Analysis
-
max time kernel
99s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 19:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0f71fa836d8d39a2535da5f4ab6cdeb58dcb44a65aafe878a8bf5d386364bd4b.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
0f71fa836d8d39a2535da5f4ab6cdeb58dcb44a65aafe878a8bf5d386364bd4b.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
0f71fa836d8d39a2535da5f4ab6cdeb58dcb44a65aafe878a8bf5d386364bd4b.exe
-
Size
92KB
-
MD5
f428129d87e691d581e02d7b254476fb
-
SHA1
e1eab05654c7f2a35f8115147c7b3b22bad23121
-
SHA256
0f71fa836d8d39a2535da5f4ab6cdeb58dcb44a65aafe878a8bf5d386364bd4b
-
SHA512
21fbdf160fe4eea54b50bdff1d5c2636286c764617bcb1a7772492af66b2f733d087e56222fe9ad1f22d73692f24073a949575009bea90b5ee4af933fa9e279c
-
SSDEEP
1536:og5cmjhL9BUVtCqpPTM5Pd2cxsrx9GS2CgM2SogFkEztuqMTefHjXq+66DFUABA2:7jfBUVtCqpPTM5F2cxsrx9GST72JgFkW
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mflgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dncepokb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeafpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igfafklm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjien32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goiphjjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbchjgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgacnppb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekdmll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnfjlmjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jinaeidp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdnihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phahgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckiigeel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kleiphfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnglje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhecmhca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkokgdaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npghamcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijchgmap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njlhmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kddnlkdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkmqmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkhnpaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Embbnapk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkkde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embbnapk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkflncpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkdnokff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhklilde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mihficpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkmihehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Necjomnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofohng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbfedeoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqmkglhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmceaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnfhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npiegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkflncpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfhkfib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oioofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmmgiigb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beodnq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpbkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imhmgpff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 952 Chehic32.exe 1552 Cmbpaj32.exe 3980 Ceihbgbl.exe 2376 Chgdocap.exe 644 Doamlm32.exe 1556 Delehgpi.exe 3860 Dhjadbom.exe 1668 Dodiam32.exe 4248 Denang32.exe 1816 Dhlnjb32.exe 4036 Dkkjfn32.exe 1100 Dmifbi32.exe 2192 Depncf32.exe 2620 Dfakkobb.exe 4020 Dohcllbd.exe 4468 Dagohgah.exe 4188 Dhageaie.exe 404 Dokpbl32.exe 2604 Dailng32.exe 4292 Egfdfn32.exe 4692 Ekapgmff.exe 1080 Emplchej.exe 4180 Edjepb32.exe 3456 Ekdmll32.exe 2280 Edlaebkd.exe 912 Ekfjbl32.exe 3800 Eapbofjm.exe 2912 Edonkaia.exe 4316 Eodbhj32.exe 1472 Ehmgapog.exe 4016 Egpglm32.exe 4304 Eaekje32.exe 2740 Fkmpbk32.exe 916 Fhaplo32.exe 2004 Feeqec32.exe 4452 Fkbinj32.exe 4532 Fncboeed.exe 2244 Foboih32.exe 3264 Felgfb32.exe 408 Gdogaojo.exe 1904 Goekohjd.exe 3168 Gnglje32.exe 4928 Ghmphn32.exe 5100 Gkkldi32.exe 3604 Gnjhpd32.exe 444 Ggbmij32.exe 1336 Gnleedmj.exe 3560 Gecmganl.exe 3016 Ghbicmmp.exe 3780 Gajnlb32.exe 720 Gffjla32.exe 3948 Gkbbdh32.exe 3700 Galjabam.exe 376 Hdkgmnpa.exe 1308 Hoqkkfpg.exe 2216 Hboggbok.exe 4724 Hfjcgq32.exe 3132 Hocgpf32.exe 552 Hnehlceo.exe 4988 Hhklilde.exe 4164 Hnhdabcl.exe 2812 Hdbmnm32.exe 2768 Hogakejo.exe 1988 Hfaihp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Obbjdp32.exe Olhagekb.exe File created C:\Windows\SysWOW64\Jqogmk32.dll Elobdigp.exe File created C:\Windows\SysWOW64\Ojmfgo32.dll Bddaomhl.exe File created C:\Windows\SysWOW64\Qmfeai32.exe Process not Found File created C:\Windows\SysWOW64\Fhqiai32.exe Fpjaplgd.exe File opened for modification C:\Windows\SysWOW64\Gekkjo32.exe Process not Found File created C:\Windows\SysWOW64\Fcdbdeif.dll Process not Found File created C:\Windows\SysWOW64\Bmkhcf32.exe Process not Found File created C:\Windows\SysWOW64\Jiaaliep.dll Cdpakk32.exe File opened for modification C:\Windows\SysWOW64\Hiaakbhk.exe Gfbeogig.exe File opened for modification C:\Windows\SysWOW64\Ekbnjl32.exe Process not Found File created C:\Windows\SysWOW64\Llpaaqik.exe Process not Found File created C:\Windows\SysWOW64\Hgbllhmi.dll Process not Found File opened for modification C:\Windows\SysWOW64\Adohdn32.exe Anepgcee.exe File created C:\Windows\SysWOW64\Omhipkfm.exe Process not Found File created C:\Windows\SysWOW64\Qnddegdf.dll Eaekje32.exe File opened for modification C:\Windows\SysWOW64\Nijldmja.exe Nenpdn32.exe File created C:\Windows\SysWOW64\Meodomin.dll Mniglhko.exe File created C:\Windows\SysWOW64\Jhigcf32.dll Dhageaie.exe File opened for modification C:\Windows\SysWOW64\Jikmhoam.exe Jglqlc32.exe File created C:\Windows\SysWOW64\Lieamfpe.exe Lfgdajaa.exe File opened for modification C:\Windows\SysWOW64\Kfmmin32.exe Kcoamb32.exe File opened for modification C:\Windows\SysWOW64\Jlhbjd32.exe Process not Found File created C:\Windows\SysWOW64\Eaeilpel.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hnmnlb32.exe Hhpedk32.exe File created C:\Windows\SysWOW64\Dfhajiml.dll Cgdaom32.exe File opened for modification C:\Windows\SysWOW64\Diambckg.exe Dhpqkk32.exe File created C:\Windows\SysWOW64\Fcqlekbc.dll Ejfcgf32.exe File created C:\Windows\SysWOW64\Fhecmhca.exe Fdjgljkh.exe File created C:\Windows\SysWOW64\Ollccfgk.dll Lmcllm32.exe File created C:\Windows\SysWOW64\Efbcalel.exe Eohkda32.exe File opened for modification C:\Windows\SysWOW64\Jaqagk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dijgad32.exe Dgijjlla.exe File created C:\Windows\SysWOW64\Eqhjlgpf.dll Hmicbfib.exe File created C:\Windows\SysWOW64\Bkeplf32.exe Blboaicf.exe File created C:\Windows\SysWOW64\Ecebinga.dll Fkhnpaki.exe File created C:\Windows\SysWOW64\Hmcclp32.exe Hobcoibm.exe File created C:\Windows\SysWOW64\Qqhkgkfb.dll Process not Found File created C:\Windows\SysWOW64\Aolfbl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Egpglm32.exe Ehmgapog.exe File opened for modification C:\Windows\SysWOW64\Ajadcghd.exe Aajlaiga.exe File opened for modification C:\Windows\SysWOW64\Bcehgkdg.exe Bkopfmce.exe File opened for modification C:\Windows\SysWOW64\Akbjpi32.exe Ahdndm32.exe File opened for modification C:\Windows\SysWOW64\Ieadfbed.exe Hbchjgfq.exe File opened for modification C:\Windows\SysWOW64\Dkgnnmfp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Edlaebkd.exe Ekdmll32.exe File created C:\Windows\SysWOW64\Njgagikp.dll Mhfmjqkp.exe File created C:\Windows\SysWOW64\Jngcfmeo.dll Bkefgl32.exe File opened for modification C:\Windows\SysWOW64\Ohlolqom.exe Oabfpf32.exe File created C:\Windows\SysWOW64\Ojkkhlna.exe Ohlolqom.exe File created C:\Windows\SysWOW64\Adohdn32.exe Anepgcee.exe File created C:\Windows\SysWOW64\Jijbpkak.dll Process not Found File created C:\Windows\SysWOW64\Mpilpo32.exe Lhadoa32.exe File opened for modification C:\Windows\SysWOW64\Obbjdp32.exe Olhagekb.exe File created C:\Windows\SysWOW64\Nppgkpme.dll Hgehom32.exe File opened for modification C:\Windows\SysWOW64\Qabhlnfb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pclmjn32.exe Pkedia32.exe File opened for modification C:\Windows\SysWOW64\Bhacke32.exe Process not Found File created C:\Windows\SysWOW64\Omemjk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gqaedifi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Almmoleo.exe Aecebbnb.exe File opened for modification C:\Windows\SysWOW64\Blmffj32.exe Becnippo.exe File created C:\Windows\SysWOW64\Fhlqko32.dll Ighgadfo.exe File opened for modification C:\Windows\SysWOW64\Lhplfbdg.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 13080 12624 Process not Found 1550 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkamgke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhgjka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanobb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhecaep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkgmnpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpqkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdqoip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alafjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbkibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eegpbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihficpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncepokb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfpdoif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jegopjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfhec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcmohj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhdgkkmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnqnmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldhlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejelmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdjkfmmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kndejk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfbfao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqoppgqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfgnjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeafpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emchik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkeljdfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdoompkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glmqania.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmmla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbhkooic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghioo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhpiodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfnkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelfkebl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iehkga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipnodj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omomdbbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgpom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egfdfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpggiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnknnfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mankhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajadcghd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akenpokp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hghedmhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokmbhlp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefkmn32.dll" Klocnbcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfnkdb32.dll" Blpbkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Makghjlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcgpoebc.dll" Fmihoqjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgemng32.dll" Melcnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebkpllin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iecalbca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbogbo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jemmbafh.dll" Knmpjmba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjggjldf.dll" Cpklhpag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 0f71fa836d8d39a2535da5f4ab6cdeb58dcb44a65aafe878a8bf5d386364bd4b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pifnnane.dll" Dmcobm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eomdpajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plijnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjbmjdia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocgfoga.dll" Halcglnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qifodf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhfnn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oioofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obiklhjf.dll" Iibalfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnclbh32.dll" Cddjfkjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opglfmim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikkehnm.dll" Empehban.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigbblfi.dll" Bcehgkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdnbao32.dll" Kknmcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biqkdhhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oockch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgmqmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fplnfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcanbbln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjilfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqdqj32.dll" Dppeco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggmlcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pegdcflk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhklilde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqmlae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlclmk32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cehefi32.dll" Dhjadbom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnenai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qojcpnjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aolpenhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcakfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aokikhdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipkboj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlpelmgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Manlchnb.dll" Gkhhdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnohan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nafgdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hginlhoo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhageaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doohnc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5016 wrote to memory of 952 5016 0f71fa836d8d39a2535da5f4ab6cdeb58dcb44a65aafe878a8bf5d386364bd4b.exe 83 PID 5016 wrote to memory of 952 5016 0f71fa836d8d39a2535da5f4ab6cdeb58dcb44a65aafe878a8bf5d386364bd4b.exe 83 PID 5016 wrote to memory of 952 5016 0f71fa836d8d39a2535da5f4ab6cdeb58dcb44a65aafe878a8bf5d386364bd4b.exe 83 PID 952 wrote to memory of 1552 952 Chehic32.exe 84 PID 952 wrote to memory of 1552 952 Chehic32.exe 84 PID 952 wrote to memory of 1552 952 Chehic32.exe 84 PID 1552 wrote to memory of 3980 1552 Cmbpaj32.exe 85 PID 1552 wrote to memory of 3980 1552 Cmbpaj32.exe 85 PID 1552 wrote to memory of 3980 1552 Cmbpaj32.exe 85 PID 3980 wrote to memory of 2376 3980 Ceihbgbl.exe 86 PID 3980 wrote to memory of 2376 3980 Ceihbgbl.exe 86 PID 3980 wrote to memory of 2376 3980 Ceihbgbl.exe 86 PID 2376 wrote to memory of 644 2376 Chgdocap.exe 87 PID 2376 wrote to memory of 644 2376 Chgdocap.exe 87 PID 2376 wrote to memory of 644 2376 Chgdocap.exe 87 PID 644 wrote to memory of 1556 644 Doamlm32.exe 88 PID 644 wrote to memory of 1556 644 Doamlm32.exe 88 PID 644 wrote to memory of 1556 644 Doamlm32.exe 88 PID 1556 wrote to memory of 3860 1556 Delehgpi.exe 89 PID 1556 wrote to memory of 3860 1556 Delehgpi.exe 89 PID 1556 wrote to memory of 3860 1556 Delehgpi.exe 89 PID 3860 wrote to memory of 1668 3860 Dhjadbom.exe 90 PID 3860 wrote to memory of 1668 3860 Dhjadbom.exe 90 PID 3860 wrote to memory of 1668 3860 Dhjadbom.exe 90 PID 1668 wrote to memory of 4248 1668 Dodiam32.exe 91 PID 1668 wrote to memory of 4248 1668 Dodiam32.exe 91 PID 1668 wrote to memory of 4248 1668 Dodiam32.exe 91 PID 4248 wrote to memory of 1816 4248 Denang32.exe 92 PID 4248 wrote to memory of 1816 4248 Denang32.exe 92 PID 4248 wrote to memory of 1816 4248 Denang32.exe 92 PID 1816 wrote to memory of 4036 1816 Dhlnjb32.exe 93 PID 1816 wrote to memory of 4036 1816 Dhlnjb32.exe 93 PID 1816 wrote to memory of 4036 1816 Dhlnjb32.exe 93 PID 4036 wrote to memory of 1100 4036 Dkkjfn32.exe 94 PID 4036 wrote to memory of 1100 4036 Dkkjfn32.exe 94 PID 4036 wrote to memory of 1100 4036 Dkkjfn32.exe 94 PID 1100 wrote to memory of 2192 1100 Dmifbi32.exe 95 PID 1100 wrote to memory of 2192 1100 Dmifbi32.exe 95 PID 1100 wrote to memory of 2192 1100 Dmifbi32.exe 95 PID 2192 wrote to memory of 2620 2192 Depncf32.exe 96 PID 2192 wrote to memory of 2620 2192 Depncf32.exe 96 PID 2192 wrote to memory of 2620 2192 Depncf32.exe 96 PID 2620 wrote to memory of 4020 2620 Dfakkobb.exe 97 PID 2620 wrote to memory of 4020 2620 Dfakkobb.exe 97 PID 2620 wrote to memory of 4020 2620 Dfakkobb.exe 97 PID 4020 wrote to memory of 4468 4020 Dohcllbd.exe 98 PID 4020 wrote to memory of 4468 4020 Dohcllbd.exe 98 PID 4020 wrote to memory of 4468 4020 Dohcllbd.exe 98 PID 4468 wrote to memory of 4188 4468 Dagohgah.exe 99 PID 4468 wrote to memory of 4188 4468 Dagohgah.exe 99 PID 4468 wrote to memory of 4188 4468 Dagohgah.exe 99 PID 4188 wrote to memory of 404 4188 Dhageaie.exe 100 PID 4188 wrote to memory of 404 4188 Dhageaie.exe 100 PID 4188 wrote to memory of 404 4188 Dhageaie.exe 100 PID 404 wrote to memory of 2604 404 Dokpbl32.exe 101 PID 404 wrote to memory of 2604 404 Dokpbl32.exe 101 PID 404 wrote to memory of 2604 404 Dokpbl32.exe 101 PID 2604 wrote to memory of 4292 2604 Dailng32.exe 102 PID 2604 wrote to memory of 4292 2604 Dailng32.exe 102 PID 2604 wrote to memory of 4292 2604 Dailng32.exe 102 PID 4292 wrote to memory of 4692 4292 Egfdfn32.exe 103 PID 4292 wrote to memory of 4692 4292 Egfdfn32.exe 103 PID 4292 wrote to memory of 4692 4292 Egfdfn32.exe 103 PID 4692 wrote to memory of 1080 4692 Ekapgmff.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f71fa836d8d39a2535da5f4ab6cdeb58dcb44a65aafe878a8bf5d386364bd4b.exe"C:\Users\Admin\AppData\Local\Temp\0f71fa836d8d39a2535da5f4ab6cdeb58dcb44a65aafe878a8bf5d386364bd4b.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Chehic32.exeC:\Windows\system32\Chehic32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Cmbpaj32.exeC:\Windows\system32\Cmbpaj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Ceihbgbl.exeC:\Windows\system32\Ceihbgbl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Chgdocap.exeC:\Windows\system32\Chgdocap.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Doamlm32.exeC:\Windows\system32\Doamlm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Delehgpi.exeC:\Windows\system32\Delehgpi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Dhjadbom.exeC:\Windows\system32\Dhjadbom.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Dodiam32.exeC:\Windows\system32\Dodiam32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Denang32.exeC:\Windows\system32\Denang32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Dhlnjb32.exeC:\Windows\system32\Dhlnjb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Dkkjfn32.exeC:\Windows\system32\Dkkjfn32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Dmifbi32.exeC:\Windows\system32\Dmifbi32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Depncf32.exeC:\Windows\system32\Depncf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Dfakkobb.exeC:\Windows\system32\Dfakkobb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Dohcllbd.exeC:\Windows\system32\Dohcllbd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Dagohgah.exeC:\Windows\system32\Dagohgah.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Dhageaie.exeC:\Windows\system32\Dhageaie.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Dokpbl32.exeC:\Windows\system32\Dokpbl32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Dailng32.exeC:\Windows\system32\Dailng32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Egfdfn32.exeC:\Windows\system32\Egfdfn32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Ekapgmff.exeC:\Windows\system32\Ekapgmff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Emplchej.exeC:\Windows\system32\Emplchej.exe23⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Edjepb32.exeC:\Windows\system32\Edjepb32.exe24⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Ekdmll32.exeC:\Windows\system32\Ekdmll32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3456 -
C:\Windows\SysWOW64\Edlaebkd.exeC:\Windows\system32\Edlaebkd.exe26⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ekfjbl32.exeC:\Windows\system32\Ekfjbl32.exe27⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Eapbofjm.exeC:\Windows\system32\Eapbofjm.exe28⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Edonkaia.exeC:\Windows\system32\Edonkaia.exe29⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Eodbhj32.exeC:\Windows\system32\Eodbhj32.exe30⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Ehmgapog.exeC:\Windows\system32\Ehmgapog.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1472 -
C:\Windows\SysWOW64\Egpglm32.exeC:\Windows\system32\Egpglm32.exe32⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Eaekje32.exeC:\Windows\system32\Eaekje32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4304 -
C:\Windows\SysWOW64\Fkmpbk32.exeC:\Windows\system32\Fkmpbk32.exe34⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Fhaplo32.exeC:\Windows\system32\Fhaplo32.exe35⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Feeqec32.exeC:\Windows\system32\Feeqec32.exe36⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Fkbinj32.exeC:\Windows\system32\Fkbinj32.exe37⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Fncboeed.exeC:\Windows\system32\Fncboeed.exe38⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Foboih32.exeC:\Windows\system32\Foboih32.exe39⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Felgfb32.exeC:\Windows\system32\Felgfb32.exe40⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Gdogaojo.exeC:\Windows\system32\Gdogaojo.exe41⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Goekohjd.exeC:\Windows\system32\Goekohjd.exe42⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Gnglje32.exeC:\Windows\system32\Gnglje32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Ghmphn32.exeC:\Windows\system32\Ghmphn32.exe44⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Gkkldi32.exeC:\Windows\system32\Gkkldi32.exe45⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Gnjhpd32.exeC:\Windows\system32\Gnjhpd32.exe46⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Ggbmij32.exeC:\Windows\system32\Ggbmij32.exe47⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Gnleedmj.exeC:\Windows\system32\Gnleedmj.exe48⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Gecmganl.exeC:\Windows\system32\Gecmganl.exe49⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Ghbicmmp.exeC:\Windows\system32\Ghbicmmp.exe50⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Gajnlb32.exeC:\Windows\system32\Gajnlb32.exe51⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Gffjla32.exeC:\Windows\system32\Gffjla32.exe52⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Gkbbdh32.exeC:\Windows\system32\Gkbbdh32.exe53⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Galjabam.exeC:\Windows\system32\Galjabam.exe54⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Hdkgmnpa.exeC:\Windows\system32\Hdkgmnpa.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:376 -
C:\Windows\SysWOW64\Hoqkkfpg.exeC:\Windows\system32\Hoqkkfpg.exe56⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Hboggbok.exeC:\Windows\system32\Hboggbok.exe57⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Hfjcgq32.exeC:\Windows\system32\Hfjcgq32.exe58⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Hocgpf32.exeC:\Windows\system32\Hocgpf32.exe59⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Hnehlceo.exeC:\Windows\system32\Hnehlceo.exe60⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Hhklilde.exeC:\Windows\system32\Hhklilde.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4988 -
C:\Windows\SysWOW64\Hnhdabcl.exeC:\Windows\system32\Hnhdabcl.exe62⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Hdbmnm32.exeC:\Windows\system32\Hdbmnm32.exe63⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Hogakejo.exeC:\Windows\system32\Hogakejo.exe64⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Hfaihp32.exeC:\Windows\system32\Hfaihp32.exe65⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Hhpedk32.exeC:\Windows\system32\Hhpedk32.exe66⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Hnmnlb32.exeC:\Windows\system32\Hnmnlb32.exe67⤵PID:4464
-
C:\Windows\SysWOW64\Idffilfd.exeC:\Windows\system32\Idffilfd.exe68⤵PID:4072
-
C:\Windows\SysWOW64\Igebegeg.exeC:\Windows\system32\Igebegeg.exe69⤵PID:1976
-
C:\Windows\SysWOW64\Ioljfe32.exeC:\Windows\system32\Ioljfe32.exe70⤵PID:2168
-
C:\Windows\SysWOW64\Idicol32.exeC:\Windows\system32\Idicol32.exe71⤵PID:3600
-
C:\Windows\SysWOW64\Iggokg32.exeC:\Windows\system32\Iggokg32.exe72⤵PID:848
-
C:\Windows\SysWOW64\Ibmchp32.exeC:\Windows\system32\Ibmchp32.exe73⤵PID:3520
-
C:\Windows\SysWOW64\Iiglejjg.exeC:\Windows\system32\Iiglejjg.exe74⤵PID:3476
-
C:\Windows\SysWOW64\Ioadadbd.exeC:\Windows\system32\Ioadadbd.exe75⤵PID:3636
-
C:\Windows\SysWOW64\Idnljkpl.exeC:\Windows\system32\Idnljkpl.exe76⤵PID:4308
-
C:\Windows\SysWOW64\Iglhffop.exeC:\Windows\system32\Iglhffop.exe77⤵PID:2248
-
C:\Windows\SysWOW64\Ifmidn32.exeC:\Windows\system32\Ifmidn32.exe78⤵PID:228
-
C:\Windows\SysWOW64\Iilepi32.exeC:\Windows\system32\Iilepi32.exe79⤵PID:4536
-
C:\Windows\SysWOW64\Ioemmcno.exeC:\Windows\system32\Ioemmcno.exe80⤵PID:3884
-
C:\Windows\SysWOW64\Jinaeidp.exeC:\Windows\system32\Jinaeidp.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4716 -
C:\Windows\SysWOW64\Johjbc32.exeC:\Windows\system32\Johjbc32.exe82⤵PID:2660
-
C:\Windows\SysWOW64\Jfbbomci.exeC:\Windows\system32\Jfbbomci.exe83⤵PID:2832
-
C:\Windows\SysWOW64\Jkokgdaq.exeC:\Windows\system32\Jkokgdaq.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Jegopjha.exeC:\Windows\system32\Jegopjha.exe85⤵
- System Location Discovery: System Language Discovery
PID:4884 -
C:\Windows\SysWOW64\Jkagmd32.exeC:\Windows\system32\Jkagmd32.exe86⤵PID:1580
-
C:\Windows\SysWOW64\Jffljm32.exeC:\Windows\system32\Jffljm32.exe87⤵PID:1872
-
C:\Windows\SysWOW64\Jnapno32.exeC:\Windows\system32\Jnapno32.exe88⤵PID:2212
-
C:\Windows\SysWOW64\Jelhki32.exeC:\Windows\system32\Jelhki32.exe89⤵PID:2208
-
C:\Windows\SysWOW64\Jigdlhle.exeC:\Windows\system32\Jigdlhle.exe90⤵PID:4644
-
C:\Windows\SysWOW64\Jleahcki.exeC:\Windows\system32\Jleahcki.exe91⤵PID:1032
-
C:\Windows\SysWOW64\Kndmdojl.exeC:\Windows\system32\Kndmdojl.exe92⤵PID:660
-
C:\Windows\SysWOW64\Kijaagjb.exeC:\Windows\system32\Kijaagjb.exe93⤵PID:4044
-
C:\Windows\SysWOW64\Klhnmcif.exeC:\Windows\system32\Klhnmcif.exe94⤵PID:4980
-
C:\Windows\SysWOW64\Kbbfjm32.exeC:\Windows\system32\Kbbfjm32.exe95⤵PID:2924
-
C:\Windows\SysWOW64\Kfnaklil.exeC:\Windows\system32\Kfnaklil.exe96⤵PID:2544
-
C:\Windows\SysWOW64\Kilngg32.exeC:\Windows\system32\Kilngg32.exe97⤵PID:3756
-
C:\Windows\SysWOW64\Kpffcapl.exeC:\Windows\system32\Kpffcapl.exe98⤵PID:1680
-
C:\Windows\SysWOW64\Kbdbpmop.exeC:\Windows\system32\Kbdbpmop.exe99⤵PID:1404
-
C:\Windows\SysWOW64\Kebolhnd.exeC:\Windows\system32\Kebolhnd.exe100⤵PID:4360
-
C:\Windows\SysWOW64\Klmghb32.exeC:\Windows\system32\Klmghb32.exe101⤵PID:2476
-
C:\Windows\SysWOW64\Kfbkfk32.exeC:\Windows\system32\Kfbkfk32.exe102⤵PID:880
-
C:\Windows\SysWOW64\Keekahla.exeC:\Windows\system32\Keekahla.exe103⤵PID:3956
-
C:\Windows\SysWOW64\Klocnbcn.exeC:\Windows\system32\Klocnbcn.exe104⤵
- Modifies registry class
PID:4656 -
C:\Windows\SysWOW64\Knmpjmba.exeC:\Windows\system32\Knmpjmba.exe105⤵
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Keghgg32.exeC:\Windows\system32\Keghgg32.exe106⤵PID:2632
-
C:\Windows\SysWOW64\Khfdcc32.exeC:\Windows\system32\Khfdcc32.exe107⤵PID:3752
-
C:\Windows\SysWOW64\Klapcaak.exeC:\Windows\system32\Klapcaak.exe108⤵PID:3764
-
C:\Windows\SysWOW64\Lfgdajaa.exeC:\Windows\system32\Lfgdajaa.exe109⤵
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\Lieamfpe.exeC:\Windows\system32\Lieamfpe.exe110⤵PID:4340
-
C:\Windows\SysWOW64\Llcmia32.exeC:\Windows\system32\Llcmia32.exe111⤵PID:868
-
C:\Windows\SysWOW64\Lbnefkfe.exeC:\Windows\system32\Lbnefkfe.exe112⤵PID:5136
-
C:\Windows\SysWOW64\Lfiafj32.exeC:\Windows\system32\Lfiafj32.exe113⤵PID:5180
-
C:\Windows\SysWOW64\Lihnbe32.exeC:\Windows\system32\Lihnbe32.exe114⤵PID:5224
-
C:\Windows\SysWOW64\Lndfkl32.exeC:\Windows\system32\Lndfkl32.exe115⤵PID:5268
-
C:\Windows\SysWOW64\Lflnlj32.exeC:\Windows\system32\Lflnlj32.exe116⤵PID:5312
-
C:\Windows\SysWOW64\Lhmjcbcj.exeC:\Windows\system32\Lhmjcbcj.exe117⤵PID:5356
-
C:\Windows\SysWOW64\Llhfdq32.exeC:\Windows\system32\Llhfdq32.exe118⤵PID:5400
-
C:\Windows\SysWOW64\Logbpljg.exeC:\Windows\system32\Logbpljg.exe119⤵PID:5460
-
C:\Windows\SysWOW64\Lfnkaiki.exeC:\Windows\system32\Lfnkaiki.exe120⤵PID:5512
-
C:\Windows\SysWOW64\Lilgnejm.exeC:\Windows\system32\Lilgnejm.exe121⤵PID:5584
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-