Analysis

max time kernel: 61s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 17/03/2025, 03:11

Static task: static1

Behavioral task: behavioral1
Sample: 5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b.exe
Resource: win10v2004-20250314-en

General

Target: 5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b.exe
Size: 96KB
MD5: 80c48e28dcaf5cb52567a1b9c1207119
SHA1: 88302a511a27204c475fb1639c2d324ac3ca3715
SHA256: 5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b
SHA512: bef539179b69cf132c0f094e1526e96606575a320a287f0f97fe441b87176471d44f29068178c71e94259af5e7f4939fb3fbd4e4653c94c17e4e901fcce5fc1e
SSDEEP: 1536:dzwg51GQQwXvwjLikaURG2LY97RZObZUUWaegPYAW:Vw8G9wXvaiZ6AClUUWaeF
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abhnlqlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmcnmapk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpfbfh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hopibdfd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcbcah32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laacmc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmkkhfmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amalcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agmbolin.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egmhjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnbdbomn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddmohbln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fodljn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apjbpemb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijcmipjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hepdml32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhjcmcep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilcfjkgj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koacjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emogdk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abaaakob.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlmqip32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbokkagk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mbfbfe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agmbolin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fiomhc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Berbew family

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.

Bruteratel family

Detect BruteRatel badger (10 IoCs)

resource | yara_rule
behavioral1/files/0x000400000001c963-626.dat | family_bruteratel
behavioral1/files/0x00030000000207dc-4511.dat | family_bruteratel
behavioral1/files/0x0003000000021034-7353.dat | family_bruteratel
behavioral1/files/0x000300000002117b-7947.dat | family_bruteratel
behavioral1/files/0x000300000002128d-8492.dat | family_bruteratel
behavioral1/files/0x00030000000213b7-9052.dat | family_bruteratel
behavioral1/files/0x0003000000021c8d-13113.dat | family_bruteratel
behavioral1/files/0x00020000000230e6-14674.dat | family_bruteratel
behavioral1/files/0x0002000000024355-22441.dat | family_bruteratel
behavioral1/files/0x0002000000023d89-19036.dat | family_bruteratel
Executes dropped EXE (64 IoCs)

pid | Process
2328 | Jigmeagl.exe
2696 | Joaebkni.exe
2740 | Jgljfmkd.exe
2836 | Jnfbcg32.exe
2752 | Jccjln32.exe
2620 | Jjmchhhe.exe
2052 | Kgqcam32.exe
2144 | Kjopnh32.exe
1496 | Kplhfo32.exe
3048 | Kcgdgnmc.exe
2296 | Kmphpc32.exe
2932 | Kakdpb32.exe
2388 | Kfhmhi32.exe
1592 | Kigidd32.exe
2568 | Kbonmjph.exe
2180 | Kfkjnh32.exe
1244 | Klgbfo32.exe
2548 | Kofnbk32.exe
2292 | Lepfoe32.exe
1200 | Lhnckp32.exe
1528 | Lpekln32.exe
2672 | Lbdghi32.exe
1596 | Lebcdd32.exe
2356 | Lllkaobc.exe
3012 | Lbfdnijp.exe
2224 | Ledpjdid.exe
2712 | Lhclfphg.exe
2840 | Legmpdga.exe
2724 | Lghigl32.exe
2708 | Looahi32.exe
2248 | Lanmde32.exe
1068 | Lkfbmj32.exe
2536 | Mpcjfa32.exe
2876 | Mdnffpif.exe
2576 | Mgmbbkij.exe
2912 | Mkhocj32.exe
2920 | Mpegka32.exe
1440 | Mcccglnn.exe
1132 | Mpgdaqmh.exe
1732 | Mcfpmlll.exe
2164 | Mlndfa32.exe
2232 | Mpjqfpke.exe
1880 | Mefiog32.exe
2376 | Mibeofaf.exe
1536 | Mlqakaqi.exe
1832 | Mcjihk32.exe
916 | Mdlfpcnd.exe
852 | Mhgbpb32.exe
2140 | Nlcnaaog.exe
2860 | Nkfnln32.exe
2848 | Nhjofbdk.exe
2600 | Ngmoao32.exe
1940 | Nkhkbmco.exe
1032 | Nnfgnibb.exe
1064 | Npecjdaf.exe
3040 | Nhlkkabh.exe
1372 | Nkjggmal.exe
1704 | Nnidchqp.exe
1240 | Ndclpb32.exe
2252 | Ngahmngp.exe
936 | Nnkqih32.exe
2964 | Nqjmec32.exe
1100 | Ndeifbfj.exe
560 | Nffenj32.exe
Loads dropped DLL (64 IoCs)

pid | Process
2532 | 5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b.exe
2532 | 5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b.exe
2328 | Jigmeagl.exe
2328 | Jigmeagl.exe
2696 | Joaebkni.exe
2696 | Joaebkni.exe
2740 | Jgljfmkd.exe
2740 | Jgljfmkd.exe
2836 | Jnfbcg32.exe
2836 | Jnfbcg32.exe
2752 | Jccjln32.exe
2752 | Jccjln32.exe
2620 | Jjmchhhe.exe
2620 | Jjmchhhe.exe
2052 | Kgqcam32.exe
2052 | Kgqcam32.exe
2144 | Kjopnh32.exe
2144 | Kjopnh32.exe
1496 | Kplhfo32.exe
1496 | Kplhfo32.exe
3048 | Kcgdgnmc.exe
3048 | Kcgdgnmc.exe
2296 | Kmphpc32.exe
2296 | Kmphpc32.exe
2932 | Kakdpb32.exe
2932 | Kakdpb32.exe
2388 | Kfhmhi32.exe
2388 | Kfhmhi32.exe
1592 | Kigidd32.exe
1592 | Kigidd32.exe
2568 | Kbonmjph.exe
2568 | Kbonmjph.exe
2180 | Kfkjnh32.exe
2180 | Kfkjnh32.exe
1244 | Klgbfo32.exe
1244 | Klgbfo32.exe
2548 | Kofnbk32.exe
2548 | Kofnbk32.exe
2292 | Lepfoe32.exe
2292 | Lepfoe32.exe
1200 | Lhnckp32.exe
1200 | Lhnckp32.exe
1528 | Lpekln32.exe
1528 | Lpekln32.exe
2672 | Lbdghi32.exe
2672 | Lbdghi32.exe
1596 | Lebcdd32.exe
1596 | Lebcdd32.exe
2356 | Lllkaobc.exe
2356 | Lllkaobc.exe
3012 | Lbfdnijp.exe
3012 | Lbfdnijp.exe
2224 | Ledpjdid.exe
2224 | Ledpjdid.exe
2712 | Lhclfphg.exe
2712 | Lhclfphg.exe
2840 | Legmpdga.exe
2840 | Legmpdga.exe
2724 | Lghigl32.exe
2724 | Lghigl32.exe
2708 | Looahi32.exe
2708 | Looahi32.exe
2248 | Lanmde32.exe
2248 | Lanmde32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Mgkncfdc.exe | Process not Found
File created | C:\Windows\SysWOW64\Koebpa32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gebflaga.exe | Process not Found
File created | C:\Windows\SysWOW64\Endmgb32.exe | Elfakg32.exe
File created | C:\Windows\SysWOW64\Melcmf32.dll | Process not Found
File created | C:\Windows\SysWOW64\Ajkmbo32.exe | Ahmpfc32.exe
File opened for modification | C:\Windows\SysWOW64\Ihhlbegd.exe | Process not Found
File created | C:\Windows\SysWOW64\Jopfgaod.dll | Lafpipoa.exe
File created | C:\Windows\SysWOW64\Cmlhih32.dll | Pkeppngm.exe
File created | C:\Windows\SysWOW64\Mkbjgp32.dll | Bhiiepcl.exe
File created | C:\Windows\SysWOW64\Kgghidfm.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Dljoac32.exe | Process not Found
File created | C:\Windows\SysWOW64\Eeljbd32.dll | Process not Found
File created | C:\Windows\SysWOW64\Jhbikcdn.dll | Eligoe32.exe
File created | C:\Windows\SysWOW64\Ikoaghlg.dll | Pdhdcnng.exe
File opened for modification | C:\Windows\SysWOW64\Ckgkfi32.exe | Cbpbek32.exe
File created | C:\Windows\SysWOW64\Ofdkpo32.dll | Process not Found
File created | C:\Windows\SysWOW64\Mpfpgbnn.dll | Process not Found
File created | C:\Windows\SysWOW64\Anjjjn32.exe | Process not Found
File created | C:\Windows\SysWOW64\Dqonafca.dll | Bhmonoli.exe
File created | C:\Windows\SysWOW64\Mijmfogh.dll | Process not Found
File created | C:\Windows\SysWOW64\Lgnqbl32.exe | Process not Found
File created | C:\Windows\SysWOW64\Nfjpcjhe.exe | Process not Found
File created | C:\Windows\SysWOW64\Pdopmade.dll | Jnfbcg32.exe
File opened for modification | C:\Windows\SysWOW64\Fihojl32.dll | Process not Found
File created | C:\Windows\SysWOW64\Ejidna32.dll | Kbjmhd32.exe
File opened for modification | C:\Windows\SysWOW64\Hfbfpnel.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Pkpacaoj.exe | Process not Found
File created | C:\Windows\SysWOW64\Bnnekk32.dll | Nenaho32.exe
File opened for modification | C:\Windows\SysWOW64\Epcomc32.exe | Dnecag32.exe
File created | C:\Windows\SysWOW64\Bndckc32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Dbenhc32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Hncjiecj.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Qepbjh32.exe | Process not Found
File created | C:\Windows\SysWOW64\Mpnhhh32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Egnjbfqc.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ephkak32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Cgklma32.exe | Ccoplcii.exe
File created | C:\Windows\SysWOW64\Phhnkggl.dll | Dcffmb32.exe
File opened for modification | C:\Windows\SysWOW64\Gnfoao32.exe | Gjjcqpbj.exe
File created | C:\Windows\SysWOW64\Fgpqnpjh.exe | Fimpcc32.exe
File created | C:\Windows\SysWOW64\Mdngapdg.dll | Process not Found
File created | C:\Windows\SysWOW64\Nfoinj32.exe | Process not Found
File created | C:\Windows\SysWOW64\Epflbbpp.exe | Eaclgf32.exe
File created | C:\Windows\SysWOW64\Nbqnobge.exe | Process not Found
File created | C:\Windows\SysWOW64\Iigcomkk.dll | Mhmhpm32.exe
File created | C:\Windows\SysWOW64\Baoahf32.exe | Boadlk32.exe
File opened for modification | C:\Windows\SysWOW64\Pjlbld32.exe | Pgmfph32.exe
File created | C:\Windows\SysWOW64\Dhplgonm.dll | Process not Found
File created | C:\Windows\SysWOW64\Aabhiikm.exe | Andlmnki.exe
File created | C:\Windows\SysWOW64\Lkneko32.dll | Polbemck.exe
File opened for modification | C:\Windows\SysWOW64\Ejcaanfg.exe | Ehbdif32.exe
File created | C:\Windows\SysWOW64\Lbibla32.exe | Llojpghe.exe
File created | C:\Windows\SysWOW64\Ibfdea32.dll | Process not Found
File created | C:\Windows\SysWOW64\Gdilpd32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kmedck32.exe | Kiihcmoi.exe
File created | C:\Windows\SysWOW64\Qlqmjc32.dll | Elfakg32.exe
File created | C:\Windows\SysWOW64\Mbmhnekp.dll | Mipjbokm.exe
File created | C:\Windows\SysWOW64\Hfbfpnel.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Dlppgihj.exe | Process not Found
File created | C:\Windows\SysWOW64\Opgfhf32.dll | Process not Found
File created | C:\Windows\SysWOW64\Iikgkq32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Paqoef32.exe | Pnbcij32.exe
File created | C:\Windows\SysWOW64\Mbpekm32.dll | Process not Found
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
2760 | 3720 | Process not Found | 1413
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohljcnlh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmqpinlf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lepihndm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajkokgia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilolol32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lafpipoa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pnbeacbd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddmohbln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmojcceo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlfmoidh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofcnmh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlndfa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckboba32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iaknmm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idjjih32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abkqle32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elafbcao.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Engnno32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihopjl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgibpj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oilgje32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aelgdhei.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Beccgi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Majfcb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgcoal32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dcgiejje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edehfe32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgabh32.dll" | Ooncljom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjdajc32.dll" | Donijk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gimmbg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicfhb32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ebkpma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdiekq32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klghoe32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfhmhi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmffhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgmajelk.dll" | Cdkfco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcieb32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hojeka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbckadf.dll" | Jofhqiec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dlgjie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cignlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnhcidkc.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkockb32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pddbni32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aendjh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hiffbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hebqbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oabafcek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccanfla.dll" | Iobbfggm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Igomfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbogkp32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hfmcapna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmkla32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Geckno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ghagjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldlfpf32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pejnpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epflbbpp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpejff32.dll" | Klgbfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nknmplji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjdea32.dll" | Andnff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajnlqgfo.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2532 wrote to memory of 2328 | 2532 | 5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b.exe | 29
PID 2532 wrote to memory of 2328 | 2532 | 5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b.exe | 29
PID 2532 wrote to memory of 2328 | 2532 | 5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b.exe | 29
PID 2532 wrote to memory of 2328 | 2532 | 5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b.exe | 29
PID 2328 wrote to memory of 2696 | 2328 | Jigmeagl.exe | 30
PID 2328 wrote to memory of 2696 | 2328 | Jigmeagl.exe | 30
PID 2328 wrote to memory of 2696 | 2328 | Jigmeagl.exe | 30
PID 2328 wrote to memory of 2696 | 2328 | Jigmeagl.exe | 30
PID 2696 wrote to memory of 2740 | 2696 | Joaebkni.exe | 31
PID 2696 wrote to memory of 2740 | 2696 | Joaebkni.exe | 31
PID 2696 wrote to memory of 2740 | 2696 | Joaebkni.exe | 31
PID 2696 wrote to memory of 2740 | 2696 | Joaebkni.exe | 31
PID 2740 wrote to memory of 2836 | 2740 | Jgljfmkd.exe | 32
PID 2740 wrote to memory of 2836 | 2740 | Jgljfmkd.exe | 32
PID 2740 wrote to memory of 2836 | 2740 | Jgljfmkd.exe | 32
PID 2740 wrote to memory of 2836 | 2740 | Jgljfmkd.exe | 32
PID 2836 wrote to memory of 2752 | 2836 | Jnfbcg32.exe | 33
PID 2836 wrote to memory of 2752 | 2836 | Jnfbcg32.exe | 33
PID 2836 wrote to memory of 2752 | 2836 | Jnfbcg32.exe | 33
PID 2836 wrote to memory of 2752 | 2836 | Jnfbcg32.exe | 33
PID 2752 wrote to memory of 2620 | 2752 | Jccjln32.exe | 34
PID 2752 wrote to memory of 2620 | 2752 | Jccjln32.exe | 34
PID 2752 wrote to memory of 2620 | 2752 | Jccjln32.exe | 34
PID 2752 wrote to memory of 2620 | 2752 | Jccjln32.exe | 34
PID 2620 wrote to memory of 2052 | 2620 | Jjmchhhe.exe | 35
PID 2620 wrote to memory of 2052 | 2620 | Jjmchhhe.exe | 35
PID 2620 wrote to memory of 2052 | 2620 | Jjmchhhe.exe | 35
PID 2620 wrote to memory of 2052 | 2620 | Jjmchhhe.exe | 35
PID 2052 wrote to memory of 2144 | 2052 | Kgqcam32.exe | 36
PID 2052 wrote to memory of 2144 | 2052 | Kgqcam32.exe | 36
PID 2052 wrote to memory of 2144 | 2052 | Kgqcam32.exe | 36
PID 2052 wrote to memory of 2144 | 2052 | Kgqcam32.exe | 36
PID 2144 wrote to memory of 1496 | 2144 | Kjopnh32.exe | 37
PID 2144 wrote to memory of 1496 | 2144 | Kjopnh32.exe | 37
PID 2144 wrote to memory of 1496 | 2144 | Kjopnh32.exe | 37
PID 2144 wrote to memory of 1496 | 2144 | Kjopnh32.exe | 37
PID 1496 wrote to memory of 3048 | 1496 | Kplhfo32.exe | 38
PID 1496 wrote to memory of 3048 | 1496 | Kplhfo32.exe | 38
PID 1496 wrote to memory of 3048 | 1496 | Kplhfo32.exe | 38
PID 1496 wrote to memory of 3048 | 1496 | Kplhfo32.exe | 38
PID 3048 wrote to memory of 2296 | 3048 | Kcgdgnmc.exe | 39
PID 3048 wrote to memory of 2296 | 3048 | Kcgdgnmc.exe | 39
PID 3048 wrote to memory of 2296 | 3048 | Kcgdgnmc.exe | 39
PID 3048 wrote to memory of 2296 | 3048 | Kcgdgnmc.exe | 39
PID 2296 wrote to memory of 2932 | 2296 | Kmphpc32.exe | 40
PID 2296 wrote to memory of 2932 | 2296 | Kmphpc32.exe | 40
PID 2296 wrote to memory of 2932 | 2296 | Kmphpc32.exe | 40
PID 2296 wrote to memory of 2932 | 2296 | Kmphpc32.exe | 40
PID 2932 wrote to memory of 2388 | 2932 | Kakdpb32.exe | 41
PID 2932 wrote to memory of 2388 | 2932 | Kakdpb32.exe | 41
PID 2932 wrote to memory of 2388 | 2932 | Kakdpb32.exe | 41
PID 2932 wrote to memory of 2388 | 2932 | Kakdpb32.exe | 41
PID 2388 wrote to memory of 1592 | 2388 | Kfhmhi32.exe | 42
PID 2388 wrote to memory of 1592 | 2388 | Kfhmhi32.exe | 42
PID 2388 wrote to memory of 1592 | 2388 | Kfhmhi32.exe | 42
PID 2388 wrote to memory of 1592 | 2388 | Kfhmhi32.exe | 42
PID 1592 wrote to memory of 2568 | 1592 | Kigidd32.exe | 43
PID 1592 wrote to memory of 2568 | 1592 | Kigidd32.exe | 43
PID 1592 wrote to memory of 2568 | 1592 | Kigidd32.exe | 43
PID 1592 wrote to memory of 2568 | 1592 | Kigidd32.exe | 43
PID 2568 wrote to memory of 2180 | 2568 | Kbonmjph.exe | 44
PID 2568 wrote to memory of 2180 | 2568 | Kbonmjph.exe | 44
PID 2568 wrote to memory of 2180 | 2568 | Kbonmjph.exe | 44
PID 2568 wrote to memory of 2180 | 2568 | Kbonmjph.exe | 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b.exe  "C:\Users\Admin\AppData\Local\Temp\5a126ec71fc549061f9c446e09e5ba4596bcee1d2b1302d1bd2004366c66bf2b.exe"  1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Jigmeagl.exe  C:\Windows\system32\Jigmeagl.exe  2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Joaebkni.exe  C:\Windows\system32\Joaebkni.exe  3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Jgljfmkd.exe  C:\Windows\system32\Jgljfmkd.exe  4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Jnfbcg32.exe  C:\Windows\system32\Jnfbcg32.exe  5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Jccjln32.exe  C:\Windows\system32\Jccjln32.exe  6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Jjmchhhe.exe  C:\Windows\system32\Jjmchhhe.exe  7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Kgqcam32.exe  C:\Windows\system32\Kgqcam32.exe  8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Kjopnh32.exe  C:\Windows\system32\Kjopnh32.exe  9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Kplhfo32.exe  C:\Windows\system32\Kplhfo32.exe  10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Kcgdgnmc.exe  C:\Windows\system32\Kcgdgnmc.exe  11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Kmphpc32.exe  C:\Windows\system32\Kmphpc32.exe  12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Kakdpb32.exe  C:\Windows\system32\Kakdpb32.exe  13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Kfhmhi32.exe  C:\Windows\system32\Kfhmhi32.exe  14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Kigidd32.exe  C:\Windows\system32\Kigidd32.exe  15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Kbonmjph.exe  C:\Windows\system32\Kbonmjph.exe  16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Kfkjnh32.exe  C:\Windows\system32\Kfkjnh32.exe  17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Klgbfo32.exe  C:\Windows\system32\Klgbfo32.exe  18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Kofnbk32.exe  C:\Windows\system32\Kofnbk32.exe  19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Lepfoe32.exe  C:\Windows\system32\Lepfoe32.exe  20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Lhnckp32.exe  C:\Windows\system32\Lhnckp32.exe  21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Windows\SysWOW64\Lpekln32.exe  C:\Windows\system32\Lpekln32.exe  22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Lbdghi32.exe  C:\Windows\system32\Lbdghi32.exe  23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Lebcdd32.exe  C:\Windows\system32\Lebcdd32.exe  24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Lllkaobc.exe  C:\Windows\system32\Lllkaobc.exe  25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Lbfdnijp.exe  C:\Windows\system32\Lbfdnijp.exe  26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Ledpjdid.exe  C:\Windows\system32\Ledpjdid.exe  27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Lhclfphg.exe  C:\Windows\system32\Lhclfphg.exe  28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Legmpdga.exe  C:\Windows\system32\Legmpdga.exe  29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Lghigl32.exe  C:\Windows\system32\Lghigl32.exe  30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Looahi32.exe  C:\Windows\system32\Looahi32.exe  31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Lanmde32.exe  C:\Windows\system32\Lanmde32.exe  32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Lkfbmj32.exe  C:\Windows\system32\Lkfbmj32.exe  33⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Mpcjfa32.exe  C:\Windows\system32\Mpcjfa32.exe  34⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Mdnffpif.exe  C:\Windows\system32\Mdnffpif.exe  35⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Mgmbbkij.exe  C:\Windows\system32\Mgmbbkij.exe  36⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Mkhocj32.exe  C:\Windows\system32\Mkhocj32.exe  37⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Mpegka32.exe  C:\Windows\system32\Mpegka32.exe  38⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Mcccglnn.exe  C:\Windows\system32\Mcccglnn.exe  39⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Mpgdaqmh.exe  C:\Windows\system32\Mpgdaqmh.exe  40⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Mcfpmlll.exe  C:\Windows\system32\Mcfpmlll.exe  41⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Mlndfa32.exe  C:\Windows\system32\Mlndfa32.exe  42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Mpjqfpke.exe  C:\Windows\system32\Mpjqfpke.exe  43⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Mefiog32.exe  C:\Windows\system32\Mefiog32.exe  44⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Mibeofaf.exe  C:\Windows\system32\Mibeofaf.exe  45⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Mlqakaqi.exe  C:\Windows\system32\Mlqakaqi.exe  46⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Mcjihk32.exe  C:\Windows\system32\Mcjihk32.exe  47⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Mdlfpcnd.exe  C:\Windows\system32\Mdlfpcnd.exe  48⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Mhgbpb32.exe  C:\Windows\system32\Mhgbpb32.exe  49⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Nlcnaaog.exe  C:\Windows\system32\Nlcnaaog.exe  50⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Nkfnln32.exe  C:\Windows\system32\Nkfnln32.exe  51⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Nhjofbdk.exe  C:\Windows\system32\Nhjofbdk.exe  52⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ngmoao32.exe  C:\Windows\system32\Ngmoao32.exe  53⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Nkhkbmco.exe  C:\Windows\system32\Nkhkbmco.exe  54⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Nnfgnibb.exe  C:\Windows\system32\Nnfgnibb.exe  55⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Npecjdaf.exe  C:\Windows\system32\Npecjdaf.exe  56⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Nhlkkabh.exe  C:\Windows\system32\Nhlkkabh.exe  57⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Nkjggmal.exe  C:\Windows\system32\Nkjggmal.exe  58⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Nnidchqp.exe  C:\Windows\system32\Nnidchqp.exe  59⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Ndclpb32.exe  C:\Windows\system32\Ndclpb32.exe  60⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Ngahmngp.exe  C:\Windows\system32\Ngahmngp.exe  61⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Nnkqih32.exe  C:\Windows\system32\Nnkqih32.exe  62⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Nqjmec32.exe  C:\Windows\system32\Nqjmec32.exe  63⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Ndeifbfj.exe  C:\Windows\system32\Ndeifbfj.exe  64⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Nffenj32.exe  C:\Windows\system32\Nffenj32.exe  65⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Njbanida.exe  C:\Windows\system32\Njbanida.exe  66⤵  PID:2880
-
C:\Windows\SysWOW64\Nlpmjdce.exe  C:\Windows\system32\Nlpmjdce.exe  67⤵  PID:2364
-
C:\Windows\SysWOW64\Nqlikc32.exe  C:\Windows\system32\Nqlikc32.exe  68⤵  PID:2728
-
C:\Windows\SysWOW64\Ocjfgo32.exe  C:\Windows\system32\Ocjfgo32.exe  69⤵  PID:2772
-
C:\Windows\SysWOW64\Ogfagmck.exe  C:\Windows\system32\Ogfagmck.exe  70⤵  PID:2892
-
C:\Windows\SysWOW64\Ombjpd32.exe  C:\Windows\system32\Ombjpd32.exe  71⤵  PID:408
-
C:\Windows\SysWOW64\Ooaflp32.exe  C:\Windows\system32\Ooaflp32.exe  72⤵  PID:2024
-
C:\Windows\SysWOW64\Obpbhk32.exe  C:\Windows\system32\Obpbhk32.exe  73⤵  PID:1820
-
C:\Windows\SysWOW64\Ojgkih32.exe  C:\Windows\system32\Ojgkih32.exe  74⤵  PID:1340
-
C:\Windows\SysWOW64\Omeged32.exe  C:\Windows\system32\Omeged32.exe  75⤵  PID:2308
-
C:\Windows\SysWOW64\Okhgaqfj.exe  C:\Windows\system32\Okhgaqfj.exe  76⤵  PID:2264
-
C:\Windows\SysWOW64\Ocoobngl.exe  C:\Windows\system32\Ocoobngl.exe  77⤵  PID:1852
-
C:\Windows\SysWOW64\Odpljf32.exe  C:\Windows\system32\Odpljf32.exe  78⤵  PID:2432
-
C:\Windows\SysWOW64\Oilgje32.exe  C:\Windows\system32\Oilgje32.exe  79⤵
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Oofpgolq.exe  C:\Windows\system32\Oofpgolq.exe  80⤵  PID:3036
-
C:\Windows\SysWOW64\Obdlcjkd.exe  C:\Windows\system32\Obdlcjkd.exe  81⤵  PID:264
-
C:\Windows\SysWOW64\Ofphdi32.exe  C:\Windows\system32\Ofphdi32.exe  82⤵  PID:3000
-
C:\Windows\SysWOW64\Oindpd32.exe  C:\Windows\system32\Oindpd32.exe  83⤵  PID:1984
-
C:\Windows\SysWOW64\Okmqlp32.exe  C:\Windows\system32\Okmqlp32.exe  84⤵  PID:576
-
C:\Windows\SysWOW64\Onkmhl32.exe  C:\Windows\system32\Onkmhl32.exe  85⤵  PID:2820
-
C:\Windows\SysWOW64\Obfiijia.exe  C:\Windows\system32\Obfiijia.exe  86⤵  PID:2640
-
C:\Windows\SysWOW64\Oeeeeehe.exe  C:\Windows\system32\Oeeeeehe.exe  87⤵  PID:1648
-
C:\Windows\SysWOW64\Okomappb.exe  C:\Windows\system32\Okomappb.exe  88⤵  PID:2556
-
C:\Windows\SysWOW64\Pjbnmm32.exe  C:\Windows\system32\Pjbnmm32.exe  89⤵  PID:2792
-
C:\Windows\SysWOW64\Pbienj32.exe  C:\Windows\system32\Pbienj32.exe  90⤵  PID:2100
-
C:\Windows\SysWOW64\Pcjbfbmm.exe  C:\Windows\system32\Pcjbfbmm.exe  91⤵  PID:1784
-
C:\Windows\SysWOW64\Pkajgonp.exe  C:\Windows\system32\Pkajgonp.exe  92⤵  PID:1776
-
C:\Windows\SysWOW64\Pnpfckmc.exe  C:\Windows\system32\Pnpfckmc.exe  93⤵  PID:2540
-
C:\Windows\SysWOW64\Pmbfoh32.exe  C:\Windows\system32\Pmbfoh32.exe  94⤵  PID:1844
-
C:\Windows\SysWOW64\Pejnpe32.exe  C:\Windows\system32\Pejnpe32.exe  95⤵
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Pghklq32.exe  C:\Windows\system32\Pghklq32.exe  96⤵  PID:2732
-
C:\Windows\SysWOW64\Pjfghl32.exe  C:\Windows\system32\Pjfghl32.exe  97⤵  PID:2972
-
C:\Windows\SysWOW64\Pnbcij32.exe  C:\Windows\system32\Pnbcij32.exe  98⤵
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Paqoef32.exe  C:\Windows\system32\Paqoef32.exe  99⤵  PID:3056
-
C:\Windows\SysWOW64\Pcokaa32.exe  C:\Windows\system32\Pcokaa32.exe  100⤵  PID:2040
-
C:\Windows\SysWOW64\Pfmgmm32.exe  C:\Windows\system32\Pfmgmm32.exe  101⤵  PID:1600
-
C:\Windows\SysWOW64\Pjicnlqe.exe  C:\Windows\system32\Pjicnlqe.exe  102⤵  PID:2764
-
C:\Windows\SysWOW64\Pmgpjgph.exe  C:\Windows\system32\Pmgpjgph.exe  103⤵  PID:2360
-
C:\Windows\SysWOW64\Pcahga32.exe  C:\Windows\system32\Pcahga32.exe  104⤵  PID:2404
-
C:\Windows\SysWOW64\Pfpdcm32.exe  C:\Windows\system32\Pfpdcm32.exe  105⤵  PID:2484
-
C:\Windows\SysWOW64\Pinqoh32.exe  C:\Windows\system32\Pinqoh32.exe  106⤵  PID:1416
-
C:\Windows\SysWOW64\Pllmkcdp.exe  C:\Windows\system32\Pllmkcdp.exe  107⤵  PID:1996
-
C:\Windows\SysWOW64\Pphilb32.exe  C:\Windows\system32\Pphilb32.exe  108⤵  PID:2828
-
C:\Windows\SysWOW64\Pbfehn32.exe  C:\Windows\system32\Pbfehn32.exe  109⤵  PID:2664
-
C:\Windows\SysWOW64\Qipmdhcj.exe  C:\Windows\system32\Qipmdhcj.exe  110⤵  PID:1792
-
C:\Windows\SysWOW64\Qmlief32.exe  C:\Windows\system32\Qmlief32.exe  111⤵  PID:1124
-
C:\Windows\SysWOW64\Qpjeaa32.exe  C:\Windows\system32\Qpjeaa32.exe  112⤵  PID:2796
-
C:\Windows\SysWOW64\Qbiamm32.exe  C:\Windows\system32\Qbiamm32.exe  113⤵  PID:1632
-
C:\Windows\SysWOW64\Qegnii32.exe  C:\Windows\system32\Qegnii32.exe  114⤵  PID:2768
-
C:\Windows\SysWOW64\Qhejed32.exe  C:\Windows\system32\Qhejed32.exe  115⤵  PID:1640
-
C:\Windows\SysWOW64\Qpmbgaid.exe  C:\Windows\system32\Qpmbgaid.exe  116⤵  PID:2080
-
C:\Windows\SysWOW64\Qnpbbn32.exe  C:\Windows\system32\Qnpbbn32.exe  117⤵  PID:2960
-
C:\Windows\SysWOW64\Aeikohgk.exe  C:\Windows\system32\Aeikohgk.exe  118⤵  PID:2592
-
C:\Windows\SysWOW64\Aiegpg32.exe  C:\Windows\system32\Aiegpg32.exe  119⤵  PID:2684
-
C:\Windows\SysWOW64\Ajfcgoec.exe  C:\Windows\system32\Ajfcgoec.exe  120⤵  PID:2924
-
C:\Windows\SysWOW64\Anbohn32.exe  C:\Windows\system32\Anbohn32.exe  121⤵  PID:1508
-
C:\Windows\SysWOW64\Aelgdhei.exe  C:\Windows\system32\Aelgdhei.exe  122⤵
- System Location Discovery: System Language Discovery
PID:2976