Analysis
max time kernel: 92s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/10/2024, 05:49
Static task: static1
Behavioral task: behavioral1
  Sample: f5b19ce0c7cba9203e3d9aa20455f3442ffa3f877a3101d84a76930a4af05ead.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: f5b19ce0c7cba9203e3d9aa20455f3442ffa3f877a3101d84a76930a4af05ead.exe
  Resource: win10v2004-20241007-en
General
Target: f5b19ce0c7cba9203e3d9aa20455f3442ffa3f877a3101d84a76930a4af05ead.exe
Size: 52KB
MD5: 5d6b4f36c2034c3893d9f04068e897bc
SHA1: 28e6381d224bf1ebbcf661c9fe882d99cee9573b
SHA256: f5b19ce0c7cba9203e3d9aa20455f3442ffa3f877a3101d84a76930a4af05ead
SHA512: 6347cee09a0f47250ec2da626bc0cac5c4c1ed7340b965ddbe6ff17e218701f9d6ef03b71d3ab8e5da5825f71f7987e49cbcbb263e1bfa87a657f30d683acdca
SSDEEP: 768:aovK8xpxnk2K39n6+yujv0tfzkvaAfXz11oyGjOUSMy/1H5F/sUMABvKWe:lhvkjtn1jv017Av7rGKUSM49MAdKZ
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpnlbi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhcdhf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bodfdfld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkmblgop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chbcinee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Liickcmi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nblcqenl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmobnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blgiim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkpjel32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Maggam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nliadjph.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkkifnpj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgkdel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pkpmgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qkbjmnol.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhofplpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdnbqe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdbmkaoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Codhamjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gipkmn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hingnlfo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qqadmagh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Neamhfjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qfkieb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ighnho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Beklnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhnlnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bggdkd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nacmgapa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oldapi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npekjeph.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agkeoeki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilcjkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gonnblgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpcmjmel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igpkcd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nejpmamp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldbjkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iinbbnie.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogfcmhma.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nloonlhb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plgnfh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhfjdclb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iklnoihi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cqhljhob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Paklon32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emhaaokm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iiigjjla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfnbgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmmefd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfkegd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oeffce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plnkan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epgnmjjq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njhnpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eoilpoig.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opqdknbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Edngmp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlcobmbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Igkknomn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnmole32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Capiemme.exe
Executes dropped EXE (64 IoCs)
pid | Process
4492 | Lpicgihh.exe
1160 | Lbhocegl.exe
4592 | Libgpooi.exe
872 | Llpcljnl.exe
4772 | Lbjlid32.exe
1968 | Liddfolf.exe
4744 | Llbpbjlj.exe
4012 | Lpnlbi32.exe
1276 | Lghdockp.exe
1284 | Lmbmlmbl.exe
1628 | Llemgj32.exe
2988 | Ldlehg32.exe
3896 | Miiman32.exe
1552 | Mlgjmi32.exe
1544 | Mgmnjb32.exe
2628 | Mljfbiea.exe
3116 | Mgokpbeh.exe
2140 | Mpgoig32.exe
2848 | Mgageace.exe
1560 | Mmkpbl32.exe
1540 | Mchhjbii.exe
2308 | Mibpgm32.exe
2460 | Ngfqqa32.exe
2508 | Nnpimkfl.exe
4732 | Nghmfqmm.exe
4816 | Nlefngkd.exe
1980 | Ndlnoelf.exe
2372 | Ngkjlpkj.exe
4040 | Nnebhj32.exe
3524 | Ncakqaqo.exe
1036 | Njlcmk32.exe
1624 | Npekjeph.exe
3676 | Nfbdblnp.exe
2208 | Odcdpd32.exe
1664 | Ofeqhl32.exe
3540 | Oloidfcj.exe
2108 | Odfqecdl.exe
4280 | Ogdmaocp.exe
3236 | Opmakd32.exe
60 | Ofijckhg.exe
2760 | Oqonpdgn.exe
3424 | Odjjqc32.exe
2452 | Ogifmn32.exe
4412 | Olfoee32.exe
1504 | Ofncnkcb.exe
4176 | Pqcgkc32.exe
1840 | Pjlldiji.exe
1340 | Pnghdh32.exe
1388 | Pfcmij32.exe
1344 | Pmmefd32.exe
1920 | Pcgmbnnf.exe
5032 | Pmoakd32.exe
1000 | Pfgfdikg.exe
2960 | Pjcbeh32.exe
1332 | Pqmjab32.exe
3224 | Pckfnn32.exe
3536 | Pfjcji32.exe
3532 | Pnakkf32.exe
2972 | Qqoggb32.exe
4152 | Qdkcgqad.exe
2700 | Qgiodlqh.exe
4368 | Qncgqf32.exe
2636 | Qqadmagh.exe
1868 | Qcppimfl.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Ffjipc32.exe | Fdlmdh32.exe
File created | C:\Windows\SysWOW64\Mkqlbg32.exe | Legcfmij.exe
File created | C:\Windows\SysWOW64\Pkpmgn32.exe | Phaakb32.exe
File created | C:\Windows\SysWOW64\Cbndlo32.dll | Llbpbjlj.exe
File created | C:\Windows\SysWOW64\Qnjnjdho.dll | Opmakd32.exe
File created | C:\Windows\SysWOW64\Ncijlgfm.dll | Hnjadg32.exe
File created | C:\Windows\SysWOW64\Jnaiamni.exe | Jjfnpo32.exe
File opened for modification | C:\Windows\SysWOW64\Lnpoiicf.exe | Lhfflo32.exe
File created | C:\Windows\SysWOW64\Baaligbp.dll | Legcfmij.exe
File created | C:\Windows\SysWOW64\Colpjg32.dll | Dhagbfnj.exe
File created | C:\Windows\SysWOW64\Nehjagbo.exe | Nbjnelck.exe
File created | C:\Windows\SysWOW64\Pdmjgf32.dll | Epehbapo.exe
File created | C:\Windows\SysWOW64\Idahmb32.exe | Iljpleib.exe
File opened for modification | C:\Windows\SysWOW64\Jkpjel32.exe | Jciaco32.exe
File created | C:\Windows\SysWOW64\Aaalegbc.exe | Anepdh32.exe
File created | C:\Windows\SysWOW64\Dcdnmk32.exe | Dkmeknng.exe
File created | C:\Windows\SysWOW64\Ggjbga32.exe | Gdlekell.exe
File created | C:\Windows\SysWOW64\Ceihplga.exe | Cmbpoofo.exe
File opened for modification | C:\Windows\SysWOW64\Dagoel32.exe | Doicia32.exe
File created | C:\Windows\SysWOW64\Hdbmkaoo.exe | Hfompd32.exe
File opened for modification | C:\Windows\SysWOW64\Idnlgpea.exe | Ibopkdfn.exe
File created | C:\Windows\SysWOW64\Llkcgenf.exe | Lbbono32.exe
File created | C:\Windows\SysWOW64\Pffkgici.dll | Lgoplp32.exe
File created | C:\Windows\SysWOW64\Jeoogqop.dll | Pkiggogf.exe
File created | C:\Windows\SysWOW64\Mhbmbc32.exe | Mecqfh32.exe
File opened for modification | C:\Windows\SysWOW64\Fgmmpikl.exe | Fhjlel32.exe
File opened for modification | C:\Windows\SysWOW64\Ghhhfjha.exe | Ganpip32.exe
File opened for modification | C:\Windows\SysWOW64\Hkpghdoj.exe | Hhaklipf.exe
File created | C:\Windows\SysWOW64\Hidnok32.exe | Hgfaco32.exe
File created | C:\Windows\SysWOW64\Djbcqfje.dll | Idjblc32.exe
File created | C:\Windows\SysWOW64\Lghdockp.exe | Lpnlbi32.exe
File opened for modification | C:\Windows\SysWOW64\Mljfbiea.exe | Mgmnjb32.exe
File opened for modification | C:\Windows\SysWOW64\Eapkad32.exe | Dfjgdlka.exe
File opened for modification | C:\Windows\SysWOW64\Neglmk32.exe | Nmpdkn32.exe
File created | C:\Windows\SysWOW64\Pcgmbnnf.exe | Pmmefd32.exe
File opened for modification | C:\Windows\SysWOW64\Anmjfe32.exe | Afebeg32.exe
File opened for modification | C:\Windows\SysWOW64\Qleaamkc.exe | Qfkieb32.exe
File created | C:\Windows\SysWOW64\Fangbb32.exe | Figoae32.exe
File opened for modification | C:\Windows\SysWOW64\Fmiabcpf.exe | Fkkefgab.exe
File opened for modification | C:\Windows\SysWOW64\Qmqfiinp.exe | Qkbjmnol.exe
File opened for modification | C:\Windows\SysWOW64\Nfbdblnp.exe | Npekjeph.exe
File created | C:\Windows\SysWOW64\Hndenf32.dll | Kihnpj32.exe
File opened for modification | C:\Windows\SysWOW64\Jncffmlf.exe | Jkejjamb.exe
File created | C:\Windows\SysWOW64\Achbiiaf.dll | Cchnamig.exe
File created | C:\Windows\SysWOW64\Bhnlpd32.dll | Mjjbocai.exe
File created | C:\Windows\SysWOW64\Ofeqhl32.exe | Odcdpd32.exe
File created | C:\Windows\SysWOW64\Bhqnki32.exe | Bebbom32.exe
File created | C:\Windows\SysWOW64\Dejafj32.exe | Dmbiem32.exe
File opened for modification | C:\Windows\SysWOW64\Klapqf32.exe | Khfdpgng.exe
File created | C:\Windows\SysWOW64\Mppbnb32.exe | Mhijle32.exe
File created | C:\Windows\SysWOW64\Cimclo32.dll | Nijehoad.exe
File created | C:\Windows\SysWOW64\Omonnimc.dll | Dpknaldn.exe
File opened for modification | C:\Windows\SysWOW64\Hccoaaoa.exe | Hpecefpn.exe
File created | C:\Windows\SysWOW64\Ckclkibf.exe | Chepomcc.exe
File created | C:\Windows\SysWOW64\Eociebin.dll | Hnaqjplk.exe
File created | C:\Windows\SysWOW64\Fmolaphb.dll | Igpkcd32.exe
File opened for modification | C:\Windows\SysWOW64\Lopecoga.exe | Llbigdhn.exe
File opened for modification | C:\Windows\SysWOW64\Nidfbf32.exe | Nehjagbo.exe
File created | C:\Windows\SysWOW64\Pmcmcqge.dll | Pjnbobdj.exe
File created | C:\Windows\SysWOW64\Lcfbok32.dll | Qodmnhjg.exe
File created | C:\Windows\SysWOW64\Fjgphn32.dll | Capbjg32.exe
File created | C:\Windows\SysWOW64\Emcpbhfm.dll | Ghkeljfo.exe
File created | C:\Windows\SysWOW64\Pfhihm32.dll | Kgcapa32.exe
File opened for modification | C:\Windows\SysWOW64\Pogpmm32.exe | Plhcaa32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2652 | 4432 | Process not Found | 1114
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amhngl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gonnblgo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmbiem32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfnbgp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Figoae32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgahhpeh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aqffmkpg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bijnhleg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlmbilje.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejeljd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljaohdid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jniflb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahpdggif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkbpda32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iaaffnpo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afjlqgkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaadif32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbchemic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eapkad32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgmmpikl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlfeokbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phnokiil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plkpfalf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Capbjg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmbbkf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpnkhpgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Badiio32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fejjnh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jinkikkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljlfme32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahkdaa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmnpjmla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eehnhhmo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajlnqq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amaqmkaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhofplpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nacmgapa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oehlno32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cflkbnga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lkhpgolm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfefnf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbcfkd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilcjkf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lqikpo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cffcbbdo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofijckhg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Diamoh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikndjb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccfakmkj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjjjbolj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jecoimci.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bggdkd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fphnoopj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikicdm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afebeg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnfmmc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmpmpm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aaabomfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmmefd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hknamkdi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Olbkeoki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efmcil32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Linmfc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpjegcmf.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cooofnnk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmjibckp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llppio32.dll" | Cnjbfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cknbpi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lghdockp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chlngg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfbmfl32.dll" | Eoilpoig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnqpiqch.dll" | Aoboikcp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gonnblgo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bjbmginf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kkpbljoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmmml32.dll" | Bgjhkjbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlnfcjfl.dll" | Pgabig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbcgo32.dll" | Giincl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngkjlpkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hngmqk32.dll" | Boqljigp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chbcinee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jnqbfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jljhmpee.dll" | Hgjlmlfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ifmiqbld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kldmff32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngjcajgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akelhgea.dll" | Ejmiej32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ehaion32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jjcakogb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlmbilje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Facghh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmalcg32.dll" | Kbkimpnn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Llbigdhn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Daieqf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jkejjamb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfegqb32.dll" | Olhkjdll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mecjlb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Epbdbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Baadld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qqoggb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagpf32.dll" | Fhfjdclb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adficcoj.dll" | Mpieda32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lfeaomjf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmnknb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Galcdqbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmimcad.dll" | Hddbfkip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oehlno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agoeglig.dll" | Ecpmhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cfkegd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lbbono32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oooklkmo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fimognda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Omldglpg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emjofl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjeccfna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgknpgmf.dll" | Gdepjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ldbjkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mglfbhbe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Njlcmk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ogifmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifnknfhg.dll" | Degdaj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhdghp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnheqeje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fogham32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Igekijlj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Afekka32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Llmibn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bjkpmhfl.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry gives the nesting level in the process tree, the image path, the command line, the PID, and the signatures triggered by that process.

1. C:\Users\Admin\AppData\Local\Temp\f5b19ce0c7cba9203e3d9aa20455f3442ffa3f877a3101d84a76930a4af05ead.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\f5b19ce0c7cba9203e3d9aa20455f3442ffa3f877a3101d84a76930a4af05ead.exe", PID 3220)
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lpicgihh.exe (cmdline: C:\Windows\system32\Lpicgihh.exe, PID 4492)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Lbhocegl.exe (cmdline: C:\Windows\system32\Lbhocegl.exe, PID 1160)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Libgpooi.exe (cmdline: C:\Windows\system32\Libgpooi.exe, PID 4592)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Llpcljnl.exe (cmdline: C:\Windows\system32\Llpcljnl.exe, PID 872)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Lbjlid32.exe (cmdline: C:\Windows\system32\Lbjlid32.exe, PID 4772)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Liddfolf.exe (cmdline: C:\Windows\system32\Liddfolf.exe, PID 1968)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Llbpbjlj.exe (cmdline: C:\Windows\system32\Llbpbjlj.exe, PID 4744)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Lpnlbi32.exe (cmdline: C:\Windows\system32\Lpnlbi32.exe, PID 4012)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lghdockp.exe (cmdline: C:\Windows\system32\Lghdockp.exe, PID 1276)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Lmbmlmbl.exe (cmdline: C:\Windows\system32\Lmbmlmbl.exe, PID 1284)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Llemgj32.exe (cmdline: C:\Windows\system32\Llemgj32.exe, PID 1628)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Ldlehg32.exe (cmdline: C:\Windows\system32\Ldlehg32.exe, PID 2988)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Miiman32.exe (cmdline: C:\Windows\system32\Miiman32.exe, PID 3896)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mlgjmi32.exe (cmdline: C:\Windows\system32\Mlgjmi32.exe, PID 1552)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mgmnjb32.exe (cmdline: C:\Windows\system32\Mgmnjb32.exe, PID 1544)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mljfbiea.exe (cmdline: C:\Windows\system32\Mljfbiea.exe, PID 2628)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Mgokpbeh.exe (cmdline: C:\Windows\system32\Mgokpbeh.exe, PID 3116)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Mpgoig32.exe (cmdline: C:\Windows\system32\Mpgoig32.exe, PID 2140)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Mgageace.exe (cmdline: C:\Windows\system32\Mgageace.exe, PID 2848)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Mmkpbl32.exe (cmdline: C:\Windows\system32\Mmkpbl32.exe, PID 1560)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Mchhjbii.exe (cmdline: C:\Windows\system32\Mchhjbii.exe, PID 1540)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Mibpgm32.exe (cmdline: C:\Windows\system32\Mibpgm32.exe, PID 2308)
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Ngfqqa32.exe (cmdline: C:\Windows\system32\Ngfqqa32.exe, PID 2460)
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Nnpimkfl.exe (cmdline: C:\Windows\system32\Nnpimkfl.exe, PID 2508)
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Nghmfqmm.exe (cmdline: C:\Windows\system32\Nghmfqmm.exe, PID 4732)
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Nlefngkd.exe (cmdline: C:\Windows\system32\Nlefngkd.exe, PID 4816)
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Ndlnoelf.exe (cmdline: C:\Windows\system32\Ndlnoelf.exe, PID 1980)
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Ngkjlpkj.exe (cmdline: C:\Windows\system32\Ngkjlpkj.exe, PID 2372)
   - Executes dropped EXE
   - Modifies registry class
30. C:\Windows\SysWOW64\Nnebhj32.exe (cmdline: C:\Windows\system32\Nnebhj32.exe, PID 4040)
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Ncakqaqo.exe (cmdline: C:\Windows\system32\Ncakqaqo.exe, PID 3524)
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Njlcmk32.exe (cmdline: C:\Windows\system32\Njlcmk32.exe, PID 1036)
   - Executes dropped EXE
   - Modifies registry class
33. C:\Windows\SysWOW64\Npekjeph.exe (cmdline: C:\Windows\system32\Npekjeph.exe, PID 1624)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
34. C:\Windows\SysWOW64\Nfbdblnp.exe (cmdline: C:\Windows\system32\Nfbdblnp.exe, PID 3676)
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Odcdpd32.exe (cmdline: C:\Windows\system32\Odcdpd32.exe, PID 2208)
   - Executes dropped EXE
   - Drops file in System32 directory
36. C:\Windows\SysWOW64\Ofeqhl32.exe (cmdline: C:\Windows\system32\Ofeqhl32.exe, PID 1664)
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Oloidfcj.exe (cmdline: C:\Windows\system32\Oloidfcj.exe, PID 3540)
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Odfqecdl.exe (cmdline: C:\Windows\system32\Odfqecdl.exe, PID 2108)
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Ogdmaocp.exe (cmdline: C:\Windows\system32\Ogdmaocp.exe, PID 4280)
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Opmakd32.exe (cmdline: C:\Windows\system32\Opmakd32.exe, PID 3236)
   - Executes dropped EXE
   - Drops file in System32 directory
41. C:\Windows\SysWOW64\Ofijckhg.exe (cmdline: C:\Windows\system32\Ofijckhg.exe, PID 60)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
42. C:\Windows\SysWOW64\Oqonpdgn.exe (cmdline: C:\Windows\system32\Oqonpdgn.exe, PID 2760)
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Odjjqc32.exe (cmdline: C:\Windows\system32\Odjjqc32.exe, PID 3424)
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Ogifmn32.exe (cmdline: C:\Windows\system32\Ogifmn32.exe, PID 2452)
   - Executes dropped EXE
   - Modifies registry class
45. C:\Windows\SysWOW64\Olfoee32.exe (cmdline: C:\Windows\system32\Olfoee32.exe, PID 4412)
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Ofncnkcb.exe (cmdline: C:\Windows\system32\Ofncnkcb.exe, PID 1504)
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Pqcgkc32.exe (cmdline: C:\Windows\system32\Pqcgkc32.exe, PID 4176)
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Pjlldiji.exe (cmdline: C:\Windows\system32\Pjlldiji.exe, PID 1840)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Pnghdh32.exe (cmdline: C:\Windows\system32\Pnghdh32.exe, PID 1340)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Pfcmij32.exe (cmdline: C:\Windows\system32\Pfcmij32.exe, PID 1388)
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Pmmefd32.exe (cmdline: C:\Windows\system32\Pmmefd32.exe, PID 1344)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
52. C:\Windows\SysWOW64\Pcgmbnnf.exe (cmdline: C:\Windows\system32\Pcgmbnnf.exe, PID 1920)
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Pmoakd32.exe (cmdline: C:\Windows\system32\Pmoakd32.exe, PID 5032)
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Pfgfdikg.exe (cmdline: C:\Windows\system32\Pfgfdikg.exe, PID 1000)
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Pjcbeh32.exe (cmdline: C:\Windows\system32\Pjcbeh32.exe, PID 2960)
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Pqmjab32.exe (cmdline: C:\Windows\system32\Pqmjab32.exe, PID 1332)
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Pckfnn32.exe (cmdline: C:\Windows\system32\Pckfnn32.exe, PID 3224)
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Pfjcji32.exe (cmdline: C:\Windows\system32\Pfjcji32.exe, PID 3536)
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Pnakkf32.exe (cmdline: C:\Windows\system32\Pnakkf32.exe, PID 3532)
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Qqoggb32.exe (cmdline: C:\Windows\system32\Qqoggb32.exe, PID 2972)
   - Executes dropped EXE
   - Modifies registry class
61. C:\Windows\SysWOW64\Qdkcgqad.exe (cmdline: C:\Windows\system32\Qdkcgqad.exe, PID 4152)
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Qgiodlqh.exe (cmdline: C:\Windows\system32\Qgiodlqh.exe, PID 2700)
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Qncgqf32.exe (cmdline: C:\Windows\system32\Qncgqf32.exe, PID 4368)
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Qqadmagh.exe (cmdline: C:\Windows\system32\Qqadmagh.exe, PID 2636)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Qcppimfl.exe (cmdline: C:\Windows\system32\Qcppimfl.exe, PID 1868)
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Qgllil32.exe (cmdline: C:\Windows\system32\Qgllil32.exe, PID 1984)
67. C:\Windows\SysWOW64\Qjjheg32.exe (cmdline: C:\Windows\system32\Qjjheg32.exe, PID 2016)
68. C:\Windows\SysWOW64\Amhdab32.exe (cmdline: C:\Windows\system32\Amhdab32.exe, PID 4276)
69. C:\Windows\SysWOW64\Acbmnmdi.exe (cmdline: C:\Windows\system32\Acbmnmdi.exe, PID 3620)
70. C:\Windows\SysWOW64\Afaijhcm.exe (cmdline: C:\Windows\system32\Afaijhcm.exe, PID 1168)
71. C:\Windows\SysWOW64\Anhaledo.exe (cmdline: C:\Windows\system32\Anhaledo.exe, PID 2632)
72. C:\Windows\SysWOW64\Aqfmhacc.exe (cmdline: C:\Windows\system32\Aqfmhacc.exe, PID 3048)
73. C:\Windows\SysWOW64\Aceidl32.exe (cmdline: C:\Windows\system32\Aceidl32.exe, PID 4080)
74. C:\Windows\SysWOW64\Afcfph32.exe (cmdline: C:\Windows\system32\Afcfph32.exe, PID 2352)
75. C:\Windows\SysWOW64\Anjnae32.exe (cmdline: C:\Windows\system32\Anjnae32.exe, PID 3392)
76. C:\Windows\SysWOW64\Aqijmq32.exe (cmdline: C:\Windows\system32\Aqijmq32.exe, PID 1104)
77. C:\Windows\SysWOW64\Acgfil32.exe (cmdline: C:\Windows\system32\Acgfil32.exe, PID 4088)
78. C:\Windows\SysWOW64\Afebeg32.exe (cmdline: C:\Windows\system32\Afebeg32.exe, PID 4676)
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
79. C:\Windows\SysWOW64\Anmjfe32.exe (cmdline: C:\Windows\system32\Anmjfe32.exe, PID 764)
80. C:\Windows\SysWOW64\Aakfcp32.exe (cmdline: C:\Windows\system32\Aakfcp32.exe, PID 4900)
81. C:\Windows\SysWOW64\Acicol32.exe (cmdline: C:\Windows\system32\Acicol32.exe, PID 3916)
82. C:\Windows\SysWOW64\Afhokgme.exe (cmdline: C:\Windows\system32\Afhokgme.exe, PID 3960)
83. C:\Windows\SysWOW64\Aclpdklo.exe (cmdline: C:\Windows\system32\Aclpdklo.exe, PID 3500)
84. C:\Windows\SysWOW64\Afjlqgkb.exe (cmdline: C:\Windows\system32\Afjlqgkb.exe, PID 2716)
   - System Location Discovery: System Language Discovery
85. C:\Windows\SysWOW64\Bmddma32.exe (cmdline: C:\Windows\system32\Bmddma32.exe, PID 1156)
86. C:\Windows\SysWOW64\Beklnn32.exe (cmdline: C:\Windows\system32\Beklnn32.exe, PID 4936)
   - Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Bgjhkjbe.exe (cmdline: C:\Windows\system32\Bgjhkjbe.exe, PID 1780)
   - Modifies registry class
88. C:\Windows\SysWOW64\Bncqgd32.exe (cmdline: C:\Windows\system32\Bncqgd32.exe, PID 1440)
89. C:\Windows\SysWOW64\Babmco32.exe (cmdline: C:\Windows\system32\Babmco32.exe, PID 5104)
90. C:\Windows\SysWOW64\Benidnao.exe (cmdline: C:\Windows\system32\Benidnao.exe, PID 1896)
91. C:\Windows\SysWOW64\Bfoelf32.exe (cmdline: C:\Windows\system32\Bfoelf32.exe, PID 548)
92. C:\Windows\SysWOW64\Bnfmmc32.exe (cmdline: C:\Windows\system32\Bnfmmc32.exe, PID 3900)
   - System Location Discovery: System Language Discovery
93. C:\Windows\SysWOW64\Badiio32.exe (cmdline: C:\Windows\system32\Badiio32.exe, PID 772)
   - System Location Discovery: System Language Discovery
94. C:\Windows\SysWOW64\Bccfej32.exe (cmdline: C:\Windows\system32\Bccfej32.exe, PID 2600)
95. C:\Windows\SysWOW64\Bfabaf32.exe (cmdline: C:\Windows\system32\Bfabaf32.exe, PID 2652)
96. C:\Windows\SysWOW64\Bmkjnp32.exe (cmdline: C:\Windows\system32\Bmkjnp32.exe, PID 2260)
97. C:\Windows\SysWOW64\Bebbom32.exe (cmdline: C:\Windows\system32\Bebbom32.exe, PID 4876)
   - Drops file in System32 directory
98. C:\Windows\SysWOW64\Bhqnki32.exe (cmdline: C:\Windows\system32\Bhqnki32.exe, PID 1888)
99. C:\Windows\SysWOW64\Bjokgd32.exe (cmdline: C:\Windows\system32\Bjokgd32.exe, PID 4752)
100. C:\Windows\SysWOW64\Bmngcp32.exe (cmdline: C:\Windows\system32\Bmngcp32.exe, PID 3928)
101. C:\Windows\SysWOW64\Baicdncn.exe (cmdline: C:\Windows\system32\Baicdncn.exe, PID 1460)
102. C:\Windows\SysWOW64\Bhckqh32.exe (cmdline: C:\Windows\system32\Bhckqh32.exe, PID 4116)
103. C:\Windows\SysWOW64\Cjagmd32.exe (cmdline: C:\Windows\system32\Cjagmd32.exe, PID 1720)
104. C:\Windows\SysWOW64\Cmpcioha.exe (cmdline: C:\Windows\system32\Cmpcioha.exe, PID 3584)
105. C:\Windows\SysWOW64\Cegljmid.exe (cmdline: C:\Windows\system32\Cegljmid.exe, PID 3800)
106. C:\Windows\SysWOW64\Chehfhhh.exe (cmdline: C:\Windows\system32\Chehfhhh.exe, PID 4328)
107. C:\Windows\SysWOW64\Cjddbcgk.exe (cmdline: C:\Windows\system32\Cjddbcgk.exe, PID 4112)
108. C:\Windows\SysWOW64\Cmbpoofo.exe (cmdline: C:\Windows\system32\Cmbpoofo.exe, PID 4800)
   - Drops file in System32 directory
109. C:\Windows\SysWOW64\Ceihplga.exe (cmdline: C:\Windows\system32\Ceihplga.exe, PID 524)
110. C:\Windows\SysWOW64\Cfkegd32.exe (cmdline: C:\Windows\system32\Cfkegd32.exe, PID 3448)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
111. C:\Windows\SysWOW64\Cnamib32.exe (cmdline: C:\Windows\system32\Cnamib32.exe, PID 5156)
112. C:\Windows\SysWOW64\Capiemme.exe (cmdline: C:\Windows\system32\Capiemme.exe, PID 5204)
   - Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Cdoeaili.exe (cmdline: C:\Windows\system32\Cdoeaili.exe, PID 5248)
114. C:\Windows\SysWOW64\Cfmamdkm.exe (cmdline: C:\Windows\system32\Cfmamdkm.exe, PID 5292)
115. C:\Windows\SysWOW64\Cndinalo.exe (cmdline: C:\Windows\system32\Cndinalo.exe, PID 5336)
116. C:\Windows\SysWOW64\Cmgjjn32.exe (cmdline: C:\Windows\system32\Cmgjjn32.exe, PID 5380)
117. C:\Windows\SysWOW64\Cdabfhjf.exe (cmdline: C:\Windows\system32\Cdabfhjf.exe, PID 5424)
118. C:\Windows\SysWOW64\Chlngg32.exe (cmdline: C:\Windows\system32\Chlngg32.exe, PID 5468)
   - Modifies registry class
119. C:\Windows\SysWOW64\Cmifon32.exe (cmdline: C:\Windows\system32\Cmifon32.exe, PID 5512)
120. C:\Windows\SysWOW64\Cdcolh32.exe (cmdline: C:\Windows\system32\Cdcolh32.exe, PID 5556)
121. C:\Windows\SysWOW64\Dfakhc32.exe (cmdline: C:\Windows\system32\Dfakhc32.exe, PID 5600)
122. C:\Windows\SysWOW64\Doicia32.exe (cmdline: C:\Windows\system32\Doicia32.exe, PID 5664)
   - Drops file in System32 directory