadbd.exe  PID 2244
  - Executes dropped EXE
40  C:\Windows\SysWOW64\Ifklnn32.exe  C:\Windows\system32\Ifklnn32.exe  PID 1368
  - Executes dropped EXE
41  C:\Windows\SysWOW64\Iiihjj32.exe  C:\Windows\system32\Iiihjj32.exe  PID 3280
  - Executes dropped EXE
42  C:\Windows\SysWOW64\Ifmidn32.exe  C:\Windows\system32\Ifmidn32.exe  PID 4608
  - Executes dropped EXE
43  C:\Windows\SysWOW64\Inhnhp32.exe  C:\Windows\system32\Inhnhp32.exe  PID 4216
  - Executes dropped EXE
44  C:\Windows\SysWOW64\Jfpeinel.exe  C:\Windows\system32\Jfpeinel.exe  PID 4248
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
45  C:\Windows\SysWOW64\Jgqbaf32.exe  C:\Windows\system32\Jgqbaf32.exe  PID 3704
  - Executes dropped EXE
46  C:\Windows\SysWOW64\Jnkjnpbg.exe  C:\Windows\system32\Jnkjnpbg.exe  PID 1100
  - Executes dropped EXE
47  C:\Windows\SysWOW64\Jedbjj32.exe  C:\Windows\system32\Jedbjj32.exe  PID 3476
  - Executes dropped EXE
48  C:\Windows\SysWOW64\Jkokgdaq.exe  C:\Windows\system32\Jkokgdaq.exe  PID 4480
  - Executes dropped EXE
49  C:\Windows\SysWOW64\Jfdodm32.exe  C:\Windows\system32\Jfdodm32.exe  PID 2180
  - Executes dropped EXE
  - Drops file in System32 directory
50  C:\Windows\SysWOW64\Jkagmd32.exe  C:\Windows\system32\Jkagmd32.exe  PID 2064
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
51  C:\Windows\SysWOW64\Jbkpingk.exe  C:\Windows\system32\Jbkpingk.exe  PID 760
  - Executes dropped EXE
  - System Network Configuration Discovery: Internet Connection Discovery
52  C:\Windows\SysWOW64\Jiehfh32.exe  C:\Windows\system32\Jiehfh32.exe  PID 888
  - Executes dropped EXE
53  C:\Windows\SysWOW64\Jkcdbc32.exe  C:\Windows\system32\Jkcdbc32.exe  PID 1288
  - Executes dropped EXE
54  C:\Windows\SysWOW64\Jbmloneh.exe  C:\Windows\system32\Jbmloneh.exe  PID 1500
  - Executes dropped EXE
55  C:\Windows\SysWOW64\Jelhki32.exe  C:\Windows\system32\Jelhki32.exe  PID 3584
  - Executes dropped EXE
56  C:\Windows\SysWOW64\Jleahcki.exe  C:\Windows\system32\Jleahcki.exe  PID 2304
  - Executes dropped EXE
57  C:\Windows\SysWOW64\Kndmdojl.exe  C:\Windows\system32\Kndmdojl.exe  PID 1868
  - Executes dropped EXE
58  C:\Windows\SysWOW64\Keneqi32.exe  C:\Windows\system32\Keneqi32.exe  PID 2812
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
59  C:\Windows\SysWOW64\Kijaagjb.exe  C:\Windows\system32\Kijaagjb.exe  PID 4124
  - Executes dropped EXE
60  C:\Windows\SysWOW64\Kpcina32.exe  C:\Windows\system32\Kpcina32.exe  PID 5040
  - Executes dropped EXE
61  C:\Windows\SysWOW64\Kilngg32.exe  C:\Windows\system32\Kilngg32.exe  PID 1580
  - Executes dropped EXE
62  C:\Windows\SysWOW64\Kpffcapl.exe  C:\Windows\system32\Kpffcapl.exe  PID 920
  - Executes dropped EXE
63  C:\Windows\SysWOW64\Kbdbpmop.exe  C:\Windows\system32\Kbdbpmop.exe  PID 3764
  - Executes dropped EXE
64  C:\Windows\SysWOW64\Kphcianj.exe  C:\Windows\system32\Kphcianj.exe  PID 544
  - Executes dropped EXE
65  C:\Windows\SysWOW64\Knmpjmba.exe  C:\Windows\system32\Knmpjmba.exe  PID 2212
  - Executes dropped EXE
66  C:\Windows\SysWOW64\Keghgg32.exe  C:\Windows\system32\Keghgg32.exe  PID 4792
67  C:\Windows\SysWOW64\Klapcaak.exe  C:\Windows\system32\Klapcaak.exe  PID 2272
68  C:\Windows\SysWOW64\Lnpmpmpo.exe  C:\Windows\system32\Lnpmpmpo.exe  PID 3576
69  C:\Windows\SysWOW64\Lejelg32.exe  C:\Windows\system32\Lejelg32.exe  PID 4240
70  C:\Windows\SysWOW64\Lhhahb32.exe  C:\Windows\system32\Lhhahb32.exe  PID 3740
71  C:\Windows\SysWOW64\Lnbiem32.exe  C:\Windows\system32\Lnbiem32.exe  PID 2608
72  C:\Windows\SysWOW64\Lelabgfi.exe  C:\Windows\system32\Lelabgfi.exe  PID 4596
73  C:\Windows\SysWOW64\Lndfkl32.exe  C:\Windows\system32\Lndfkl32.exe  PID 3908
74  C:\Windows\SysWOW64\Lenngfcf.exe  C:\Windows\system32\Lenngfcf.exe  PID 1004
75  C:\Windows\SysWOW64\Logbpljg.exe  C:\Windows\system32\Logbpljg.exe  PID 5080
76  C:\Windows\SysWOW64\Leqkmf32.exe  C:\Windows\system32\Leqkmf32.exe  PID 2476
77  C:\Windows\SysWOW64\Lhogia32.exe  C:\Windows\system32\Lhogia32.exe  PID 1492
  - System Location Discovery: System Language Discovery
78  C:\Windows\SysWOW64\Loioflhd.exe  C:\Windows\system32\Loioflhd.exe  PID 4664
79  C:\Windows\SysWOW64\Lfpggiif.exe  C:\Windows\system32\Lfpggiif.exe  PID 644
80  C:\Windows\SysWOW64\Lioccdhj.exe  C:\Windows\system32\Lioccdhj.exe  PID 3500
81  C:\Windows\SysWOW64\Mbghljok.exe  C:\Windows\system32\Mbghljok.exe  PID 2096
  - Drops file in System32 directory
82  C:\Windows\SysWOW64\Mhdqdamb.exe  C:\Windows\system32\Mhdqdamb.exe  PID 2796
83  C:\Windows\SysWOW64\Mfeabh32.exe  C:\Windows\system32\Mfeabh32.exe  PID 1032
84  C:\Windows\SysWOW64\Mlaijo32.exe  C:\Windows\system32\Mlaijo32.exe  PID 2248
  - System Location Discovery: System Language Discovery
85  C:\Windows\SysWOW64\Mfgnhhbo.exe  C:\Windows\system32\Mfgnhhbo.exe  PID 4016
86  C:\Windows\SysWOW64\Mldfpoaf.exe  C:\Windows\system32\Mldfpoaf.exe  PID 2612
87  C:\Windows\SysWOW64\Mppbqn32.exe  C:\Windows\system32\Mppbqn32.exe  PID 3708
88  C:\Windows\SysWOW64\Mihficpp.exe  C:\Windows\system32\Mihficpp.exe  PID 848
89  C:\Windows\SysWOW64\Mpbofm32.exe  C:\Windows\system32\Mpbofm32.exe  PID 532
90  C:\Windows\SysWOW64\Mflgcg32.exe  C:\Windows\system32\Mflgcg32.exe  PID 3540
  - System Location Discovery: System Language Discovery
91  C:\Windows\SysWOW64\Nliokn32.exe  C:\Windows\system32\Nliokn32.exe  PID 4700
92  C:\Windows\SysWOW64\Nbchhhdm.exe  C:\Windows\system32\Nbchhhdm.exe  PID 4812
93  C:\Windows\SysWOW64\Neadddca.exe  C:\Windows\system32\Neadddca.exe  PID 5044
94  C:\Windows\SysWOW64\Nlklqn32.exe  C:\Windows\system32\Nlklqn32.exe  PID 3028
95  C:\Windows\SysWOW64\Noihmi32.exe  C:\Windows\system32\Noihmi32.exe  PID 868
96  C:\Windows\SysWOW64\Necqicao.exe  C:\Windows\system32\Necqicao.exe  PID 180
  - System Location Discovery: System Language Discovery
97  C:\Windows\SysWOW64\Npiegl32.exe  C:\Windows\system32\Npiegl32.exe  PID 4696
98  C:\Windows\SysWOW64\Ngcmcfha.exe  C:\Windows\system32\Ngcmcfha.exe  PID 2036
  - Drops file in System32 directory
99  C:\Windows\SysWOW64\Nhdiko32.exe  C:\Windows\system32\Nhdiko32.exe  PID 4432
100  C:\Windows\SysWOW64\Nonbhifl.exe  C:\Windows\system32\Nonbhifl.exe  PID 4332
101  C:\Windows\SysWOW64\Ncjnhg32.exe  C:\Windows\system32\Ncjnhg32.exe  PID 5132
102  C:\Windows\SysWOW64\Nidfeaeb.exe  C:\Windows\system32\Nidfeaeb.exe  PID 5176
103  C:\Windows\SysWOW64\Nlbbam32.exe  C:\Windows\system32\Nlbbam32.exe  PID 5220
104  C:\Windows\SysWOW64\Noqomh32.exe  C:\Windows\system32\Noqomh32.exe  PID 5264
105  C:\Windows\SysWOW64\Nghfof32.exe  C:\Windows\system32\Nghfof32.exe  PID 5308
106  C:\Windows\SysWOW64\Ohicfnjj.exe  C:\Windows\system32\Ohicfnjj.exe  PID 5352
107  C:\Windows\SysWOW64\Oockch32.exe  C:\Windows\system32\Oockch32.exe  PID 5392
  - System Location Discovery: System Language Discovery
108  C:\Windows\SysWOW64\Oemcpbid.exe  C:\Windows\system32\Oemcpbid.exe  PID 5444
109  C:\Windows\SysWOW64\Opbhmk32.exe  C:\Windows\system32\Opbhmk32.exe  PID 5488
110  C:\Windows\SysWOW64\Oglpjeqf.exe  C:\Windows\system32\Oglpjeqf.exe  PID 5532
111  C:\Windows\SysWOW64\Oiklfqpj.exe  C:\Windows\system32\Oiklfqpj.exe  PID 5576
112  C:\Windows\SysWOW64\Olihblon.exe  C:\Windows\system32\Olihblon.exe  PID 5620
  - Modifies registry class
113  C:\Windows\SysWOW64\Occqof32.exe  C:\Windows\system32\Occqof32.exe  PID 5680
114  C:\Windows\SysWOW64\Ohpigm32.exe  C:\Windows\system32\Ohpigm32.exe  PID 5740
  - Drops file in System32 directory
115  C:\Windows\SysWOW64\Opgahjed.exe  C:\Windows\system32\Opgahjed.exe  PID 5784
116  C:\Windows\SysWOW64\Ocemdfdh.exe  C:\Windows\system32\Ocemdfdh.exe  PID 5856
  - Modifies registry class
117  C:\Windows\SysWOW64\Ohbflmbp.exe  C:\Windows\system32\Ohbflmbp.exe  PID 5900
118  C:\Windows\SysWOW64\Ogcfjd32.exe  C:\Windows\system32\Ogcfjd32.exe  PID 5948
119  C:\Windows\SysWOW64\Phdbblpm.exe  C:\Windows\system32\Phdbblpm.exe  PID 5996
  - Adds autorun key to be loaded by Explorer.exe on startup
120  C:\Windows\SysWOW64\Plpobk32.exe  C:\Windows\system32\Plpobk32.exe  PID 6040
121  C:\Windows\SysWOW64\Pcjgoe32.exe  C:\Windows\system32\Pcjgoe32.exe  PID 6084
122  C:\Windows\SysWOW64\Phgogl32.exe  C:\Windows\system32\Phgogl32.exe  PID 6128
  - System Location Discovery: System Language Discovery