Analysis
max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2024 17:07

Static task: static1

Behavioral task: behavioral1
Sample: ea4dbb5566f535c9ee1b185d21a291310f5a0f2fc14178ef05a306beef113c27N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: ea4dbb5566f535c9ee1b185d21a291310f5a0f2fc14178ef05a306beef113c27N.exe
Resource: win10v2004-20241007-en

General
Target: ea4dbb5566f535c9ee1b185d21a291310f5a0f2fc14178ef05a306beef113c27N.exe
Size: 488KB
MD5: aa0fbae5073b0077cb78764f33a281f0
SHA1: 94ce6e81d8f8b581c91a525b7bb0655c4a02063f
SHA256: ea4dbb5566f535c9ee1b185d21a291310f5a0f2fc14178ef05a306beef113c27
SHA512: 2e1f7b41992e43ac2698ca0c6cd583fa6bcc043c9dc0d7ce34655b6aee5dc3e384d933e5742856624211fe963bf9b9d21229484f2c53739106a470e81346d2ee
SSDEEP: 6144:AK/deM4Bvon/TNId/1fon/T9P7GSon/TNId/1fon/T2oI0YokOsfY7Uon2KO:p/J42NIVyeNIVy2oIvPKiKO
Malware Config
Extracted family: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family

Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4960, pid_target: 4536, Process: Process not Found, procid_target: 1613
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2440 wrote to memory of 2564 2440 ea4dbb5566f535c9ee1b185d21a291310f5a0f2fc14178ef05a306beef113c27N.exe 82
PID 2440 wrote to memory of 2564 2440 ea4dbb5566f535c9ee1b185d21a291310f5a0f2fc14178ef05a306beef113c27N.exe 82
PID 2440 wrote to memory of 2564 2440 ea4dbb5566f535c9ee1b185d21a291310f5a0f2fc14178ef05a306beef113c27N.exe 82
PID 2564 wrote to memory of 1600 2564 Jhfifngd.exe 83
PID 2564 wrote to memory of 1600 2564 Jhfifngd.exe 83
PID 2564 wrote to memory of 1600 2564 Jhfifngd.exe 83
PID 1600 wrote to memory of 1060 1600 Kejipb32.exe 84
PID 1600 wrote to memory of 1060 1600 Kejipb32.exe 84
PID 1600 wrote to memory of 1060 1600 Kejipb32.exe 84
PID 1060 wrote to memory of 868 1060 Kppnmk32.exe 85
PID 1060 wrote to memory of 868 1060 Kppnmk32.exe 85
PID 1060 wrote to memory of 868 1060 Kppnmk32.exe 85
PID 868 wrote to memory of 4032 868 Klgoalkh.exe 86
PID 868 wrote to memory of 4032 868 Klgoalkh.exe 86
PID 868 wrote to memory of 4032 868 Klgoalkh.exe 86
PID 4032 wrote to memory of 4064 4032 Keocjbai.exe 87
PID 4032 wrote to memory of 4064 4032 Keocjbai.exe 87
PID 4032 wrote to memory of 4064 4032 Keocjbai.exe 87
PID 4064 wrote to memory of 840 4064 Kafcpc32.exe 88
PID 4064 wrote to memory of 840 4064 Kafcpc32.exe 88
PID 4064 wrote to memory of 840 4064 Kafcpc32.exe 88
PID 840 wrote to memory of 2968 840 Klkhml32.exe 89
PID 840 wrote to memory of 2968 840 Klkhml32.exe 89
PID 840 wrote to memory of 2968 840 Klkhml32.exe 89
PID 2968 wrote to memory of 3080 2968 Kojdig32.exe 90
PID 2968 wrote to memory of 3080 2968 Kojdig32.exe 90
PID 2968 wrote to memory of 3080 2968 Kojdig32.exe 90
PID 3080 wrote to memory of 2836 3080 Klndbkep.exe 91
PID 3080 wrote to memory of 2836 3080 Klndbkep.exe 91
PID 3080 wrote to memory of 2836 3080 Klndbkep.exe 91
PID 2836 wrote to memory of 1828 2836 Kpiqcj32.exe 92
PID 2836 wrote to memory of 1828 2836 Kpiqcj32.exe 92
PID 2836 wrote to memory of 1828 2836 Kpiqcj32.exe 92
PID 1828 wrote to memory of 3884 1828 Lchmoe32.exe 93
PID 1828 wrote to memory of 3884 1828 Lchmoe32.exe 93
PID 1828 wrote to memory of 3884 1828 Lchmoe32.exe 93
PID 3884 wrote to memory of 1824 3884 Llpahkcm.exe 94
PID 3884 wrote to memory of 1824 3884 Llpahkcm.exe 94
PID 3884 wrote to memory of 1824 3884 Llpahkcm.exe 94
PID 1824 wrote to memory of 2900 1824 Lplmhj32.exe 95
PID 1824 wrote to memory of 2900 1824 Lplmhj32.exe 95
PID 1824 wrote to memory of 2900 1824 Lplmhj32.exe 95
PID 2900 wrote to memory of 3240 2900 Lcjide32.exe 96
PID 2900 wrote to memory of 3240 2900 Lcjide32.exe 96
PID 2900 wrote to memory of 3240 2900 Lcjide32.exe 96
PID 3240 wrote to memory of 3156 3240 Lamjpbae.exe 97
PID 3240 wrote to memory of 3156 3240 Lamjpbae.exe 97
PID 3240 wrote to memory of 3156 3240 Lamjpbae.exe 97
PID 3156 wrote to memory of 3420 3156 Lidbao32.exe 98
PID 3156 wrote to memory of 3420 3156 Lidbao32.exe 98
PID 3156 wrote to memory of 3420 3156 Lidbao32.exe 98
PID 3420 wrote to memory of 672 3420 Lhgbmlia.exe 99
PID 3420 wrote to memory of 672 3420 Lhgbmlia.exe 99
PID 3420 wrote to memory of 672 3420 Lhgbmlia.exe 99
PID 672 wrote to memory of 2412 672 Llbnmk32.exe 100
PID 672 wrote to memory of 2412 672 Llbnmk32.exe 100
PID 672 wrote to memory of 2412 672 Llbnmk32.exe 100
PID 2412 wrote to memory of 4848 2412 Lpnjniid.exe 101
PID 2412 wrote to memory of 4848 2412 Lpnjniid.exe 101
PID 2412 wrote to memory of 4848 2412 Lpnjniid.exe 101
PID 4848 wrote to memory of 5060 4848 Lclfjehh.exe 102
PID 4848 wrote to memory of 5060 4848 Lclfjehh.exe 102
PID 4848 wrote to memory of 5060 4848 Lclfjehh.exe 102
PID 5060 wrote to memory of 1484 5060 Laoffa32.exe 103
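The two tables above are what an analyst actually has to work from: a chain of "PID X wrote to memory of Y" rows, one hop per dropped executable, and a set of writes to the default value and ThreadingModel of one CLSID's InProcServer32 key (the write the report files under "Adds autorun key to be loaded by Explorer.exe on startup"). The following Python is an added example, not part of the sandbox report or of the Berbew sample: it parses rows in exactly the layout printed here, rebuilds the parent-to-child chain from the WriteProcessMemory rows, and lists every InProcServer32 default-value write together with the DLL it points at and the process that wrote it. The sample rows are constructed copies of the report's own lines; the regular expressions assume that layout (including the literal "Process not Found" used when the sandbox could not attribute a write), so other report formats will need different patterns.

```python
"""Added example: rebuild a process chain and list COM InProcServer32 writes
from sandbox report rows. Input layout is assumed to match the report above."""
import re
from collections import defaultdict

# Constructed sample: rows in the report's "description pid Process procid_target" layout.
WPM_SAMPLE = """\
PID 2440 wrote to memory of 2564 2440 ea4dbb5566f535c9ee1b185d21a291310f5a0f2fc14178ef05a306beef113c27N.exe 82
PID 2440 wrote to memory of 2564 2440 ea4dbb5566f535c9ee1b185d21a291310f5a0f2fc14178ef05a306beef113c27N.exe 82
PID 2564 wrote to memory of 1600 2564 Jhfifngd.exe 83
PID 1600 wrote to memory of 1060 1600 Kejipb32.exe 84
PID 1060 wrote to memory of 868 1060 Kppnmk32.exe 85
"""

# Constructed sample: registry events as the report prints them (values keep doubled backslashes).
REG_SAMPLE = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aldodhma.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngpmin32.dll" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Monpqn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legllcdi.dll" Dpnpmb32.exe
"""

# "PID <parent> wrote to memory of <child> <parent> <image> <target index>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
# "<op> <path>[ = "<value>"] <process>"; the process field may be "Process not Found".
REG_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created) (?P<path>\\REGISTRY\\\S+)'
    r'(?: = "(?P<value>[^"]*)")? (?P<proc>.+)$'
)
# A path ending in ...\CLSID\{GUID}\InProcServer32\ is the key's default value:
# the DLL COM will load in-process whenever that class is instantiated.
CLSID_DEFAULT_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32\\$")


def parse_wpm(text):
    """Return (names, children): writer pid -> image name, parent pid -> ordered child pids."""
    names, children = {}, defaultdict(list)
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        parent, child, _pid, image, _target = m.groups()
        parent, child = int(parent), int(child)
        names[parent] = image
        if child not in children[parent]:  # the report repeats each write three times
            children[parent].append(child)
    return names, dict(children)


def process_chain(names, children, root):
    """Follow first-child links from root. The chain here is a straight line, so this
    yields the whole tree; the leaf has no image name because it never wrote to a child."""
    chain, pid, seen = [], root, set()
    while pid not in seen:
        seen.add(pid)
        chain.append((pid, names.get(pid)))
        kids = children.get(pid)
        if not kids:
            break
        pid = kids[0]
    return chain


def parse_registry(text):
    """Return one dict per recognised registry event (op, path, value, proc)."""
    return [m.groupdict() for m in (REG_RE.match(l.strip()) for l in text.splitlines()) if m]


def inprocserver_writes(events):
    """(clsid, dll path, writing process) for each InProcServer32 default value set to a DLL."""
    hits = []
    for ev in events:
        if ev["op"] != "Set value (str)" or ev["value"] is None:
            continue
        m = CLSID_DEFAULT_RE.search(ev["path"])
        if not m:
            continue
        dll = ev["value"].replace("\\\\", "\\")  # undo the report's doubled backslashes
        if dll.lower().endswith(".dll"):
            hits.append((m.group(1), dll, ev["proc"]))
    return hits


def summarize(wpm_text, reg_text, root_pid):
    names, children = parse_wpm(wpm_text)
    chain = process_chain(names, children, root_pid)
    hits = inprocserver_writes(parse_registry(reg_text))
    return {"chain_length": len(chain), "chain": chain, "inprocserver": hits}


if __name__ == "__main__":
    result = summarize(WPM_SAMPLE, REG_SAMPLE, 2440)
    for pid, image in result["chain"]:
        print(f"{pid}\t{image or '(leaf, no image recorded)'}")
    for clsid, dll, proc in result["inprocserver"]:
        print(f"{clsid} -> {dll}  (written by {proc})")
```

On a real report the value of the chain length is the first thing to look at: a chain of more than a hundred freshly dropped executables in System32, each writing into the next, is the Berbew pattern regardless of the random file names. The InProcServer32 list is the persistence lead; each DLL it names should be pulled from the sandbox and checked against the file-drop events, and the same CLSID should be looked up on any suspected host.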
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea4dbb5566f535c9ee1b185d21a291310f5a0f2fc14178ef05a306beef113c27N.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\ea4dbb5566f535c9ee1b185d21a291310f5a0f2fc14178ef05a306beef113c27N.exe", depth 1)
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Jhfifngd.exe (cmdline: C:\Windows\system32\Jhfifngd.exe, depth 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Kejipb32.exe (cmdline: C:\Windows\system32\Kejipb32.exe, depth 3)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Kppnmk32.exe (cmdline: C:\Windows\system32\Kppnmk32.exe, depth 4)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Klgoalkh.exe (cmdline: C:\Windows\system32\Klgoalkh.exe, depth 5)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Keocjbai.exe (cmdline: C:\Windows\system32\Keocjbai.exe, depth 6)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Kafcpc32.exe (cmdline: C:\Windows\system32\Kafcpc32.exe, depth 7)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Klkhml32.exe (cmdline: C:\Windows\system32\Klkhml32.exe, depth 8)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Kojdig32.exe (cmdline: C:\Windows\system32\Kojdig32.exe, depth 9)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Klndbkep.exe (cmdline: C:\Windows\system32\Klndbkep.exe, depth 10)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Kpiqcj32.exe (cmdline: C:\Windows\system32\Kpiqcj32.exe, depth 11)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Lchmoe32.exe (cmdline: C:\Windows\system32\Lchmoe32.exe, depth 12)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Llpahkcm.exe (cmdline: C:\Windows\system32\Llpahkcm.exe, depth 13)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\SysWOW64\Lplmhj32.exe (cmdline: C:\Windows\system32\Lplmhj32.exe, depth 14)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Lcjide32.exe (cmdline: C:\Windows\system32\Lcjide32.exe, depth 15)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Lamjpbae.exe (cmdline: C:\Windows\system32\Lamjpbae.exe, depth 16)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\SysWOW64\Lidbao32.exe (cmdline: C:\Windows\system32\Lidbao32.exe, depth 17)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Lhgbmlia.exe (cmdline: C:\Windows\system32\Lhgbmlia.exe, depth 18)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Llbnmk32.exe (cmdline: C:\Windows\system32\Llbnmk32.exe, depth 19)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Lpnjniid.exe (cmdline: C:\Windows\system32\Lpnjniid.exe, depth 20)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Lclfjehh.exe (cmdline: C:\Windows\system32\Lclfjehh.exe, depth 21)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Laoffa32.exe (cmdline: C:\Windows\system32\Laoffa32.exe, depth 22)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Lekbfpgk.exe (cmdline: C:\Windows\system32\Lekbfpgk.exe, depth 23)
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Lhioblgo.exe (cmdline: C:\Windows\system32\Lhioblgo.exe, depth 24)
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Llekcj32.exe (cmdline: C:\Windows\system32\Llekcj32.exe, depth 25)
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Lppgciga.exe (cmdline: C:\Windows\system32\Lppgciga.exe, depth 26)
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Lcocpdfe.exe (cmdline: C:\Windows\system32\Lcocpdfe.exe, depth 27)
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Laacka32.exe (cmdline: C:\Windows\system32\Laacka32.exe, depth 28)
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Ljiklonb.exe (cmdline: C:\Windows\system32\Ljiklonb.exe, depth 29)
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Llgghjme.exe (cmdline: C:\Windows\system32\Llgghjme.exe, depth 30)
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Loeceeli.exe (cmdline: C:\Windows\system32\Loeceeli.exe, depth 31)
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Ladpaakm.exe (cmdline: C:\Windows\system32\Ladpaakm.exe, depth 32)
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Lfplap32.exe (cmdline: C:\Windows\system32\Lfplap32.exe, depth 33)
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Ljkhbnlo.exe (cmdline: C:\Windows\system32\Ljkhbnlo.exe, depth 34)
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Llidnjkc.exe (cmdline: C:\Windows\system32\Llidnjkc.exe, depth 35)
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Lpepoh32.exe (cmdline: C:\Windows\system32\Lpepoh32.exe, depth 36)
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Mcclkd32.exe (cmdline: C:\Windows\system32\Mcclkd32.exe, depth 37)
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Mafmfqij.exe (cmdline: C:\Windows\system32\Mafmfqij.exe, depth 38)
- Executes dropped EXE
- Drops file in System32 directory
PID:4432 -
C:\Windows\SysWOW64\Mjmdgn32.exe (cmdline: C:\Windows\system32\Mjmdgn32.exe, depth 39)
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Mhpeckqg.exe (cmdline: C:\Windows\system32\Mhpeckqg.exe, depth 40)
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Mpgmdhai.exe (cmdline: C:\Windows\system32\Mpgmdhai.exe, depth 41)
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Mojmpe32.exe (cmdline: C:\Windows\system32\Mojmpe32.exe, depth 42)
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Mbhilp32.exe (cmdline: C:\Windows\system32\Mbhilp32.exe, depth 43)
- Executes dropped EXE
PID:3820 -
C:\Windows\SysWOW64\Mjpamn32.exe (cmdline: C:\Windows\system32\Mjpamn32.exe, depth 44)
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Mlnnii32.exe (cmdline: C:\Windows\system32\Mlnnii32.exe, depth 45)
- Executes dropped EXE
- Drops file in System32 directory
PID:4424 -
C:\Windows\SysWOW64\Mpjijhof.exe (cmdline: C:\Windows\system32\Mpjijhof.exe, depth 46)
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Mchffcnj.exe (cmdline: C:\Windows\system32\Mchffcnj.exe, depth 47)
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Mffbbomn.exe (cmdline: C:\Windows\system32\Mffbbomn.exe, depth 48)
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Mjbnbm32.exe (cmdline: C:\Windows\system32\Mjbnbm32.exe, depth 49)
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Mlqjoiek.exe (cmdline: C:\Windows\system32\Mlqjoiek.exe, depth 50)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1176 -
C:\Windows\SysWOW64\Mplfog32.exe (cmdline: C:\Windows\system32\Mplfog32.exe, depth 51)
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Mcjbkc32.exe (cmdline: C:\Windows\system32\Mcjbkc32.exe, depth 52)
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Mfiogn32.exe (cmdline: C:\Windows\system32\Mfiogn32.exe, depth 53)
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Mhgkdj32.exe (cmdline: C:\Windows\system32\Mhgkdj32.exe, depth 54)
- Executes dropped EXE
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\Mlcgdhch.exe (cmdline: C:\Windows\system32\Mlcgdhch.exe, depth 55)
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Moacqdbl.exe (cmdline: C:\Windows\system32\Moacqdbl.exe, depth 56)
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Mbppmoap.exe (cmdline: C:\Windows\system32\Mbppmoap.exe, depth 57)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Mjggnmab.exe (cmdline: C:\Windows\system32\Mjggnmab.exe, depth 58)
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Mhihii32.exe (cmdline: C:\Windows\system32\Mhihii32.exe, depth 59)
- Executes dropped EXE
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Nqqpjgio.exe (cmdline: C:\Windows\system32\Nqqpjgio.exe, depth 60)
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Ncolfbhb.exe (cmdline: C:\Windows\system32\Ncolfbhb.exe, depth 61)
- Executes dropped EXE
- Drops file in System32 directory
PID:392 -
C:\Windows\SysWOW64\Nbblbo32.exe (cmdline: C:\Windows\system32\Nbblbo32.exe, depth 62)
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Njidcl32.exe (cmdline: C:\Windows\system32\Njidcl32.exe, depth 63)
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Nmgpoh32.exe (cmdline: C:\Windows\system32\Nmgpoh32.exe, depth 64)
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Nqclpfgl.exe (cmdline: C:\Windows\system32\Nqclpfgl.exe, depth 65)
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Ncailbfp.exe (cmdline: C:\Windows\system32\Ncailbfp.exe, depth 66)
PID:320 -
C:\Windows\SysWOW64\Nfpehmec.exe (cmdline: C:\Windows\system32\Nfpehmec.exe, depth 67)
PID:2112 -
C:\Windows\SysWOW64\Nhnadidg.exe (cmdline: C:\Windows\system32\Nhnadidg.exe, depth 68)
PID:848 -
C:\Windows\SysWOW64\Nmjmeg32.exe (cmdline: C:\Windows\system32\Nmjmeg32.exe, depth 69)
PID:4624 -
C:\Windows\SysWOW64\Nohiacld.exe (cmdline: C:\Windows\system32\Nohiacld.exe, depth 70)
PID:1532 -
C:\Windows\SysWOW64\Nbfemnkg.exe (cmdline: C:\Windows\system32\Nbfemnkg.exe, depth 71)
PID:2540 -
C:\Windows\SysWOW64\Njnnnllj.exe (cmdline: C:\Windows\system32\Njnnnllj.exe, depth 72)
PID:2636 -
C:\Windows\SysWOW64\Niqnjh32.exe (cmdline: C:\Windows\system32\Niqnjh32.exe, depth 73)
- Drops file in System32 directory
PID:3596 -
C:\Windows\SysWOW64\Nqhfkf32.exe (cmdline: C:\Windows\system32\Nqhfkf32.exe, depth 74)
PID:1780 -
C:\Windows\SysWOW64\Ncfbga32.exe (cmdline: C:\Windows\system32\Ncfbga32.exe, depth 75)
PID:4016 -
C:\Windows\SysWOW64\Nfdncm32.exe (cmdline: C:\Windows\system32\Nfdncm32.exe, depth 76)
- Modifies registry class
PID:4960 -
C:\Windows\SysWOW64\Njpjdkig.exe (cmdline: C:\Windows\system32\Njpjdkig.exe, depth 77)
PID:2108 -
C:\Windows\SysWOW64\Nmofpgik.exe (cmdline: C:\Windows\system32\Nmofpgik.exe, depth 78)
PID:2700 -
C:\Windows\SysWOW64\Nomclbho.exe (cmdline: C:\Windows\system32\Nomclbho.exe, depth 79)
- System Location Discovery: System Language Discovery
PID:3996 -
C:\Windows\SysWOW64\Nchomqph.exe (cmdline: C:\Windows\system32\Nchomqph.exe, depth 80)
PID:1188 -
C:\Windows\SysWOW64\Nfgkilok.exe (cmdline: C:\Windows\system32\Nfgkilok.exe, depth 81)
PID:2800 -
C:\Windows\SysWOW64\Niegehno.exe (cmdline: C:\Windows\system32\Niegehno.exe, depth 82)
PID:1364 -
C:\Windows\SysWOW64\Oqlofeoa.exe (cmdline: C:\Windows\system32\Oqlofeoa.exe, depth 83)
- Drops file in System32 directory
PID:4776 -
C:\Windows\SysWOW64\Ooopbb32.exe (cmdline: C:\Windows\system32\Ooopbb32.exe, depth 84)
PID:4588 -
C:\Windows\SysWOW64\Obnlnm32.exe (cmdline: C:\Windows\system32\Obnlnm32.exe, depth 85)
PID:220 -
C:\Windows\SysWOW64\Ojecok32.exe (cmdline: C:\Windows\system32\Ojecok32.exe, depth 86)
PID:2188 -
C:\Windows\SysWOW64\Omcpkf32.exe (cmdline: C:\Windows\system32\Omcpkf32.exe, depth 87)
PID:3480 -
C:\Windows\SysWOW64\Oqolldmo.exe (cmdline: C:\Windows\system32\Oqolldmo.exe, depth 88)
PID:4748 -
C:\Windows\SysWOW64\Ocmhhplb.exe (cmdline: C:\Windows\system32\Ocmhhplb.exe, depth 89)
PID:3492 -
C:\Windows\SysWOW64\Oflddl32.exe (cmdline: C:\Windows\system32\Oflddl32.exe, depth 90)
PID:5124 -
C:\Windows\SysWOW64\Omemqfbc.exe (cmdline: C:\Windows\system32\Omemqfbc.exe, depth 91)
- System Location Discovery: System Language Discovery
PID:5168 -
C:\Windows\SysWOW64\Oqaiad32.exe (cmdline: C:\Windows\system32\Oqaiad32.exe, depth 92)
PID:5208 -
C:\Windows\SysWOW64\Ocpemp32.exe (cmdline: C:\Windows\system32\Ocpemp32.exe, depth 93)
PID:5252 -
C:\Windows\SysWOW64\Ofnajk32.exe (cmdline: C:\Windows\system32\Ofnajk32.exe, depth 94)
PID:5292 -
C:\Windows\SysWOW64\Oilmfg32.exe (cmdline: C:\Windows\system32\Oilmfg32.exe, depth 95)
PID:5332 -
C:\Windows\SysWOW64\Omhifeqp.exe (cmdline: C:\Windows\system32\Omhifeqp.exe, depth 96)
PID:5372 -
C:\Windows\SysWOW64\Opfebqpd.exe (cmdline: C:\Windows\system32\Opfebqpd.exe, depth 97)
PID:5412 -
C:\Windows\SysWOW64\Obdbolog.exe (cmdline: C:\Windows\system32\Obdbolog.exe, depth 98)
PID:5452 -
C:\Windows\SysWOW64\Ojljpi32.exe (cmdline: C:\Windows\system32\Ojljpi32.exe, depth 99)
PID:5492 -
C:\Windows\SysWOW64\Oiojkffd.exe (cmdline: C:\Windows\system32\Oiojkffd.exe, depth 100)
PID:5532 -
C:\Windows\SysWOW64\Oqfblcgf.exe (cmdline: C:\Windows\system32\Oqfblcgf.exe, depth 101)
PID:5572 -
C:\Windows\SysWOW64\Ocdnhofj.exe (cmdline: C:\Windows\system32\Ocdnhofj.exe, depth 102)
PID:5612 -
C:\Windows\SysWOW64\Ofbjdken.exe (cmdline: C:\Windows\system32\Ofbjdken.exe, depth 103)
PID:5652 -
C:\Windows\SysWOW64\Ojnfei32.exe (cmdline: C:\Windows\system32\Ojnfei32.exe, depth 104)
PID:5692 -
C:\Windows\SysWOW64\Pmmcad32.exe (cmdline: C:\Windows\system32\Pmmcad32.exe, depth 105)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5732 -
C:\Windows\SysWOW64\Ppkonp32.exe (cmdline: C:\Windows\system32\Ppkonp32.exe, depth 106)
PID:5772 -
C:\Windows\SysWOW64\Pcfknodh.exe (cmdline: C:\Windows\system32\Pcfknodh.exe, depth 107)
PID:5812 -
C:\Windows\SysWOW64\Pfegjjck.exe (cmdline: C:\Windows\system32\Pfegjjck.exe, depth 108)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5852 -
C:\Windows\SysWOW64\Piccfe32.exe (cmdline: C:\Windows\system32\Piccfe32.exe, depth 109)
PID:5892 -
C:\Windows\SysWOW64\Pajkgc32.exe (cmdline: C:\Windows\system32\Pajkgc32.exe, depth 110)
PID:5932 -
C:\Windows\SysWOW64\Ppmlcpil.exe (cmdline: C:\Windows\system32\Ppmlcpil.exe, depth 111)
PID:5972 -
C:\Windows\SysWOW64\Pblhokip.exe (cmdline: C:\Windows\system32\Pblhokip.exe, depth 112)
PID:6012 -
C:\Windows\SysWOW64\Pjcpphib.exe (cmdline: C:\Windows\system32\Pjcpphib.exe, depth 113)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6052 -
C:\Windows\SysWOW64\Pmalldhe.exe (cmdline: C:\Windows\system32\Pmalldhe.exe, depth 114)
PID:6092 -
C:\Windows\SysWOW64\Pamhmb32.exe (cmdline: C:\Windows\system32\Pamhmb32.exe, depth 115)
PID:6132 -
C:\Windows\SysWOW64\Pfjqei32.exe (cmdline: C:\Windows\system32\Pfjqei32.exe, depth 116)
PID:516 -
C:\Windows\SysWOW64\Pjemfhgo.exe (cmdline: C:\Windows\system32\Pjemfhgo.exe, depth 117)
PID:2480 -
C:\Windows\SysWOW64\Paoebbol.exe (cmdline: C:\Windows\system32\Paoebbol.exe, depth 118)
PID:4880 -
C:\Windows\SysWOW64\Pjgikh32.exe (cmdline: C:\Windows\system32\Pjgikh32.exe, depth 119)
PID:4792 -
C:\Windows\SysWOW64\Paaahbmi.exe (cmdline: C:\Windows\system32\Paaahbmi.exe, depth 120)
PID:4396 -
C:\Windows\SysWOW64\Pbbnpj32.exe (cmdline: C:\Windows\system32\Pbbnpj32.exe, depth 121)
PID:2668 -
C:\Windows\SysWOW64\Qjjfag32.exe (cmdline: C:\Windows\system32\Qjjfag32.exe, depth 122)
PID:4580 -