Analysis
-
max time kernel
93s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
05/03/2025, 23:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3bee487c1f9ca59a47cda738ec821eb4fe74f3bd04e9b242eab2ed838d11c3f8.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
3bee487c1f9ca59a47cda738ec821eb4fe74f3bd04e9b242eab2ed838d11c3f8.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
3bee487c1f9ca59a47cda738ec821eb4fe74f3bd04e9b242eab2ed838d11c3f8.exe
-
Size
94KB
-
MD5
28447f27d788a06ed83ad9cbfd395fbd
-
SHA1
6e9ed2d9deeccb4a2547173a53534d0438f4a9e2
-
SHA256
3bee487c1f9ca59a47cda738ec821eb4fe74f3bd04e9b242eab2ed838d11c3f8
-
SHA512
988ebdb44469b748a5012f318ec390b8af95f286c09ed77acdb5ee339f543519b79c10fe2c886059635505f31739488a551f7bcffc71ae03415a1ad32732d6e6
-
SSDEEP
1536:iMNv6GPyfBXSJsldQgrroYP7tX4T1lXAc87BR9L4DT2EnINs:ZcGPypXSJsf3o/PT86+ob
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqdcnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmdhcddh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkgbcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmaamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oanfen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpode32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aggpfkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkjmlaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fecadghc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmeandma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfepf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgaokl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nflkbanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqknkedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcoaglhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpimlfke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnbbqpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlnjbedi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mebcop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pehngkcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedccfqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lomqcjie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgkmgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gikdkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflbkcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efblbbqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fligqhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqimikfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpchib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4600 Bmofagfp.exe 1580 Bombmcec.exe 4568 Bjbfklei.exe 2860 Bmabggdm.exe 1364 Bkdcbd32.exe 1112 Bckkca32.exe 4768 Cfigpm32.exe 3092 Ckfphc32.exe 4848 Cfldelik.exe 4724 Cijpahho.exe 4996 Ccpdoqgd.exe 3920 Cjjlkk32.exe 1076 Cofecami.exe 1148 Cjliajmo.exe 4492 Coiaiakf.exe 2304 Cfcjfk32.exe 3432 Cmmbbejp.exe 3068 Ccgjopal.exe 3172 Dmoohe32.exe 1888 Dblgpl32.exe 3160 Djcoai32.exe 4536 Dmalne32.exe 3700 Dpphjp32.exe 4808 Dfjpfj32.exe 3888 Dmdhcddh.exe 3952 Dcnqpo32.exe 4772 Dflmlj32.exe 2696 Dlieda32.exe 5020 Dpdaepai.exe 5092 Dbcmakpl.exe 3348 Djjebh32.exe 5064 Dimenegi.exe 2552 Ejlbhh32.exe 264 Eiobceef.exe 3740 Elnoopdj.exe 4864 Ebhglj32.exe 4248 Ejoomhmi.exe 2720 Eplgeokq.exe 4988 Ejalcgkg.exe 1360 Emphocjj.exe 3712 Epndknin.exe 724 Eblpgjha.exe 2004 Ejchhgid.exe 3672 Eifhdd32.exe 4932 Eleepoob.exe 3088 Eppqqn32.exe 4412 Ebommi32.exe 852 Ejfeng32.exe 1420 Emdajb32.exe 3792 Elgaeolp.exe 1120 Fcniglmb.exe 4320 Ffmfchle.exe 4328 Fikbocki.exe 2764 Fpejlmcf.exe 1744 Fjjnifbl.exe 3312 Fmikeaap.exe 1488 Fpggamqc.exe 4924 Ffaong32.exe 4036 Fipkjb32.exe 2788 Fmkgkapm.exe 4948 Fpjcgm32.exe 820 Fbhpch32.exe 3076 Ffclcgfn.exe 4636 Fmndpq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jpdhkf32.exe Jnelok32.exe File created C:\Windows\SysWOW64\Pehngkcg.exe Palbgl32.exe File opened for modification C:\Windows\SysWOW64\Gojiiafp.exe Glkmmefl.exe File opened for modification C:\Windows\SysWOW64\Moipoh32.exe Mqfpckhm.exe File created C:\Windows\SysWOW64\Klbjgbff.dll Pmlfqh32.exe File created C:\Windows\SysWOW64\Holpib32.dll Process not Found File created C:\Windows\SysWOW64\Biiobo32.exe Process not Found File created C:\Windows\SysWOW64\Kmfhkf32.exe Knchpiom.exe File created C:\Windows\SysWOW64\Eleeje32.dll Lkalplel.exe File opened for modification C:\Windows\SysWOW64\Pmlmkn32.exe Pknqoc32.exe File opened for modification C:\Windows\SysWOW64\Pmoiqneg.exe Poliea32.exe File opened for modification C:\Windows\SysWOW64\Bedgjgkg.exe Bahkih32.exe File created C:\Windows\SysWOW64\Lhlgfb32.dll Hcblpdgg.exe File created C:\Windows\SysWOW64\Ggiabl32.dll Mnfnlf32.exe File created C:\Windows\SysWOW64\Ohfami32.exe Odjeljhd.exe File opened for modification C:\Windows\SysWOW64\Odoogi32.exe Oelolmnd.exe File opened for modification C:\Windows\SysWOW64\Dfdpad32.exe Dbicpfdk.exe File created C:\Windows\SysWOW64\Kpanan32.exe Kncaec32.exe File created C:\Windows\SysWOW64\Lckiihok.exe Lopmii32.exe File created C:\Windows\SysWOW64\Gpkpbaea.dll Moipoh32.exe File opened for modification C:\Windows\SysWOW64\Cfigpm32.exe Bckkca32.exe File opened for modification C:\Windows\SysWOW64\Cofecami.exe Cjjlkk32.exe File opened for modification C:\Windows\SysWOW64\Odjeljhd.exe Oeheqm32.exe File opened for modification C:\Windows\SysWOW64\Qhkdof32.exe Qdphngfl.exe File opened for modification C:\Windows\SysWOW64\Camddhoi.exe Cnahdi32.exe File created C:\Windows\SysWOW64\Dkokcl32.exe Dmlkhofd.exe File created C:\Windows\SysWOW64\Jcoaglhk.exe Jocefm32.exe File created C:\Windows\SysWOW64\Fihgkk32.dll Lqojclne.exe File created C:\Windows\SysWOW64\Gaigbkko.dll Fjadje32.exe File created C:\Windows\SysWOW64\Lbmock32.dll Jgpmmp32.exe File opened for modification C:\Windows\SysWOW64\Pkbjjbda.exe Plpjoe32.exe File created C:\Windows\SysWOW64\Gjpank32.dll Bkjiao32.exe File created C:\Windows\SysWOW64\Gpelhd32.exe Glipgf32.exe File created C:\Windows\SysWOW64\Fdllgpbm.dll Mqafhl32.exe File opened for modification C:\Windows\SysWOW64\Mmhgmmbf.exe Mnegbp32.exe File opened for modification C:\Windows\SysWOW64\Amlogfel.exe Aoioli32.exe File created C:\Windows\SysWOW64\Pdjpll32.dll Fpggamqc.exe File opened for modification C:\Windows\SysWOW64\Nelfeo32.exe Nmenca32.exe File opened for modification C:\Windows\SysWOW64\Pocpfphe.exe Pkgcea32.exe File created C:\Windows\SysWOW64\Gpbpbecj.exe Glgcbf32.exe File created C:\Windows\SysWOW64\Polalahi.dll Jleijb32.exe File created C:\Windows\SysWOW64\Flhkmbmp.dll Ocgbld32.exe File created C:\Windows\SysWOW64\Pjehnm32.dll Phcgcqab.exe File opened for modification C:\Windows\SysWOW64\Akblfj32.exe Aggpfkjj.exe File created C:\Windows\SysWOW64\Dfjpfj32.exe Dpphjp32.exe File opened for modification C:\Windows\SysWOW64\Hkpqkcpd.exe Hbhijepa.exe File opened for modification C:\Windows\SysWOW64\Ipoopgnf.exe Ilccoh32.exe File created C:\Windows\SysWOW64\Ijdabh32.dll Kgninn32.exe File created C:\Windows\SysWOW64\Nklinjmj.dll Ddligq32.exe File created C:\Windows\SysWOW64\Fbjena32.exe Fnnjmbpm.exe File created C:\Windows\SysWOW64\Impliekg.exe Iidphgcn.exe File created C:\Windows\SysWOW64\Eanmnefk.dll Lcimdh32.exe File created C:\Windows\SysWOW64\Djcoai32.exe Dblgpl32.exe File created C:\Windows\SysWOW64\Ladfllde.dll Hloqml32.exe File opened for modification C:\Windows\SysWOW64\Jcikgacl.exe Jdfjld32.exe File created C:\Windows\SysWOW64\Cndepccb.dll Palbgl32.exe File opened for modification C:\Windows\SysWOW64\Aknifq32.exe Alkijdci.exe File created C:\Windows\SysWOW64\Cfpffeaj.exe Cnindhpg.exe File opened for modification C:\Windows\SysWOW64\Knqepc32.exe Kjeiodek.exe File created C:\Windows\SysWOW64\Clahmb32.dll Lcnfohmi.exe File opened for modification C:\Windows\SysWOW64\Dmalne32.exe Djcoai32.exe File opened for modification C:\Windows\SysWOW64\Pkgcea32.exe Phigif32.exe File created C:\Windows\SysWOW64\Lpamfo32.dll Alelqb32.exe File created C:\Windows\SysWOW64\Eofgpikj.exe Ekkkoj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5052 3660 Process not Found 1240 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpbpbecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gokbgpeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfldelik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfeng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmgqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipmbjgpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblbca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnoiqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjoja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomqcjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjfecno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpkadnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejbfmpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehgnied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jepjhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfhkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dooaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkgje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnipbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnbicff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqdcnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmmeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjkic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfnlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meepdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akblfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpabe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcaknbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opclldhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlqqcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhboolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofalmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniood32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdajb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilafiihp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmfjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhpch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfagf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fneggdhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoclopne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdgglfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjbmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljgbllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgmdec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjpnlbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfeeabda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcggio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngqagcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlhncgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpapmqq.dll" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjinf32.dll" Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accimdgp.dll" Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll" Ngndaccj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdoacabq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggikgqe.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 3bee487c1f9ca59a47cda738ec821eb4fe74f3bd04e9b242eab2ed838d11c3f8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knknhqjn.dll" Dbcmakpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhblk32.dll" Pknqoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll" Lfgipd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Panhbfep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghaae32.dll" Cdlqqcnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Feoodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfhhpnk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkimho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenghpla.dll" Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljnlecmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnojho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngjkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahfmpnql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipjedh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chnbbqpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll" Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghojbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjdaodja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkfglb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaohcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknkchkd.dll" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqknkedi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqfngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohhnbhok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgflp32.dll" Fcniglmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkohq32.dll" Igigla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklenm32.dll" Ponfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dblgpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlljcfl.dll" Emdajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmafqb32.dll" Mccfdmmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phdnngdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnhenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Felbnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flkdfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jebfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlobkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnagk32.dll" Kdbjhbbd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4612 wrote to memory of 4600 4612 3bee487c1f9ca59a47cda738ec821eb4fe74f3bd04e9b242eab2ed838d11c3f8.exe 85 PID 4612 wrote to memory of 4600 4612 3bee487c1f9ca59a47cda738ec821eb4fe74f3bd04e9b242eab2ed838d11c3f8.exe 85 PID 4612 wrote to memory of 4600 4612 3bee487c1f9ca59a47cda738ec821eb4fe74f3bd04e9b242eab2ed838d11c3f8.exe 85 PID 4600 wrote to memory of 1580 4600 Bmofagfp.exe 86 PID 4600 wrote to memory of 1580 4600 Bmofagfp.exe 86 PID 4600 wrote to memory of 1580 4600 Bmofagfp.exe 86 PID 1580 wrote to memory of 4568 1580 Bombmcec.exe 87 PID 1580 wrote to memory of 4568 1580 Bombmcec.exe 87 PID 1580 wrote to memory of 4568 1580 Bombmcec.exe 87 PID 4568 wrote to memory of 2860 4568 Bjbfklei.exe 88 PID 4568 wrote to memory of 2860 4568 Bjbfklei.exe 88 PID 4568 wrote to memory of 2860 4568 Bjbfklei.exe 88 PID 2860 wrote to memory of 1364 2860 Bmabggdm.exe 89 PID 2860 wrote to memory of 1364 2860 Bmabggdm.exe 89 PID 2860 wrote to memory of 1364 2860 Bmabggdm.exe 89 PID 1364 wrote to memory of 1112 1364 Bkdcbd32.exe 90 PID 1364 wrote to memory of 1112 1364 Bkdcbd32.exe 90 PID 1364 wrote to memory of 1112 1364 Bkdcbd32.exe 90 PID 1112 wrote to memory of 4768 1112 Bckkca32.exe 91 PID 1112 wrote to memory of 4768 1112 Bckkca32.exe 91 PID 1112 wrote to memory of 4768 1112 Bckkca32.exe 91 PID 4768 wrote to memory of 3092 4768 Cfigpm32.exe 92 PID 4768 wrote to memory of 3092 4768 Cfigpm32.exe 92 PID 4768 wrote to memory of 3092 4768 Cfigpm32.exe 92 PID 3092 wrote to memory of 4848 3092 Ckfphc32.exe 93 PID 3092 wrote to memory of 4848 3092 Ckfphc32.exe 93 PID 3092 wrote to memory of 4848 3092 Ckfphc32.exe 93 PID 4848 wrote to memory of 4724 4848 Cfldelik.exe 94 PID 4848 wrote to memory of 4724 4848 Cfldelik.exe 94 PID 4848 wrote to memory of 4724 4848 Cfldelik.exe 94 PID 4724 wrote to memory of 4996 4724 Cijpahho.exe 95 PID 4724 wrote to memory of 4996 4724 Cijpahho.exe 95 PID 4724 wrote to memory of 4996 4724 Cijpahho.exe 95 PID 4996 wrote to memory of 3920 4996 Ccpdoqgd.exe 97 PID 4996 wrote to memory of 3920 4996 Ccpdoqgd.exe 97 PID 4996 wrote to memory of 3920 4996 Ccpdoqgd.exe 97 PID 3920 wrote to memory of 1076 3920 Cjjlkk32.exe 98 PID 3920 wrote to memory of 1076 3920 Cjjlkk32.exe 98 PID 3920 wrote to memory of 1076 3920 Cjjlkk32.exe 98 PID 1076 wrote to memory of 1148 1076 Cofecami.exe 99 PID 1076 wrote to memory of 1148 1076 Cofecami.exe 99 PID 1076 wrote to memory of 1148 1076 Cofecami.exe 99 PID 1148 wrote to memory of 4492 1148 Cjliajmo.exe 100 PID 1148 wrote to memory of 4492 1148 Cjliajmo.exe 100 PID 1148 wrote to memory of 4492 1148 Cjliajmo.exe 100 PID 4492 wrote to memory of 2304 4492 Coiaiakf.exe 102 PID 4492 wrote to memory of 2304 4492 Coiaiakf.exe 102 PID 4492 wrote to memory of 2304 4492 Coiaiakf.exe 102 PID 2304 wrote to memory of 3432 2304 Cfcjfk32.exe 103 PID 2304 wrote to memory of 3432 2304 Cfcjfk32.exe 103 PID 2304 wrote to memory of 3432 2304 Cfcjfk32.exe 103 PID 3432 wrote to memory of 3068 3432 Cmmbbejp.exe 104 PID 3432 wrote to memory of 3068 3432 Cmmbbejp.exe 104 PID 3432 wrote to memory of 3068 3432 Cmmbbejp.exe 104 PID 3068 wrote to memory of 3172 3068 Ccgjopal.exe 105 PID 3068 wrote to memory of 3172 3068 Ccgjopal.exe 105 PID 3068 wrote to memory of 3172 3068 Ccgjopal.exe 105 PID 3172 wrote to memory of 1888 3172 Dmoohe32.exe 106 PID 3172 wrote to memory of 1888 3172 Dmoohe32.exe 106 PID 3172 wrote to memory of 1888 3172 Dmoohe32.exe 106 PID 1888 wrote to memory of 3160 1888 Dblgpl32.exe 108 PID 1888 wrote to memory of 3160 1888 Dblgpl32.exe 108 PID 1888 wrote to memory of 3160 1888 Dblgpl32.exe 108 PID 3160 wrote to memory of 4536 3160 Djcoai32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bee487c1f9ca59a47cda738ec821eb4fe74f3bd04e9b242eab2ed838d11c3f8.exe"C:\Users\Admin\AppData\Local\Temp\3bee487c1f9ca59a47cda738ec821eb4fe74f3bd04e9b242eab2ed838d11c3f8.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Cfcjfk32.exeC:\Windows\system32\Cfcjfk32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe23⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3700 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe25⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe27⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4772 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe29⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe30⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:5092 -
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe32⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe33⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe34⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe35⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe36⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe37⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe38⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe39⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe40⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe41⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe42⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe44⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe45⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe46⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe47⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe48⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:852 -
C:\Windows\SysWOW64\Emdajb32.exeC:\Windows\system32\Emdajb32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe51⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe53⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe54⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe55⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe56⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe57⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe59⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe60⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe61⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe62⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:820 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe64⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Fmndpq32.exeC:\Windows\system32\Fmndpq32.exe65⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Fplpll32.exeC:\Windows\system32\Fplpll32.exe66⤵PID:2616
-
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe67⤵
- Drops file in System32 directory
PID:628 -
C:\Windows\SysWOW64\Fideeaco.exeC:\Windows\system32\Fideeaco.exe68⤵PID:5032
-
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe69⤵PID:4776
-
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe70⤵PID:3440
-
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe71⤵PID:1684
-
C:\Windows\SysWOW64\Gjdaodja.exeC:\Windows\system32\Gjdaodja.exe72⤵
- Modifies registry class
PID:3640 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe73⤵PID:4692
-
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe74⤵PID:460
-
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe75⤵PID:936
-
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe76⤵PID:1084
-
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe77⤵PID:3048
-
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe78⤵PID:1772
-
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe79⤵PID:4052
-
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe80⤵PID:2632
-
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe81⤵PID:3264
-
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe82⤵
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe83⤵
- System Location Discovery: System Language Discovery
PID:3464 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe84⤵PID:2132
-
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe85⤵PID:3652
-
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe86⤵PID:5148
-
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe87⤵PID:5212
-
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe88⤵PID:5276
-
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe89⤵
- Drops file in System32 directory
PID:5340 -
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5384 -
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe91⤵PID:5424
-
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe92⤵PID:5468
-
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe93⤵PID:5512
-
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe94⤵PID:5556
-
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe95⤵PID:5600
-
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe96⤵PID:5644
-
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe97⤵PID:5688
-
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe98⤵PID:5740
-
C:\Windows\SysWOW64\Higjaoci.exeC:\Windows\system32\Higjaoci.exe99⤵PID:5784
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe100⤵
- Modifies registry class
PID:5828 -
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe101⤵PID:5872
-
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe102⤵PID:5916
-
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe103⤵PID:5960
-
C:\Windows\SysWOW64\Hkfglb32.exeC:\Windows\system32\Hkfglb32.exe104⤵
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe105⤵PID:6044
-
C:\Windows\SysWOW64\Hlhccj32.exeC:\Windows\system32\Hlhccj32.exe106⤵PID:6088
-
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe107⤵PID:6132
-
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe108⤵
- Drops file in System32 directory
PID:5196 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe109⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe110⤵PID:5348
-
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe111⤵PID:5420
-
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe112⤵PID:5488
-
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe113⤵PID:5524
-
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe114⤵PID:5592
-
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe115⤵PID:5656
-
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe116⤵PID:5720
-
C:\Windows\SysWOW64\Ilmmni32.exeC:\Windows\system32\Ilmmni32.exe117⤵PID:5772
-
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe118⤵PID:5836
-
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe119⤵PID:5900
-
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe120⤵PID:5984
-
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe121⤵PID:6056
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-