Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-01-2025 17:27
Behavioral task
behavioral1
Sample
b9a4859d57806ca98b5504afdf7862d790d1016f2a379ad4a57e8e5d805f618d.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
b9a4859d57806ca98b5504afdf7862d790d1016f2a379ad4a57e8e5d805f618d.exe
-
Size
93KB
-
MD5
3a7c59206db2f3af4bb2c62ffc51d6a0
-
SHA1
0d1615abb1c04498dc86e73b0e160f81be2bc00a
-
SHA256
b9a4859d57806ca98b5504afdf7862d790d1016f2a379ad4a57e8e5d805f618d
-
SHA512
91177b51575a27011b8400671c05360ea568070c349e6b8c5b66cdd2bce2c10aa9d745a86ed9e23fea3c1391dfc8bd9872eb4da8a23d0366bd0ed67fad3dd8f7
-
SSDEEP
1536:kO4QgXca3UgvzgwK7aEQx7G6/KwOGsesJ1DaYfMZRWuLsV+1p:Cq4EQx7x/KwOVhJgYfc0DV+1p
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijogmdqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbgjbkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nijeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnlbojee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgjndno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnojho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjjga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcqpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heegad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klndfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjnae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjmoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gojiiafp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mecjif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjnmpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhhpop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehndnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emcbio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hildmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlnjbedi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnmopk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmepam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bogkmgba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bihjfnmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpheidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahgoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahbbkaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Johggfha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkehkocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncqlkemc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foapaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfmgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emeoooml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphgbafl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdlangb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbjelc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppamophb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdkifmjq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeapcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daqbip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opemca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bggnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfjpfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblimcdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhonib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cikglnkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mledmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filapfbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgonlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leoghn32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2752 Bjddphlq.exe 1184 Beihma32.exe 1164 Bhhdil32.exe 3704 Bfkedibe.exe 3588 Belebq32.exe 4936 Chjaol32.exe 1220 Cfmajipb.exe 4860 Cndikf32.exe 3548 Chmndlge.exe 3612 Cfpnph32.exe 3956 Cmiflbel.exe 4420 Cdcoim32.exe 2748 Cjmgfgdf.exe 4068 Cmlcbbcj.exe 4800 Cdfkolkf.exe 2920 Cfdhkhjj.exe 2304 Cnkplejl.exe 3964 Cdhhdlid.exe 2072 Cmqmma32.exe 4032 Ddjejl32.exe 1180 Dfiafg32.exe 1372 Danecp32.exe 1004 Ddmaok32.exe 2728 Djgjlelk.exe 1012 Daqbip32.exe 4104 Dfnjafap.exe 4652 Dodbbdbb.exe 2672 Dogogcpo.exe 4792 Dddhpjof.exe 4576 Doilmc32.exe 1436 Edfdej32.exe 652 Eolhbc32.exe 2360 Eggmge32.exe 2912 Ealadnik.exe 1992 Egijmegb.exe 5028 Emcbio32.exe 3360 Ehiffh32.exe 3596 Emeoooml.exe 1084 Egnchd32.exe 1480 Eachem32.exe 1656 Fgppmd32.exe 1972 Foghnabl.exe 2600 Fafdkmap.exe 1752 Fnmepn32.exe 4040 Fdfmlhna.exe 3616 Fnobem32.exe 5116 Fhdfbfdh.exe 2460 Fehfljca.exe 3388 Fdkggg32.exe 4808 Fgjccb32.exe 3896 Fnckpmql.exe 1960 Gglpibgm.exe 1472 Gkglja32.exe 3408 Gempgj32.exe 892 Ggnlobej.exe 4292 Gepmlimi.exe 3000 Ghniielm.exe 1544 Gnkaalkd.exe 1816 Gddinf32.exe 1616 Ghpendjj.exe 4300 Gfdfgiid.exe 624 Ggeboaob.exe 748 Hffcmh32.exe 1348 Hghoeqmp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Onnmdcjm.exe Ojbacd32.exe File created C:\Windows\SysWOW64\Pnmopk32.exe Pffgom32.exe File opened for modification C:\Windows\SysWOW64\Kjepjkhf.exe Kdigadjo.exe File opened for modification C:\Windows\SysWOW64\Mgobel32.exe Mepfiq32.exe File created C:\Windows\SysWOW64\Eegiklal.dll Mcecjmkl.exe File created C:\Windows\SysWOW64\Fofilp32.exe Filapfbo.exe File opened for modification C:\Windows\SysWOW64\Djegekil.exe Process not Found File created C:\Windows\SysWOW64\Fndchiip.dll Mblcnj32.exe File created C:\Windows\SysWOW64\Oboijgbl.exe Okgaijaj.exe File created C:\Windows\SysWOW64\Ppikbm32.exe Piocecgj.exe File created C:\Windows\SysWOW64\Fpgpgfmh.exe Fimhjl32.exe File created C:\Windows\SysWOW64\Jomdjhoo.dll Ngmpcn32.exe File opened for modification C:\Windows\SysWOW64\Ajjjocap.exe Aglnbhal.exe File created C:\Windows\SysWOW64\Gjpank32.dll Blgifbil.exe File created C:\Windows\SysWOW64\Pjphcf32.dll Ofckhj32.exe File created C:\Windows\SysWOW64\Djhpgofm.exe Dcogje32.exe File created C:\Windows\SysWOW64\Okehmlqi.dll Mmpmnl32.exe File created C:\Windows\SysWOW64\Eblimcdf.exe Ekaapi32.exe File created C:\Windows\SysWOW64\Mjodla32.exe Mcelpggq.exe File opened for modification C:\Windows\SysWOW64\Ibmeoq32.exe Ijfnmc32.exe File created C:\Windows\SysWOW64\Enkjji32.dll Miofjepg.exe File opened for modification C:\Windows\SysWOW64\Mepfiq32.exe Mnfnlf32.exe File created C:\Windows\SysWOW64\Hhfgeigk.dll Omcjep32.exe File created C:\Windows\SysWOW64\Nnahhegq.dll Oaplqh32.exe File opened for modification C:\Windows\SysWOW64\Mohidbkl.exe Mhoahh32.exe File created C:\Windows\SysWOW64\Aonhqi32.dll Aglnbhal.exe File created C:\Windows\SysWOW64\Hbjoeojc.exe Hplbickp.exe File created C:\Windows\SysWOW64\Policp32.dll Nlnbgddc.exe File opened for modification C:\Windows\SysWOW64\Jahqiaeb.exe Jpgdai32.exe File created C:\Windows\SysWOW64\Clgbhl32.dll Chnbbqpn.exe File created C:\Windows\SysWOW64\Jqlefl32.exe Jnmijq32.exe File created C:\Windows\SysWOW64\Cmbgdl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bagmdllg.exe Process not Found File created C:\Windows\SysWOW64\Aieeeflh.dll Ogfcjm32.exe File created C:\Windows\SysWOW64\Ehenqf32.dll Ddnobj32.exe File opened for modification C:\Windows\SysWOW64\Idebdcdo.exe Ifbbig32.exe File opened for modification C:\Windows\SysWOW64\Ppmcdq32.exe Plagcbdn.exe File created C:\Windows\SysWOW64\Dmihij32.exe Dinmhkke.exe File created C:\Windows\SysWOW64\Ijhjcchb.exe Igjngh32.exe File created C:\Windows\SysWOW64\Felbnn32.exe Enbjad32.exe File created C:\Windows\SysWOW64\Mjaofnii.dll Process not Found File created C:\Windows\SysWOW64\Nflkbanj.exe Nqpcjj32.exe File created C:\Windows\SysWOW64\Dempqa32.dll Nagiji32.exe File opened for modification C:\Windows\SysWOW64\Iamamcop.exe Iondqhpl.exe File created C:\Windows\SysWOW64\Qapnmopa.exe Process not Found File created C:\Windows\SysWOW64\Ifihif32.exe Ighhln32.exe File opened for modification C:\Windows\SysWOW64\Kfcdfbqo.exe Khbdikip.exe File opened for modification C:\Windows\SysWOW64\Emmkiclm.exe Ejoomhmi.exe File created C:\Windows\SysWOW64\Bpldbefn.dll Ommceclc.exe File opened for modification C:\Windows\SysWOW64\Fdcjlb32.exe Fphnlcdo.exe File created C:\Windows\SysWOW64\Alelqb32.exe Adndoe32.exe File opened for modification C:\Windows\SysWOW64\Fcpakn32.exe Process not Found File created C:\Windows\SysWOW64\Joffnk32.exe Jgonlm32.exe File opened for modification C:\Windows\SysWOW64\Iddljmpc.exe Ijogmdqm.exe File created C:\Windows\SysWOW64\Dlkbjqgm.exe Dimenegi.exe File created C:\Windows\SysWOW64\Dgooajdl.dll Nlqomd32.exe File opened for modification C:\Windows\SysWOW64\Mbbagk32.exe Lndham32.exe File created C:\Windows\SysWOW64\Gcghkm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Djmibn32.exe Daediilg.exe File created C:\Windows\SysWOW64\Hankellh.dll Innfnl32.exe File created C:\Windows\SysWOW64\Fiboaq32.dll Dheibpje.exe File opened for modification C:\Windows\SysWOW64\Dfnjafap.exe Daqbip32.exe File created C:\Windows\SysWOW64\Gmimai32.exe Gfodeohd.exe File created C:\Windows\SysWOW64\Fpgfkbgm.dll Ooejohhq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9796 10864 Process not Found 1212 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgndoeag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifcgion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geoapenf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmgfgdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hocqam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikokan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodfajaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diccgfpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimhjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbalopbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocjoadei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnomg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahokfag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flinkojm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnjmbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgcpokp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lindkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhlhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdehni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmhaold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaenbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkehkocf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfhadc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggnof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlhgaqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhckcgpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnckpmql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcahd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nliaao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cleegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncqlkemc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nofefp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nognnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belebq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidjbmcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcejco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifkpknp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfgogh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edemkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjadje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpchib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqafhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiildjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domdjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cogddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbcjnilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfigpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjpfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdlfhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joahqn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ialjan32.dll" Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nglhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afelhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfmjef32.dll" Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfojdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdehni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpod32.dll" Ioolkncg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlkbjqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmfklog.dll" Ahpmjejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngdja32.dll" Oljaccjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofhjkmkl.dll" Megljppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicakqhn.dll" Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll" Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcinna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlkgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbpccql.dll" Fgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfooa32.dll" Hnddgjbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhhdil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoclopne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljceqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emmkiclm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbibfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flqdlnde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpqkcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dipidh32.dll" Fnckpmql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooqqdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfihkqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojenek32.dll" Oanokhdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djgjlelk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giecfejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajbghaq.dll" Hnlodjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einbcgha.dll" Khbdikip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgjjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poigcbng.dll" Dbkqfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpdennml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neppokal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgooajdl.dll" Nlqomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnchkf32.dll" Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ponfhp32.dll" Oaompd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jinboekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcfidb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkcadhgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oileggkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piocecgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njonjm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgpogili.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilphdlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgkan32.dll" Oikjkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Micoed32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4616 wrote to memory of 2752 4616 b9a4859d57806ca98b5504afdf7862d790d1016f2a379ad4a57e8e5d805f618d.exe 83 PID 4616 wrote to memory of 2752 4616 b9a4859d57806ca98b5504afdf7862d790d1016f2a379ad4a57e8e5d805f618d.exe 83 PID 4616 wrote to memory of 2752 4616 b9a4859d57806ca98b5504afdf7862d790d1016f2a379ad4a57e8e5d805f618d.exe 83 PID 2752 wrote to memory of 1184 2752 Bjddphlq.exe 84 PID 2752 wrote to memory of 1184 2752 Bjddphlq.exe 84 PID 2752 wrote to memory of 1184 2752 Bjddphlq.exe 84 PID 1184 wrote to memory of 1164 1184 Beihma32.exe 85 PID 1184 wrote to memory of 1164 1184 Beihma32.exe 85 PID 1184 wrote to memory of 1164 1184 Beihma32.exe 85 PID 1164 wrote to memory of 3704 1164 Bhhdil32.exe 86 PID 1164 wrote to memory of 3704 1164 Bhhdil32.exe 86 PID 1164 wrote to memory of 3704 1164 Bhhdil32.exe 86 PID 3704 wrote to memory of 3588 3704 Bfkedibe.exe 87 PID 3704 wrote to memory of 3588 3704 Bfkedibe.exe 87 PID 3704 wrote to memory of 3588 3704 Bfkedibe.exe 87 PID 3588 wrote to memory of 4936 3588 Belebq32.exe 88 PID 3588 wrote to memory of 4936 3588 Belebq32.exe 88 PID 3588 wrote to memory of 4936 3588 Belebq32.exe 88 PID 4936 wrote to memory of 1220 4936 Chjaol32.exe 89 PID 4936 wrote to memory of 1220 4936 Chjaol32.exe 89 PID 4936 wrote to memory of 1220 4936 Chjaol32.exe 89 PID 1220 wrote to memory of 4860 1220 Cfmajipb.exe 90 PID 1220 wrote to memory of 4860 1220 Cfmajipb.exe 90 PID 1220 wrote to memory of 4860 1220 Cfmajipb.exe 90 PID 4860 wrote to memory of 3548 4860 Cndikf32.exe 91 PID 4860 wrote to memory of 3548 4860 Cndikf32.exe 91 PID 4860 wrote to memory of 3548 4860 Cndikf32.exe 91 PID 3548 wrote to memory of 3612 3548 Chmndlge.exe 92 PID 3548 wrote to memory of 3612 3548 Chmndlge.exe 92 PID 3548 wrote to memory of 3612 3548 Chmndlge.exe 92 PID 3612 wrote to memory of 3956 3612 Cfpnph32.exe 93 PID 3612 wrote to memory of 3956 3612 Cfpnph32.exe 93 PID 3612 wrote to memory of 3956 3612 Cfpnph32.exe 93 PID 3956 wrote to memory of 4420 3956 Cmiflbel.exe 94 PID 3956 wrote to memory of 4420 3956 Cmiflbel.exe 94 PID 3956 wrote to memory of 4420 3956 Cmiflbel.exe 94 PID 4420 wrote to memory of 2748 4420 Cdcoim32.exe 95 PID 4420 wrote to memory of 2748 4420 Cdcoim32.exe 95 PID 4420 wrote to memory of 2748 4420 Cdcoim32.exe 95 PID 2748 wrote to memory of 4068 2748 Cjmgfgdf.exe 96 PID 2748 wrote to memory of 4068 2748 Cjmgfgdf.exe 96 PID 2748 wrote to memory of 4068 2748 Cjmgfgdf.exe 96 PID 4068 wrote to memory of 4800 4068 Cmlcbbcj.exe 97 PID 4068 wrote to memory of 4800 4068 Cmlcbbcj.exe 97 PID 4068 wrote to memory of 4800 4068 Cmlcbbcj.exe 97 PID 4800 wrote to memory of 2920 4800 Cdfkolkf.exe 98 PID 4800 wrote to memory of 2920 4800 Cdfkolkf.exe 98 PID 4800 wrote to memory of 2920 4800 Cdfkolkf.exe 98 PID 2920 wrote to memory of 2304 2920 Cfdhkhjj.exe 99 PID 2920 wrote to memory of 2304 2920 Cfdhkhjj.exe 99 PID 2920 wrote to memory of 2304 2920 Cfdhkhjj.exe 99 PID 2304 wrote to memory of 3964 2304 Cnkplejl.exe 100 PID 2304 wrote to memory of 3964 2304 Cnkplejl.exe 100 PID 2304 wrote to memory of 3964 2304 Cnkplejl.exe 100 PID 3964 wrote to memory of 2072 3964 Cdhhdlid.exe 101 PID 3964 wrote to memory of 2072 3964 Cdhhdlid.exe 101 PID 3964 wrote to memory of 2072 3964 Cdhhdlid.exe 101 PID 2072 wrote to memory of 4032 2072 Cmqmma32.exe 102 PID 2072 wrote to memory of 4032 2072 Cmqmma32.exe 102 PID 2072 wrote to memory of 4032 2072 Cmqmma32.exe 102 PID 4032 wrote to memory of 1180 4032 Ddjejl32.exe 103 PID 4032 wrote to memory of 1180 4032 Ddjejl32.exe 103 PID 4032 wrote to memory of 1180 4032 Ddjejl32.exe 103 PID 1180 wrote to memory of 1372 1180 Dfiafg32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9a4859d57806ca98b5504afdf7862d790d1016f2a379ad4a57e8e5d805f618d.exe"C:\Users\Admin\AppData\Local\Temp\b9a4859d57806ca98b5504afdf7862d790d1016f2a379ad4a57e8e5d805f618d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe23⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe24⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1012 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe27⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe28⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe29⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe30⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe31⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe32⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe33⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe34⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe35⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe36⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe38⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe40⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe41⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe42⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe43⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe44⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe45⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe46⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe47⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe48⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe49⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe50⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4808 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3896 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe53⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe54⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe55⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe56⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe57⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe58⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe59⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe60⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe61⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe62⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe63⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe64⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe65⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe66⤵PID:620
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe68⤵
- Modifies registry class
PID:4968 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe69⤵PID:1984
-
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe70⤵PID:2660
-
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe71⤵
- System Location Discovery: System Language Discovery
PID:3628 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe72⤵PID:2332
-
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe73⤵PID:4956
-
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe74⤵PID:4880
-
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe75⤵PID:4012
-
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe76⤵
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe77⤵PID:2664
-
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe79⤵PID:3288
-
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe80⤵PID:768
-
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe81⤵PID:4020
-
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe82⤵
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe83⤵PID:3932
-
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe84⤵PID:544
-
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe85⤵PID:2972
-
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3608 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe87⤵PID:536
-
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe88⤵PID:2884
-
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe89⤵PID:4404
-
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe90⤵PID:4904
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe91⤵PID:4764
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe92⤵PID:3600
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe93⤵PID:4908
-
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe94⤵PID:1792
-
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe95⤵PID:5080
-
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe96⤵PID:4148
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe97⤵PID:2400
-
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe98⤵PID:1712
-
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe99⤵PID:1028
-
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe100⤵PID:1488
-
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe101⤵PID:3872
-
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe103⤵PID:4564
-
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe104⤵PID:1612
-
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3820 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe106⤵PID:3440
-
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe107⤵PID:2856
-
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe108⤵PID:4320
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4516 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe110⤵PID:2560
-
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe111⤵PID:4336
-
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4920 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe113⤵PID:3640
-
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe114⤵PID:3524
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe115⤵PID:4760
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe116⤵PID:1700
-
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe117⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe118⤵PID:3988
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe119⤵PID:1624
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe120⤵PID:4060
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe121⤵PID:5144
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-